Privileged Access Management at Columbia

BeyondTrust Password Safe

BeyondTrust Password Safe is an enterprise password vault that enables controlled access and auditing of privileged accounts and passwords. Columbia University Information Technology is deploying this service.

Top Features and Capabilities of Password Safe

  • Continuous Automated Account Discovery and Auto-Onboarding
    • Use a distributed network discovery engine to scan, identify, and profile all assets (hosts). Dynamic categorization allows the auto-onboarding of accounts into Smart Groups for efficient management.
  • Secure SSH Key Management
    • Automatically rotate SSH keys according to a defined schedule and enforce granular access control and workflow.
    • Use private keys to securely log onto Unix/Linux systems through the proxy, with no user exposure to the key and with full privileged session recording.
  • Application-to-Application Password Management
    • Eliminate hard-coded or embedded application credentials through an adaptable API interface that includes an unlimited number of Password Caches for scalability and redundancy.
  • Enhanced Privileged Session Management
    • Live session management provides true dual control: admins can record user activity, and lock and document suspicious behavior.
  • Adaptive Access Control
    • Evaluate just-in-time context and simplify access requests: the day, date, time, and location of an access attempt are considered when determining whether a user is authorized to access a given system.
  • Advanced Privileged Threat Analytics
    • Measure asset characteristics and user behaviors from one day to the next, assessing the scope and speed of any changes in order to alert you to suspicious deviations.

FAQs on Password Safe

To limit access to critical assets and automatically randomize and manage passwords/credentials.

Initially, CUIT staff who have Highly Privileged administrative accounts that are distinct from their UNI accounts. For example, on AD-managed hosts, the accounts named “AD_user name” will be in scope for this service.

Yes, we are rolling this out initially for Enterprise Systems but will work with other groups in future phases.

You must have an administrative account in Privileged Identity, and you must be an administrator or have administrative credentials for the systems you intend to manage with Privileged Identity.

Windows (local and Active Directory accounts), Linux (root) server hosts within our network infrastructure, service accounts, and scripts with hardcoded passwords.