Skip to content

Centrify Empowers DevSecOps with a New Approach to Identity and Access Management for Applications and Services

SANTA CLARA, Calif. ― July 28, 2020Centrify, a leading provider of Identity-Centric Privileged Access Management (PAM) solutions, today debuted Delegated Machine Credentials (DMC) as part of the Centrify Privileged Access Service to reduce risk and empower automation in increasingly complex, infrastructure-as-code-based elastic environments. Centrify DMC enables organizations to reduce their reliance on service accounts with static credentials used to access password vaults for workloads and services in the cloud or on-premise, instead of delegating the entitlements of the machine to applications running on it. The result is improved agility through the reduction of manual processes, and a smaller attack surface due to a significant reduction of service accounts that could potentially expose the organization.

The ongoing challenge for DevOps continues to be enabling agility for developers while also making sure that operations and security teams have confidence that everything is running smoothly and securely. Increasingly, the use of password vaults is becoming a bottleneck that developers don’t want to be hassled with, while security teams are struggling to keep up with the dynamic nature of DevOps-centric environments. One of the main challenges is that password vaults were designed to manage human administrative login to servers. Ideally, privileged access for and between workloads would be automated by a modern cloud-PAM solution so humans don’t need to be involved.

Enter Centrify Delegated Machine Credentials, which leverages the power of the Centrify Client to enroll a machine in the Centrify Platform. The Centrify Platform gives the machine a unique identity and credential, can automatically assign role-based permissions, and scope which vault APIs can be called, to constrain access by individual applications, services, or other workloads on the machine. This machine credential can now be delegated for use by workloads on that system, leveraging the binding trust the machine has with the Centrify Platform, avoiding the need to create and manage hundreds or thousands of additional service accounts in a vault. This reduces risk and improves operational efficiency.

“The explosive growth of machine and service accounts in the enterprise is creating a wealth of opportunity for cyber-attackers to sneak into the enterprise,” said David McNeely, Chief Strategy Officer at Centrify. “Our infrastructure-as-code approach makes PAM a ‘first-class citizen’ in the CI/CD pipeline, eliminating the need for thousands of potential exposure points while increasing agility. The unique binding trust between the Centrify Client and the Centrify Platform is what makes this identity-centric approach to managing machine identities and their entitlements possible.”

Traditional application-to-application password management (AAPM) approaches have been more of a band-aid. They took embedded credentials out of code, but then require the creation of hundreds or thousands of new service accounts in the vault, a credential and rotation schedule for each one, and client code to obtain the credential. This is an undertaking that can drag down even generously-sized Ops teams. Centrify Delegated Machine Credentials solves this issue by eliminating the requirement for hundreds or thousands of additional service accounts.

“Conceptually, delegated machine credentials can be thought of as ‘federation for machine identities,’ in the sense that rather than applications sharing passwords or secrets directly, the Centrify client can broker a temporary access token between Centrify’s PAS and target resources – applications, service accounts, containers, and APIs,” said Garrett Bekker, a principal security analyst at 451 Research, part of S&P Global Market Intelligence. “DMC creates a machine identity and issues a scoped token that is only valid for a defined period of time, in lieu of using many service accounts with long-lived credentials that present a greater attack window.”

More information about Centrify Delegated Machine Credentials is available in the Centrify blog, and a demo video can be viewed on the Centrify YouTube channel:


About Centrify
Centrify is redefining the legacy approach to Privileged Access Management by delivering multi-cloud-architected Identity-Centric PAM to enable digital transformation at scale. Centrify Identity-Centric PAM establishes trust and then grants least privilege access just-in-time based on verifying who is requesting access, the context of the request, and the risk of the access environment. Centrify centralizes and orchestrates fragmented identities, improves audit and compliance visibility, and reduces risk, complexity, and costs for the modern, hybrid enterprise. Over half of the Fortune 100, the world’s largest financial institutions, intelligence agencies, and critical infrastructure companies, all trust Centrify to stop the leading cause of breaches – privileged credential abuse.

©Centrify is a registered trademark of Centrify Corporation in the United States and other countries. All other trademarks are the property of their respective owners.