Educause Security Discussion mailing list archives

Re: Question for IT departments using LastPass


From: Greg Williams <gwillia5 () UCCS EDU>
Date: Tue, 6 Aug 2019 14:25:28 +0000

We have used LastPass for the past 5 years for those in OIT who need access to many >100 passwords.  We have around 100 
folders and around 15 groups.  We don’t use AD sync or federated access, but use MFA along with some other security 
policies.  Even though there is not a hierarchical access infrastructure, groups work well.  For example, the podium 
computers folders are accessed by our academic support group and the administrator, and that’s it.  The one advantage 
that you have with groups/folders vs. hierarchical access is speed.  The more passwords you have in your vault, the 
longer it takes to load or search (still only a couple of seconds however).  Another advantage is that you are only 
giving password access to those that need access to those passwords and not a hierarchy.

Greg Williams, ME
Director of Operations
Office of Information Technology
University of Colorado Colorado Springs
1420 Austin Bluffs Parkway, (EPC 136A)
Colorado Springs, CO 80918
Phone: (719) 255-3292
www.uccs.edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of David Curry
Sent: Tuesday, August 6, 2019 5:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Question for IT departments using LastPass


We're just beginning our move off of Thycotic Secret Server and onto LastPass Enterprise for our IT department, to 
manage all the server, database, application, etc. passwords. In our Thycotic environment, we took a very hierarchical 
approach to storing things, with permissions set generally along the org chart structure. The different "silos" of the 
department had access to different areas of the vault, and there wasn't much cross-silo access. That worked for a 
while, but as the organization started changing, it started getting in the way of getting things done.

Now we're thinking, partly because our organization has changed and there's much more cooperation and working together 
than there used to be, but also because LastPass doesn't support the same hierarchical storage model, that we should be 
organizing things more simply. But while we have some high-level ideas on how we might want to do this, we're not quite 
sure of the details. So we're hoping to learn from others who've already done it.

If your IT department is using LastPass internally to manage the department's passwords and share them with staff, how 
have you chosen to organize things storage-wise in LastPass (i.e., how have you named the folders and what have you put 
into them)? And how have you set up your user groups for sharing purposes?

Thanks,
--Dave


--

DAVID A. CURRY, CISSP
DIRECTOR • INFORMATION SECURITY & PRIVACY
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.curry () newschool edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
