Account Sharing

Account Sharing

Summary

Do not share accounts, because:
  1. The one approving MFA is personally liable for the actions of others
  2. It increases the risk for phishing attacks
  3. You are not compliant with your GDPR and ISO27001 requirements
    1. Audit/logging requirements
    2. Ensuring only authorized users have access
  4. It is easy to invite individuals to your workspace (and remove them)

Personally liable

It is possible to get an @mydre.org account created that is not a user account but more like a group account by providing not a user email address but a group email address. However, MFA must be enabled and this is done on the phone of an individual.
The person who approves MFA access becomes liable the moment they press approve.

Increase the risk for phishing attacks

Obtaining a username and password is not too difficult; especially when it is a 'shared account'. Since in a shared account you cannot see who logs in, for all you know a non-authorized person is making an attempt.
The person who approves MFA access becomes liable the moment they press approve.

ISO27001 & GDPR Compliance

Access control and audits are an essential part of ISO27001 & GDPR Compliance.
The benchmark is industry practice and if technical measurements are affordable and workable. From that point of view, anDREa sees no valid case for using a 'group account'; in fact, the MFA makes a group account less workable than an individual account. Since getting an individual @mydre.org is fast, there is no reason not to have it.
Another requirement is that people no longer needing to have access to data, should not have access to the data. This is only possible to guarantee with individual accounts.

Getting an @mydre.org account is easy

To invite a member to a Workspace this requires:
  1. A person mandated to invite people to that Workspace
  2. The invitee must have an @mydre.org username
    1. Getting an @mydr.org username requires submitting a ticket
      1. Any valid email address and having a mobile phone to use 
    2. If needed, the creation can be expedited
    3. Once created, that user can be invited to any of the Workspaces on myDRE.org 

    • Related Articles

    • anDREa FAQ

      First version: 2021-12-09 Last updated: 2024-03-10 Last change: Added Overview Agreements and User Training links Introduction This FAQ is a comprised out of links to other articles related to a particular topic. Contact details Contact information ...
    • A.14.2.1 Secure development policy

      Version: 3.0 Valid until: 2025-04-10 Classification: Low Version Management Version Author(s) Change(s) Date approved 1.0 Stefan van Aalst Edward Robinson Sarang Kulkarni Johanna Hakonen Initiation document 2022-07-07 1.1 Edward Robinson ...
    • Data Protection Impact Assessment (DPIA)

      First version: 2021-05-13 Last updated: 2024-03-07 Last change: Added link to NEN-7510 article. Introduction anDREa is committed to the GDPR. The purpose of this document is to describe anDREa’s Data Protection Impact Assessment (DPIA). The template ...
    • Insights

      You need a code to view details. You might need to log into a Google account (Google policies) If you have, click on the bottom right of the image next to Looker Studio the [ ] to expand full screen.
    • myDRE Insights

      You might need to login with a gmail related account and refresh the page. We can't help it, Google policies. Click bottom right of the image, next to Looker Studio the [ ] to enlarge.