Educause Security Discussion mailing list archives

Re: Question for IT departments using LastPass


From: "Kimmitt, Jonathan" <jonathan-kimmitt () UTULSA EDU>
Date: Tue, 6 Aug 2019 12:13:56 +0000

Hi Dave,

  We use Lastpass Enterprise for our internal IT passwords, and it seems to work well.

We chose to have a very flat structure, and have 5 shared folders (one for each IT department), and we used groups to 
grant permissions.  There are some people who are in multiple groups, and 3 of the officers have admin (for backup 
purposes).  All passwords within that department are visible to everyone in that department (we are a small 
university).  All Chief Officers can see all passwords.  While there is some organization into subfolders within the 
parent shared folders, it's minor; instead we have focused on clear and understandable password labels, and most people 
use the search instead of trying to navigate the structure to find passwords.  We also use the shared notes feature for 
some documentation.

We did NOT use AD or federated identity to auth our people; instead we let them set up their own passwords and required 
multi-factor.  We chose to do this to make sure we had access in case our domain is offline.

IT Sec does an audit a couple of times a year to make sure we have all the passwords to primary systems (and they 
work), that the passwords meet complexity requirements, and that everyone uses multi-factor.  We also require some 
documentation within the password notes on the hostname/IP, and basic login info for DR-type scenarios (how to 
log in to the server, what service needs to be running, etc.).

I’m happy to answer any questions.

-Jonathan


~
Jonathan Kimmitt
CISSP, PCIP, CEH, CIPM, GPEN, CIPT, CIPP/E
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of David Curry
Sent: Tuesday, August 6, 2019 6:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Question for IT departments using LastPass


We're just beginning our move off of Thycotic Secret Server and onto LastPass Enterprise for our IT department, to 
manage all the server, database, application, etc. passwords. In our Thycotic environment, we took a very hierarchical 
approach to storing things, with permissions set generally along the org chart structure. The different "silos" of the 
department had access to different areas of the vault, and there wasn't much cross-silo access. That worked for a 
while, but as the organization started changing, it started getting in the way of getting things done.

Now we're thinking, partly because our organization has changed and there's much more cooperation and working together 
than there used to be, but also because LastPass doesn't support the same hierarchical storage model, that we should be 
organizing things more simply. But while we have some high-level ideas on how we might want to do this, we're not quite 
sure of the details. So we're hoping to learn from others who've already done it.

If your IT department is using LastPass internally to manage the department's passwords and share them with staff, how 
have you chosen to organize things storage-wise in LastPass (i.e., how have you named the folders and what have you put 
into them)? And how have you set up your user groups for sharing purposes?

Thanks,
--Dave


--

DAVID A. CURRY, CISSP
DIRECTOR • INFORMATION SECURITY & PRIVACY
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.curry () newschool edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
