GDPR Requiring Centralized Password Management
-
@carnival-boy The basis of it is regarding personal data, but the outer layer is prevention, how are you protecting this personal data.
-
@stuartjordan said in GDPR Requiring Centralized Password Management:
@carnival-boy The basis of it is regarding personal data, but the outer layer is prevention, how are you protecting this personal data.
But you can protect equally without central management. Doesn't seem to fit.
-
@scottalanmiller Most consultants I work with don't know how to use automation tools like puppet, ansible etc.
I agree if you have an RMM tool, this could possibly work. -
@stuartjordan said in GDPR Requiring Centralized Password Management:
@scottalanmiller Most consultants I work with don't know how to use automation tools like puppet, ansible etc.
Sure, but there is a REALLY simple answer there... don't work with consultants who lack the skills to do their jobs proficiently. Using AD as a crutch because "the consultants we hire only use expensive tools because they aren't qualified to find and use the best tools for us" is a very bad reason to use it.
Not that AD is bad, it's not, it's great. But using AD because the person advising lacks the skills to give advice is a horrible reason to end up with it.
-
@stuartjordan said in GDPR Requiring Centralized Password Management:
@carnival-boy The basis of it is regarding personal data, but the outer layer is prevention, how are you protecting this personal data.
Maybe. But AD is GDPR compliant. It's a secure system, designed with security in mind, at least as far as GDPR is concerned. Using Post-It notes for password management might break GDPR regulations, AD won't.
-
@carnival-boy This is what I'm stating, using AD for GDPR compliance
-
@carnival-boy said in GDPR Requiring Centralized Password Management:
@stuartjordan said in GDPR Requiring Centralized Password Management:
@carnival-boy The basis of it is regarding personal data, but the outer layer is prevention, how are you protecting this personal data.
Maybe. But AD is GDPR compliant. It's a secure system, designed with security in mind, at least as far as GDPR is concerned. Using Post-It notes for password management might break GDPR regulations, AD won't.
He's not saying that AD is a problem, but the solution. My point is that AD is secure, but no more secure than not using AD. AD adds ease of use, but always adds some tiny risk.
-
@dustinb3403 said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
I don't understand what user/password management has to do with GDPR. My understanding of GDPR is that relates to restrictions on personal data held by companies,
and rules on reporting data breaches to authorities in a timely manner. Neither of these seem to relate to AD or similar services? AD doesn't even generally hold personal data.First and Last name of a person is personal data. But so is an email address, birthday, sex, sexual orientation etc.
Don't store sexual orientation in AD. Have processes to remove accounts for ex-employees in a timely manner. Job done.
-
@carnival-boy said in GDPR Requiring Centralized Password Management:
@dustinb3403 said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
I don't understand what user/password management has to do with GDPR. My understanding of GDPR is that relates to restrictions on personal data held by companies,
and rules on reporting data breaches to authorities in a timely manner. Neither of these seem to relate to AD or similar services? AD doesn't even generally hold personal data.First and Last name of a person is personal data. But so is an email address, birthday, sex, sexual orientation etc.
Don't store sexual orientation in AD. Have processes to remove accounts for ex-employees in a timely manner. Job done.
I don't think anyone actually thinks AD is a problem. The question is just "how much of a requirement is it"?
-
@carnival-boy said in GDPR Requiring Centralized Password Management:
@dustinb3403 said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
I don't understand what user/password management has to do with GDPR. My understanding of GDPR is that relates to restrictions on personal data held by companies,
and rules on reporting data breaches to authorities in a timely manner. Neither of these seem to relate to AD or similar services? AD doesn't even generally hold personal data.First and Last name of a person is personal data. But so is an email address, birthday, sex, sexual orientation etc.
Don't store sexual orientation in AD. Have processes to remove accounts for ex-employees in a timely manner. Job done.
storing sexual orientation in AD would be a bit weird lol...
