Exporting Passwords for Secure Offline Access

PAM360 provides multiple export options for secure offline access and safekeeping of password information.

  1. The basic option is to export password information such as resource name, account name, and passwords in plain text to a spreadsheet.
  2. The more secure option is to export the passwords to an encrypted HTML file.

    Note: In addition, PAM360 allows auto-synchronization of the encrypted HTML file to users' mobile devices through integration with cloud storage services, including Dropbox, Box, and Amazon S3. For more info about how to enable cloud storage option for users.

In both the above options, you can export the resources, accounts and passwords for offline access. Administrators can decide which option should be used in their organization. In addition, the export can be enabled or disabled for specific users or user groups based on requirements. However, before configuring user-specific settings for export, the feature should first be enabled globally for all the users.

At the end of this document, you will have learned the following:

  1. Steps to Configure Settings Globally for Export/Offline Access
  2. Steps to Export Resources
  3. User-Specific Settings for Export/Offline Access

1. Steps to Configure Settings Globally for Export/Offline Access

  1. Navigate to Admin >> Settings >> Export / Offline Access.

  2. In the dialog box that opens, different options related to password export will be displayed.
  3. By default, two options, exporting passwords in plain text to .xls and exporting passwords to an encrypted HTML file, are enabled for all users and administrators. You can disable these options by deselecting the respective check-boxes.

    1. Exporting resources in plain text to an .xls file

      This option allows users and administrators to export resource details in plain text to a spreadsheet. In the Export / Offline Access UI window, you'll also find the option "Include passwords in plain-text in the exported file". You can disable this option globally to prevent passwords from being printed in plain text in the .xls file. Another option, "Include files stored under FileStore, KeyStore, LicenseStore resource types and files stored under file-based additional fields", allows you to choose whether files can be included while exporting in plain text.

      Note: If the administrator has enabled encryption for all export operations across PAM360, the XLS file will be exported with password protection. The user has to supply the encryption passphrase every time they need access. They can view or copy the passphrase by logging in to PAM360, clicking the My Profile icon in the top right corner and selecting Export Settings from the drop-down menu.

    2. Exporting passwords as an encrypted HTML file
    • You can export passwords as an encrypted HTML file so that you can view the passwords even when there is no internet connection. This offline option is very secure. The contents of the file will be encrypted using the AES-256 algorithm with the passphrase that users are required to provide before exporting the passwords. PAM360 does not store this passphrase anywhere, and we recommend that you do not store it or write it down anywhere either. The HTML file cannot be opened without the passphrase. In case you forget the passphrase, you can export another HTML file. Your passphrase can be up to 32 characters long, including blank spaces.
    • To ensure that users set strong passphrases for their HTML file, a complexity policy is set by default if the encrypted HTML option is enabled. The default policy will be Offline Password File. To change this policy, you can select any of the other three default password policies of PAM360 or the custom policies created by you, if any. You can select the desired policy in the Encryption Passphrase Policy field in the Export Passwords UI window.
  4. Inactivity logout: You can also specify the inactivity log out time period in minutes, after which the user will be automatically logged out from the offline file while viewing the passwords in the browser. You can specify the timeout period against the text field Allowed Inactivity Period.
  5. Once you have enabled/disabled various export options based on your organization's requirements, click Save.

The settings will then take effect globally for all users and administrators in PAM360.

2. Steps to Export Resources

The passwords can be exported by users and administrators as per settings configured by the PAM360 Administrator.

To export resources, navigate to Resources >> Export.

Option 1 - Exporting resources in plain text to a spreadsheet

To export resources in plain-text, click the button Export present in the Resources tab and select In Plain-Text from the drop down.

The resources are exported to a file and it is shown as a pop-up. Save the file in a secure location in (.xls) format.

Option 2 - Exporting resources as an encrypted HTML file

To export resources as an encrypted HTML file,

  1. Click the button Export present in the Resources tab and select As Encrypted HTML from the drop down.
  2. In the dialog box that opens, specify a passphrase in accordance with the password policy enforced by your administrator. The passphrase will be used for encrypting (AES 256) the HTML file for offline access.

  3. You can also open the file in any web browser by simply providing the same passphrase. PAM360 does not store the passphrase anywhere, so if you forget the passphrase, you cannot open the file. We also recommend that you do not store or write down the passphrase anywhere.
  4. Confirm the passphrase and enter a reason for exporting the passwords.

The resources are exported to a file and it is shown as a pop-up. Save the file in a secure location in (.html) format.

3. User-Specific Settings for Export/Offline Access

To restrict certain users from having one or all of the password export options, or to allow only specific users to have this permission, you can change user-specific settings by navigating to the Users tab, selecting the users whose settings should be changed, and clicking More Actions >> Change Offline Access Settings. Alternatively, you can change the settings for an individual user by clicking the User Actions icon against that specific user and selecting Export / Offline Access from the dropdown.

3.1 Imposing restriction for users

You can also impose granular restrictions on users while enabling/disabling export password options.

  1. When allowing users to export passwords in plain-text, you can require them to specify a reason for exporting. The reason entered here will be recorded as an audit trail. In addition, you can allow the users to export the resource name and user account details alone, but prevent them from exporting the passwords in plain-text.
  2. In the case of exporting passwords as an encrypted HTML, for security reasons, administrators can enforce automatic reset of the exported passwords after a specific time period.
  3. In case of auto-synchronization of the encrypted HTML file to users' mobile devices, administrators can enforce automatic deletion of the HTML file from the users' devices after a specific time period. There is also an option to automatically reset the exported passwords immediately after deletion of the HTML file from users' devices.

3.2 Least privilege model for security reasons

For security reasons, PAM360 adopts a least privilege model for users. For instance, let's assume that a particular user is part of three user groups and there is a group-level restriction for one of the groups: the members of the group are not allowed to export passwords in plain text. In this scenario, even if the user has permission to export passwords in plain text at the individual level, the restriction imposed on one of the groups of which the user is a member will take precedence. This rule applies to all types of restrictions explained above.
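The precedence rule above can be modelled as a "most restrictive layer wins" merge. The following is an added example, not PAM360 code: the setting names, group names and the `effective_settings` / `blocking_layers` helpers are hypothetical, and it assumes the global setting acts as one more layer, as the requirement to enable the feature globally first suggests.

```python
from dataclasses import dataclass

# Hypothetical setting names modelling the export options on this page;
# they are not PAM360 identifiers.
@dataclass(frozen=True)
class ExportSettings:
    plain_text_export: bool = True   # export resources to .xls
    include_passwords: bool = True   # passwords in plain text in the .xls
    encrypted_html: bool = True      # export as encrypted HTML
    reason_required: bool = False    # restriction: user must give a reason

ALLOW_FIELDS = ("plain_text_export", "include_passwords", "encrypted_html")

def effective_settings(global_cfg, user_cfg, group_cfgs):
    """Merge global, user and group settings; the most restrictive value wins."""
    layers = [global_cfg, user_cfg, *group_cfgs]
    # A permission holds only if every layer grants it.
    merged = {f: all(getattr(l, f) for l in layers) for f in ALLOW_FIELDS}
    # A restriction applies if any layer imposes it.
    merged["reason_required"] = any(l.reason_required for l in layers)
    # Passwords cannot appear in an .xls that cannot be exported at all.
    merged["include_passwords"] = (merged["include_passwords"]
                                   and merged["plain_text_export"])
    return ExportSettings(**merged)

def blocking_layers(option, named_layers):
    """Names of the layers that deny `option`, useful when troubleshooting."""
    return [name for name, cfg in named_layers if not getattr(cfg, option)]

def page_scenario():
    """Constructed sample: a user in three groups, one of which is restricted."""
    glob, user = ExportSettings(), ExportSettings()  # user allowed individually
    groups = [("group:dba", ExportSettings()),
              ("group:helpdesk", ExportSettings(reason_required=True)),
              ("group:contractors", ExportSettings(include_passwords=False))]
    eff = effective_settings(glob, user, [cfg for _, cfg in groups])
    named = [("global", glob), ("user", user), *groups]
    return eff, blocking_layers("include_passwords", named)

if __name__ == "__main__":
    eff, blockers = page_scenario()
    print(eff)
    print("plain-text passwords denied by:", blockers)
```

When a user reports that an export option is missing, listing the denying layers this way shows which group membership to review rather than only the user's individual setting.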

 
