
We are currently managing our departmental passwords (think service accounts, online services, etc.) in KeePass (an encrypted password management tool). However, it is clearly not for enterprise. There can only be one password, there is no way to control access or audit what has been viewed, etc. I’d love to have a tool that can do all of those and still store the passwords in a trustworthy way.

 

What are you using to solve this problem?

 

On a related note do you have a password strength/rotation policy for service accounts? (i.e. Accounts used by computers for computers, say the account that runs scheduled tasks on some server somewhere.)

Travis Wooley
Director of Information Technology
Florida Hospital College of Health Sciences
407-303-9440

 

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

For the last several years, we had been using Cyber-Ark for this purpose. But from a cost perspective, it was really kind of an overkill solution, and when our appliances hit end-of-life, we decided that the cost of upgrading everything far outweighed the benefits that we were getting.

So, we switched to Thycotic Secret Server, which was about 1/4 the cost, and does pretty much everything we need. It runs on a Windows/IIS/SQL Server platform, physical or virtual. Unlike Cyber-Ark which uses this cumbersome (to us) "safe" abstraction to organize things, Secret Server organizes stuff ("secrets" - passwords, files, whatever) with a regular old folder tree abstraction. Permissions on secrets can be set explicitly or inherited from folders. Users can be local or taken from Active Directory, and you can put them into locally-defined groups or use AD groups (or a mixture). So we're using local groups to put people into "roles" (system admin, network admin, help desk, etc.) and then assigning folder permissions to the groups. This way each person has access to what he or she needs, depending on the role(s) he or she is in.

We're currently in the process of dragging all the information out of Cyber-Ark (one of the features we didn't like about it is that there's almost no export capability) and transferring it to Secret Server.  I've talked to tech support a few times; I needed some help with the installation and making it do what I wanted (I'm not an IIS/SQL Server guru, or I could have figured it out myself), and I've asked a few questions around the best way to achieve this or that desired result. They've always been prompt to answer my questions, and are quite willing to do a screen-sharing session and guide you through it if that's what you prefer.

Secret Server has all the same features as the "big boys" (Cyber-Ark and Beyond Trust); we're not using most of them at the moment, but it's nice to know they're there as we evolve in our use of the product.

So far, everybody who's using Secret Server likes it much better, and we are quite happy with it.

--Dave


--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu




On Mon, Nov 14, 2011 at 15:44, Wooley, Travis <Travis.Wooley@fhchs.edu> wrote:

We are currently managing our departmental passwords (think service accounts, online services, etc.) in KeePass (an encrypted password management tool). However, it is clearly not for enterprise. There can only be one password, there is no way to control access or audit what has been viewed, etc. I’d love to have a tool that can do all of those and still store the passwords in a trustworthy way.

 

What are you using to solve this problem?

 

On a related note do you have a password strength/rotation policy for service accounts? (i.e. Accounts used by computers for computers, say the account that runs scheduled tasks on some server somewhere.)

Travis Wooley
Director of Information Technology
Florida Hospital College of Health Sciences
407-303-9440

 


Travis,

 

Try ManageEngine’s Password Manager Pro. It allows you to “silo” your groups so that workers only see what devices they manage but also allows for master access to view everything. It encrypts the db all this is stored on and has been trouble-free for us.

 

_______________________________________

Steve Swartz

Chief Information Officer & Assistant Vice President

Fitchburg State University

160 Pearl Street

Fitchburg, MA  01420-2697

Office: 978-665-4444

 

Steve,

Try SecureAuth: http://www.gosecureauth.com/

We've been using it for almost 2 years now. We also use SecureAuth to authenticate to our Google Apps domain.

Rodney B. Murray, Ph.D.
Executive Director
Office of Academic Technology
University of the Sciences
600 S. 43rd St., Philadelphia, PA 19104
O: 215-596-8789 | C: 484-238-0303
r.murray@usciences.edu | www.usciences.edu
USciences: Where healthcare and science converge.
Subscribe to Academic Technology News -- www.InsideHigherEd.com/thepulse
www.twitter.com/RodsPods
--

Message from tim.cappalli@lsc.vsc.edu

This came out today. I use the consumer version on my BlackBerry for my personal passwords and I have been very pleased with the product.

 

http://splashdata.com/enterprise/

 

 

 

Tim Cappalli, CCNA ACWA | IT Services | (802) 626-6456

» tim.cappalli@lyndonstate.edu | it.lyndonstate.edu

 

 

The problem with these enterprise password vaults is that they are designed for end-user password management (one user/many devices.) What we need for our IT system admins is an enterprise vault that is designed for many users/many devices. For example, I want all 5 of the system admins for XYZ server to access the same secure password vault rather than each maintain their own vault. When the password changes it is done in one place. Also, the 3 system admins for ZYX server are different people and cannot have access to XYZ server. I also need to have a log of who accessed what password and when.
 
These end-user password vaults are a pseudo SSO solution and may have a place in some organizations. They do not provide a password management solution for IT system admins. Is there a password vault that can handle the complexities of IT system management?
 
Rick DeVries
Calvin College
 


>>> "Cappalli, Tim G @ LSC-ITS" <Tim.Cappalli@LSC.VSC.EDU> 11/15/2011 4:46 PM >>>

This came out today. I use the consumer version on my BlackBerry for my personal passwords and I have been very pleased with the product.

 

http://splashdata.com/enterprise/

 

 

 

Tim Cappalli, CCNA ACWA | IT Services | (802) 626-6456

» tim.cappalli@lyndonstate.edu | it.lyndonstate.edu

 

 

Hi Rick,

 

Take a look at Privileged Account Manager from Netwrix Corporation.   I believe it has the features that you’re looking for and is relatively inexpensive if the free version doesn’t meet your needs.

 

Regards,

Manny

----------------------------------------------------------------

Manuel (Manny) Amaral

Associate Director, Information Technology

Franklin W. Olin College of Engineering

Needham, MA 02492

781-292-2433

 

 

 

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Richard DeVries
Sent: Wednesday, November 16, 2011 10:15 AM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Is There a Good Enterprise Password Management Tool?

 

The problem with these enterprise password vaults is that they are designed for end-user password management (one user/many devices.) What we need for our IT system admins is an enterprise vault that is designed for many users/many devices. For example, I want all 5 of the system admins for XYZ server to access the same secure password vault rather than each maintain their own vault. When the password changes it is done in one place. Also, the 3 system admins for ZYX server are different people and cannot have access to XYZ server. I also need to have a log of who accessed what password and when.

 

These end-user password vaults are a pseudo SSO solution and may have a place in some organizations. They do not provide a password management solution for IT system admins. Is there a password vault that can handle the complexities of IT system management?

 

Rick DeVries

Calvin College

 




That’s exactly what ManageEngine’s product does.  See the response several emails below.

 

- Steve

 

