Userify: role-based security for Devs and Engineers

Userify sets up administrative and developer users in Rackspace and Amazon clouds and adds secure SSH keys to the new home directories. It also makes it easy to specify which user gets root permissions on each instance.

  • SSH & Roles

    Userify gives you a control panel and API that deploys your SSH credentials and sudo roles across all of your cloud instances.

  • Cloud Decentralized

    It deploys in seconds and creates native Linux accounts on your cloud instances, so there’s no central server that can crash or be hacked to keep you out of your instances.

  • Secure Agent

    Userify works by running a very small, non-root, source-available agent on each of your end-node instances.

How it Works

Userify easily deals with the highly dynamic environment of the cloud, as well as standard datacenter duties. Userify installs a small, open source agent on each of your end-node instances. The agent connects to the central user manager instance and updates the user accounts on the system within seconds, creating or deleting users as needed.


Userify completely eliminates the central point of failure of relying on an enterprise directory for core administrative logins, since each instance performs its own authentication.


Userify creates the accounts as soon as the instance boots or when a new user is added in the control panel, and removes accounts within seconds upon demand, to ensure compliance with SOX, HIPAA, NIST, and PCI.

Decentralized Architecture

Userify’s decentralized Agent-based infrastructure means that even if Userify is DDoS’ed or down, or even if you cancel your account, you can still get into your instances — because that’s the only thing that really matters.

With centralized authentication systems like LDAP and Active Directory, an attacker can actually create a local account and then use that very instance to DoS your critical authentication infrastructure! Even worse, if your LDAP or AD lives inside a protected HQ, you almost certainly don’t want to allow direct access to it!

Userify isolates your cloud authentication infrastructure from your internal user database and allows you to design your architecture any way you like. Want to push your user database from your existing Enterprise Directory (ED) to Userify? Our API lets you do so in no time!

  • Incredibly reliable architecture

    No other centralized system creates local accounts that will survive the failure of any central server. Userify only centralizes the management of the user accounts, but the user accounts are still distributed, just like you probably do it now manually.

  • Remove a user from all of your instances with one action

    One action can target all your instances, so when you need to remove, add or modify privileges for only one user, you can do it easily from your control panel across all of your instances or servers.

  • Designed for agile enterprise management

    Userify provides the right tool to make management and control easy and safe for large and complex needs and natively supports agile project/team methodologies.

Features

    Manage your Cloud Server Instances

Keep your instance data and information safe by giving your users only the access they need. Instantly assign root privileges to a user with a click of a button, even from your mobile phone!

  • Give access only to the people you want

    Easily control privileges of administrators and engineers and manage them across all your instances from one control panel.

  • Single-view Auditing of Permissions

    Instantly view a color-coded view of current user permissions on any group of servers.

  • Support SSH and API role based Authorization and Authentication

    Better iteration between administrators and developers means using the right tool for the job.

  • Layered Permission Structures

    Userify breaks down permissions into organization Projects and Instance Groups within each project. For example, for an e-commerce application deployment, the Project might be named Storefront and it might contain instance groups such as Web, RDS, and App Servers. Server instances are registered within an instance group and users are deployed across an entire group of server instances at once, in seconds.

  • Flexibility for Agile Development and Continuous Integration

    Users are not constrained to a strict corporate hierarchy: project administrators can instantly allocate any level of login or root privileges to any user in the organization, regardless of team.

We minimize the storage and use of any secret material.

In fact, we don’t even have logins into your servers!

We also validate that the public key you are uploading is an actual public key through a simple string check and warn you if it looks like whatever you’re uploading isn’t a public key. We recommend RSA ssh2 keys but also accept DSS. (You can instantly rotate your key everywhere you have access, right in the Userify console!)
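An upload check of this kind, as an added example (not Userify's code): it goes beyond a plain string check by decoding the base64 blob and confirming that the algorithm name embedded in it matches the type prefix, and it refuses anything that looks like private key material. The function name `check_public_key` and the sample lines are assumptions constructed for illustration.

```python
import base64
import binascii
import struct

# Key types named on the page: RSA (recommended) and DSS (accepted).
ALLOWED_TYPES = {"ssh-rsa", "ssh-dss"}

def check_public_key(line: str) -> str:
    """Return 'ok' or a short reason why `line` is not an acceptable public key."""
    text = line.strip()
    if "PRIVATE KEY" in text:
        return "private key material"          # never accept or store this
    fields = text.split(None, 2)               # type, base64 blob, optional comment
    if len(fields) < 2:
        return "not in 'type base64 [comment]' form"
    key_type, b64 = fields[0], fields[1]
    if key_type not in ALLOWED_TYPES:
        return "unsupported key type"
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return "blob is not valid base64"
    # The blob begins with a length-prefixed algorithm name (SSH wire string).
    if len(blob) < 4:
        return "blob too short"
    (name_len,) = struct.unpack(">I", blob[:4])
    name = blob[4:4 + name_len]
    if name != key_type.encode("ascii"):
        return "type prefix does not match blob"
    if len(blob) <= 4 + name_len:
        return "blob has no key data"
    return "ok"

def _constructed_line(prefix: str, inner: bytes, body: bytes = b"\x00" * 16) -> str:
    """Build a structurally shaped sample line (constructed; not a real key)."""
    blob = struct.pack(">I", len(inner)) + inner + body
    return f"{prefix} {base64.b64encode(blob).decode()} user@example"

SAMPLES = {  # constructed inputs for illustration only
    "good": _constructed_line("ssh-rsa", b"ssh-rsa"),
    "mismatch": _constructed_line("ssh-rsa", b"ssh-dss"),
    "private": "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----",
    "garbage": "ssh-rsa not*base64 user@example",
}
```

This checks structure only; it does not verify key length or that the key parameters are mathematically valid.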

To do the job, we only need a user’s public key, so we also don’t currently generate key pairs. I’m not so sure that’s such a good practice, anyway. It’s convenient, but it doesn’t promote safe/secure key education and also requires the vendor to hold your private keys, even if only for a limited period of time. Private keys should be just that. Even worse, keys generated in a virtual server (i.e., an EC2 instance) may not have sufficient entropy.

Userify’s mission is partly educational, to help developers, admins, and non-security-types get up to speed with the awesome capabilities of SSH as well as learn how to use it securely.

 

Encrypted communications protect everyone

If Userify were ever completely compromised, and even if it stayed compromised (for example, if someone could sniff the TLS traffic or spoofed the SSL certificate and was able to maintain a MITM attack), any data loss would be minimal.

We only have public keys. Even your web password is salted and hashed with SHA-256 (certified for Top-Secret Classified materials) right in the web browser before it even gets to us! Even if our password database was compromised, those passwords couldn’t be used anywhere else and the plain text of those passwords would only be accessible through brute-force (which for SHA-256, as you know, would pretty much be fantasy at least in our lifetime).

In terms of security algorithms, we store salted double-hashed SHA-256 passwords, which are used to log into the web interface, and public keys only. All communications, both server-to-server and user-to-server, take place through 2048-bit TLS.

Userify takes security and privacy very seriously.