The back story to this is that a British politician (Damian Green) is presently in hot water for allegedly accessing porn on his gov PC. U.K> politician https://twitter.com/NadineDorries recently tweeted :
“ Nadine Dorries
✔ @NadineDorries
My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous !!
10:03 PM – Dec 2, 2017 “
So Nadine is implying it could have been someone else on his PC using his identity.
So should politicians share passwords? What are the problems with doing so? So what about your own staff?
Well it seems the practice is widespread -read here for example: https://www.troyhunt.com/the-trouble-with-politicians-sharing-passwords/?utm_source=DBW&utm_medium=pubemail
It’s an interesting read, and certainly points out that the expediency for users to share a workload but it has plenty of downsides in accountability and auditing of actions.
I see little excuse for sharing security credentials in UK government – there are other solutions to handle this issue.
I am more sympathetic in real time environments, like hospitals, where the login process might literally cause a death in the event of a delay.
Authentication aside we often share data among individuals inside of an organization. Outside of sysadmins, not be many people really understand or consider who should have access, let alone who does have access, to some data.
Over time organizations tend to lean towards allowing an ever-growing number of people having access to data in file shares. Knowledge gives power to take decisions- functional silos are out ….but segmentation of duty, compliance, are the other side of the argument. In these days of self serve internet access and social connectedness people expect access to information.
While we might prevent database access and grant/revoke this at times, the output from our systems also often ends up in Excel sheets or other files, fg hard copy print out, and people that do not have direct access still see the data.
People may leave data lying around on desks or tacked to a wall or on printer, or just on screen in an open plan office to be viewed by passers by. Many do not log off or shutdown their pcs at night. Why? They have never been trained or told to do so, and there is no management oversight to enforce it.
The trend to BYOD means data leaves your premises and then you have no control over it. Removable usb devices, 0r just uploads to one drive or emails to a hotmail account are all possible holes in your security defences.
Credentials on a post-it stuck only your monitor? Server rooms that are not locked?
It’s not just your co-workers, but also janitorial staff, tradespeople, and others likely wander regularly through your office spaces.
Security is a tough battle, and most of the time we don’t need much more than good passwords. Most people don’t have the time or inclination to deal with their own data, much less yours. However, when an attack is targeted on your organization, from outside or within, it’s extremely difficult to ensure your data won’t get lost or corrupted.
There is no magic bullet. There are good reasons to limit access to data on our systems, not the least of which is auditing and accountability. Beyond that, inculcate users to exercise judgment about with whom they may share or to whom they expose reports and other data.
