[Cryptography] Fwd: Re: A two key file/program

Allen Schaaf netsecurity at sound-by-design.com
Fri Jun 14 01:41:18 EDT 2019

On 6/9/2019 5:46 PM, Ángel wrote:
> (snip)
> Your problem then is that you are dancing at their song.
> You are the one contracting their services. Require that they
> authenticate you against your LDAP server. Or that they provide
> a way to administratively access their account files read-only.
> Or that you can reset their password if needed. Or that they
> provide a report of their activity.
> Any of them would serve your need, and they aren't weird
> requests at all.
> Just as you are required to audit your employee action, you can
> pass that requirement down to your providers that they provide
> you the needed resources for auditing.

Ángel, I love the idea of making the corporate credit unions, 
payroll service, and the others that we need to use change the 
way they do things to make them more secure. However, our David 
$10 million size is not big enough to make the $2-5 billion 
Goliaths obey our wishes. We've tried and failed.

> Suppose one of your employees left your company today (maybe
> you even fired him and he is willing to retaliate). Can you
> administratively avoid that he accesses those external systems?
> Suppose someone accidentally published his/her credentials for
> one of those systems. Can they be replaced?
> I think you will be able to see how "no administrative action
> allowed" can be problematic.

You are quite correct that "no administrative action allowed" is 
very problematic. What ability we do have is to lock that user 
name and password so it cannot be used. With some providers we 
then have to go through a long process to create a new user name 
access because they delete the old one. This can be a real pain 
because we have to lock access whenever someone leaves for a 
while, such as for pregnancy or a long illness. In one situation we can get 
the data copied over to a new access point with the username and 
password under the control of the manager/assistant manager, but 
then moving it back to the worker when they return costs again.

> Try at least to do so on your own systems, and slowly reduce
> the usage of external passwords that need to be shared.

We do not have a system that can handle the finances the way we 
are required by law to do. We are not rich enough to pay for the 
required system, as our net "profit" per year is typically less 
than $65k. Our total reserve assets are just over $1 
million, and that is needed to cover bad loans that happen when 
the job market crashes.

Best Wishes,

