Exporting Passwords for Secure Offline Access
PAM360 provides multiple export options for secure offline access and safekeeping of password information.
- The basic option is to export password information such as resource name, account name, and passwords in plain text to a spreadsheet.
- The more secure option is to export the passwords to an encrypted HTML file.
Note: In addition, PAM360 allows auto-synchronization of the encrypted HTML file to users' mobile devices through integration with cloud storage services which include Dropbox, Box, and Amazon S3 services. For more info about how to enable cloud storage option for users.
In both the above options, you can export the resources, accounts and passwords for offline access. Administrators can decide which option should be used in their organization. In addition, the export can be enabled or disabled for specific users or user groups based on requirements. However, before configuring user-specific settings for export, the feature should first be enabled globally for all the users.
To configure the settings globally,
- Navigate to Admin >> Settings >> Export / Offline Access.
- In the dialog box that opens, different options related to password export will be displayed.
- By default, two options (exporting passwords in plain text to .xls and exporting passwords to an encrypted HTML file) will be enabled for all users and administrators. You can disable these options by deselecting the respective check-boxes.
- Exporting resources in plain text to an .xls file
This option will allow the users and administrators to export resource details in plain text to a spreadsheet. However, in the Export / Offline Access UI window, you'll find another option "Include passwords in plain-text in the exported file". You can disable this option globally to prevent passwords from being printed in plain text in the .xls file. Another option "Include files stored under FileStore, KeyStore, LicenseStore resource types and files stored under file-based additional fields" allows you to choose whether files can be included while exporting in plain text.
Note: If the administrator has enabled encryption for all export operations across PAM360, the XLS file will be exported with password protection. The user has to supply the encryption passphrase every time they need access. They can view or copy the passphrase by logging in to PAM360, clicking the My Profile icon on the top right corner and selecting Export Settings from the drop-down menu.
- Exporting passwords as an encrypted HTML file
You can export passwords as an encrypted HTML file so as to view the passwords even when there is no internet connection. This offline option is very secure. The contents of the file will be encrypted using the AES-256 algorithm with the passphrase that the users will be required to provide prior to exporting the passwords. PAM360 does not store this passphrase anywhere, and we recommend that you do not store or write it down anywhere either. The HTML file cannot be opened without the passphrase. In case you forget the passphrase, you can export another HTML file. Your passphrase could be up to 32 characters long, including blank spaces.
To ensure that users set strong passphrases for their HTML file, a complexity policy is set by default if the encrypted HTML option is enabled. The default policy will be "Offline Password File". To change this policy, you can select any of the other three default password policies of PAM360 or the custom policies created by you, if any. You can select the desired policy in the "Encryption Passphrase Policy" field in the Export Passwords UI window.
Inactivity logout
You can also specify the inactivity log out time period in minutes, after which the user will be automatically logged out from the offline file while viewing the passwords in the browser. You can specify the timeout period against the text field "Allowed Inactivity Period".
User-specific Settings for Export / Offline Access
To restrict certain users from having one or all of the password export options, or to allow only specific users to have this permission, user-specific settings can be changed by navigating to the Users tab, selecting the desired users for whom settings should be changed, and clicking on More Actions >> Change Offline Access Settings. Alternatively, you can also carry out changes for an individual user by clicking on the User Actions icon against that specific user and selecting Export / Offline Access from the dropdown.
Imposing restriction for users
You can also impose granular restrictions on users while enabling/disabling export password options.
- When allowing users to export passwords in plain-text, you can require them to specify a reason for exporting. The reason entered here will be recorded in the audit trail. In addition, you can allow the users to export the resource name and user account details alone, but prevent them from exporting the passwords in plain-text.
- In the case of exporting passwords as an encrypted HTML, for security reasons, administrators can enforce automatic reset of the exported passwords after a specific time period.
- In case of auto-synchronization of the encrypted HTML file to users' mobile devices, administrators can enforce automatic deletion of the HTML file from the users' devices after a specific time period. There is also an option to automatically reset the exported passwords immediately after deletion of the HTML file from users' devices.
Least privilege model for security reasons
For security reasons, PAM360 adopts a "Least privilege" model for users. For instance, let's assume that a particular user is part of three user groups and there are group-level restrictions for one of the groups: the members of the group are not allowed to export passwords in plain text. In the above scenario, even if the user has permission to export passwords in plain text at the individual level, the restriction imposed on one of the groups of which the user is a part will take precedence. This rule applies to all types of restrictions explained above.
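The precedence rule above can be modelled as a deny-overrides evaluation across every scope that applies to a user. The following is an added illustration, not PAM360's own code or API: the option names, scope names and sample data are hypothetical, and the global scope is treated as one more place a denial can come from because the feature must be enabled globally first.

```python
from dataclasses import dataclass

# Hypothetical names for the export options this page describes (not PAM360 identifiers).
OPTIONS = ("export_plain_text", "include_plain_text_passwords", "export_encrypted_html")


@dataclass
class Scope:
    """One place where export settings are configured: global, a user group, or the user."""
    name: str
    allowed: dict  # option -> bool; an option not listed is unrestricted at this scope


def effective_export_settings(global_scope, user_scope, group_scopes):
    """Return {option: (allowed, [scopes that deny it])} using deny-overrides.

    An option is allowed only if no applicable scope disables it, so a single
    restricted group outweighs an explicit allow at the individual level.
    """
    result = {}
    for option in OPTIONS:
        deniers = [scope.name
                   for scope in (global_scope, user_scope, *group_scopes)
                   if scope.allowed.get(option, True) is False]
        result[option] = (not deniers, deniers)
    return result


# Constructed sample mirroring the scenario in the text: the user belongs to
# three groups, one of which forbids plain-text export, while the user's
# individual setting allows it.
GLOBAL = Scope("global", {option: True for option in OPTIONS})
USER = Scope("user:alice", {"export_plain_text": True})
GROUPS = [
    Scope("group:dba", {}),
    Scope("group:helpdesk", {"export_plain_text": False}),
    Scope("group:contractors", {}),
]

if __name__ == "__main__":
    settings = effective_export_settings(GLOBAL, USER, GROUPS)
    for option, (allowed, deniers) in settings.items():
        state = "allowed" if allowed else "DENIED"
        print(f"{option:30} {state:8} denied by: {deniers}")
```

Listing the denying scopes alongside the result shows which group restriction is responsible when a user reports that an export option is missing.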
Steps to export resources
The passwords can be exported by users and administrators as per settings configured by the PAM360 Administrator.
To export resources, navigate to Resources >> Export
Option 1 - Exporting resources in plain text to a spreadsheet
To export resources in plain-text,
- Click the button "Export" present in the Resources tab and select "In Plain-Text" from the drop down.
The resources are exported to a file and it is shown as a pop-up. Save the file in a secure location in (.xls) format.
Option 2 - Exporting resources as an encrypted HTML file
To export resources as an encrypted HTML file,
- Click the button "Export" present in the Resources tab and select "As Encrypted HTML" from the drop down.
- In the dialog box that opens, specify a passphrase in accordance with the password policy enforced by your administrator. The passphrase will be used for encrypting (AES 256) the HTML file for offline access.
- You can also open the file in any web browser by simply providing the same passphrase. PAM360 does not store the passphrase anywhere, so if you forget the passphrase, you cannot open the file. We also recommend that you do not store or write down the passphrase anywhere.
- Confirm the passphrase and enter a reason for exporting the passwords.
The resources are exported to a file and it is shown as a pop-up. Save the file in a secure location in (.html) format.