GDPR Requiring Centralized Password Management
-
@scottalanmiller said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
@dustinb3403 said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
I don't understand what user/password management has to do with GDPR. My understanding of GDPR is that relates to restrictions on personal data held by companies,
and rules on reporting data breaches to authorities in a timely manner. Neither of these seem to relate to AD or similar services? AD doesn't even generally hold personal data.First and Last name of a person is personal data. But so is an email address, birthday, sex, sexual orientation etc.
Don't store sexual orientation in AD. Have processes to remove accounts for ex-employees in a timely manner. Job done.
I don't think anyone actually thinks AD is a problem. The question is just "how much of a requirement is it"?
Sure. I understand. But I think any standard, encrypted credentials management system is GDPR compliant. So Workgroups are fine.
-
@carnival-boy Only if you have some kind of password policy automation in place, like Scott has stated, using tools like puppet.
-
This steps into the Devops kind of arena I personally think though.
-
I think a better question is why is AD the only point of scrutiny being discussed here? What about the plethora of HRM software that integrates with multiple tools.
Allowing HR personal to enter pii data and automating their account creation? Personally I'd prefer if HR managed account creation and closure, only having IT intervene to fix problems.
-
@carnival-boy said in GDPR Requiring Centralized Password Management:
@scottalanmiller said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
@dustinb3403 said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
I don't understand what user/password management has to do with GDPR. My understanding of GDPR is that relates to restrictions on personal data held by companies,
and rules on reporting data breaches to authorities in a timely manner. Neither of these seem to relate to AD or similar services? AD doesn't even generally hold personal data.First and Last name of a person is personal data. But so is an email address, birthday, sex, sexual orientation etc.
Don't store sexual orientation in AD. Have processes to remove accounts for ex-employees in a timely manner. Job done.
I don't think anyone actually thinks AD is a problem. The question is just "how much of a requirement is it"?
Sure. I understand. But I think any standard, encrypted credentials management system is GDPR compliant. So Workgroups are fine.
That's exactly what I was thinking. Microsoft is careful that the "default" is quite secure. Would be weird if Windows wasn't GDPR compliant without an add-on!
-
@stuartjordan said in GDPR Requiring Centralized Password Management:
@carnival-boy Only if you have some kind of password policy automation in place, like Scott has stated, using tools like puppet.
Is that true? Because US Federal recommendations on password policy aren't aided by AD. So what is considered "industry standard good policy" is also what you get with "no policy". So even free extra tools aren't necessary.
-
@stuartjordan said in GDPR Requiring Centralized Password Management:
This steps into the Devops kind of arena I personally think though.
Sure, but if you consider Devops the baseline (it isn't but only because people haven't adjusted yet) then recommending AD would equally be seen as crossing into the snowflake arena. Both are "adding an outside component" to manage something, just one in a snowflake model, one in a devops model. Have to choose, and one choice isn't default and one weird.
-
@dustinb3403 I agree with this, I've seen one type of HR software copying data from one program to another using plain text files, might as well not of even had passwords on the software login screen.
I've got a client that I've warned, that has POS program that writes data to an access backend database with the access database fully open... I stated to him as well, might as well not have a login screen for the POS software. I've emailed his software developer and asked him to sort this out.
-
@dustinb3403 said in GDPR Requiring Centralized Password Management:
I think a better question is why is AD the only point of scrutiny being discussed here? What about the plethora of HRM software that integrates with multiple tools.
Because it's what we are concerned about. What does the GDPR force us to do in terms of password management, and does it create risk and cost we aren't thinking about?
-
We already know GDPR rules are a bit weird. Anything that contains data of a EU citizen has to be housed in the EU. OKAY. . . but I'm a global company with offices in XYZ and Bunghole, Faring.
You're law means I can't setup an AD server here, right? Which means I can't do business here.
The law in general wasn't built with security in mind, but in keeping skeletons in the closet.
-
That's not true @DustinB3403
-
@carnival-boy said in GDPR Requiring Centralized Password Management:
That's not true @DustinB3403
For example, you can house the data in the US. But are generally still covered by the GDPR. I'm an EU citizen, but my data is often in the US, it's no problem.
-
I've have not studied GDPR in detail but I'm familiar with other European directives and regulations.
It's a lot about having processes in place. For instance if we are to protect access to sensitive information we must know what information is sensitive and who has access. And someone has to have the responsibility of making sure only the people that needs access have access. And we have to know who accessed what information and when. And we have to protect the information against threats and someone has to have that responsibility as well. And all these processes and procedures have to be documented and on a regular basis the company and 3rd parties have to check that they are in compliance.
These are the type of things you'll see in the law - not should I use product X or Y or that AD is okay but XYZ is not...
-
@pete-s said in GDPR Requiring Centralized Password Management:
I've have not studied GDPR in detail but I'm familiar with other European directives and regulations.
It's a lot about having processes in place. For instance if we are to protect access to sensitive information we must know what information is sensitive and who has access. And someone has to have the responsibility of making sure only the people that needs access have access. And we have to know who accessed what information and when. And we have to protect the information against threats and someone has to have that responsibility as well. And all these processes and procedures have to be documented and on a regular basis the company and 3rd parties have to check that they are in compliance.
These are the type of things you'll see in the law - not should I use product X or Y or that AD is okay but XYZ is not...
I don't think he was suggesting that AD was required itself. Just an "AD like product". But I think it might be a lot less "looking like AD" than people would guess.
-
Also, companies have to make sure they are compliant but it's not until something happens, like a data breach, that the authorities want to check what you have done to be compliant. If they find out that you did in fact not follow the GDPR you risk heavy fines.
This of course makes everyone and their grandma offer products and services and tout their GDRP compliant products.
-
@pete-s said in GDPR Requiring Centralized Password Management:
Also, companies have to make sure they are compliant but it's not until something happens, like a data breach, that the authorities want to check what you have done to be compliant. If they find out that you did in fact not follow the GDPR you risk heavy fines.
This of course makes everyone and their grandma offer products and services and tout their GDRP compliant products.
There is a LOT of money in GDPR FUD these days. Same with HIPAA in the US.
-
This is the GDPR. You can check yourself what it says. It's only 88 pages.
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=ENEvery countries in the European Union are required to make it national law.
-
@pete-s said in GDPR Requiring Centralized Password Management:
This is the GDPR. You can check yourself what it says. It's only 88 pages.
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=ENEvery countries in the European Union are required to make it national law.
Yeah, I've read most of it. But anything 88 pages is long enough to make creating FUD pretty easy to do.
-
@scottalanmiller said in GDPR Requiring Centralized Password Management:
@pete-s said in GDPR Requiring Centralized Password Management:
This is the GDPR. You can check yourself what it says. It's only 88 pages.
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=ENEvery countries in the European Union are required to make it national law.
Yeah, I've read most of it. But anything 88 pages is long enough to make creating FUD pretty easy to do.
Yeah, FUD is how the big boys make their money. If it's not fear, uncertainty and doubt then it's complexity. Make something that could have been simple, as complex and convoluted as possible so that you absolutely need lots of consultants and experts helping you. Which of course the supplier can offer. And finish of the cocktail of deception with a big chunk of vendor lock-in on top.