Data access control: how to keep data safe and users happy at the same time?

According to a 2021 study, a whopping 70% of security professionals are worried about the risks poor access controls can create for organizations, including a gateway to data theft and misuse. Forty percent said they were very or extremely worried of a potential breach as a result of authorization weaknesses. No wonder, considering that nearly the same percentage reported to have experienced such an incident, while double of them struggle with identity and access management.

Why is data access management a key component of organizations’ information security strategy? In this article, we’ll guide you through what exactly data access control is and what it does as well as discuss the opportunities and challenges it holds for CIOs looking to bulletproof their data protection strategies. Plus, how to control data access with maximum security and minimal disruption to end users and everyday business operations.

What is data access control and how does it protect data?

Access control is a method of making sure that users are who they say they are and that they have the right access to company data assets. In other words, as per CSO’s access control definition , it’s “a selective restriction of access to data”, which consists of two key components: authentication and authorization.

Authentication is used to verify that someone is who they claim to be. But that's all it does, explains Daniel Crowley, head of research for IBM’s X-Force Red. To efficiently safeguard data, another security layer, authorization, is needed to determine whether a user should be allowed access.

Whenever a successful data breach occurs, access controls are among the first things that get looked into, says Ted Wagner, CISO at SAP National Security Services, Inc. Whether it’s a single case of accidental sensitive data exposure by an end user or a catalog of security lapses that opens the door to malicious actors such as the infamous Equifax breach .

When not properly implemented or maintained, the “result can be catastrophic”, Wagner warns.

Authorization vs. authentication: definitions, examples and key differences

Access authorization, according to Paul Fortier and Howard Michel’s Computer Systems Performance Evaluation and Prediction, is when the operating system determines that a process has the right to execute on a given system. The most common form of this control is the user name, which users must know and enter to log on to a computer or network.

Boston University brings booking and boarding a plane as an example of what authorization looks like in real life and how it works hand in hand with authentication to ensure maximum security.

Authentication is used when you show your ticket and ID document at the airport so you can check in your bags and get your boarding pass. For this, airport staff needs to make sure that you are indeed who you say you are, plus you have a valid ticket.

Authorization is completed when you show your boarding pass to the flight attendant so you can board the plane you’re supposed to be on. In this case, it’s the flight attendant’s job to grant you access to the plane and the resources the aircraft offers to passengers.

What is unauthorized access?

When a person gains logical or physical access to a network, system, application, data repositories or other resource without permission, it's called unauthorized access. There are several common scenarios where this might occur and none of them are good news for enterprise data security efforts. Unauthorized data access examples can go from someone unlocking a user’s computer by simply guessing their password to multi-channel phishing attacks that require months of preparation.

Data access policies: taxonomy and key considerations

Access policies are high-level requirements that specify how access is managed and who, under what circumstances, may access what information, as defined by the US National Institute of Standards and Technology. According to NIST Special Publication 800-192, such policies can be application-specific or govern user actions within a single unit or the entire organization based on need-to-know, competence, authority, obligation and conflict-of-interest considerations. Whatever the scope of the access controls policy, its provision should be in line with the business objectives, risk tolerance and organizational culture.

Not to mention its regulatory landscape. Some access control requirements are prescribed by international, national, local or industry laws, regulations or standards, such as the GDPR, HIPAA, CCPA or PIPEDA. For example, under the HIPAA minimum necessary standard, covered entities’ policies and procedures must define the people or classes of people within the organization who need access to patients’ protected health information to carry out their jobs, the exact categories or types of protected health information needed as well as the appropriate conditions to such access.

Several types of access control policies exist, falling into one of two categories: discretionary or non-discretionary. The former is primarily associated with identity-based access control methods, while the latter typically refers to rule-based access control examples.

RBAC, DAC, MAC: three main types of access control, explained

1. Role-based access control (RBAC)

This access control mechanism is widely used to restrict system and resource access based on individuals’ and groups’ roles and responsibilities rather than their identities. The model builds on a complex structure of role assignments, role authorizations, and role permissions developed using role engineering, TechTarget explains.

