Re: Password Storage

[Garrett Hildebrand <gdh () UCI EDU>]

We do scheduled backups of the database also, and in addition,
the backups are backed up to another site on campus, and those
backups rotate off-campus weekly.

Additionally, we are running the Windows server that Secret Server
runs on on a VM, and a twice-daily Veeam replication takes place
at midnight and noon to another VM which is in a geographically
different location (San Diego versus Irvine).  This is a perfect
clone (replicant) of the VM here. In the event of a local disaster,
we can take the remote VM to an active state, change DNS to point
to it, and we are done. The Veeam replication allows for changing
the IP address in the replicant.

(more on Veeam here:
https://www.veeam.com/blog/starting-with-vmware-vm-replication-using-veeam-availability-suite.html

However, we are currently considering building a secure cloud
infrastructure and putting it there. Our campus uses AWS, but
my group is not happy with the security of it.

Garret
-==-==-
G.D. Hildebrand              Senior IT Security Analyst
UC Irvine, OIT, 6137 Ayala Sci Lib., Irvine, 92697-1175
tel.: 949-824-8913                   email: gdh () uci edu
*Splunk - the Benihana of log-data slicing and dicing.*

Don't be a victim of phishing. Legitimate businesses don't ask you
to send sensitive information through insecure channels. Learn more:
http://er.educause.edu/blogs/2016/3/april-dont-get-hooked
Handle passwords wisely: http://www.bbc.com/news/technology-37510501


Today (Thu, 17 Nov 2016) at 22:27 -0000 Taylor Randle wrote:

> Hi Thomas,
>
> All editions of Secret Server have the ability to schedule backups of the database/IIS directory ??? in addition, an 
> admin can perform a plain text export of all ???secrets??? in a printable format ??? which could be stored in a 
> safe/lock box/etc. We???re happy enough simply backing up the database/IIS dirs (very) regularly and keeping the 
> backups in a separate location. The paid versions also support clustering/HA (as an add-on) but we have not seen the 
> need to go that direction just yet.
>
> As far as having everything in one basket, we???ve see more benefit than risk so far. Centralizing the storage of 
> passwords simplifies auditing and ensures compliance with password policies, etc. Then there???s the scenario where 
> someone leaves the University and there???s a mad scramble to change the passwords they had access to or get into 
> some third party account they used their creds for. Secret Server allows us to quickly determine what passwords they 
> had access to with a simple report ??? and even delete all those passwords in one click ??? although that seems 
> pretty extreme.
>
> Hope this helps.
>
> ~Taylor
>
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas 
> Carter
> Sent: Thursday, November 17, 2016 3:51 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Password Storage
>
> I???ve looked into Thycotic; does the ???all in one basket??? aspect concern you? A problem with the server 
> (corruption / failure / etc) and you have no passwords? What DR options do you have with your vault?
>
> Thomas Carter
> Network & Operations Manager / IT
> Austin College
> 900 North Grand Avenue
> Sherman, TX 75090
> Phone: 903-813-2564
> www.austincollege.edu<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.austincollege.edu_&d=CwMGaQ&c=Gm3BBxc8aT6kWRgL0BN82PxksiHdQKp4W7aI7_AdSxA&r=xDtDABfGYGJ71kVjoddAkDo50mNveYXRZ9AXjiL6brc&m=y8pN_cscxNfv8S487z5tCTS1wCGMV29tYU1_z6XqFEg&s=1V03MOtsPCTNTmM6kdW1NdImRi90gXogNszEPoTWek8&e=>
> [http://www.austincollege.edu/images/AusColl_Logo_Email.gif]
>
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David 
> Curry
> Sent: Thursday, November 17, 2016 9:35 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: Re: [SECURITY] Password Storage
>
> We are also using Thycotic Secret Server and have been for four or five years now. We've had it in a "high 
> availability" configuration (basically an active/passive failover configuration) for about three years. We don't use 
> the automatic password change functionality (one of these days...), but we have a few dozen people from three 
> different teams using the vault on a daily basis and it works quite well.
>
> Support is always a pleasure to work with; I usually just do upgrades with one of their folks over a GoToMeeting 
> screen share, and it goes smoothly. Integrating it with our two factor solution was easy as well (they have 
> out-of-the-box support for pure RADIUS solutions like SecurID; our solution requires a little extra).
>
> --Dave
>
>
>
>
>
> --
>
> DAVID A. CURRY, CISSP
> DIRECTOR OF INFORMATION SECURITY
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 ??? david.curry () newschool edu<mailto:david.curry () newschool edu>
>
> [The New School]
>
> On Thu, Nov 17, 2016 at 10:18 AM, Jones, Justin <jucjones () iu edu<mailto:jucjones () iu edu>> wrote:
> My department, we use KeePass, it???s decent, but I personally use 1Password, and they have 1Password for teams now.
>
> Justin Jones
> VPR Information Technology Support (VPR IT)
> Office of the Vice President for Research
> IT Support Specialist ??? Team Lead
> 980 Indiana Ave
> Office:  2214 Lockefield Village
> 317-274-8962
>
>
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () 
> LISTSERV EDUCAUSE EDU>] On Behalf Of Chris Green
> Sent: Thursday, November 17, 2016 10:09 AM
>
> To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: Re: [SECURITY] Password Storage
>
> Bill,
>
> Are you allowing others on campus to use the personal version, or are you using the enterprise version for your 
> campus?
>
>
> Thanks,
>
> -C.
>
> Chris Green
> Information Security Officer
> University of Texas at Tyler
> cgreen () uttyler edu<mailto:cgreen () uttyler edu>
>
>
>
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
> Barnes, William
> Sent: Thursday, November 17, 2016 9:00 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: Re: [SECURITY] Password Storage
>
> I???m personally using lastpass, and I???ve been recommending it to people here that ask for a password manager.
>
>
> Thanks!
> --Bill
> *************************************************************************
> * Bill Barnes, RHCE, CISSP
> * Manager of Technology Support Services
> * and Library Network Administrator
> * Technology Support Services
> * Bloomsburg University
> * ph: 570-389-2813
> * e-mail: wbarnes () bloomu edu<mailto:wbarnes () bloomu edu>
> *************************************************************************
>
>
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin 
> Crider
> Sent: Thursday, November 17, 2016 9:58 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: [SECURITY] Password Storage
>
> Does anyone have any recommendations for password storage?
>
> We???re evaluating Keeper (which we???ve heard some disparaging things about their support), and Last Pass.
>
>
> Thanks,
>
> Kevin
>
> --
> Kevin Crider
> Director, Enterprise Systems
> Skidmore College
> 815 North Broadway
> Saratoga Springs, NY 12866
> 518.580.5929
> kcrider () skidmore edu<mailto:kcrider () skidmore edu>