Are Azure Subscription ID, AAD Tenant ID, and AAD App Client ID considered secret/PII?

安稳与你 提交于 2020-01-22 09:47:27

问题


I would like to log the following in my telemetry for diagnostic and usage purposes:

  • Azure Subscription ID
  • AAD Tenant ID
  • AAD App Client ID

Should I treat them as secrets/PII and hash/encrypt them?

(it goes without saying I will not be retaining the client secret in any way shape or form)


回答1:


Ultimately, you should determine what to log and how, from a compliance/privacy/security perspective, based on official and compliance/privacy/security reviews and certifications within your company or by 3rd parties.

That disclaimer aside:

  • Tenant ID and App Client ID aren't generally considered PII nor secrets.
    • Not PII because, by themselves, they won't tell you who the user is.
    • Not secrets because they are very easy to obtain. Anyone attempting to log in to your application will be exposed to these as they are included in the authorization request.
  • Azure Subscription ID isn't generally considered PII though depending on your sensitivity, could be considered a secret
    • Not PII because, by itself, it doesn't tell you who the user is.
    • Could be a secret because it's not easily available publicly to everyone. Could be considered NOT a secret because nothing can be done with it without also having a token from an authorized user or application.

Do note that some companies and privacy reviews often consider these 3 data points as Organization Identifiable Information (OII) and sometimes have policies for handling those (less stringent that PII though).



来源:https://stackoverflow.com/questions/45661109/are-azure-subscription-id-aad-tenant-id-and-aad-app-client-id-considered-secre

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!