"The tool is so intuitive – I think you can show most data controllers how it works in ten minutes."
The question posed by employees at the branch touched on a sensitive issue: Who is able to view our payslips and the logs of our performance reviews in the central file system? The IT staff at Deutsche Flugsicherung (DFS), based in Langen near Frankfurt, looked long and hard to find the exact answer. The plethora of rules on data access were hidden too deeply within the system, Jörg Kundler says. As Head of Business IT, he oversees all computer systems at DFS that are not directly involved in flight operations. The IT department decided to simplify and decentralise user rights management.
"In future, the respective data controller will be able to display all access rights at the push of a button, and edit them as well", Kundler explains. At present the software, which will also provide these options to average computer users, is being introduced gradually: first for the more IT-savvy group leaders in the hope that their enthusiastic reports will whet the appetites of more sceptical colleagues. Kundler himself has just assumed the responsibility of administering access rights for the roughly 80 employees in his area. If a new colleague requires read or write access, Kundler need only drag the employee's name across the relevant directories, confirm it and type a brief explanation of the change – and he's done. User rights are a fundamental issue when setting up any computer network: Who is allowed to see which sections of the directory tree, who may read the files stored there and who may edit them?
Upon hearing the words "data security", many people think first and foremost of outside threats. However, in about half of the cases where companies have suffered losses inflicted by electronic means, the culprits were their own staff, the "e-crime study 2010" of auditor KPMG found. Data theft headed the hit list.
This problem is exacerbated because many employees are able to access data not just from their desk, but also from home offices and smartphones. Therefore, a restrictive access rights policy is indispensable for information security. Much is at stake: Leaving staff might download customer databases or other company secrets onto a USB stick – their new employer might thank them for it. Brazen employees might even rewrite instructions, and subordinates seeking revenge might manipulate financial statements. In addition, legal consequences loom if a lax assignment of rights infringes statutory provisions, such as those on data protection or bank secrecy. "As much as necessary, as little as possible", is the maxim of the German Federal Office for Information Security on access rights.
For this reason, when changing any rights it is necessary to observe a workflow consisting of application, approval and implementation. The results: waiting times for users, and with 6000 employees throughout Germany lots of tedious routine work for admin staff. Then there are basic weaknesses. Nobody complains of having too many privileges, and so when someone is relocated, for example, it is easy to forget to revoke their access rights. "Interns can be extreme cases, moving from one department to the next and ending up with access to everything," Schanz says. In addition, some directories have been orphaned and nobody feels responsible – such as when projects have been concluded. In mid-2011, Alexander Schanz and his colleagues began the search for software that would solve these problems.
Only German providers were considered: "There are US products, but their background is different", Schanz explains. "They include monitoring employee activities, which is barely compatible with German employment protection legislation." Domestic manufacturers of rights management and provisioning solutions include Beta Systems, Econet, Parks Informatik and Tesis Software. After several product presentations, at the end of 2011 DFS opted for the solution from Protected Networks. List price: 35 euro per administrated user plus 500 euro per fileserver. These rates are similar to those of the competitors. In addition, 20% of the initial cost is charged annually for updates and extensive support. On top of this are the costs for its rollout; Deutsche Flugsicherung remains silent about the exact figure.
So far, about 15 person-days have been incurred. "The project has now reached what is probably the most exciting stage," says Arne Vodegel, account manager at Protected Networks. "The new transparency on rights is something people need to learn to deal with." Customers often subsequently adapt certain structures and processes. Schanz is very pleased with the new solution. "The tool is so intuitive – I think you can show most data controllers how it works in ten minutes." Interns can now be granted access rights that will expire at set times. The programme itself manages technical details such as group memberships and read access for superordinate directories. "Actually, it's us admin staff that experience the most issues with the interface, because we tend to take a very complex approach to access rights."
But the software is not just making administrators happy, as it frees up time for more demanding tasks. The internal audit department is also thrilled, claims Schanz – the programme ensures unambiguous responsibilities while also automatically documenting who accessed which data and when. Ultimately, the tool can even help to optimise structures, as it allows a comparison of the operation methods employed at different locations.