Educause Security Discussion mailing list archives
Re: Question for IT departments using LastPass
From: "Kimmitt, Jonathan" <jonathan-kimmitt () UTULSA EDU>
Date: Tue, 6 Aug 2019 12:13:56 +0000
Hi Dave,

We use LastPass Enterprise for our internal IT passwords, and it seems to work well. We chose to have a very flat structure, and have 5 shared folders (one for each IT department), and we used groups to grant permissions. There are some people who are in multiple groups, and 3 of the officers have admin (for backup purposes). All passwords within that department are visible to everyone in that department (we are a small university). All Chief Officers can see all passwords.

While there is some organization into subfolders within the parent shared folders, it's minor; instead we have focused on clear and understandable password labels, and most people use the search instead of trying to navigate the structure to find passwords. We also use the shared notes feature for some documentation.

We did NOT use AD or federated identity to auth our people; instead we let them set up their own passwords and required multi-factor. We chose to do this to make sure we had access in case our domain is offline.

IT Sec does an audit a couple of times a year to make sure we have all the passwords to primary systems (and they work), that the passwords meet complexity requirements, and that everyone uses multi-factor. We also require some documentation within the password notes on the hostname/IP and basic login info for DR-type scenarios (how to log in to the server, what service needs to be running, etc.).

I'm happy to answer any questions.
-Jonathan

~
Jonathan Kimmitt CISSP, PCIP, CEH, CIPM, GPEN, CIPT, CIPP/E
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of David Curry
Sent: Tuesday, August 6, 2019 6:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Question for IT departments using LastPass

We're just beginning our move off of Thycotic Secret Server and onto LastPass Enterprise for our IT department, to manage all the server, database, application, etc. passwords.

In our Thycotic environment, we took a very hierarchical approach to storing things, with permissions set generally along the org chart structure. The different "silos" of the department had access to different areas of the vault, and there wasn't much cross-silo access. That worked for a while, but as the organization started changing, it started getting in the way of getting things done.

Now we're thinking, partly because our organization has changed and there's much more cooperation and working together than there used to be, but also because LastPass doesn't support the same hierarchical storage model, that we should be organizing things more simply. But while we have some high-level ideas on how we might want to do this, we're not quite sure of the details. So we're hoping to learn from others who've already done it.

If your IT department is using LastPass internally to manage the department's passwords and share them with staff, how have you chosen to organize things storage-wise in LastPass (i.e., how have you named the folders and what have you put into them)? And how have you set up your user groups for sharing purposes?

Thanks,
--Dave

--
DAVID A. CURRY, CISSP
DIRECTOR • INFORMATION SECURITY & PRIVACY
THE NEW SCHOOL • INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.curry () newschool edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
**********
Current thread:
- Question for IT departments using LastPass David Curry (Aug 06)
- Re: Question for IT departments using LastPass Kimmitt, Jonathan (Aug 06)
- Re: Question for IT departments using LastPass Greg Williams (Aug 06)