I am having to entertain allowing personal credentials to be stored in the corp browser password manager. The argument is providing a secure solution is better than.... and that's about where the justification ends. My belief is that personal use computing such as browsing away or logging into personal accounts should be prohibited on corporate-issued equipment. One justification I have for this is data exfil either through screen scraping or the ability for a user to upload files in browser to a non-corporate data store. Storing a personal credential doesn't necessarily enable exfil but it is a means to an end.
I am looking for what is generally allowed or disallowed in your corp computing environment for personal password storage.
So I work for a fairly large organization (300K+ folks).
We do not allow the use of personal accounts (i.e. Hotmail, gmail, yahoo, etc.). These are blocked using our Web filtering tools.
I personally believe that allowing personal accounts to be used on corporate systems is like leaving the barn door open.
And my boss pays me to be paranoid, so here goes:
1. What happens to personal accounts if someone leaves? Are they erased? Do you know all of them? Are they easily identifiable?
2. What mechanisms are in place to stop users from transferring corporate data using those personal accounts?
3. What if the personal account is "hacked" by a third party? What happens to your systems?
So I am saying I would not allow it due to the risk they introduce into your environment.
Look forward to what others say.
d
Storing passwords in password managers is a very good idea. Mixing personal and business not-so-much.
My employer takes the stance that we need to help the employees protect their own data just as much as we charge them with protecting corporate data. Part of this is strategy -- they want to protect their own bank account and hopefully, they can leverage that motivation into protecting corporate data.
As such, my suggestion is that when selecting a corporate password manager, make sure that they allow the users to have a personal vault in addition to accessing the corporate vault. And, discuss the "separation plan" with the vendor. I am aware of a vault vendor that even gives the former employee a complimentary license for the remainder of the year.
One other detail to throw into the mix: the employee's individual AD account. It is a weird mix between belonging to the company and belonging to the employee. On one hand, the employer has an absolute right to take it away (which should be done administratively), but at the same time, you do not want it in a password manager accessible by other employees/admins, as that risks non-repudiation.