GDPR Requiring Centralized Password Management
-
@stuartjordan said in Handling DNS in a Single Active Directory Domain Controller Environment:
With GDPR centralised password management is now required, so AD could me more prevalent then a Workgroup in the UK now.
That's the first that I've heard of that. Can you provide more information on what the requirement is, and where it applies? What does "central password management" mean, for example, as a lot of things are central in one way, and not another.
For example, does AD meet the requirement? Does it still meet the requirement if you have more than one AD controller (now it is partially decentralized.) Does all passwords on all machines meet it (same as having one to one AD controllers.)
-
@stuartjordan said in Handling DNS in a Single Active Directory Domain Controller Environment:
With GDPR centralised password management is now required, so AD could me more prevalent then a Workgroup in the UK now.
I'm going to split this out, as an increased use of AD would actually do the opposite of what is expected... it would actually extremely highlight how much more commonly only one AD DC would be needed if companies are moving to AD to fulfill a legal requirement rather than a technical one. So with zero dependency on AD, the need for it to be redundant would drop massively as an average.
-
@stuartjordan said in Handling DNS in a Single Active Directory Domain Controller Environment:
How passwords are stored and reset is a critical aspect of GDPR compliance. Clients and staff members may legitimately forget or need to reset passwords for a number of reasons. GDPR requirements mean that companies must be able to demonstrate that their password reset processes and procedures are secure. Systems must be in place, for example, to prevent help desk employees that may be involved in resets from directly accessing passwords.
Workgroups handle that flawlessly, though. No reason there to consider AD, for that purpose.
-
AD is not a security mechanism, it actually puts security at more risk by aggregating and copying credentials where they don't need to be. AD is very secure, but it is not as secure as simply skipping AD. If the GDPR is about security, AD isn't the path to that. And essentially no feature of AD, in regards to passwords, is unique to centralized password storage. Anything you can do with passwords with AD, you can do in workgrounds without AD. AD may or may not be more convenient, but that's what AD is really about, making things easier for people wanting an out of the box first party solution without using third party tools or PowerShell.
-
@scottalanmiller Could you give me an example of how you would change the local admin password on each machine if this password was compromised? or if a new person has started as needs to use multiple machines? are you going to go round to each machine and create this local account?
-
@stuartjordan said in GDPR Requiring Centralized Password Management:
@scottalanmiller Could you give me an example of how you would change the local admin password on each machine if this password was compromised?
We do this today. RMM tools handle this, for example. As do remote control.
In our case, for most customers, we handle this with ScreenConnect. We can reset using the "net user" command.
If you use DevOps tools like Ansible, Chef, or SaltStack you get the same kind of capabilities, either through remote commands or by state updates. We do this for some machines, but not as commonly as using SC.
This is actually way better than AD, since AD breaks if you are not on the LAN. SC or Salt do not break. All solutions break if you are completely offline, but AD stops working under very normal, non-malicious conditions.
For most of our clients, they have large numbers of users "off LAN" regularly. Like a laptop on the road. And AD alone would not satisfy GDPR, I would assume, for normal clients.
-
@stuartjordan said in GDPR Requiring Centralized Password Management:
or if a new person has started as needs to use multiple machines? are you going to go round to each machine and create this local account?
We could, but that would not be practical. And it would not work in a "compromised" condition where GDPR would be concerned. If everything is working "perfectly", then sure, manually logging into a machine and doing it would be functional, just silly. But when compromised, we might not have a password to use to log in any longer.
This is actually another time where I like AD less. With AD, it is faster, easier and more obvious how to block the system from fixing a compromised password. With an agent based state system, you can still stop it, but you have to research how it is being done and do something specific to that technology. It's another step that takes another minute, that might be enough time to stop the hack.
-
I don't understand what user/password management has to do with GDPR. My understanding of GDPR is that relates to restrictions on personal data held by companies, and rules on reporting data breaches to authorities in a timely manner. Neither of these seem to relate to AD or similar services? AD doesn't even generally hold personal data.
-
@carnival-boy said in GDPR Requiring Centralized Password Management:
I don't understand what user/password management has to do with GDPR. My understanding of GDPR is that relates to restrictions on personal data held by companies, and rules on reporting data breaches to authorities in a timely manner. Neither of these seem to relate to AD or similar services? AD doesn't even generally hold personal data.
