Question
I would like to log the following in my telemetry for diagnostic and usage purposes:
- Azure Subscription ID
- AAD Tenant ID
- AAD App Client ID
Should I treat them as secrets/PII and hash/encrypt them?
(it goes without saying I will not be retaining the client secret in any way shape or form)
Answer 1:
Ultimately, you should determine what to log and how, from a compliance/privacy/security perspective, based on official and compliance/privacy/security reviews and certifications within your company or by 3rd parties.
That disclaimer aside:
- Tenant ID and App Client ID aren't generally considered PII nor secrets.
  - Not PII because, by themselves, they won't tell you who the user is.
  - Not secrets because they are very easy to obtain. Anyone attempting to log in to your application will be exposed to these as they are included in the authorization request.
- Azure Subscription ID isn't generally considered PII, though depending on your sensitivity, it could be considered a secret.
  - Not PII because, by itself, it doesn't tell you who the user is.
  - Could be a secret because it's not easily available publicly to everyone. Could be considered NOT a secret because nothing can be done with it without also having a token from an authorized user or application.
Do note that some companies and privacy reviews often consider these 3 data points as Organization Identifiable Information (OII) and sometimes have policies for handling those (less stringent than PII though).
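One way to turn the classification above into a telemetry filter, as an added example that is not part of the original answer: tenant and client IDs pass through unchanged, the subscription ID is replaced by a keyed HMAC pseudonym when the organisation treats it as secret (still stable enough to correlate events, but not reversible), and any field whose name looks like a credential is dropped. The key value and field names are constructed assumptions; in practice the key would come from a secret store.

```python
import hmac
import hashlib
import uuid

# Constructed per-deployment pseudonymisation key (assumption: in a real
# service this is loaded from a secret store, never hard-coded).
PSEUDONYM_KEY = b"constructed-example-key-rotate-me"

# Any field whose name contains one of these never reaches the log.
REDACT_MARKERS = ("secret", "password", "token")


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way pseudonym: stable for correlation, not reversible,
    and not guessable from a list of known GUIDs without the key."""
    return hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()[:32]


def is_guid(value) -> bool:
    """True if the value parses as a GUID/UUID (Azure IDs are GUIDs)."""
    try:
        uuid.UUID(str(value))
        return True
    except (ValueError, TypeError):
        return False


def build_telemetry(event: dict, subscription_is_secret: bool = True) -> dict:
    """Apply the answer's classification to a raw event dict.

    tenant_id / client_id : not PII, not secret -> logged as-is
    subscription_id       : OII, possibly secret -> keyed pseudonym when the
                            organisation classifies it as secret
    credential-like keys  : dropped entirely (client secret never logged)
    """
    out = {}
    for name, value in event.items():
        lowered = name.lower()
        if any(marker in lowered for marker in REDACT_MARKERS):
            continue
        if lowered in ("tenant_id", "client_id"):
            out[name] = value if is_guid(value) else "<invalid-guid>"
        elif lowered == "subscription_id":
            if not is_guid(value):
                out[name] = "<invalid-guid>"
            else:
                out[name] = pseudonymise(value) if subscription_is_secret else value
        else:
            out[name] = value
    return out
```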
Source: https://stackoverflow.com/questions/45661109/are-azure-subscription-id-aad-tenant-id-and-aad-app-client-id-considered-secre