IT Security Case Study – Avoiding Password Sharing
In some offices across the University, people share their NetID passwords so that when someone is sick or on vacation, co-workers can access that person's email or documents to maintain continuity in office operations. The new Electronic Information Security policies clearly state that this should not happen, as it introduces unnecessary risk for both the individual and the University. Here is a fictitious scenario which illustrates the risks, and some alternative arrangements for avoiding or reducing those risks:
Walter was about to leave for vacation and was meeting with Susan to brief her on several things he was working on. He wanted Susan to check his email while he was away because an important invoice had not arrived and needed to be processed right away. The materials associated with that invoice were stored on his hard drive, and Susan also needed access to those materials. Walter wrote his NetID and password on a Post-It note and gave it to Susan. Walter's job requires him to have access to PeopleSoft Finance and PeopleSoft HR, and he had signed a confidentiality agreement which obligated him to not allow others to access those systems and data within them.
What are the risks or problems associated with Walter's approach?
- Many people don't realize that by giving someone else your e-mail password, you are quite literally enabling them to access and use any of the services your NetID has been authorized to use. Queen's has implemented single-sign-on, which means that you use the same password to access many services including Peoplesoft and QShare, and in some cases you are automatically connected to some services having previously entered your password. While single-sign-on is very convenient, your NetID and password are now really like a master key which opens all the doors in a building, whether you intend this or not. Essentially, when you give someone your password, they can quite literally become you.
- It is never a good idea to write your computer account and associated password, or even just your password, on a piece of paper on in an email message. Slips of paper can too easily be misplaced or fall into the wrong hands. Email messages are not a secure way to convey such confidential information.
- Walter was inadvertently violating the Peoplesoft confidentiality agreement he had signed by giving Susan his NetID password.
How could Walter and Susan handle the situation better?
Sharing Access to your Email Inbox
With MS Exchange, the Queen's email and calendaring system for staff and faculty, you can give another Exchange user access to your Inbox, or any other email folder. Before leaving on vacation, Walter can give Susan access to his Inbox by following: Sharing Your Inbox with Someone Else. From her own Exchange account, Susan accesses Walter's Inbox by following: Opening a Folder That Has Been Shared with You. When he returns, Walter has the option of revoking Susan's access to his Inbox or leaving it in place. Susan no longer needs Walter's password to monitor his email.
Most administrative areas and staff with Windows computers are already set up to use Queen's Active Directory (AD) service. Each AD user is allocated their own storage quota, and it is also possible to set up a shared folder which multiple AD users have access to. Walter and Susan can arrange through their ITAdmin Rep to have a Shared Folder implemented in Active Directory for their office. A structure of folders within that Shared Folder can be then established, and any files or all files used by more than one person can be stored there. Susan no longer needs to use Walter's computer, or his password.
For various reasons it really makes sense to store critical files that are sensitive or that others might need to use in a shared folder rather on the hard drive in one computer. With a shared folder, the data is stored in the University's secure Data Centre on servers with multiple layers of protection. The data is automatically backed up, the server software is patched regularly with recent security updates, and it can readily be shared across an office team. With this arrangement, no data is vulnerable or lost if a computer is stolen or damaged in a fire or flood.
Note: There are similar arrangements for those using Macintosh computers or who are more mobile (not connected by a cable to the Queen's network). QShare is a web-based shared files solution used in many departments as a central repository of documents and data. ITServices can help departments set up QShare shared folders space with appropriate permissions for each folder. The department's ITAdmin Rep can contact ITServices to arrange for a consultation or to have Shared folders set up.
Sharing Access to Software
A less common requirement is where one individual has software (e.g. MS Access) installed on their personal computer that others may need to use while he or she is away. It is possible to have such software set up for use by a group, but this requires some discussion and analysis. ITAdmin Reps can contact ITServices to explore this.
In rare circumstances it may become necessary to give your NetID password to another person, such as when you drop your computer off at the IT Support Centre for problem diagnosis or repair. They will need your password to work on your computer. As soon as your computer is returned to you, you should immediately change your password by following: NetID Password Change.