domain controller in the cloud for small office?
-
@mike-davis This is what we're meant to be doing before mainstream media makes it popular
I don't have a sample policy but that should be easy to change. Take the requirement for complexity away, give users more characters to use (unicode), require slightly longer password lengths (10+ for example) and enforce 2FA through physical keys if possible (not sms or app based to remove social engineering aspect of obtaining a code), check passwords against dictionary words.
There's a lovely 2011 study from CMU Of Passwords and People: Measuring the Effect of Password-Composition Policies that goes on to say quite a lot supporting the NIST publication
- "Less predictably, basic16 proved better than the comparable strength comprehensive8 in several respects."
- "The comprehensive8 policy condition proved by far the most difficult, as only 17.7% of users in this condition could create a password in one try. By contrast, 52.7%, 56.6%, 88.6%, and 84.8% of participants in the basic16, dictionary8, basic8, and basic8survey conditions respectively created an acceptable password in one try."
- "A significantly greater proportion (50%) of comprehensive8 participants stored their passwords than in all other conditions; and basic16 participants were significantly more likely to store (33%) than basic8 and basic8survey participants (26% and 17% respectively)"
-
@mike-davis said in domain controller in the cloud for small office?:
@larsen161 said in domain controller in the cloud for small office?:
@mike-davis do you have an hhs.gov or gpo.gov link to where it mentions the requirement for passwords to be changed?
From what I understand §164.308(a)(5)(ii)(D) requires you to define the password policy. Since the "best practice" in many circles was to change your password every XX days in case someone observed your password, many places still have it in their policy to change passwords every 90 days.
It was only last year that mainstream media ran that article that explained that a longer pass phrase is better than a short complex password, but getting organizations to change their policies doesn't happen quickly.
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
Having a policy that just that says, we will make users have a password and advise them to never share with anyone sounds so much simpler.
-
There's a follow up study to that other one I linked to from the same/similar group of people at CMU: Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms
-
@mike-davis said in domain controller in the cloud for small office?:
@larsen161 said in domain controller in the cloud for small office?:
@mike-davis do you have an hhs.gov or gpo.gov link to where it mentions the requirement for passwords to be changed?
From what I understand §164.308(a)(5)(ii)(D) requires you to define the password policy. Since the "best practice" in many circles was to change your password every XX days in case someone observed your password, many places still have it in their policy to change passwords every 90 days.
It was only last year that mainstream media ran that article that explained that a longer pass phrase is better than a short complex password, but getting organizations to change their policies doesn't happen quickly.
Do you have a sample policy (or just that part) that you could share to replace the complexity and change requirement?
That's been very well known in IT for a very long time that that mass media backwards security policy was wrong. Sure, in Hollywood they are still just figuring that out, but in IT it's been understood that rapid password changes were a direct attack on security for a decade or more. Really, ever since they were first implemented. That there are things like minimum password change lengths and stuff like that are actually demonstrable proof that the system was known to be flawed in that way. So that goes back to 2000 at a minimum in the official MS documents.
-
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
HIPAA just requires "good practice", nothing specific.
-
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.
-
@dashrender I'm not trying to understate it, just using the HIPAA terms, it's either addressable or required. definitions of the terms
-
@dashrender said in domain controller in the cloud for small office?:
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.
Can you go above and beyond?
-
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.
Can you go above and beyond?
I feel like this is a trick question.
-
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.
Can you go above and beyond?
I feel like this is a trick question.
Well, it's a trick requirement, right? HIPAA has cross purposes if they require that insecure methods be used. Are you allowed to secure the environment more than that, or does HIPAA actually require below minimum industry bar security?
-
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.
Can you go above and beyond?
I feel like this is a trick question.
Well, it's a trick requirement, right? HIPAA has cross purposes if they require that insecure methods be used. Are you allowed to secure the environment more than that, or does HIPAA actually require below minimum industry bar security?
Do you have an example of an insecure method being required in HIPAA? If so, please provide it. The law itself doesn't stipulate what type of password policies to have, only that you have a policy. It doesn't stipulate that you have AV, but you must have a policy about AV.
