<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-forward-container">
On 6/9/2019 5:46 PM, Ángel wrote:<br>
<blockquote type="cite">(snip)<br>
Your problem then is that you are dancing at their song.<br>
<br>
You are the one contracting their services. Require that they
authenticate you against your LDAP server. Or that they provide
a way to administratively access their account files read-only.
Or that you can reset their password if needed. Or that they
provide a report of their activity.
Any of them would serve your need, and they aren't weird
requests at all.
Just as you are required to audit your employee action, you can
pass that requirement down to your providers that they provide you
the needed resources for auditing.<br>
</blockquote>
Ángel, I love the idea of making the corporate credit unions,
payroll service, and the others that we need to use change the way
they do things to make them more secure. However, our David $10
million size is not big enough to make the $2-5 billion Goliaths
obey our wishes. We've tried and failed.<br>
<br>
(snip)<br>
<blockquote type="cite">Suppose one of your employees left your
company today (maybe you even fired him and he is willing to
retaliate). Can you administratively avoid that he accesses
those external systems?<br>
<br>
Suppose someone accidentally published his/her credentials for
one of those systems. Can they be replaced?<br>
<br>
I think you will be able to see how "no administrative action
allowed" can be problematic.<br>
</blockquote>
You are quite correct that "no administrative action allowed" is
very problematic. What ability we do have is to lock that user
name and password so it cannot be used. With some providers we
then have to go through a long process to create a new user name
access because they delete the old one. This can be a real pain
because we have to lock access whenever someone leaves for a
while, pregnancy, illness lengths. In one situation we can get the
data copied over to a new access point with the username and
password under the control of the manager/assistant manager but
then moving it back to the worker when they return costs again.<br>
<br>
(snip)<br>
<blockquote type="cite">Try at least to do so on your own systems,
and slowly reduce the usage of external passwords that need to be
shared.<br>
</blockquote>
We do not have a system that can handle the finances the way we
are required by law to do. We are not rich enough to pay for the
required system as our net "profit" per year is typically less
than $65 k per year. Our total reserve assets are just over $1
million and that is needed to cover bad loans that happen when the
job market crashes.<br>
<br>
Best Wishes,<br>
<br>
Allen<br>
<br>
</div>
</body>
</html>