Data Access Controls

Transcript

Hello, my name is Patricia Musomba and welcome to this video. In this topic, we will learn about data access controls.

Access control is a key component of data security. Access controls authenticate and authorize individuals to access the information they are allowed to see and use. Data access controls should be based on the following questions:

1. Who is allowed to view/access this data?
2. Who is allowed to modify the data?
3. Under what circumstances do you deny access to a user with access privileges?

The foundation of data security is Authentication and authorization. Authentication is a way of identifying users to make sure they are who they claim to be, while authorization is the process of establishing a user’s rights or privileges. Authorization usually happens after authentication. The most common means of authentication is by the use of a password and username. For example, in a school, a teacher authenticates themselves or logs into the learning management system using a username and password. After successful authentication, the teacher is given access to the system and can perform various tasks in the system such as creation of course, uploading course materials or updating course content. This is authorization that is what the teacher is allowed to do within the system.

Authentication is achieved through the use of passwords or through biometrics.

Passwords: Passwords are used to prove that an account belongs to you. For all school systems such as learning management systems and student management systems, strong passwords should be used to log in. Strong passwords cannot be compromised easily by attackers. Strong passwords are more than eight characters long, alphanumerical and have special characters. The use of passphrases is encouraged because they are easier to remember. Another recommendation is to enable Two Factor Authentication where more than one authentication factor is used for verification. For example, once a user provides their username and password, for successful login, they also have to provide a code that is usually sent to their mobile phone or email address. This adds another layer of security.

Biometrics: Biometric authentication is a security process that relies on the unique biological characteristics of an individual. This can be implemented through facial recognition, fingerprint scanners, eye scanners or voice recognition.

How can a school implement data access control?

Schools store data both physically and digitally. For protection of physical data such as physical student records, physical security must be enforced. Physical security can be implemented using:

• Visitor management systems
• Badge systems to identify personnel
• Biometric devices to gain access into the premises
• Video surveillance for example through CCTV
• Fences and gates
• Locks
• Security guards
• Motion detectors

To protect digital data, schools can implement logical access controls. Logical access controls are used to restrict access to services and information based on a criterion determined by the administrators. The role of the user is one of the most common criteria used to implement access controls. Role-based access controls provides a user with access to the resources that enable them to perform their duties satisfactorily. For example, the role of a teacher determines what data they need access to. Data access controls are mostly implemented using permissions.

Permissions are the various access rights assigned to different users and groups of users. In an organization, groups can be based on the role of the user. For example, in learning institutions, the following groups exist; teachers, students, suppliers, and support staff. The different groups will have different levels of access in the organization’s network.

When sharing files and documents, it is important to specify the level of access the user has. A user or a group can have the following permissions:

View/Read-only: When this is enabled, the user can only read or view the file, without making any modifications. They can also copy the contents of the file. This type of permission is useful when sharing files that individuals are not allowed to change. For example, when sharing educational notes with students, share them with read-only rights enabled. To enable this on a file, right-click on a file, select ‘Properties’ and tick ‘Read-Only’. Click on ‘Apply’ to effect the changes as shown.

• Another type of permissions is Edit or Write: Users with this level of permission can edit, rename, and move files. This type of file permission is used during collaboration because colleagues can edit or modify the file to add new information or provide feedback. Files without the Read-Only property selected can be edited by others.
• Lastly, we have Execute: This is a permission used mostly with applications. Users with this permission can run a specific program or type of program file. In most organizations, users are restricted from running applications. This is a security measure to prevent them from running potentially harmful software that could have catastrophic effects in the institution’s network.

These permissions also apply when sharing documents on the cloud. Sometimes when collaboration is needed between colleagues, cloud drives can be used to facilitate this. Cloud drives offer additional storage from a cloud provider. These include Google Drive, OneDrive, iCloud and Drop Box. For example, when sharing documents on Google Drive, one can specify the rights each person has to the document. There are two types of permissions, that is Editor and Viewer.

These permissions will allow the owner of a file on the cloud to control what other people can do to the document. This protects against unauthorized access and or modification.

We have come to the end of this video. We learned about data access controls such as the use of passwords, multifactor authentication and permissions. Next, we will explore various data protection techniques.