Our auditors have raised concerns that Sage passwords do not meet what they would consider best practice.
Their best practice would be:
Minimum password length of 8 characters
Maximum password age of 60 days
Number of passwords remembered 12 - 24
Some form of complexity requirements on the password e.g. mix of upper and lower case and special characters
Multi or two factor authentication
Their preferred option is the multi factor authentication.
Guest
I think your auditors should be more concerned about the OBDC Widows App.
All SAGE users have ‘granted permissions’ to the SAGE data share folder, meaning raw SAGE data can be accessed via the windows ODBC app using the standard Sage Users Login credentials.
The raw data files can only accessed if the individual has been granted permission to these folders. THIS IS NOT CORECT – ODBC does enforce some access rights, but it only checks the access rights for the first table query. For example, if a user using ODBC query customer data tables, they can then query all other subsequent tables they don't have permissions for i.e. Bank account tables!
The way I see it is that ODBC data tool is no longer fit for purpose. ODBC is called ‘OPEN DATABASE CONNECTIVITY’ which is exactly what it is OPEN.
In this modern data secure age - SAGE should find another secure way to interact with sage data or produce its own secure version of data connector. and and should be developing their own secure version ODBC for data connectivity, which is secure and meets company, corporate and shareholders security needs and expectations.
The very fact that data access can happen outside an API or SDK call is a security and stability risk on its own.
Sage has millions of customers and I wonder how many company directors or shareholders would be happy with the knowledge that staff could with some knowledge, their own basic Sage50 login and a standard windows app could gain full unauthorised access to sage tables containing all company data , including bank balances!