Passwords should be stored encrypted, using two-way encryption so that they can
be unencrypted. Passwords will be sent out to users using unencrypted email.
Although this is a cringe-inducing security faux pas, having a relatively open
security model is absolutely necessary in the fast-paced, unpredictable, fluid,
and dynamic environment of disaster recovery.
Because the extra-system security model is relatively open, the scope of the
system should never extend into areas of Long Term Recovery (LTR) such as case
management, which may require social security numbers, medical information, and
other personal information. The system should always engage in data
minimization practices, and confine itself to stages of disaster recovery that
do not require sensitive combinations of personal information that would create
undue risk to the client's if lost or stolen.
The extra-system security relies on contextual integrity: We must rely upon
users to be responsible with their organizational passwords, and expect that
they'll be passed around in unencrypted email to organizational members.
Experience has shown that this is a reasonable security model given the type of
work the system is designed to do, especially when combined with other security
practices, such as minimal vetting, and fire-walling access to information
based upon organization.
Encrypting passwords while at rest is therefore not a waste of time, because
the at-rest encryption is designed to obviate risks of a different type-- not
social engineering risks, but risks that the technological system will be
overcome by a determined adversary, who would be able to access all plain-text
passwords.
The encryption key should be stored separately and backed up regularly
Original issue reported on code.google.com by v...@aarontitus.net on 1 Jan 2013 at 5:58
Original issue reported on code.google.com by
v...@aarontitus.neton 1 Jan 2013 at 5:58