Published on: 29 July 2021

Usability vs. data protection:
Does authorization management always have to be so complicated?

Mobile working and the increasing networking of company data are making data protection ever more important. At the same time, publicized hacker attacks and data breaches are increasing the pressure on companies. The precautions taken to protect sensitive customer data are becoming stricter and more complicated. However, the more elaborate the measures, the harder it is for employees to comply with them.

Systems should therefore serve a dual purpose: the simpler and more comprehensible the implementation, the more likely it is to actually protect against data leaks and attackers. In most companies, data protection remains the sole responsibility of IT administration, although everyone should think about it and must handle data conscientiously in their daily work.


But which data must be protected?

Every company holds a lot of data: customer data, documented work processes, employee lists and company secrets. Some of this data requires more protection, some less. You should therefore prioritize it. Which data is in daily use, and which should be easily accessible to everyone?

Classifications make it possible to categorize data into different risk levels. Company secrets and personal data, for example, must be protected to a much greater extent than the brand of the office furniture ordered or the slides from the last online conference.

In principle, you should check who needs access to which data. Is the knowledge that can be gained from the data really necessary for an employee's work? The need-to-know principle is suitable for this: only those employees who genuinely need access are granted the corresponding rights.

Usability and data protection

In the case of highly sensitive data, you should also check whether a specific protection directive has been issued for it.

In order to protect data, this restriction of usage rights is unavoidable and is therefore implemented in almost all organizations. However, this very fact often complicates employees' work processes: if authorizations are missing, the first step is to go through the IT department. The IT department in turn must first determine who in the specialist departments is responsible for the data. At the same time, there is a lack of transparency as to who is authorized for what.

As a result, authorizations are quickly assigned according to the scattergun principle, data is copied to public areas, and the revocation of rights that are no longer required is often neglected. Recertifications recommended by auditors, in which data controllers have to check the rights situation at regular intervals, often mean frustration due to additional work and mountains of paper full of complex authorization matrices.

Good to know

As the automated and secure self-service solution for authorization and identity management, the BAYOOSOFT Access Manager relies on the three building blocks of self-service, automation and monitoring and thus allows usability in these processes to be significantly increased.

How can the complexity be mastered?

Those who assign authorizations according to the need-to-know principle run a significantly lower data protection risk. It is advisable to proceed as transparently and intuitively as possible: with a self-service and automated implementation approach, these processes can be placed in the hands of the users and carried out without IT administration. If authorizations are missing, they can be requested from the data controllers in an easy-to-understand manner and without technical details. Once approved, the changes are automatically implemented in the target system.

Data- and user-centered evaluations enable a transparent presentation for non-technical staff. The use of time limits and the regular review of authorizations prevent an uncontrolled spread of authorizations and help you to meet the applicable legal requirements.
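The workflow described in the two paragraphs above (request by the user, approval by the data controller rather than IT, automatic implementation, time-limited grants, periodic review) can be modelled in a few lines. The following is an added illustration written for this article, not BAYOOSOFT code; the resource names, risk levels, lifetimes and user names are constructed for the example, and the "target system" is simply the in-memory grant list.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy: maximum lifetime of a grant per risk level. The more
# sensitive the data, the sooner the data controller has to re-confirm
# the need-to-know (values are illustrative, not from the article).
MAX_LIFETIME = {
    "public": timedelta(days=365),
    "internal": timedelta(days=180),
    "confidential": timedelta(days=90),
    "secret": timedelta(days=30),
}


@dataclass
class Resource:
    name: str
    classification: str  # one of the MAX_LIFETIME keys
    owner: str           # data controller in the specialist department, not IT


@dataclass
class AccessRequest:
    user: str
    resource: str
    justification: str   # plain-language reason, no technical details needed


@dataclass
class Grant:
    user: str
    resource: str
    approved_by: str
    granted_at: datetime
    expires_at: datetime
    justification: str
    revoked: bool = False


class AccessManager:
    """Self-service request, owner approval, time-boxed grants, recertification."""

    def __init__(self, resources):
        self.resources = {r.name: r for r in resources}
        self.pending = []   # open requests waiting for the data controller
        self.grants = []    # the 'target system' state in this toy model

    def request(self, user, resource, justification):
        if resource not in self.resources:
            raise KeyError(f"unknown resource {resource!r}")
        req = AccessRequest(user, resource, justification)
        self.pending.append(req)
        return req

    def approve(self, req, approver, now):
        # Only the data controller may approve; IT is not in the loop.
        res = self.resources[req.resource]
        if approver != res.owner:
            raise PermissionError(f"{approver} is not the data controller for {res.name}")
        self.pending.remove(req)
        # Every grant carries an expiry derived from the data's risk level.
        grant = Grant(req.user, req.resource, approver, now,
                      now + MAX_LIFETIME[res.classification], req.justification)
        self.grants.append(grant)
        return grant

    def has_access(self, user, resource, now):
        # Expired or revoked grants never count, even before the cleanup job ran.
        return any(g.user == user and g.resource == resource
                   and not g.revoked and g.expires_at > now
                   for g in self.grants)

    def revoke_expired(self, now):
        # Periodic job: remove rights that are no longer valid instead of
        # relying on someone remembering to do it.
        expired = [g for g in self.grants if not g.revoked and g.expires_at <= now]
        for g in expired:
            g.revoked = True
        return expired

    def recertification_report(self, now, horizon=timedelta(days=14)):
        # Group grants expiring within `horizon` by data controller, so each
        # owner sees only the rights they have to confirm or let lapse.
        report = {}
        for g in self.grants:
            if g.revoked or g.expires_at > now + horizon:
                continue
            report.setdefault(self.resources[g.resource].owner, []).append(g)
        return report


def demo():
    """Run the workflow on constructed data and return the observable results."""
    mgr = AccessManager([Resource("hr-salaries", "confidential", "hr-lead"),
                         Resource("lunch-menu", "public", "office")])
    t0 = datetime(2021, 7, 29)
    req = mgr.request("alice", "hr-salaries", "payroll reconciliation for Q3")
    try:
        mgr.approve(req, "it-admin", t0)   # IT is not the data controller
        it_blocked = False
    except PermissionError:
        it_blocked = True
    mgr.approve(req, "hr-lead", t0)
    return {
        "it_blocked": it_blocked,
        "access_day_10": mgr.has_access("alice", "hr-salaries", t0 + timedelta(days=10)),
        "access_day_91": mgr.has_access("alice", "hr-salaries", t0 + timedelta(days=91)),
        "due_for_review_day_80": [g.user for g in
                                  mgr.recertification_report(t0 + timedelta(days=80)).get("hr-lead", [])],
        "revoked_day_91": len(mgr.revoke_expired(t0 + timedelta(days=91))),
        "pending_left": len(mgr.pending),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is where the decisions sit: approval is tied to the resource's owner, expiry is derived from the classification rather than chosen ad hoc, and `has_access` checks the expiry itself so a missed cleanup run cannot silently extend a right.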

Each access authorization also statistically increases the risk of a successful cyberattack from outside, and this risk can be reduced by keeping the number of authorizations under control. Automating authorization management creates security and minimizes the risk of data leaks. At the same time, usability increases because employees are involved in the process transparently and intuitively.

This is how we support you

With BAYOOSOFT Themis, you can digitize linked processes and sustainably reduce documentation costs while minimizing redundant data. This allows you to keep track of your required evidence and documents when it comes to performance evaluation and thus comply with the regulations.

BAYOOSOFT Themis

Is your company looking for a strong partner for management software solutions?

Contact us now and we will introduce you to our products without obligation.

