GDPR Requiring Centralized Password Management
-
@stuartjordan said in GDPR Requiring Centralized Password Management:
@carnival-boy The basis of it is regarding personal data, but the outer layer is prevention, how are you protecting this personal data.
Maybe. But AD is GDPR compliant. It's a secure system, designed with security in mind, at least as far as GDPR is concerned. Using Post-It notes for password management might break GDPR regulations, AD won't.
-
@carnival-boy This is what I'm stating, using AD for GDPR compliance
-
@carnival-boy said in GDPR Requiring Centralized Password Management:
@stuartjordan said in GDPR Requiring Centralized Password Management:
@carnival-boy The basis of it is regarding personal data, but the outer layer is prevention, how are you protecting this personal data.
Maybe. But AD is GDPR compliant. It's a secure system, designed with security in mind, at least as far as GDPR is concerned. Using Post-It notes for password management might break GDPR regulations, AD won't.
He's not saying that AD is a problem, but the solution. My point is that AD is secure, but no more secure than not using AD. AD adds ease of use, but always adds some tiny risk.
-
@dustinb3403 said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
I don't understand what user/password management has to do with GDPR. My understanding of GDPR is that relates to restrictions on personal data held by companies,
and rules on reporting data breaches to authorities in a timely manner. Neither of these seem to relate to AD or similar services? AD doesn't even generally hold personal data.First and Last name of a person is personal data. But so is an email address, birthday, sex, sexual orientation etc.
Don't store sexual orientation in AD. Have processes to remove accounts for ex-employees in a timely manner. Job done.
-
@carnival-boy said in GDPR Requiring Centralized Password Management:
@dustinb3403 said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
I don't understand what user/password management has to do with GDPR. My understanding of GDPR is that relates to restrictions on personal data held by companies,
and rules on reporting data breaches to authorities in a timely manner. Neither of these seem to relate to AD or similar services? AD doesn't even generally hold personal data.First and Last name of a person is personal data. But so is an email address, birthday, sex, sexual orientation etc.
Don't store sexual orientation in AD. Have processes to remove accounts for ex-employees in a timely manner. Job done.
I don't think anyone actually thinks AD is a problem. The question is just "how much of a requirement is it"?
-
@carnival-boy said in GDPR Requiring Centralized Password Management:
@dustinb3403 said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
I don't understand what user/password management has to do with GDPR. My understanding of GDPR is that relates to restrictions on personal data held by companies,
and rules on reporting data breaches to authorities in a timely manner. Neither of these seem to relate to AD or similar services? AD doesn't even generally hold personal data.First and Last name of a person is personal data. But so is an email address, birthday, sex, sexual orientation etc.
Don't store sexual orientation in AD. Have processes to remove accounts for ex-employees in a timely manner. Job done.
storing sexual orientation in AD would be a bit weird lol...
-
@stuartjordan said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
@dustinb3403 said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
I don't understand what user/password management has to do with GDPR. My understanding of GDPR is that relates to restrictions on personal data held by companies,
and rules on reporting data breaches to authorities in a timely manner. Neither of these seem to relate to AD or similar services? AD doesn't even generally hold personal data.First and Last name of a person is personal data. But so is an email address, birthday, sex, sexual orientation etc.
Don't store sexual orientation in AD. Have processes to remove accounts for ex-employees in a timely manner. Job done.
storing sexual orientation in AD would be a bit weird lol...
Storing it anywhere would be pretty weird.
-
@scottalanmiller said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
@dustinb3403 said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
I don't understand what user/password management has to do with GDPR. My understanding of GDPR is that relates to restrictions on personal data held by companies,
and rules on reporting data breaches to authorities in a timely manner. Neither of these seem to relate to AD or similar services? AD doesn't even generally hold personal data.First and Last name of a person is personal data. But so is an email address, birthday, sex, sexual orientation etc.
Don't store sexual orientation in AD. Have processes to remove accounts for ex-employees in a timely manner. Job done.
I don't think anyone actually thinks AD is a problem. The question is just "how much of a requirement is it"?
