Re: Password Storage

[David Curry <david.curry () NEWSCHOOL EDU>]

Veeam plus database backups to a file share (also backed up) here as well.

David A. Curry,  CISSP
Director of Information Security
The New School -  Information Technology
71 Fifth Ave., 9th Fl. ~ New York, NY 10003
+1 212 229-5300 x4728 ~ david.curry () newschool edu
Sent from my phone; please excuse typos and inane auto-corrections.

On Nov 17, 2016 19:57, "Taylor Randle" <TRandle () parker edu> wrote:

> +1 for Veeam - we're using it as well
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Garrett Hildebrand
> Sent: Thursday, November 17, 2016 6:27 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Password Storage
>
> We do scheduled backups of the database also, and in addition, the backups
> are backed up to another site on campus, and those backups rotate
> off-campus weekly.
>
> Additionally, we are running the Windows server that Secret Server runs on
> on a VM, and a twice-daily Veeam replication takes place at midnight and
> noon to another VM which is in a geographically different location (San
> Diego versus Irvine).  This is a perfect clone (replicant) of the VM here.
> In the event of a local disaster, we can take the remote VM to an active
> state, change DNS to point to it, and we are done. The Veeam replication
> allows for changing the IP address in the replicant.
>
> (more on Veeam here:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.
> veeam.com_blog_starting-2Dwith-2Dvmware-2Dvm-
> 2Dreplication-2Dusing-2Dveeam-2Davailability-2Dsuite.html&d=CwIFaQ&c=
> Gm3BBxc8aT6kWRgL0BN82PxksiHdQKp4W7aI7_AdSxA&r=
> xDtDABfGYGJ71kVjoddAkDo50mNveYXRZ9AXjiL6brc&m=sG8GeZK_oLk589CJJi9gE0-
> gGk6hZWTSmdYV9iQZz3U&s=wPqy2Z4OcCzSjoD9maR5tsUmwxS1ZYuXq0qozKhIAnk&e=
>
> However, we are currently considering building a secure cloud
> infrastructure and putting it there. Our campus uses AWS, but my group is
> not happy with the security of it.
>
> Garret
> -==-==-
> G.D. Hildebrand              Senior IT Security Analyst
> UC Irvine, OIT, 6137 Ayala Sci Lib., Irvine, 92697-1175
> tel.: 949-824-8913                   email: gdh () uci edu
> *Splunk - the Benihana of log-data slicing and dicing.*
>
> Don't be a victim of phishing. Legitimate businesses don't ask you to send
> sensitive information through insecure channels. Learn more:
> https://urldefense.proofpoint.com/v2/url?u=http-3A__er.
> educause.edu_blogs_2016_3_april-2Ddont-2Dget-2Dhooked&d=CwIFaQ&c=
> Gm3BBxc8aT6kWRgL0BN82PxksiHdQKp4W7aI7_AdSxA&r=
> xDtDABfGYGJ71kVjoddAkDo50mNveYXRZ9AXjiL6brc&m=sG8GeZK_oLk589CJJi9gE0-
> gGk6hZWTSmdYV9iQZz3U&s=tJyNkjLPKc2Jk-gPPSfVxzTKwNi0XgJ-8VHqY7ge4NA&e=
> Handle passwords wisely: https://urldefense.proofpoint.
> com/v2/url?u=http-3A__www.bbc.com_news_technology-2D37510501&d=CwIFaQ&c=
> Gm3BBxc8aT6kWRgL0BN82PxksiHdQKp4W7aI7_AdSxA&r=
> xDtDABfGYGJ71kVjoddAkDo50mNveYXRZ9AXjiL6brc&m=sG8GeZK_oLk589CJJi9gE0-
> gGk6hZWTSmdYV9iQZz3U&s=z_5onXPAZeWPB9ykYV26joVVQnPIqM6rxYNenCz8X50&e=
>
>
> Today (Thu, 17 Nov 2016) at 22:27 -0000 Taylor Randle wrote:
>
> > Hi Thomas,
> >
> > All editions of Secret Server have the ability to schedule backups of
> the database/IIS directory – in addition, an admin can perform a plain text
> export of all “secrets” in a printable format – which could be stored in a
> safe/lock box/etc. We’re happy enough simply backing up the database/IIS
> dirs (very) regularly and keeping the backups in a separate location. The
> paid versions also support clustering/HA (as an add-on) but we have not
> seen the need to go that direction just yet.
> > As far as having everything in one basket, we’ve see more benefit than
> risk so far. Centralizing the storage of passwords simplifies auditing and
> ensures compliance with password policies, etc. Then there’s the scenario
> where someone leaves the University and there’s a mad scramble to change
> the passwords they had access to or get into some third party account they
> used their creds for. Secret Server allows us to quickly determine what
> passwords they had access to with a simple report – and even delete all
> those passwords in one click – although that seems pretty extreme.
> > Hope this helps.
> >
> > ~Taylor
> >
> > From: The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter
> > Sent: Thursday, November 17, 2016 3:51 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Password Storage
> >
> > I’ve looked into Thycotic; does the “all in one basket” aspect concern
> you? A problem with the server (corruption / failure / etc) and you have no
