Tuesday, October 21, 2008

Making identity work the same way on Windows and *nix

By Jeff Gould, CEO & Director of Research, Peerstone Research

According to IDC, Windows Server, Linux and Unix now account for 67%, 20% and 9% respectively of a worldwide server installed base of nearly 33 million units. Do the math and you will see that all other operating systems combined represent only 4% of the total. Of course, the IBM mainframes tucked away in that 4% still own a disproportionately large share of the truly mission-critical applications and data residing on these millions of machines. But if we consider just the sheer number of Windows and *nix systems installed, a very clear picture emerges: most organizations of any size now have large numbers of users logging in every day on servers that live in parallel universes. The resulting duplication of administrative tools and manpower consumes vast amounts of time and money that could be more fruitfully employed elsewhere. The obvious solution would be to consolidate the twin Windows and *nix management infrastructures into a single infrastructure that handles both worlds. But how? Microsoft does not bundle Identity and Access Management (IAM) for Linux and Unix with Windows Server, nor is it keen on opening up Windows to Linux- or Unix-based tools. So the task of bridging the gap between the two worlds falls to third-party vendors with the knowledge and agility to plant a foot on both sides of the divide. This is exactly the approach taken by software vendor Centrify, which has turned Microsoft’s previously Windows-only Active Directory into a tool for cross-platform IAM. I recently had the opportunity to chat with Centrify’s CEO and Founder, Tom Kemp. What follows is a lightly edited transcript of our conversation.

Q : How did Centrify get started?

A: I was one of the co-founders of NetIQ back in the 1990s. We were one of the first vendors to focus on Windows as a platform for mission-critical computing. We took NetIQ from just an idea to a public company with over $300 million in revenue and 1500 employees. I really enjoyed that process and learned a lot from it. So when I left NetIQ in 2003 I knew I wanted to start another company. I knew I wanted to concentrate on infrastructure management in the broad sense, which includes both system management and security. Linux was just emerging as an enterprise platform then. My fellow Centrify co-founders (Adam Au and Paul Moore) and I looked closely at Linux and we quickly realized that, unlike Windows and Unix, it didn’t have a good solution for Identity and Access Management. Most Linux systems were still managed with just a text file of passwords that had to be manually configured on each individual server. There was a tremendous need for something better, and we said to ourselves that we were going to fill that need.

Q: How did you get from identifying the need for IAM in the Linux market to choosing Active Directory as the solution?

A: We didn’t start out with exactly that idea. I had acquired a great respect for Active Directory while still at NetIQ. It was a big step forward because it brought centralized digital identity and group policy to Windows in a very secure and manageable way. I knew Linux needed something like it. But originally I thought we were going to build our own Linux-based equivalent of Active Directory rather than use Microsoft’s. Then reality set in. Even with the Linux boom, Windows still had the lion’s share of the commodity server market. And there was no way that Windows was going to dip below 90% of the desktop market in the foreseeable future. It was also clear that Microsoft would never support another directory taking control of the Windows desktop. We knew it would cost a fortune to duplicate Active Directory on Linux. What people really needed was a cross-platform IAM solution that would let them leverage the AD infrastructure they already had. After all, these customers had just spent five years migrating to AD. They had spent a tremendous amount of money to implement it and build up the relevant skill set in their organizations. Why not let them leverage all that and consolidate Linux and Unix directories with AD? So that’s how we conceived our first product, which was DirectControl.

Q: How does DirectControl work exactly?

A: DirectControl extends the authentication, single sign-on (SSO) and group policy functionality in Active Directory to non-Microsoft systems. It does that by leveraging the Kerberos authentication protocol and the Lightweight Directory Access Protocol (LDAP) service built into AD. It is a little software agent or client that installs on non-Microsoft servers and desktops – Linux, Unix or Macintosh. You then run a command to join that system to an AD domain. Now end users can sign in on this system using their AD user ID and password. From the point of view of the administrator who has to provision and manage user accounts and set group policy rules, these non-Microsoft systems now look and feel and act exactly like Windows desktops or Windows Server systems. As of today we support just about every flavor of Linux and Unix, plus the Macintosh and VMware ESX.

Q: How do you control the access rights of these users who can now log on to a Linux or Unix system using their Active Directory password?

A: Most organizations don’t want to let Joe User log on to just any Unix or Linux system he pleases. So we added our own proprietary secret sauce to let you control that. We call it Zoning. A Zone is a group of systems that a user or set of users are allowed to log on to. AD administrators set up these Zones just the way they set up user accounts. You can also delegate administration rights over certain systems to specific administrators. For example, you can set it up so that only the Linux administrator controls access rights to the Linux systems, even though the AD administrators control the overall system. DirectControl is very granular and flexible in this way.

Q: What about the applications that are running on these Linux and Unix systems? Can users log on to them too using AD?

A: Yes. We have DirectControl plug-ins for enterprise applications and databases such as SAP, DB2 and Oracle as well as for web apps that run on platforms like Apache, JBoss, Tomcat, WebLogic or WebSphere. So now you can extend the single sign-on that Kerberos gives you inside the Microsoft environment to these other applications. The Kerberos ticket that lets you sign on to Exchange or use the office printer now also works for SAP.

Q: Isn’t it risky for a software company like Centrify to be so dependent on a Microsoft technology it doesn’t control?

A: I learned when I was at NetIQ that Microsoft is actually a very good vendor to work with if you have a complementary product and know how to deal with them. If you understand where they are going and what they like and don’t like, you can be quite successful. A lot of people in the vendor community are unduly paranoid about them or don’t understand where they are going. But they are not as threatening as people think. It’s like the Austin Powers movie where he is screaming that he’s about to get run over by a steamroller that’s moving at two miles per hour. Microsoft is like that steamroller. There’s time to get out of the way if you plan your product roadmap accordingly, or even hop on board as a value-added solution.

Q: Now that DirectControl has been on the market for a few years, what have the killer applications for it turned out to be?

A: We always knew that improving the security of Linux and reducing the amount of IT labor required to administer it would be key drivers. And they are. But the biggest driver of all has turned out to be compliance. Almost every company has compliance issues these days, even if you’re private. Everyone knows about Sarbanes-Oxley, of course. But there’s also HIPAA in the health care arena, PCI DSS for credit cards, Gramm-Leach in financial services, and so on. It would take a long time to list all the regulatory regimes companies are subject to these days. These rules create all sorts of issues for IT organizations. There are too many people accessing applications, users sharing passwords when they shouldn’t be, end users who have too much access to information, and so on. A lot of customers who come to us are organizations who have just failed a compliance audit. They know they have to do something, and the idea of consolidating user sign-ons for all these heterogeneous systems into a single central directory and authentication protocol with Active Directory all of a sudden makes a lot of sense to them, even if they come from a Unix or Linux background and have traditionally been skeptical of Microsoft technology. In fact, the demand for help with compliance issues has been so strong that we developed a second product called DirectAudit just to address that need. This product captures all user activity on Linux and Unix systems and stores it in a SQL Server database. It tells you who logged on to which system, which commands they executed, and what data they modified. It also lets you play back entire user sessions, just like a TiVo or a VCR.

Q: What is the difference between Centrify and Enterprise Single Sign-on (ESSO) products like Passlogix?

A: ESSO products like Passlogix are installed on the user’s PC and store the user’s log-on actions in an encrypted wallet. When you log on to an application like SAP, it will store your ID and password and remember to use them the next time. It will do that for all the systems and applications the user logs on to. But the problem is that you still have separate IDs and passwords for all those systems and no central way of managing them. If an employee leaves your organization, your admins will still have to go to each one of those systems and manually disable his or her access rights. With Centrify we do it in a centralized server-based way. We install a plugin on the SAP system that will accept a Kerberos ticket issued by Active Directory. That allows the user to silently authenticate to SAP just like they do for Exchange or any other application in the AD domain. Your AD password is now basically your enterprise password. Every help desk knows how to reset an AD password. Users can go into their PC or Mac and change their password, and it changes globally in AD. You can use AD to enforce policies such as password aging for all these systems. And if someone leaves your organization you can go into AD and turn off all their access rights.

Q: What about organizations that want to use some other directory than AD?

A: Most organizations have some kind of provisioning system, although ironically most provisioning systems today are still home-brewed. So when a new employee gets added into HR, this triggers the provisioning system to set them up with an e-mail and desktop Windows account. But then they also need access to three or four web apps on the company portal. And then there are the SAP or Oracle apps, which will require manual provisioning. Pretty soon you need a database up in the sky to keep track of all these provisioned IDs, and you have tons of complex synchronization occurring between identity stores. So organizations end up with this database on top of the 50 or 60 identity stores they already have. After a while they realize they need to do something to reduce the chaos, and the auditors will probably find their access control is lacking, so they say OK let’s call IBM, or CA, or Sun, or Oracle. Those big vendors love this kind of situation. They all have big portfolios of IAM products built by acquiring smaller vendors. But the products are integrated mostly at the brochure level only. They know they’re going to sell you a bunch of stuff for a million bucks and then charge you five million more to integrate it all and deploy it. And it will take a year. Often they require their own directory or database that will synchronize with the identity stores you already have, such as AD or SAP’s directory, etc. These big IAM vendors are not AD-centric because it competes with their own directories. But no one can compete with AD in the Windows space because it comes built into Windows Server for free and everyone already has it. So now you have a fork in the road. You can build a complex synchronization layer on top of AD and all the identity stores you already have. Or you can use Centrify to extend the AD that you are already using for Windows and probably e-mail too if you have Exchange. Then you replace all those other identity stores instead of adding complexity on top of them. This makes it much easier to provision a user, because Centrify lets you consolidate identity stores down to a much more manageable number.

Q: You have a new product coming out, DirectAuthorize. How does it fit in with the rest of your portfolio?

A: DirectAuthorize takes the role based management features in DirectControl to the next level. It’s the next step in policy-based access control. It manages and enforces role-based entitlements in a centralized way through Active Directory. It gives you much more fine-grained control over user access and privileges on your Linux and Unix systems. With DirectControl you could control which users could log on to which systems. Now with DirectAuthorize you can control which commands they can type, what time of day or night they can log on, whether they can access the system with FTP or ssh or have to log on directly, and so forth. You can now define very precise roles with specific rights. For example, you can create a “Backup Operator” role that can log on to a system physically between 9pm and midnight and type six commands, but can’t do anything else. In effect you are creating a white list of actions they are allowed to perform and everything else is excluded. Then you can assign this role to an AD user or group.

Q: Are you selling your three main products separately or in a suite?

A: We are delivering our products in an integrated suite called the Centrify Suite. The Standard Edition of the suite includes DirectControl and the new product DirectAuthorize. The Enterprise Edition is the Standard Edition plus DirectAudit. Then there is the Application Edition which contains the plugins for things like SAP and Oracle. The basic price for the Standard Suite is $350 per Linux server.

Q: What about the Macintosh?

A: We have a lot of customers using Macs. At least a million Macs a year are being sold into the kind of enterprises that we sell to. On the desktop the Mac is obviously a bigger competitor to Windows than Linux is. So it’s very important to us. In addition to the support we already have for the Mac in DirectControl, we are coming out with enhanced Macintosh smart card support. People have smart cards that they use with Windows to log on to AD. For example in the federal government you have the CAC and PIV cards. Now we will let you use that same smart card for your Mac with the appropriate reader. Organizations are finally letting the Mac back in, but their IT departments want to be able to manage them with the same tools. So we facilitate single sign-on and group policy for the Mac through AD. Apple already provides basic AD login, but we provide much finer grained group policy. We can enforce lockdown rules on your Macs, such as not allowing anyone to put a USB device into a Mac, or a rule that says how long you can leave a Mac unattended before requiring a new logon. Windows already has this kind of group policy with AD, we are just extending it to the Mac. DirectControl costs $60 per Mac client.

Q: Where is Centrify as a company today?

A: We launched our first product in February 2005 and now, three and a half years later, we have 600 customers. We’ve doubled our customer base in each of the last two years. We have 38% of the Fortune 50 and we sell mostly to large companies. Some of our customers are using Centrify to manage thousands of Linux servers, but we are also getting purchase orders from people who want to tie five Macs into their Active Directory. Our addressable market is over $1 billion and growing rapidly. The IT world is a very heterogeneous place and it’s going to stay that way. Windows may be dominant, but there are still a hundred thousand Unix servers and well over a million Linux servers being shipped every quarter. We feel that we have a disruptive technology in a market that has a lot of players of all sizes but isn’t dominated by one or two companies. We’ve raised $36 million in venture capital, which makes us the best funded Identity and Access Management startup around. We are very optimistic about our future growth.
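Editor’s note: the DirectAuthorize answer above describes role-based entitlements as an allowlist of commands, access methods and logon hours, with everything not listed denied. The following is an added illustration of that default-deny evaluation model, written for this page; it is not Centrify’s code and says nothing about how DirectAuthorize is implemented. The role name, its six commands, the console-only restriction, the 9pm-to-midnight window and the AD-style user and group names are all assumptions constructed for the example.

```python
"""Default-deny, role-based entitlement check for Unix logons.

Added illustration for the DirectAuthorize discussion; NOT Centrify's code.
The role, command list, access methods, time window and AD-style principal
names below are assumptions constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Role:
    """A named allowlist: anything not listed here is denied."""
    name: str
    allowed_commands: FrozenSet[str]   # command basenames the role may run
    access_methods: FrozenSet[str]     # e.g. {"console"} or {"ssh", "console"}
    window_start: time                 # inclusive
    window_end: time                   # exclusive; 00:00 means "up to midnight"

    def in_window(self, when: time) -> bool:
        """True if `when` falls inside the logon window. A window whose end is
        not after its start wraps past midnight (21:00 -> 02:00); equal bounds
        mean all day."""
        if self.window_start < self.window_end:
            return self.window_start <= when < self.window_end
        return when >= self.window_start or when < self.window_end


@dataclass(frozen=True)
class Request:
    user: str       # AD principal, e.g. "CORP\\bjones" (assumed naming)
    method: str     # "console", "ssh" or "ftp"
    command: str    # command basename the user is trying to run
    when: datetime


# Constructed sample data: one role, bound to an AD group rather than a user.
ROLES: Dict[str, Role] = {
    "Backup Operator": Role(
        name="Backup Operator",
        allowed_commands=frozenset({"tar", "rsync", "mount", "umount", "df", "ls"}),
        access_methods=frozenset({"console"}),   # must log on at the machine
        window_start=time(21, 0),
        window_end=time(0, 0),                    # 21:00 up to midnight
    ),
}
ROLE_BINDINGS: Dict[str, List[str]] = {"CORP\\Backup-Ops": ["Backup Operator"]}
GROUP_MEMBERSHIP: Dict[str, List[str]] = {"CORP\\bjones": ["CORP\\Backup-Ops"]}


def principals_for(user: str) -> List[str]:
    """The user plus every AD group the user belongs to."""
    return [user, *GROUP_MEMBERSHIP.get(user, [])]


def authorize(req: Request) -> Tuple[bool, str]:
    """Allow only if some role bound to the user (directly or via a group)
    permits the access method, the time of day AND the command. Any request
    that no role explicitly covers is denied."""
    for principal in principals_for(req.user):
        for role_name in ROLE_BINDINGS.get(principal, []):
            role = ROLES[role_name]
            if req.method not in role.access_methods:
                continue
            if not role.in_window(req.when.time()):
                continue
            if req.command not in role.allowed_commands:
                continue
            return True, f"{role_name} via {principal}"
    return False, "no matching role (default deny)"


def demo() -> List[Tuple[bool, str]]:
    """Evaluate a handful of constructed requests and return the decisions."""
    requests = [
        Request("CORP\\bjones", "console", "tar", datetime(2008, 10, 21, 21, 30)),  # allowed
        Request("CORP\\bjones", "ssh", "tar", datetime(2008, 10, 21, 21, 30)),      # wrong method
        Request("CORP\\bjones", "console", "rm", datetime(2008, 10, 21, 21, 30)),   # not allowlisted
        Request("CORP\\bjones", "console", "tar", datetime(2008, 10, 22, 0, 30)),   # outside window
        Request("CORP\\asmith", "console", "tar", datetime(2008, 10, 21, 21, 30)),  # no role bound
    ]
    return [authorize(r) for r in requests]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point worth noticing is the shape of the decision: there is no deny list to maintain, so a command, protocol or hour that nobody thought to enumerate is refused rather than silently permitted, and the window check is written to survive the midnight wrap-around that a naive `start <= now <= end` comparison gets wrong.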

PS: Centrify invites InteropNews readers to attend its November 19, 2008 Webinar with Gartner Group entitled “Beyond Authentication: Utilizing Active Directory for Robust Access Control and Authorization for UNIX, Linux and Mac.”

Reader Comments (1)

Very informative and good interview.

October 21, 2008 | Unregistered Commenter Anonymous