Using this approach, you can prescribe, for example, that confidential personnel files containing employee medical records, background check findings, form I-9s, and so on should only be available to HR staff, while making sure that attendance sheets and performance reviews remain readily available to team supervisors.

2. Discretionary access control (DAC)

In this case, the file owners or system administrators define who can have what level of access to their resources on an individual basis. Meaning that it’s up to the owner’s or administrator’s discretion who has permission to read, write, and share files. While being widely used in commercial and government sectors, it’s often criticized for its lack of central control, vulnerability to Trojan attacks, and transitive read access.

3. Mandatory access control (MAC)

A nondiscretionary type of access control, MAC relies on a central authority to give or deny access to data or network resources based on the information security clearance of the user or device that attempts to access it. This means that a user might not have permission to modify a file just because they’re the owner of it. Widely used by government and military bodies, MAC poses a stark contrast to the user-centric approach of DAC. Here, access criteria are defined by the system administrator and enforced by the operating system or security kernel.

The single biggest challenge of data access control – and how to overcome it

Once you’ve decided which route to take in setting up enterprise access controls, there’s one more factor you should definitely consider if you want to make your data protection strategy a success. That is, striking a balance between your obligation to safeguard company data assets and data consumers’ expectation to easily access and use them, whenever and wherever needed. The bad news is there’s no one-size-fits-all solution to configuring controls. The good news? There are some tried-and-tested data access control practices and principles that can help you get started.

● Use the principle of least privilege (POLP)

When you grant access based on the principle of least privilege, you only give people the minimum permission that's necessary for them to do their job. This may sound Draconian at first but if users are also given the opportunity to request access as needed, you can tweak data access controls over time to better fit organizational and staff needs and accommodate new ones.

● Monitor, monitor and monitor some more

"If people know their activity is being tracked, they're less likely to do something,” Symark’s Ellen Libenson told ESJ. Translation: audit all access on a regular basis and remind employees that their network activity is being logged and analyzed at all times. When deciding how often you should pencil in user access reviews, factor in network traffic, review scopes, and access-related risks levels.

● Even better: automate it all

Data access management isn't a one-and-done endeavor. Nor should it be a one-person show, especially for organizations with thousands of employees. Access control technology solutions can make a real difference here, allowing administrators to automate access provisioning, set up and enforce security policies, including strong authentication, and track device and user activity in one place.

Data access control in the cloud: how Tresorit's solution can help

Protect your company’s data when sharing files inside or outside your organization – and keep your assets in sight long after they’ve been shared. An end-to-end encrypted content collaboration platform, Tresorit empowers you to:

● Maximize productivity and security at the same time

Exchange files securely with external collaborators, including clients and vendors, using encrypted links. Ultra-secure share links enable zero-knowledge, end-to-end encrypted document and folder sharing with anyone in just a few clicks or taps, even if they don’t have a Tresorit account.

● Prevent data breaches due to human error and malicious attacks

Apply policy templates, including 2-step verification, IP filtering, timeout policies, and sharing policies, to a set of users, create different policies for each template and modify these policies at any moment through a single interface. Disable downloads or add watermarks to protect highly sensitive data.

● Empower your people to work securely anywhere, anytime

No matter where and when they work, team members can access the latest file versions on all mobile devices, mark files as ‘editing’, and save files for offline use. You can also decide which devices are allowed to access which files and from where users are allowed to log in to safeguard business-critical documents.

● Encrypt emails automatically in Outlook

Enable your teams to work efficiently and send encrypted emails with Tresorit Email encryption. The add-on offers a fast and easy way for users to protect their emails and replace risky email attachments with encrypted share links and password-protected files in a single click – or less.

Intrigued? Find out how your organization can benefit from Tresorit’s most-loved access control functions and newest features, including:

● Account transfer – If you’ve set up a new Tresorit account with an email address, you can easily transfer your old account to the new one.
● Folder takeover – Off-boarding and data takeover processes made faster and smoother for administrators when it comes to transferring data ownership.
● SIEM integration – Use Tresorit with Microsoft Sentinel, Splunk and other SIEM solutions without any hiccups to improve compliance and risk management.
● Feedback-sharing – Have an idea how we could make Tresorit better? Request a feature or share your thoughts with us using the Admin Center’s Roadmap feature.