A few weeks ago, we had the opportunity to speak with Miguel Sanchez, who has worked in Information Security at Harvard University for over 10 years. He previously enjoyed LastPass as a personal user, so when the university began a security initiative, he advocated to bring the tool to Harvard. It’s been 4 years since Harvard adopted LastPass in 2013, and they continue to evolve their implementation.
Here is a snippet of our conversation with Miguel on how and why he brought LastPass to Harvard University:
What led Harvard to start using LastPass? How did you evaluate LastPass?
We already had CyberArk in place for privileged accounts when we started to look at LastPass. My colleagues and I had been using LastPass personally for the past few years. After hearing about a pilot with the university, I got on a panel to test the LastPass security model and evaluate the user experience. We wanted to give people an option for password management that was Harvard-funded. A big selling point for us was the option to bundle an Enterprise site license with Premium accounts for personal users. This went alongside our security initiative by doing more than just talking about the importance of password management, but also providing an actual password management solution for the community to use.
How did the community respond to LastPass?
The response is generally the same for both employees & students. People who haven’t heard about password management love the idea of it. Within the Harvard staff and students, the adoption of LastPass has been slightly different. Students haven’t been a huge focus for the university but when students find out about LastPass, they’re easily up and running.
How has LastPass helped you and your community at Harvard improve online security practices?
It has helped the people who use it to become more security conscious and also somewhat helped to improve the overall security posture of the University. Within the mini-deployments, like the business school or employee credit union, they have improved their security with the use of Enterprise admin controls. These controls allow them to administer their own environment and enable group policies on their own.
What would you recommend to those who are new to LastPass?
You’ll never have to remember another password again, and it makes using the internet much easier. To get new users started, I like to equate it with a 4-week workout plan. The first week you can store just one credential in LastPass and see how it starts filling it in for you. The second week you can start filling up your vault by simply clicking the ‘Add’ button that pops up when you sign into a new website. The third week you can try generating a brand-new password. The fourth week you can change your passwords to make sure they’re up to par with password security best practices. This workout plan is basically just a slow roll out of the product.
From your experience, what do people love most about LastPass?
Everything. When I give presentations on general security and password managers, if LastPass comes up, there’s always a few people who say they use it, they love it, or they can’t see themselves using anything but it in the future. They like the idea of having only one password, not having to fill anything in ever again, and not having to come up with new passwords.
What’s next for LastPass at Harvard?
LastPass is on our roadmap for the new year here at Harvard (our fiscal year just started in July). We want to improve our deployment plans so it’s adopted more broadly throughout the university. Specifically, we’d like to replace CyberArk, which we use for password scrambling, and move that functionality into LastPass.