Educause Security Discussion mailing list archives
Re: Password Storage
From: David Curry <david.curry () NEWSCHOOL EDU>
Date: Thu, 17 Nov 2016 20:20:54 -0500
Veeam plus database backups to a file share (also backed up) here as well.

David A. Curry, CISSP
Director of Information Security
The New School - Information Technology
71 Fifth Ave., 9th Fl. ~ New York, NY 10003
+1 212 229-5300 x4728 ~ david.curry () newschool edu

Sent from my phone; please excuse typos and inane auto-corrections.

On Nov 17, 2016 19:57, "Taylor Randle" <TRandle () parker edu> wrote:

+1 for Veeam - we're using it as well

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Garrett Hildebrand
Sent: Thursday, November 17, 2016 6:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Storage

We do scheduled backups of the database also, and in addition, the backups are backed up to another site on campus, and those backups rotate off-campus weekly.

Additionally, we are running the Windows server that Secret Server runs on on a VM, and a twice-daily Veeam replication takes place at midnight and noon to another VM which is in a geographically different location (San Diego versus Irvine). This is a perfect clone (replicant) of the VM here. In the event of a local disaster, we can take the remote VM to an active state, change DNS to point to it, and we are done. The Veeam replication allows for changing the IP address in the replicant.

(more on Veeam here: https://urldefense.proofpoint.com/v2/url?u=https-3A__www.veeam.com_blog_starting-2Dwith-2Dvmware-2Dvm-2Dreplication-2Dusing-2Dveeam-2Davailability-2Dsuite.html&d=CwIFaQ&c=Gm3BBxc8aT6kWRgL0BN82PxksiHdQKp4W7aI7_AdSxA&r=xDtDABfGYGJ71kVjoddAkDo50mNveYXRZ9AXjiL6brc&m=sG8GeZK_oLk589CJJi9gE0-gGk6hZWTSmdYV9iQZz3U&s=wPqy2Z4OcCzSjoD9maR5tsUmwxS1ZYuXq0qozKhIAnk&e= )

However, we are currently considering building a secure cloud infrastructure and putting it there. Our campus uses AWS, but my group is not happy with the security of it.

Garret

-==-==-
G.D. Hildebrand
Senior IT Security Analyst
UC Irvine, OIT, 6137 Ayala Sci Lib., Irvine, 92697-1175
tel.: 949-824-8913
email: gdh () uci edu

*Splunk - the Benihana of log-data slicing and dicing.*

Don't be a victim of phishing. Legitimate businesses don't ask you to send sensitive information through insecure channels. Learn more: https://urldefense.proofpoint.com/v2/url?u=http-3A__er.educause.edu_blogs_2016_3_april-2Ddont-2Dget-2Dhooked&d=CwIFaQ&c=Gm3BBxc8aT6kWRgL0BN82PxksiHdQKp4W7aI7_AdSxA&r=xDtDABfGYGJ71kVjoddAkDo50mNveYXRZ9AXjiL6brc&m=sG8GeZK_oLk589CJJi9gE0-gGk6hZWTSmdYV9iQZz3U&s=tJyNkjLPKc2Jk-gPPSfVxzTKwNi0XgJ-8VHqY7ge4NA&e=

Handle passwords wisely: https://urldefense.proofpoint.com/v2/url?u=http-3A__www.bbc.com_news_technology-2D37510501&d=CwIFaQ&c=Gm3BBxc8aT6kWRgL0BN82PxksiHdQKp4W7aI7_AdSxA&r=xDtDABfGYGJ71kVjoddAkDo50mNveYXRZ9AXjiL6brc&m=sG8GeZK_oLk589CJJi9gE0-gGk6hZWTSmdYV9iQZz3U&s=z_5onXPAZeWPB9ykYV26joVVQnPIqM6rxYNenCz8X50&e=

Today (Thu, 17 Nov 2016) at 22:27 -0000 Taylor Randle wrote:

Hi Thomas,

All editions of Secret Server have the ability to schedule backups of the database/IIS directory – in addition, an admin can perform a plain text export of all “secrets” in a printable format – which could be stored in a safe/lock box/etc. We’re happy enough simply backing up the database/IIS dirs (very) regularly and keeping the backups in a separate location. The paid versions also support clustering/HA (as an add-on) but we have not seen the need to go that direction just yet.

