Project Spotlight

U Central Florida Enhances IT Security with Privileged Account Management System

password management

The University of Central Florida has implemented a new password management system to provide IT staff with privileged access to the enterprise systems it uses to support the campus.

Prior to installing the new system, the university's Central IT department had been using an in-house password management tool, but when administrators wanted to implement new features to meet the university's evolving security needs, they weighed the cost of upgrading the in-house system against purchasing an off-the-shelf password management tool. "[We concluded that] maintaining the in-house tool was not cost effective when off-the-shelf software offers better features, support and software security assurance," said Matthew Fitzgerald, senior security analyst at the university.

Searching for a Solution

The university assembled a selection committee — including IT leadership and end users from the Central IT department — to research the password management tools offered by several vendors. "The goal was to replace our password vault, enhance auditing capabilities and expand into using advanced features such as automatic password changing, password checkout workflows and launching privileged access without the end user knowing the credential used," said Fitzgerald.

The committee identified the ability to prevent pivot attacks — where an attacker gains access to one system on the network and uses it to attack other connected systems — as a key requirement for protecting the university's systems. To prevent such an attack, the university needed the ability to assign a unique password to each machine, share certain passwords between teams and automatically change passwords on a predetermined basis, according to Fitzgerald.

Regulatory compliance requirements for the university's multiple data centers also meant that IT needed to manage an increasing number of credentials effectively. Other key requirements included the ability to generate and store long, complex passwords using granular group- or role-based permissions for multiple types of systems; high availability; the ability to automatically randomize system and appliance passwords; and two-factor login authentication. On top of all of that, the tool needed to be easy to learn and use.

After evaluating its options, the committee selected Secret Server enterprise password management software from Thycotic. "Our previous tool did not have the advanced features that Secret Server offers," said Fitzgerald. "Secret Server is able to integrate with UCF’s systems and provide a level of proven security assurance on par with other major university enterprises like our own."

Implementation

The Central IT staff used Thycotic's installation and security best practice guides, as well as an in-application hardening checklist, to install the software themselves in UCF's virtualized environment, with occasional remote support from Thycotic staff. "Thycotic’s easy install process on a single machine allows any IT person to quickly launch a proof of concept," said Fitzgerald. "I like that the tool offers various configuration options that help it to install in any environment and secure the deployment."

UCF uses Secret Server to manage enterprise passwords for system, network and database administrators; application developers; security practitioners; managers; and other operational staff in the Central IT department. The software stores all of the passwords for the enterprise systems that the department uses to support the campus.

Since Secret Server manages the department's powerful privileged user accounts, the department implemented the tool's built-in support for two-factor authentication — a combination of two separate user authentication methods — for all accounts. "Once users are authenticated, they can easily search for the password they need to use and launch a session directly from Secret Server," said Fitzgerald. UCF's central IT teams also use the software to share secrets with each other within Secret Server because the password never leaves the encrypted database.

Results

One of Fitzgerald's favorite features of the software is its ability to help thwart pivoting attacks by changing all of the local server passwords to unique, complex and rotating passwords, but the new system has provided other benefits as well, he said. For example, it improved the de-provisioning process when people leave the department. Now staff can quickly search the database to identify the accounts a user has access to and reset those account passwords.

Fitzgerald said that UCF also uses Secret Server to improve its implementation of the "least-privilege" security principle, which hides passwords from junior administrators while still allowing them to elevate their privileges when necessary and launch a remote session to complete a task.

"Secret Server keeps track of all the actions a user performs in the system so we know which administrator accessed which system," said Fitzgerald. "The password checkout and approval workflows help secure privileged accounts by changing the passwords upon check-in."

Central IT plans to begin offering the Secret Server enterprise password management system as a service to other colleges and departments on campus. Fitzgerald thinks all universities should consider implementing a privileged account management tool "because most laws, regulations and security best practices, such as the SANS top 20 list of Critical Security Controls, recommend limiting and controlling privileged account use," he said.

comments powered by Disqus

Campus Technology News

Sign up for our newsletter.

I agree to this site's Privacy Policy.