Educause Security Discussion mailing list archives

Re: Password Storage


From: Brian Griffith <griffibw () WHITMAN EDU>
Date: Thu, 17 Nov 2016 22:40:21 +0000

We've been running Secret Server on AWS as something of a pilot program,
for DR reasons.  In our case, we're using local accounts (long story, but
we can enforce a lot stronger password policy and 2 factor auth this way),
so it's a standalone server - no need for AD, etc.  So far I've been
impressed with the responsiveness and the cost of running on AWS. I was
also able to negotiate quite a bit with Thycotic.  I was very happy with
the deal we ended up getting.  We're just starting to get into some of the
fancier Enterprise features, but so far I like it.

Brian W. Griffith
Information Security Officer
Whitman College
griffibw () whitman edu


On Thu, Nov 17, 2016 at 2:32 PM David Curry <david.curry () newschool edu>
wrote:

Thycotic supports a "high availability" configuration with multiple web
and database instances. We run ours with two instances, one in each data
center (you can have more than that if you want). We run IIS and SQL Server
on the same server in each instance, although you can split them up as
well. There are actually a few different configuration options depending on
your needs.

I suppose if you really wanted to you could put an instance in the cloud
on AWS or something, although we have not tried this since we'd also have
to put Active Directory and our two factor solution out there, which is
more than we're prepared to do at present just for this.

There's also a mobile app that can keep an encrypted copy of all the
secrets (passwords) and run in "offline" mode if you want to do that to
cover the case of everything being down and you need console access to
stuff.

--Dave

David A. Curry,  CISSP
Director of Information Security
The New School -  Information Technology
71 Fifth Ave., 9th Fl. ~ New York, NY 10003
+1 212 229-5300 x4728 ~ david.curry () newschool edu
Sent from my phone; please excuse typos and inane auto-corrections.

On Nov 17, 2016 16:51, "Thomas Carter" <tcarter () austincollege edu> wrote:

I’ve looked into Thycotic; does the “all in one basket” aspect concern
you? A problem with the server (corruption / failure / etc) and you have no
passwords? What DR options do you have with your vault?



*Thomas Carter*
Network & Operations Manager / IT

*Austin College*
900 North Grand Avenue
Sherman, TX 75090

Phone: 903-813-2564
www.austincollege.edu




*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *David Curry
*Sent:* Thursday, November 17, 2016 9:35 AM

*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Password Storage



We are also using Thycotic Secret Server and have been for four or five
years now. We've had it in a "high availability" configuration (basically
an active/passive failover configuration) for about three years. We don't
use the automatic password change functionality (one of these days...), but
we have a few dozen people from three different teams using the vault on a
daily basis and it works quite well.



Support is always a pleasure to work with; I usually just do upgrades with
one of their folks over a GoToMeeting screen share, and it goes smoothly.
Integrating it with our two factor solution was easy as well (they have
out-of-the-box support for pure RADIUS solutions like SecurID; our solution
requires a little extra).



--Dave






--

*DAVID A. CURRY, CISSP*
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.curry () newschool edu




On Thu, Nov 17, 2016 at 10:18 AM, Jones, Justin <jucjones () iu edu> wrote:

My department, we use KeePass, it’s decent, but I personally use
1Password, and they have 1Password for teams now.



Justin Jones

VPR Information Technology Support (VPR IT)

Office of the Vice President for Research

IT Support Specialist – Team Lead

980 Indiana Ave

Office:  2214 Lockefield Village

317-274-8962





*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Chris Green
*Sent:* Thursday, November 17, 2016 10:09 AM


*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Password Storage



Bill,



Are you allowing others on campus to use the personal version, or are you
using the enterprise version for your campus?





Thanks,



-C.



*Chris Green*

Information Security Officer

University of Texas at Tyler

cgreen () uttyler edu







*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Barnes, William
*Sent:* Thursday, November 17, 2016 9:00 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Password Storage



I’m personally using LastPass, and I’ve been recommending it to people
here that ask for a password manager.





Thanks!
--Bill
*************************************************************************
* Bill Barnes, RHCE, CISSP

* Manager of Technology Support Services

* and Library Network Administrator
* Technology Support Services
* Bloomsburg University
* ph: 570-389-2813
* e-mail: wbarnes () bloomu edu

*************************************************************************





*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Kevin Crider
*Sent:* Thursday, November 17, 2016 9:58 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Password Storage



Does anyone have any recommendations for password storage?



We’re evaluating Keeper (which we’ve heard some disparaging things about
their support), and LastPass.





Thanks,



Kevin



--

Kevin Crider

Director, Enterprise Systems

Skidmore College

815 North Broadway

Saratoga Springs, NY 12866

518.580.5929

kcrider () skidmore edu