As far as having everything in one basket, we’ve seen more benefit than risk so far. Centralizing the storage of passwords simplifies auditing and ensures compliance with password policies, etc. Then there’s the scenario where someone leaves the University and there’s a mad scramble to change the passwords they had access to or get into some third party account they used their creds for. Secret Server allows us to quickly determine what passwords they had access to with a simple report – and even delete all those passwords in one click – although that seems pretty extreme.

Hope this helps.
~Taylor

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter
Sent: Thursday, November 17, 2016 3:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Storage

I’ve looked into Thycotic; does the “all in one basket” aspect concern you? A problem with the server (corruption / failure / etc) and you have no passwords? What DR options do you have with your vault?

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Curry
Sent: Thursday, November 17, 2016 9:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Storage

We are also using Thycotic Secret Server and have been for four or five years now. We've had it in a "high availability" configuration (basically an active/passive failover configuration) for about three years.
We don't use the automatic password change functionality (one of these days...), but we have a few dozen people from three different teams using the vault on a daily basis and it works quite well.

Support is always a pleasure to work with; I usually just do upgrades with one of their folks over a GoToMeeting screen share, and it goes smoothly. Integrating it with our two factor solution was easy as well (they have out-of-the-box support for pure RADIUS solutions like SecurID; our solution requires a little extra).

--Dave

--
DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.curry () newschool edu

On Thu, Nov 17, 2016 at 10:18 AM, Jones, Justin <jucjones () iu edu> wrote:

My department, we use KeePass, it’s decent, but I personally use 1Password, and they have 1Password for teams now.

Justin Jones
VPR Information Technology Support (VPR IT)
Office of the Vice President for Research
IT Support Specialist – Team Lead
980 Indiana Ave
Office: 2214 Lockefield Village
317-274-8962

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris Green
Sent: Thursday, November 17, 2016 10:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Storage

Bill,

Are you allowing others on campus to use the personal version, or are you using the enterprise version for your campus?

Thanks,
-C.

Chris Green
Information Security Officer
University of Texas at Tyler
cgreen () uttyler edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barnes, William
Sent: Thursday, November 17, 2016 9:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Storage

I’m personally using lastpass, and I’ve been recommending it to people here that ask for a password manager.

Thanks!
--Bill

**************************************************************************
Bill Barnes, RHCE, CISSP
Manager of Technology Support Services
and Library Network Administrator
Technology Support Services
Bloomsburg University
ph: 570-389-2813
e-mail: wbarnes () bloomu edu
**************************************************************************

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Crider
Sent: Thursday, November 17, 2016 9:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password Storage

Does anyone have any recommendations for password storage? We’re evaluating Keeper (which we’ve heard some disparaging things about their support), and Last Pass.

Thanks,
Kevin

--
Kevin Crider
Director, Enterprise Systems
Skidmore College
815 North Broadway
Saratoga Springs, NY 12866
518.580.5929
kcrider () skidmore edu

Current thread:
- Password Storage Kevin Crider (Nov 17)
- Re: Password Storage Barnes, William (Nov 17)
- Re: Password Storage Baillio, Aaron (Nov 17)
- Re: Password Storage Chris Green (Nov 17)
- Re: Password Storage Jones, Justin (Nov 17)
- Re: Password Storage David Curry (Nov 17)
- Re: Password Storage Thomas Carter (Nov 17)
- Re: Password Storage Taylor Randle (Nov 17)
- Re: Password Storage Garrett Hildebrand (Nov 17)
- Re: Password Storage Taylor Randle (Nov 17)
- Re: Password Storage David Curry (Nov 17)
- Re: Password Storage Barnes, William (Nov 17)
- Message not available
- Message not available
- Message not available
- Re: Password Storage David Curry (Nov 17)
- Re: Password Storage Brian Griffith (Nov 17)
- Re: Password Storage Russell Fulton (Nov 29)
- Re: Password Storage Harry Hoffman (Nov 29)
- <Possible follow-ups>
- Re: Password Storage Penn, Blake (Nov 17)
- Re: Password Storage Brian Epstein (Nov 17)