Account Sharing
Summary
Do not share accounts, because:
- The one approving MFA is personally liable for the actions of others
- It increases the risk for phishing attacks
- You are not compliant with your GDPR and ISO27001 requirements
- Audit/logging requirements
- Ensuring only authorized users have access
- It is easy to invite individuals to your workspace (and remove them)
Personally liable
It is possible to get an @mydre.org account created that is not a user account but more like a group account by providing not a user email address but a group email address. However, MFA must be enabled and this is done on the phone of an individual.
The person who approves MFA access becomes liable the moment they press approve.
Increase the risk for phishing attacks
Obtaining a username and password is not too difficult; especially when it is a 'shared account'. Since in a shared account you cannot see who logs in, for all you know a non-authorized person is making an attempt.
The person who approves MFA access becomes liable the moment they press approve.
ISO27001 & GDPR Compliance
Access control and audits are an essential part of ISO27001 & GDPR Compliance.
The benchmark is industry practice and if technical measurements are affordable and workable. From that point of view, anDREa sees no valid case for using a 'group account'; in fact, the MFA makes a group account less workable than an individual account. Since getting an individual @mydre.org is fast, there is no reason not to have it.
Another requirement is that people no longer needing to have access to data, should not have access to the data. This is only possible to guarantee with individual accounts.
Getting an @mydre.org account is easy
To invite a member to a Workspace this requires:
- A person mandated to invite people to that Workspace
- The invitee must have an @mydre.org username
- Getting an @mydr.org username requires submitting a ticket
- Any valid email address and having a mobile phone to use
- If needed, the creation can be expedited
- Once created, that user can be invited to any of the Workspaces on myDRE.org
Related Articles
anDREa FAQ
First version: 2021-12-09 Last updated: 2024-03-10 Last change: Added Overview Agreements and User Training links Introduction This FAQ is a comprised out of links to other articles related to a particular topic. Contact details Contact information ...A.14.2.1 Secure development policy
Version: 3.0 Valid until: 2025-04-10 Classification: Low Version Management Version Author(s) Change(s) Date approved 1.0 Stefan van Aalst Edward Robinson Sarang Kulkarni Johanna Hakonen Initiation document 2022-07-07 1.1 Edward Robinson ...Data Protection Impact Assessment (DPIA)
First version: 2021-05-13 Last updated: 2024-03-07 Last change: Added link to NEN-7510 article. Introduction anDREa is committed to the GDPR. The purpose of this document is to describe anDREa’s Data Protection Impact Assessment (DPIA). The template ...Cost analysis export
Introduction As an organization that is customer of anDREa, you would like to have access to the costs that are generated by the resources (VMs, OSDisks etc.) in your subscription. The Cost analysis tab is available in the Azure Portal for ...Who/what is License Administrator / licenseadmin@mydre.org?
From time to time it is important that the VMs are started to fetch and install updates, or add functionality provided by anDREa. The anDREa development team uses an account called License Administrator (with username licenseadmin@mydre.org – this is ...