-
@stuartjordan said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
@dustinb3403 said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
I don't understand what user/password management has to do with GDPR. My understanding of GDPR is that relates to restrictions on personal data held by companies,
and rules on reporting data breaches to authorities in a timely manner. Neither of these seem to relate to AD or similar services? AD doesn't even generally hold personal data.First and Last name of a person is personal data. But so is an email address, birthday, sex, sexual orientation etc.
Don't store sexual orientation in AD. Have processes to remove accounts for ex-employees in a timely manner. Job done.
storing sexual orientation in AD would be a bit weird lol...
Storing it anywhere would be pretty weird.
-
@scottalanmiller said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
@dustinb3403 said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
I don't understand what user/password management has to do with GDPR. My understanding of GDPR is that relates to restrictions on personal data held by companies,
and rules on reporting data breaches to authorities in a timely manner. Neither of these seem to relate to AD or similar services? AD doesn't even generally hold personal data.First and Last name of a person is personal data. But so is an email address, birthday, sex, sexual orientation etc.
Don't store sexual orientation in AD. Have processes to remove accounts for ex-employees in a timely manner. Job done.
I don't think anyone actually thinks AD is a problem. The question is just "how much of a requirement is it"?
Sure. I understand. But I think any standard, encrypted credentials management system is GDPR compliant. So Workgroups are fine.
-
@carnival-boy Only if you have some kind of password policy automation in place, like Scott has stated, using tools like puppet.
-
This steps into the Devops kind of arena I personally think though.
-
I think a better question is why is AD the only point of scrutiny being discussed here? What about the plethora of HRM software that integrates with multiple tools.
Allowing HR personal to enter pii data and automating their account creation? Personally I'd prefer if HR managed account creation and closure, only having IT intervene to fix problems.
-
@carnival-boy said in GDPR Requiring Centralized Password Management:
@scottalanmiller said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
@dustinb3403 said in GDPR Requiring Centralized Password Management:
@carnival-boy said in GDPR Requiring Centralized Password Management:
I don't understand what user/password management has to do with GDPR. My understanding of GDPR is that relates to restrictions on personal data held by companies,
and rules on reporting data breaches to authorities in a timely manner. Neither of these seem to relate to AD or similar services? AD doesn't even generally hold personal data.First and Last name of a person is personal data. But so is an email address, birthday, sex, sexual orientation etc.
Don't store sexual orientation in AD. Have processes to remove accounts for ex-employees in a timely manner. Job done.
I don't think anyone actually thinks AD is a problem. The question is just "how much of a requirement is it"?
Sure. I understand. But I think any standard, encrypted credentials management system is GDPR compliant. So Workgroups are fine.
That's exactly what I was thinking. Microsoft is careful that the "default" is quite secure. Would be weird if Windows wasn't GDPR compliant without an add-on!
-
@stuartjordan said in GDPR Requiring Centralized Password Management:
@carnival-boy Only if you have some kind of password policy automation in place, like Scott has stated, using tools like puppet.
Is that true? Because US Federal recommendations on password policy aren't aided by AD. So what is considered "industry standard good policy" is also what you get with "no policy". So even free extra tools aren't necessary.
-
@stuartjordan said in GDPR Requiring Centralized Password Management:
This steps into the Devops kind of arena I personally think though.
Sure, but if you consider Devops the baseline (it isn't but only because people haven't adjusted yet) then recommending AD would equally be seen as crossing into the snowflake arena. Both are "adding an outside component" to manage something, just one in a snowflake model, one in a devops model. Have to choose, and one choice isn't default and one weird.
-
@dustinb3403 I agree with this, I've seen one type of HR software copying data from one program to another using plain text files, might as well not of even had passwords on the software login screen.
I've got a client that I've warned, that has POS program that writes data to an access backend database with the access database fully open... I stated to him as well, might as well not have a login screen for the POS software. I've emailed his software developer and asked him to sort this out.
-
@dustinb3403 said in GDPR Requiring Centralized Password Management:
I think a better question is why is AD the only point of scrutiny being discussed here? What about the plethora of HRM software that integrates with multiple tools.
Because it's what we are concerned about. What does the GDPR force us to do in terms of password management, and does it create risk and cost we aren't thinking about?