Sure. I understand. But I think any standard, encrypted credentials management system is GDPR compliant. So Workgroups are fine.
-
@carnival-boy Only if you have some kind of password policy automation in place, like Scott has stated, using tools like puppet.
-
This steps into the Devops kind of arena I personally think though.
-
I think a better question is why is AD the only point of scrutiny being discussed here? What about the plethora of HRM software that integrates with multiple tools.
Allowing HR personal to enter pii data and automating their account creation? Personally I'd prefer if HR managed account creation and closure, only having IT intervene to fix problems.
-
@carnival-boy said in GDPR Requiring Centralized Password Management:
@scottalanmiller said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
@dustinb3403 said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
I don't understand what user/password management has to do with GDPR. My understanding of GDPR is that relates to restrictions on personal data held by companies,
and rules on reporting data breaches to authorities in a timely manner. Neither of these seem to relate to AD or similar services? AD doesn't even generally hold personal data.First and Last name of a person is personal data. But so is an email address, birthday, sex, sexual orientation etc.
Don't store sexual orientation in AD. Have processes to remove accounts for ex-employees in a timely manner. Job done.
I don't think anyone actually thinks AD is a problem. The question is just "how much of a requirement is it"?
Sure. I understand. But I think any standard, encrypted credentials management system is GDPR compliant. So Workgroups are fine.
That's exactly what I was thinking. Microsoft is careful that the "default" is quite secure. Would be weird if Windows wasn't GDPR compliant without an add-on!
-
@stuartjordan said in GDPR Requiring Centralized Password Management:
@carnival-boy Only if you have some kind of password policy automation in place, like Scott has stated, using tools like puppet.
Is that true? Because US Federal recommendations on password policy aren't aided by AD. So what is considered "industry standard good policy" is also what you get with "no policy". So even free extra tools aren't necessary.
-
@stuartjordan said in GDPR Requiring Centralized Password Management:
This steps into the Devops kind of arena I personally think though.
Sure, but if you consider Devops the baseline (it isn't but only because people haven't adjusted yet) then recommending AD would equally be seen as crossing into the snowflake arena. Both are "adding an outside component" to manage something, just one in a snowflake model, one in a devops model. Have to choose, and one choice isn't default and one weird.
-
@dustinb3403 I agree with this, I've seen one type of HR software copying data from one program to another using plain text files, might as well not of even had passwords on the software login screen.
I've got a client that I've warned, that has POS program that writes data to an access backend database with the access database fully open... I stated to him as well, might as well not have a login screen for the POS software. I've emailed his software developer and asked him to sort this out.
-
@dustinb3403 said in GDPR Requiring Centralized Password Management:
I think a better question is why is AD the only point of scrutiny being discussed here? What about the plethora of HRM software that integrates with multiple tools.
Because it's what we are concerned about. What does the GDPR force us to do in terms of password management, and does it create risk and cost we aren't thinking about?
-
We already know GDPR rules are a bit weird. Anything that contains data of a EU citizen has to be housed in the EU. OKAY. . . but I'm a global company with offices in XYZ and Bunghole, Faring.
You're law means I can't setup an AD server here, right? Which means I can't do business here.
The law in general wasn't built with security in mind, but in keeping skeletons in the closet.
-
That's not true @DustinB3403
-
@carnival-boy said in GDPR Requiring Centralized Password Management:
That's not true @DustinB3403
For example, you can house the data in the US. But are generally still covered by the GDPR. I'm an EU citizen, but my data is often in the US, it's no problem.
-
I've have not studied GDPR in detail but I'm familiar with other European directives and regulations.
It's a lot about having processes in place. For instance if we are to protect access to sensitive information we must know what information is sensitive and who has access. And someone has to have the responsibility of making sure only the people that needs access have access. And we have to know who accessed what information and when. And we have to protect the information against threats and someone has to have that responsibility as well. And all these processes and procedures have to be documented and on a regular basis the company and 3rd parties have to check that they are in compliance.
These are the type of things you'll see in the law - not should I use product X or Y or that AD is okay but XYZ is not...