A Security Overview Of The Centrify Cloud


POLICY GUIDE

A Security Overview of the Centrify Cloud

How your end users’ usernames and passwords are kept secure within the Centrify Cloud

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation.

Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Centrify, DirectControl and DirectAudit are registered trademarks and Centrify Suite, DirectAuthorize, DirectSecure and DirectManage are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. RightScale is a registered trademark of RightScale, Inc.; ServerTemplates and RightScripts are trademarks of RightScale, Inc. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

WWW.CENTRIFY.COM

Contents

Abstract 3
Overview 4
Systems and Cloud Tenant Security 5
User Security 10
Physical & Data Center Security – Azure Data Centers 13
Centrify Compliance & Certifications 15
Microsoft Azure Compliance & Certifications 17
Conclusion 18

2015 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. WWW.CENTRIFY.COM

Abstract

Fueled by advances in cloud computing technology and economies of scale, more organizations are moving to cloud-based applications. This shift, coupled with the explosion of mobile computing, means IT organizations need solutions to consolidate and manage end user credentials. At the same time, they must ensure their users can get single sign-on (SSO) to their apps, and can have secure access to those apps from any location and from any device.

IT organizations must understand how their users’ personal data is transmitted, stored, managed and secured by the cloud-based services that facilitate the management of their users’ apps, devices and digital identities.

This document describes the overall architecture and details the security of the Centrify Cloud, which is the underlying Identity-as-a-Service (“IDaaS”) platform that powers Centrify’s cloud app and mobile management solutions. The Centrify Cloud comprehensively meets customers’ demands for the safekeeping of their users’ personal data while delivering the industry’s most comprehensive mobile and cloud identity management solution.

Overview

The Centrify Identity Service unifies cloud app and mobile device management into an enterprise cloud service, to secure and manage application access from anywhere. By leveraging a single user identity across cloud, mobile and on-site apps, IT can manage the full app lifecycle. They can enforce identity-based access policies, to eliminate the hassles of multiple passwords, and enforce a consistent security policy.

Users can automatically access cloud and mobile apps with just a click or tap, without having to remember multiple passwords. Apps are automatically provisioned through Centrify’s Cloud, for seamless user onboarding, role-based access, and de-provisioning when a user leaves the organization or changes roles. Centrify Identity Service eliminates barriers to user productivity, and gives IT the tools they need to manage and secure cloud and mobile apps. For mobile application developers, Centrify delivers the first cloud-based service that enables developers to provide corporate users with a “zero sign-on” experience and strong authentication.

In this white paper, we will discuss the infrastructure on which the Centrify Cloud — the underlying Identity-as-a-Service (“IDaaS”) platform for the Centrify Identity Service — is built, and the mechanisms that secure customer data at rest and in motion. We will look at the Microsoft Azure platform-as-a-service that the Centrify Cloud utilizes, the design of the Centrify Cloud infrastructure, how data is secured on the end-user device, and the certifications Centrify has passed.

Systems and Cloud Tenant Security

Centrify Cloud Infrastructure

The Centrify Cloud is a cloud service that operates on the Microsoft Azure platform-as-a-service. Within the Azure data centers that host the Centrify Cloud are building blocks called “pods,” operated and developed by Centrify, each of which is a collection of highly available virtual servers running the software that powers the Centrify Cloud.

Each pod services one or more tenants (i.e. customers of the Centrify Cloud), and can handle hundreds of thousands of simultaneous users across any number of tenants. Each tenant belongs to one pod and cannot move between pods. A pod has web servers, cache servers, and worker servers. The web traffic is shared amongst the web servers via a round-robin load balancer.

There are at least two of each server type for redundancy. These are not fixed numbers; they are just shown for purposes of illustration. The communication between the servers within the pod is managed over a private high-speed network inside the pod. All storage (apart from performance-related caching) is outside the pod in Azure, but each pod has its own storage. Each pod is replicated to a separate Azure Data Center for redundancy and disaster recovery.

A collection of multiple pods comprises a “podscape,” with a master pod for each podscape. The master pod is the managing server for each podscape. It hosts no tenants, but instead routes users to their respective pods. Within any given podscape, naming convention uniqueness is maintained between tenants to ensure that users are routed to their unique pods.

Pods and podscapes operate across a number of data center locations around the world as shown below.

Availability and Redundancy of the Centrify Cloud Infrastructure

To protect against software or hardware failure, all components at the pod level are at least doubled, and failover is automatic between these servers. The Azure storage is replicated three times in a given data center. All data within the pods is also replicated into a hot standby system.

In addition, Centrify takes full and differential backups once a week that are stored in a different set of geo-replicated Azure storage accounts.

[Figure: Centrify Production Pod with its Azure Storage (Primary Storage holding Tenant 1, Tenant 2 and Tenant 3 data), geo-replicated to a Centrify Standby Pod with its own Azure Storage copy of the tenant data.]

Cloud Tenant and Storage Security

The Centrify Cloud certificate for TLS/SSL was issued to Centrify by VeriSign. This certificate is used for all TLS/SSL mutual authentication and encryption to the cloud service. The certificate is issued with a 2048-bit key.

The Centrify Cloud Service creates a root CA for each tenant. This CA issues all the certificates for the tenant with the exception of device certs — those are issued by a CA that applies to the whole cloud service.

- Only Centrify operations has access to the Azure maintenance tools, and can access customer data under strictly controlled and audited conditions that are certified under SOC 2.
- All data is stored on Azure storage outside the pod and protected with Azure access keys.
- Within that encrypted Azure storage, the Centrify Cloud further encrypts the tenant’s user data with AES 256-bit using the tenant’s unique encryption key.
- The tenant’s unique encryption keys are encrypted with a Master Key and stored in the pod configuration database, away from the Azure database.
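The key hierarchy just described, as an added example that is not Centrify’s code or documentation: a pod-level Master Key wraps each tenant’s unique key, and user data is encrypted with AES-256 under that tenant key before it reaches storage, so the wrapped keys and the ciphertext live in different places. Assumed here because the document does not say: AES-256-GCM as the AES mode, the tenant ID as GCM associated data, and in-memory maps standing in for the pod configuration database and the Azure storage account.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed illustration of the tenant key hierarchy; assumed, not from the
// document: AES-256-GCM, tenant ID as associated data, maps in place of the stores.
type Pod struct {
	masterKey []byte            // held only inside the pod
	Config    map[string][]byte // tenant ID -> tenant key wrapped under the Master Key
	Storage   map[string][]byte // tenant ID -> user data encrypted under the tenant key
}

func randomKey() ([]byte, error) {
	k := make([]byte, 32) // 32-byte key selects AES-256
	_, err := rand.Read(k)
	return k, err
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prefixes the random nonce to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, a wrong tenant ID, or a missing or tampered blob fails.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil || len(sealed) < g.NonceSize() {
		return nil, errors.New("bad key or missing/truncated ciphertext")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

func NewPod() (*Pod, error) {
	mk, err := randomKey()
	return &Pod{mk, map[string][]byte{}, map[string][]byte{}}, err
}

// ProvisionTenant creates the tenant's unique key and stores only its wrapped form.
func (p *Pod) ProvisionTenant(tenant string) error {
	tk, err := randomKey()
	if err != nil {
		return err
	}
	p.Config[tenant], err = seal(p.masterKey, tk, []byte(tenant))
	return err
}

func (p *Pod) tenantKey(tenant string) ([]byte, error) {
	return open(p.masterKey, p.Config[tenant], []byte(tenant))
}

// StoreUserData encrypts under the tenant key before the data leaves the pod.
func (p *Pod) StoreUserData(tenant string, data []byte) error {
	tk, err := p.tenantKey(tenant)
	if err != nil {
		return err
	}
	p.Storage[tenant], err = seal(tk, data, []byte(tenant))
	return err
}

// LoadUserData unwraps the tenant key, then decrypts the blob fetched from storage.
func (p *Pod) LoadUserData(tenant string) ([]byte, error) {
	tk, err := p.tenantKey(tenant)
	if err != nil {
		return nil, err
	}
	return open(tk, p.Storage[tenant], []byte(tenant))
}
```

A blob copied out of storage, or the configuration database taken without the pod’s Master Key, yields neither plaintext nor a usable tenant key, which is the separation the two storage locations are meant to provide.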

[Figure: Centrify Pod. Web Servers, Cache Servers and Worker Servers on a Private Internal Network behind a Load Balancer; the Worker Servers hold the Master Key used to encrypt the Tenant Keys; Azure Storage holds Tenant 1, Tenant 2 and Tenant 3 data, each encrypted with its own Tenant Key.]

Cloud Connector Security

As shown in the diagram below, for customers who want to integrate the Centrify Cloud with their on-premises Active Directory, a Centrify-supplied software program called the Centrify Cloud Connector needs to be installed inside their environment. The Centrify Cloud Connector is a simple Windows service that runs behind a customer’s firewall to provide real-time authentication, policy and access to user profiles without synchronizing data to the cloud. The Cloud Connector seamlessly integrates with Active Directory without opening extra ports in an organization’s firewall, or adding devices in their DMZ.

The Cloud Connector delivers the following security capabilities:

- For each tenant, a unique PKI certificate is issued from the Centrify Cloud to the Cloud Connector during registration
- The Cloud Connector registration code is provided to authorized admins after login to Cloud Manager
- All communications between the Centrify Cloud and the Centrify Cloud Connector are encrypted and mutually authenticated for each tenant using these unique certificates
- None of the traffic between the Centrify Cloud and the Cloud Connector can be read by the Azure infrastructure
- All the traffic between the Cloud Management Console and User Portal is sent over HTTPS with a VeriSign-signed certificate for *.centrify.com

Operational Security

The architecture of the Centrify Cloud and the on-premises Cloud Connector also offers the following operational security capabilities:

- Class-leading Active Directory and LDAP integration with no replication of users, and multi-forest support
- Built-in Integrated Windows Authentication (IWA) for silent authentication from corporate networks
- When a user account is disabled within Active Directory or LDAP, the user will be automatically logged off from the user portal upon notification from the Centrify Cloud Connector, which monitors on-premises directories for changes. Similarly, when a user account is disabled within the Centrify Cloud Directory, the user will be automatically logged off from the user portal.
- No user data is cached or stored on the user’s mobile device or within any browser
- User credentials are decrypted only inside the Centrify Cloud and inserted into the user’s browser over SSL. At no point are the user credentials stored or transmitted in the clear
- Cloud-based platform for IT administrators to manage their mobile workforce provides monitoring, reporting and auditing as well as mobile device management, container management and application management
- Role-based rights management for administration and application access
- All the administrative traffic between the Cloud Management Console and the Centrify Identity Service is sent over HTTPS with a VeriSign-signed certificate for *.centrify.com

Certificates

Specific to the mobile devices being managed by the Centrify Cloud, some of the security capabilities include the fact that certificates are issued to the devices at enrollment to support mutual authentication for all device management operations. When a device policy requires a certificate for Wi-Fi 802.1x, VPN or Exchange Active Sync authentication, the device will request the certificate through the cloud tenant service from the on-premises Microsoft Certificate Server. All resource requests are encrypted with TLS 1.2.

User Authentication Certificates are issued to the Centrify mobile client at login and to Mac users at enrollment, to support Zero Sign-on services.

[Figure: Enrollment and Certificate Management with Centrify. Components: User Device, Centrify Cloud, Centrify Cloud Connector, Tenant Server, Tenant Certificate Authority, Domain Certificate Authority, Active Directory. Flows labelled: device enrollment with Device Certificate; OTP authentication for registration and certificate requests from Tenant CA; certificate for VPN or 802.1x Wi-Fi auth.]

Security Testing

On a monthly basis, the Centrify Security Committee reviews the need to update security, availability and confidentiality policies, and implements changes as necessary.

Centrify’s security policies include, but may not be limited to, the following matters:

- Identifying and documenting the security requirements of authorized users
- Classifying data based on its criticality and sensitivity; that classification is used to define protection requirements, access rights and access restrictions, and retention and destruction requirements
- Assessing risks on a periodic basis
- Preventing unauthorized access
- Adding new users, modifying the access levels of existing users, and removing users who no longer need access
- Assigning responsibility and accountability for system security
- Assigning responsibility and accountability for system changes and maintenance

- Testing, evaluating, and authorizing system components before implementation
- Addressing how complaints and requests relating to security issues are resolved
- Identifying and mitigating security breaches and other incidents
- Providing for training and other resources to support its system security policies
- Providing for the handling of exceptions and situations not specifically addressed in its system security policies
- Providing for the identification of and consistency with applicable laws and regulations, defined commitments, service level agreements, and other contractual requirements
- Providing for sharing information with third parties

Centrify’s security testing practices:

- Security tests are regularly conducted and tuned using penetration testing tools.
- Centrify routinely runs static/dynamic analysis utilizing network scanning tools.
- Centrify hires third-party security experts each year to expose vulnerabilities, manually simulate various attacks, and perform manual code scanning.

User Security

Cloud Applications and Single Sign-on

By leveraging a single identity across cloud, mobile and onsite apps, IT can manage the full app lifecycle and enforce identity-based access policies, to eliminate the hassles of multiple passwords and enforce consistent security policy.

Security benefits include:

- Traffic between the Centrify User Portal and the Centrify Identity Service is encrypted with class 3 certificates signed by VeriSign
- Enforce user policy from a single authoritative source, eliminating “policy silos” for each app

- Access only to IT-approved applications
- Control cloud and mobile applications through identity-based policy, based on a single authoritative source for identity, and by managing the device used for access
- Improve security by eliminating the use of easy-to-remember and/or improperly stored passwords
- User passwords are stored in the tenant database encrypted with AES-256 symmetric keys
- Each cloud tenant has its own unique private key pair that cannot be used on any other cloud tenant
- Unique Centrify mobile app for zero sign-on (ZSO) to authorized apps
- Selectable Multi-Factor Authentication (MFA) authentication factors:
  - Centrify Mobile Authenticator soft token One Time Password (OTP)
  - Interactive mobile phone call to verify user factor
  - One Time Passcode sent via SMS or email
- Trigger multi-factor or step-up authentication based on per-app policy
- Rich policy script to check the context of the authentication request based on time of day, network location, role, user attributes, device attributes and client type, to deny access or require additional authentication factors

Mobile Security

The Centrify Identity Service provides a full complement of mobile device management tools to protect corporate data and access across devices. The Centrify Identity Service includes extensive support of Samsung KNOX, with support for the advanced features of Samsung for Enterprise KNOX Workspace device management policies. For iOS 7 and iOS 8, Centrify enables business management and features including “Open in” control, Per-App VPN and the new Mobile Device Management (MDM) configuration options.

Mobile Identity Services

Centrify Identity Service provides extensive identity capabilities for mobile devices. Some of the features include:

- SSO for native and web apps utilizing the device’s enrolled identity. This is tied to Active Directory and/or a cloud-based directory service
- Automated Certificate Management for auto-issuance and renewal of user and computer certificates through Microsoft CA for PKI authentication to Wi-Fi, VPN and Exchange Active Sync

- Exchange Access Management through automated management of the Allow/Block/Quarantine access rights to users’ mailboxes
- Exchange Active Sync (EAS) Server Access Management combined with PKI-based device authentication for the most stringent access controls. Users are required to enroll their mobile devices to access your organization’s email infrastructure
- Protection of your organization’s email access by leveraging existing investment in Exchange Servers, without requiring any new servers or gateways. To ensure email privacy, the data flow between the mobile client and Exchange servers is not interrupted or modified.

Mobile Device Management

To complete the security solution for mobile devices, Centrify provides MDM functionality not found in competing IDaaS offerings.

- Web and mobile application authentication and access management from a single console
- Role-based mobile application distribution supports user-centric mobile application installation and management for custom and commercial applications on iOS and Android
- Enterprise App Store provides a user self-service mobile app management interface for enterprise distribution of rich mobile client apps
- Allows IT administrators to require mobile devices to have a passcode and set the complexity desired
- Provisioning of Wi-Fi, VPN and email settings for both TouchDown and the built-in Samsung email client
- Remote management of Samsung KNOX devices including wipe, lock, reboot, power off and lockout
- Configurable security settings such as requiring encryption of removable storage and disallowing un-enrollment from MDM
- Full application management for the device, including automatic installation of public and private apps, app whitelisting/blocking, and restricting the applications that can be launched
- Configurable device Bluetooth settings and restrictions, firewall settings, and other device settings and restrictions such as tethering, USB debugging and data usage
- Configurable roaming settings for mobile devices
- Apple Volume Purchase Program (VPP) support for paid mobile applications

Mobile Container Management

Containers can provide an additional layer of security for sensitive corporate data. Centrify’s Identity Service supports the deployment and management of the Samsung KNOX mobile container. The solution allows for application and identity services from within the container.

- Full support for Samsung KNOX container management
- Remote container administration supporting container create, lock, and wipe
- Full mobile container policy enforcement for complete configuration and policy management to apply container-specific policies (e.g. apps allowed)
- Role-based container application management supporting application installation and whitelisting, along with Single Sign-on service authorization control

- IT administrator-configurable browser settings/restrictions for the Samsung KNOX container
- Configurable VPN settings for the container, including the ability to provide specific VPN settings on a per-app basis, thus ensuring that only desired apps can access the internal corporate network
- Email provisioning and configuration/restrictions for the Samsung KNOX container
- Configurable passcode complexity requirements for the KNOX container, and container restrictions, such as disallowing camera usage and controlling what apps can be used to share data within the container

Mobile App Management

The Centrify Identity Service completes the offering with application management for mobile devices, including support for:

- Web and mobile application authentication and access management from a single console
- Role-based mobile application distribution supports user-centric mobile application installation and management for custom and commercial applications on iOS and Android
- Enterprise App Store provides a user self-service mobile app management interface for enterprise distribution of rich mobile client apps
- Apple Volume Purchase Program (VPP) support for paid mobile applications

Physical & Data Center Security — Azure Data Centers

Running the Centrify Cloud in Azure data centers means Centrify customers get the benefit of Microsoft’s cutting-edge security practices and unmatched experience running some of the largest online services around the globe.

Design and Operational Security

By being hosted in Microsoft Azure, the Centrify Cloud leverages Microsoft’s industry-leading best practices in the design and management of online services, including:

- Security Centers of Excellence: The Microsoft Digital Crimes Unit, Microsoft Cybercrime Center, and Microsoft Malware Protection Center provide insight into evolving global security threats.
- Security Development Lifecycle (SDL): Since 2004, all data center/cloud products and services have been designed and built from the ground up using its Security Development Lifecycle, a comprehensive approach for writing more secure, reliable and privacy-enhanced code.
- Operational Security Assurance (OSA): The OSA program provides an operational security baseline across all major cloud services, helping ensure key risks are consistently mitigated.

- Assume Breach: Specialized teams of security engineers use pioneering security practices and operate with an ‘assume breach’ mindset to identify potential vulnerabilities and proactively eliminate threats before they become risks to customers.
- Incident Response: Microsoft operates a global 24x7 event and incident response team to help mitigate threats from attacks and malicious activity.

Security Controls and Capabilities — Azure Data Centers

Azure data centers provide additional levels of security around cloud applications and infrastructure, including:

24-hour monitored physical security
Data centers are physically constructed, managed, and monitored to shelter data and services from unauthorized access as well as environmental threats.

Monitoring and logging
Security is monitored with the aid of centralized monitoring, correlation, and analysis systems that monitor devices within the environment and provide timely alerts. Multiple levels of monitoring, logging, and reporting are available to provide visibility to customers.

Patching
Integrated deployment systems manage the distribution and installation of security patches. Customers can apply similar patch management processes for Virtual Machines deployed in Azure.

Antivirus/Antimalware protection
Microsoft Antimalware is built into Cloud Services and can be enabled for Virtual Machines to help identify and remove viruses, spyware and other malicious software and provide real-time protection. Customers can also run antimalware solutions from partners on their Virtual Machines.

Intrusion detection and DDoS
Intrusion detection and prevention systems, denial of service attack prevention, regular penetration testing, and forensic tools help identify and mitigate threats from both outside and inside of Azure.

Zero standing privileges
Access to customer data by Microsoft operations and support personnel is denied by default. When granted, access is carefully managed and logged. Data center access to the systems that store customer data is strictly controlled via lock box processes.

Isolation
Azure uses network isolation to prevent unwanted communications between deployments, and access controls block unauthorized users. Virtual Machines do not receive inbound traffic from the Internet unless customers configure them to do so.

Azure Virtual Networks
Customers can choose to assign multiple deployments to an isolated Virtual Network and allow those deployments to communicate with each other through private IP addresses.

Encrypted communications
Built-in SSL and TLS cryptography enables customers to encrypt communications within and between deployments, from Azure to on-premises data centers, and from Azure to administrators and users.

Private connection
Customers can use ExpressRoute to establish a private connection to Azure data centers, keeping their traffic off the Internet.

Data encryption
Azure offers a wide range of encryption capabilities up to AES-256, giving customers the flexibility to implement the methods that best meet their needs.

Centrify Compliance & Certifications

Centrify addresses a wide range of international, country, and industry-specific regulatory requirements by providing compliant, independently verified cloud services. In addition, an extensible compliance framework enables Centrify to design and build services using a single set of controls, to speed up and simplify compliance across a diverse set of regulations and rapidly adapt to changes in the regulatory landscape. The Centrify Cloud is certified with SOC 2 and TRUSTe.

SOC 2 SSAE 16/ISAE 3402 Attestations

Centrify has successfully passed an independent audit against the rigorous SSAE 16 SOC 2 Type II standard and achieved compliance, a prestigious accomplishment showcasing Centrify’s longstanding commitment to securing customer data. Information security is far reaching and ingrained into Centrify’s culture, and is evident from the design of the service and infrastructure to the processes and people. Furthermore, achieving compliance demonstrates Centrify’s dedication to both its existing high security standards and Centrify’s ability to quickly and effectively raise the bar and adapt to the changing information security climate.

Audits are conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE) No. 16 put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) and International Standard on Assurance Engagements (ISAE) 3402 put forth by the International Auditing and Assurance Standards Board (IAASB). In addition, the SOC 2 Type 2 audit included an examination of the Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA).

Customers should contact their Centrify representative to request a copy of the SOC 2 reports.

TRUSTe

Centrify has been awarded the TRUSTe privacy Trustmark and is Safe Harbor compliant. Centrify is committed to privacy and transparency. The Centrify Privacy Policy can be viewed here. The TRUSTe mission, as an independent third party, is to accelerate online trust among consumers and organizations globally. Through the process of achieving TRUSTe compliance, our Privacy Policy is scrutinized to ensure it is accurate with respect to our offered services, and our services are scanned for potential privacy threats, ensuring that you are receiving the expected level of privacy for your users. For more information please visit the TRUSTe website.

Safe Harbor

Centrify also complies with the U.S. — E.U. Safe Harbor framework and the U.S. — Swiss Safe Harbor framework as set forth by the U.S. Department of Commerce regarding collection, use and retention of personal data from European Union member countries and Switzerland. You can learn more about the Safe Harbor program and view our certification by visiting the Safe Harbor website.

Cloud Security Alliance Cloud Controls Matrix

Centrify has been audited against the Cloud Controls Matrix (CCM) established by the Cloud Security Alliance (CSA). The audit was completed as part of the SOC 2 Type 2 assessment, the details of which are included in that report. This combined approach is recommended by the American Institute of Certified Public Accountants (AICPA) and CSA as a means of meeting the assurance and reporting needs of the majority of cloud services users.

The CSA CCM is designed to provide fundamental security principles to guide cloud vendors and to assist prospective customers in assessing the overall security risk of a cloud provider. By having completed an assessment against the CCM, Centrify offers transparency into how its security controls are designed and managed, with verification by an expert, independent audit firm.

Microsoft Azure Compliance & Certifications

In