News to me as well. But there is a lot of stuff in there that I don't understand. This is one I hadn't heard about previously.
-
@carnival-boy said in GDPR Requiring Centralized Password Management:
I don't understand what user/password management has to do with GDPR. My understanding of GDPR is that relates to restrictions on personal data held by companies,
and rules on reporting data breaches to authorities in a timely manner. Neither of these seem to relate to AD or similar services? AD doesn't even generally hold personal data.First and Last name of a person is personal data. But so is an email address, birthday, sex, sexual orientation etc.
-
@carnival-boy The basis of it is regarding personal data, but the outer layer is prevention, how are you protecting this personal data.
-
@stuartjordan said in GDPR Requiring Centralized Password Management:
@carnival-boy The basis of it is regarding personal data, but the outer layer is prevention, how are you protecting this personal data.
But you can protect equally without central management. Doesn't seem to fit.
-
@scottalanmiller Most consultants I work with don't know how to use automation tools like puppet, ansible etc.
I agree if you have an RMM tool, this could possibly work. -
@stuartjordan said in GDPR Requiring Centralized Password Management:
@scottalanmiller Most consultants I work with don't know how to use automation tools like puppet, ansible etc.
Sure, but there is a REALLY simple answer there... don't work with consultants who lack the skills to do their jobs proficiently. Using AD as a crutch because "the consultants we hire only use expensive tools because they aren't qualified to find and use the best tools for us" is a very bad reason to use it.
Not that AD is bad, it's not, it's great. But using AD because the person advising lacks the skills to give advice is a horrible reason to end up with it.
-
@stuartjordan said in GDPR Requiring Centralized Password Management:
@carnival-boy The basis of it is regarding personal data, but the outer layer is prevention, how are you protecting this personal data.
Maybe. But AD is GDPR compliant. It's a secure system, designed with security in mind, at least as far as GDPR is concerned. Using Post-It notes for password management might break GDPR regulations, AD won't.
-
@carnival-boy This is what I'm stating, using AD for GDPR compliance
-
@carnival-boy said in GDPR Requiring Centralized Password Management:
@stuartjordan said in GDPR Requiring Centralized Password Management:
@carnival-boy The basis of it is regarding personal data, but the outer layer is prevention, how are you protecting this personal data.
Maybe. But AD is GDPR compliant. It's a secure system, designed with security in mind, at least as far as GDPR is concerned. Using Post-It notes for password management might break GDPR regulations, AD won't.
He's not saying that AD is a problem, but the solution. My point is that AD is secure, but no more secure than not using AD. AD adds ease of use, but always adds some tiny risk.
-
@dustinb3403 said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
I don't understand what user/password management has to do with GDPR. My understanding of GDPR is that relates to restrictions on personal data held by companies,
and rules on reporting data breaches to authorities in a timely manner. Neither of these seem to relate to AD or similar services? AD doesn't even generally hold personal data.First and Last name of a person is personal data. But so is an email address, birthday, sex, sexual orientation etc.
Don't store sexual orientation in AD. Have processes to remove accounts for ex-employees in a timely manner. Job done.
-
@carnival-boy said in GDPR Requiring Centralized Password Management:
@dustinb3403 said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
I don't understand what user/password management has to do with GDPR. My understanding of GDPR is that relates to restrictions on personal data held by companies,
and rules on reporting data breaches to authorities in a timely manner. Neither of these seem to relate to AD or similar services? AD doesn't even generally hold personal data.First and Last name of a person is personal data. But so is an email address, birthday, sex, sexual orientation etc.
Don't store sexual orientation in AD. Have processes to remove accounts for ex-employees in a timely manner. Job done.
I don't think anyone actually thinks AD is a problem. The question is just "how much of a requirement is it"?
-
@carnival-boy said in GDPR Requiring Centralized Password Management:
@dustinb3403 said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
I don't understand what user/password management has to do with GDPR. My understanding of GDPR is that relates to restrictions on personal data held by companies,
and rules on reporting data breaches to authorities in a timely manner. Neither of these seem to relate to AD or similar services? AD doesn't even generally hold personal data.First and Last name of a person is personal data. But so is an email address, birthday, sex, sexual orientation etc.
Don't store sexual orientation in AD. Have processes to remove accounts for ex-employees in a timely manner. Job done.
storing sexual orientation in AD would be a bit weird lol...