> passwords? What DR options do you have with your vault?
> > Thomas Carter
> > Network & Operations Manager / IT
> > Austin College
> > 900 North Grand Avenue
> > Sherman, TX 75090
> > Phone: 903-813-2564
> > www.austincollege.edu<https://urldefense.proofpoint.com/v2/
> url?u=http-3A__www.austincollege.edu_&d=CwMGaQ&c=
> Gm3BBxc8aT6kWRgL0BN82PxksiHdQKp4W7aI7_AdSxA&r=
> xDtDABfGYGJ71kVjoddAkDo50mNveYXRZ9AXjiL6brc&m=y8pN_
> cscxNfv8S487z5tCTS1wCGMV29tYU1_z6XqFEg&s=1V03MOtsPCTNTmM6kdW1NdImRi90gX
> ogNszEPoTWek8&e=>
> > [https://urldefense.proofpoint.com/v2/url?u=http-
> 3A__www.austincollege.edu_images_AusColl-5FLogo-5FEmail.gif&d=CwIFaQ&c=
> Gm3BBxc8aT6kWRgL0BN82PxksiHdQKp4W7aI7_AdSxA&r=
> xDtDABfGYGJ71kVjoddAkDo50mNveYXRZ9AXjiL6brc&m=sG8GeZK_oLk589CJJi9gE0-
> gGk6hZWTSmdYV9iQZz3U&s=co4Lhx_C51nzabVQVF6mBoriO0wf-w93jxur9i1WuNw&e= ]
> > From: The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Curry
> > Sent: Thursday, November 17, 2016 9:35 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU
> >
> > Subject: Re: [SECURITY] Password Storage
> >
> > We are also using Thycotic Secret Server and have been for four or five
> years now. We've had it in a "high availability" configuration (basically
> an active/passive failover configuration) for about three years. We don't
> use the automatic password change functionality (one of these days...), but
> we have a few dozen people from three different teams using the vault on a
> daily basis and it works quite well.
> > Support is always a pleasure to work with; I usually just do upgrades
> with one of their folks over a GoToMeeting screen share, and it goes
> smoothly. Integrating it with our two factor solution was easy as well
> (they have out-of-the-box support for pure RADIUS solutions like SecurID;
> our solution requires a little extra).
> > --Dave
> >
> >
> >
> >
> >
> > --
> >
> > DAVID A. CURRY, CISSP
> > DIRECTOR OF INFORMATION SECURITY
> > INFORMATION TECHNOLOGY
> >
> > 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> > +1 212 229-5300 x4728 • david.curry () newschool edu<mailto:
> david.curry () newschool edu>
> > [The New School]
> >
> > On Thu, Nov 17, 2016 at 10:18 AM, Jones, Justin <jucjones () iu edu<mailto:
> jucjones () iu edu>> wrote:
> > My department, we use KeePass, it’s decent, but I personally use
> 1Password, and they have 1Password for teams now.
> > Justin Jones
> > VPR Information Technology Support (VPR IT)
> > Office of the Vice President for Research
> > IT Support Specialist – Team Lead
> > 980 Indiana Ave
> > Office:  2214 Lockefield Village
> > 317-274-8962
> >
> >
> > From: The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>] On
> Behalf Of Chris Green
> > Sent: Thursday, November 17, 2016 10:09 AM
> >
> > To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU
> >
> > Subject: Re: [SECURITY] Password Storage
> >
> > Bill,
> >
> > Are you allowing others on campus to use the personal version, or are
> you using the enterprise version for your campus?
> > Thanks,
> >
> > -C.
> >
> > Chris Green
> > Information Security Officer
> > University of Texas at Tyler
> > cgreen () uttyler edu<mailto:cgreen () uttyler edu>
> >
> >
> >
> > From: The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barnes, William
> > Sent: Thursday, November 17, 2016 9:00 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU
> >
> > Subject: Re: [SECURITY] Password Storage
> >
> > I’m personally using lastpass, and I’ve been recommending it to people
> here that ask for a password manager.
> > Thanks!
> > --Bill
> > ************************************************************
> *************
> > * Bill Barnes, RHCE, CISSP
> > * Manager of Technology Support Services
> > * and Library Network Administrator
> > * Technology Support Services
> > * Bloomsburg University
> > * ph: 570-389-2813
> > * e-mail: wbarnes () bloomu edu<mailto:wbarnes () bloomu edu>
> > ************************************************************
> *************
> > From: The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Crider
> > Sent: Thursday, November 17, 2016 9:58 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU
> >
> > Subject: [SECURITY] Password Storage
> >
> > Does anyone have any recommendations for password storage?
> >
> > We’re evaluating Keeper (which we’ve heard some disparaging things about
> their support), and Last Pass.
> > Thanks,
> >
> > Kevin
> >
> > --
> > Kevin Crider
> > Director, Enterprise Systems
> > Skidmore College
> > 815 North Broadway
> > Saratoga Springs, NY 12866
> > 518.580.5929
> > kcrider () skidmore edu<mailto:kcrider () skidmore edu>