Authentication at TSYS

Password Security

General

  • Bitwarden is used to store all passwords.
  • Authentication to Bitwarden is only possible with 2fa (yubikey or pin+password).
  • Senior leadership uses 3fa (PIN code, yubikey, yubikey static password).
  • 99% of systems at TSYS are 2fa only (Rundeck is not, but this is mitigated by requiring a separate admin account, and that will soon be only via a privileged access account model with daily expiring passwords).

Shared Passwords

We minimize the use of shared passwords. When we do use them (for example with external vendors), we utilize Bitwarden for secure storing/sharing of passwords.

Privileged Accounts

We have a separate LDAP account from our day to day LDAP account for any privileged operations.

CEO/CTO have access to SAW-Master (secure admin workstation). CEO/CFO (and designees) have access to FAW-Master (finance admin workstation).

User Creation / Deletion

We utilize Univention Corporate Server for all privileged system authentication at TSYS. It is not used for line of business applications (like discourse/rackrental/esign).

[1] is the vendor documentation on user management.

We have a number of groups defined and membership will depend on the role, access needs etc.

We use a convention of mr for mortal accounts (and later hires) and short names for early hires/immortal accounts.

VPN Endpoint Creation / Deletion

  • Login via RDP to pfv-rrsvr.pfv.turnsys.net as localuser
  • Start the XCA application via desktop shortcut
  • Copy/paste password from keepass entry XCA - Database in SAW-Master
  • Run through csr/sign process
  • Export key/cert
  • Connect to https://corpvpn-r1.turnsys.net/system_certmanager.php?act=new
  • Import the key/cert
  • Open https://corpvpn-r1.turnsys.net/vpn_openvpn_export.php
  • Select roadwarrior vpn TCP:443
  • Under export for the desired cert, select Standard Configuration - Archive
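The csr/sign and export steps above, as an added example that is not TSYS's documented tooling: the same roadwarrior client key/cert issuance done with openssl instead of the XCA GUI, so it can be scripted and reviewed. It assumes the corporate CA key and cert have been exported from the XCA database to files; the demo CA name and the user CN are constructed.

```shell
#!/bin/sh
# Added example, not TSYS tooling: the csr/sign/export step of the roadwarrior
# procedure done with openssl instead of the XCA GUI, so issuance is scriptable
# and auditable. Assumes the corporate CA key/cert exported from XCA to files.
set -eu

# Issue a client key + cert for one roadwarrior user (CN is hypothetical).
# usage: issue_roadwarrior_cert <outdir> <user-cn> <ca-key> <ca-cert>
issue_roadwarrior_cert() {
  outdir=$1; cn=$2; ca_key=$3; ca_cert=$4
  mkdir -p "$outdir"
  # Client-auth only: the cert must not be usable as a server or CA cert.
  cat > "$outdir/ext.cnf" <<EOF
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF
  # Private key is generated on the admin workstation and never leaves it.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$outdir/$cn.key" 2>/dev/null
  chmod 600 "$outdir/$cn.key"
  openssl req -new -key "$outdir/$cn.key" -subj "/CN=$cn" -out "$outdir/$cn.csr"
  # Sign with the corporate CA, one year validity, extensions from ext.cnf.
  openssl x509 -req -in "$outdir/$cn.csr" -CA "$ca_cert" -CAkey "$ca_key" \
    -CAcreateserial -days 365 -sha256 -extfile "$outdir/ext.cnf" \
    -out "$outdir/$cn.crt" 2>/dev/null
  # Check the chain before anything is imported into the firewall.
  openssl verify -CAfile "$ca_cert" "$outdir/$cn.crt" >/dev/null
}

# Constructed throwaway CA for demonstration only; in production point the
# ca-key/ca-cert arguments at the real CA material exported from XCA.
make_demo_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Demo Corp VPN CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Print the extendedKeyUsage of a cert, e.g. "TLSWebClientAuthentication",
# so an operator can confirm the cert is client-only before import.
cert_eku() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage | tail -n 1 | tr -d ' '
}
```

Run make_demo_ca once to get throwaway CA material, then issue_roadwarrior_cert out jdoe ca/ca.key ca/ca.crt; the resulting jdoe.key and jdoe.crt are the files imported in the system_certmanager.php step.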