PAM (Privileged Access Management) and Secrets Management


Overview

PAM

The aim of the PAM project is to consolidate accounts (such as database credentials) into safes that are managed by a secure product. The product selected for this is CyberArk Privilege Cloud. The project is aimed at securing human access patterns to systems such as databases and VMs.

People looking to access sensitive systems will do so through Privilege Cloud.

You can access Privilege Cloud at https://tufts.cyberark.cloud/privilegecloud

To sign in, use your UTLN followed by @tufts.edu.

Safes

Secrets are stored in safes. The spreadsheet linked below lists the safes we’re currently using and the AD group associated with each safe for granting access.

Adding secrets

To add secrets, go to the accounts view and click Add Account.

Select Windows as System Type

 

Select Tufts Windows Desktop Local Accounts platform for basic secrets. This platform type allows you to specify usernames and passwords that won’t be rotated.

If a system supports password rotation, you should work with IAM to create a platform type that will facilitate it.

Select a safe

Provide the secret information (Address can be anything)

 

Secrets Management

For non-human access to systems, CyberArk Conjur has been selected as the secrets management product.

You can access Conjur at https://tufts.cyberark.cloud/secretsmgr

The sign in for Conjur is the same as Privilege Cloud above.

Resources

  • PAM Spreadsheet: A listing of users, safes, accounts and applications for Data Strategy

Diagram