Centrify Harnesses Active Directory For Mobile Device Management

Mobility can increase worker productivity -- but only if a variety of workflow and security headaches are avoided. This avoidance is easier said than done, but Centrify aims to help. Monday, the company unveiled its DirectControl for SaaS, a new service that harnesses Active Directory (AD) to allow single sign-on (SSO) access to cloud apps and services.

Created by Microsoft more than a decade ago, AD offers a central hub through which IT can manage user identities and define access to corporate data. It has become a security cornerstone not only in traditional Windows environments but also, thanks to Centrify and other third-party vendors, those that rely on UNIX, Linux and OS X. Mobility, though, presents new challenges.

BYOD injects heterogeneity into businesses that were once technologically uniform. It also increases the number of devices used regularly by each employee. These developments mean that IT has had to deal with provisioning and monitoring devices that aren't always designed for its existing infrastructure, and over whose back ends it does not have complete control. For employees, meanwhile, the changes have meant additional authentication and security hoops to jump through, each of which is a potential drain on productivity and a possible threat to corporate compliance efforts.

The rise of software-as-a-service (SaaS) and cloud computing has been a particular stimulant for this challenge; access to traditional apps that ran natively on PCs could be easily negotiated using AD, but SaaS has often demanded that users maintain a separate user name and password for each service.

[ Learn more about how to keep BYOD risks in check. See Why Mobile Device Management Isn't Enough. ]

Centrify DirectControl for SaaS enables IT to bring these disparate devices and services back under centralized management, regardless of whether or not the devices are on the corporate network. As a cloud-based service, it does not require additional appliances or changes to the firewall, meaning that existing AD infrastructure, processes and skills can be applied not only to PCs but to a variety of smartphones and tablets.

In an interview, Centrify CEO Tom Kemp said this amounts to "an easy button" for IT. Without AD, he said, administrators might have to individually shut down access to dozens of applications when an employee leaves the company. DirectControl reduces this process to a single management console, regardless of what device was used.

For users, meanwhile, the AD integration means a single username and password can cover a range of apps. SaaS tools are accessed through MyApps, a browser-based launch page that can hook into hundreds of services, including Box, Salesforce, Microsoft Office 365, WebEx and Google Apps.

MyApps is part of a larger MyCentrify portal that also offers a number of self-service utilities through which devices can be remotely wiped or locked, passcodes can be reset and account activity can be monitored. This user autonomy allows lost or stolen devices to be addressed immediately, with no delay required to accommodate IT intervention; data is thus less likely to be compromised because the window of vulnerability can be reduced. The self-service functions also diminish IT burden in general, as users can handle many common tasks themselves. Liberated from the burden of day-to-day maintenance, administrators can pursue projects that are typically forced to the backburner.

Mobile users can also opt for "zero" sign-on. This feature recognizes that authenticating individual apps on a smartphone is particularly slow and inconvenient: because handsets are better suited to consumption than to data input, the tedious task of typing user credentials can be a legitimate impediment to productivity. DirectControl for SaaS avoids this aggravation by authenticating app access as soon as a device has been unlocked, without additional passcodes.

Several other BYOD security players offer or intend to offer SSO capabilities. For example, MobileIron recently integrated the feature into its product suite, and Dell plans to include Active Directory support in an upcoming Cloud Client Manager update.

Kemp said Centrify's offering is different because its built-in access to hundreds of SaaS apps facilitates a more seamless and secure deployment. Centrify's single and zero sign-on capabilities also can also extend to native rich media apps through a developer's SDK, further stretching its reach.

Centrify also manages aspects of security differently than some of its competitors. On the one hand, its identity-centric approach to protecting data eschews sandboxing, app wrappers and other tactics that some companies use to partition corporate content from personal content. On the other hand, Centrify's service confines user identity information to the existing AD infrastructure, keeping it under IT control. DirectControl for SaaS uses Centrify's Cloud Service to communicate between an on-premises AD and the user portal, but directory content is never replicated. For businesses leery of storing sensitive user data in the cloud, this distinction could be meaningful.

Perry Carpenter, a research VP at Gartner, said in an email that his "initial thoughts about this announcement are very positive." The new offering, he wrote, "addresses a very real customer need -- gaining greater control over SaaS -- while also offering proven strategies to simplify enterprise IT burdens."

Gregg Kriezman, also a Gartner research VP, expressed similar sentiments. "The new products give an AD-centric shop a way to do [mobile device management] fundamentals," he stated in an email, "but they also have the authentication and SSO pieces." On the topic of competing programs, he wrote that, "I think Centrify has pieces, and if you look at any one piece, you will find vendors that do that piece as well or better." He countered, however, that when all the components are strung together, "you have something that's pretty nice."