-
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.
Can you go above and beyond?
I feel like this is a trick question.
Well, it's a trick requirement, right? HIPAA has cross purposes if they require that insecure methods be used. Are you allowed to secure the environment more than that, or does HIPAA actually require below minimum industry bar security?
Do you have an example of an insecure method being required in HIPAA? If so, please provide it. The law itself doesn't stipulate what type of password policies to have, only that you have a policy. It doesn't stipulate that you have AV, but you must have a policy about AV.
So you are saying that they have an addressable policy, meaning that they accept excuses for not having a policy?
-
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.
Can you go above and beyond?
I feel like this is a trick question.
Well, it's a trick requirement, right? HIPAA has cross purposes if they require that insecure methods be used. Are you allowed to secure the environment more than that, or does HIPAA actually require below minimum industry bar security?
Do you have an example of an insecure method being required in HIPAA? If so, please provide it. The law itself doesn't stipulate what type of password policies to have, only that you have a policy. It doesn't stipulate that you have AV, but you must have a policy about AV.
So you are saying that they have an addressable policy, meaning that they accept excuses for not having a policy?
lol - you know they do. i.e. can't afford to purchase AV, that's the reason they don't have AV - ridiculous reason, but it's a reason. And you addressed it. Now that said, I have no idea if that type of addressing will be acceptable to the auditors or not.
But of course you can go way over the top - Installed AV on the endpoints and the edge of the network for business locations, etc.
-
@dashrender said in domain controller in the cloud for small office?:
lol - you know they do. i.e. can't afford to purchase AV, that's the reason they don't have AV - ridiculous reason, but it's a reason.
That addresses why their policy states that they don't have AV. It does not state why they can't afford to have a policy.
-
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
lol - you know they do. i.e. can't afford to purchase AV, that's the reason they don't have AV - ridiculous reason, but it's a reason.
That addresses why their policy states that they don't have AV. It does not state why they can't afford to have a policy.
You want a policy about why a policy isn't better than it is.. now that seams reaching. Are you saying an auditor can ask (demand really) to know why they can't afford it?
-
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
lol - you know they do. i.e. can't afford to purchase AV, that's the reason they don't have AV - ridiculous reason, but it's a reason.
That addresses why their policy states that they don't have AV. It does not state why they can't afford to have a policy.
They do have a policy, the policy is to not have AV. Well - at least I hope they took the 5 seconds it takes to write that policy.
But that's what we were discussing, why the policy was addressable. In what condition could you excuse not having a policy?
-
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
lol - you know they do. i.e. can't afford to purchase AV, that's the reason they don't have AV - ridiculous reason, but it's a reason.
That addresses why their policy states that they don't have AV. It does not state why they can't afford to have a policy.
They do have a policy, the policy is to not have AV. Well - at least I hope they took the 5 seconds it takes to write that policy.
But that's what we were discussing, why the policy was addressable. In what condition could you excuse not having a policy?
You've lost me - HIPAA says have an AV policy - such policy exists - it states, - the company will not have AV. period, end of line. If you want, I suppose a reason for this policy being what it is could be included as a note on said policy, but the reasoning itself is not part of the policy.
-
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
lol - you know they do. i.e. can't afford to purchase AV, that's the reason they don't have AV - ridiculous reason, but it's a reason.
That addresses why their policy states that they don't have AV. It does not state why they can't afford to have a policy.
They do have a policy, the policy is to not have AV. Well - at least I hope they took the 5 seconds it takes to write that policy.
But that's what we were discussing, why the policy was addressable. In what condition could you excuse not having a policy?
You've lost me - HIPAA says have an AV policy - such policy exists - it states, - the company will not have AV. period, end of line.
I thought that the policy type was "addressable" meaning that they could make an excuse for not having a policy. That's what I am discussing.
-
@larsen161 said in domain controller in the cloud for small office?:
@dashrender I'm not trying to understate it, just using the HIPAA terms, it's either addressable or required. definitions of the terms
@scottalanmiller the answer on this link explains it pretty well i think