Project Spotlight
U Central Florida Enhances IT Security with Privileged Account Management System
The University of Central Florida has
implemented a new password management system to provide IT staff with privileged
access to the enterprise systems it uses to support the campus.
Prior to installing the new system, the university's Central IT department
had been using an in-house password management tool, but when administrators wanted to
implement new features to meet the university's evolving security needs, they
weighed the cost of upgrading the in-house system against purchasing an
off-the-shelf password management tool. "[We concluded that] maintaining the
in-house tool was not cost effective when off-the-shelf software offers better
features, support and software security assurance," said Matthew Fitzgerald,
senior security analyst at the university.
Searching for a Solution
The university assembled a selection committee — including IT leadership and
end users from the Central IT department — to research the password management
tools offered by several vendors. "The goal was to replace our password vault,
enhance auditing capabilities and expand into using advanced features such as
automatic password changing, password checkout workflows and launching
privileged access without the end user knowing the credential used," said
Fitzgerald.
The committee identified the ability to prevent pivot attacks — where an
attacker gains access to one system on the network and uses it to attack other
connected systems — as a key requirement for protecting the university's
systems. To prevent such an attack, the university needed the ability to assign
a unique password to each machine, share certain passwords between teams and
automatically change passwords on a predetermined basis, according to
Fitzgerald.
Regulatory compliance requirements for the university's multiple data centers
also meant that IT needed to manage an increasing number of credentials
effectively. Other key requirements included the ability to generate and store
long, complex passwords using granular group- or role-based permissions for
multiple types of systems; high availability; the ability to automatically
randomize system and appliance passwords; and two-factor login authentication.
On top of all of that, the tool needed to be easy to learn and use.
After evaluating its options, the committee selected
Secret Server
enterprise password management software from
Thycotic. "Our previous tool did not have the advanced features that Secret
Server offers," said Fitzgerald. "Secret Server is able to integrate with UCF’s
systems and provide a level of proven security assurance on par with other major
university enterprises like our own."
Implementation
The Central IT staff used Thycotic's installation and security best practice
guides, as well as an in-application hardening checklist, to install the software
themselves in UCF's virtualized environment, with occasional remote support from
Thycotic staff. "Thycotic’s easy install process on a single machine allows any
IT person to quickly launch a proof of concept," said Fitzgerald. "I like that
the tool offers various configuration options that help it to install in any
environment and secure the deployment."
UCF uses Secret Server to manage enterprise passwords for system,
network and database administrators; application developers; security
practitioners; managers; and other operational staff in the Central IT
department. The software stores all of the passwords for the enterprise systems that the
department uses to support the campus.
Since Secret Server manages the department's powerful privileged user
accounts, the department implemented the tool's built-in support for two-factor
authentication — a combination of two separate user authentication methods —
for all accounts. "Once users are authenticated, they can easily search for the
password they need to use and launch a session directly from Secret Server,"
said Fitzgerald. UCF's central IT teams also use the software to share secrets
with each other within Secret Server because the password never leaves the
encrypted database.
Results
One of Fitzgerald's favorite features of the software is its ability to help
thwart pivoting attacks by changing all of the local server passwords to unique,
complex and rotating passwords, but the new system has provided other benefits
as well, he said. For example, it improved the de-provisioning process when
people leave the department. Now staff can quickly search the database to
identify the accounts a user has access to and reset those account passwords.
Fitzgerald said that UCF also uses Secret Server to improve its implementation
of the "least-privilege" security principle, which hides passwords from junior
administrators while still allowing them to elevate their privileges when
necessary and launch a remote session to complete a task.
"Secret Server keeps track of all the actions a user performs in the system
so we know which administrator accessed which system," said Fitzgerald. "The
password checkout and approval workflows help secure privileged accounts by
changing the passwords upon check-in."
Central IT plans to begin offering the Secret Server enterprise password
management system as a service to other colleges
and departments on campus. Fitzgerald thinks all universities should consider
implementing a privileged account management tool "because most laws,
regulations and security best practices, such as the
SANS top 20 list of
Critical Security Controls, recommend limiting and controlling privileged
account use," he said.
