
08 Access Control

Motivation

Research data are among the most valuable resources in science, so great importance is attached to their protection. Data security and access rights in data management should comprise measures to protect against data loss on the one hand and measures to prevent misuse of the data on the other. Sometimes there are sensitive data that must be appropriately protected. These may be personal data as well as data whose protection has been contractually guaranteed (e.g. company secrets, commissioned research). Research results that have not yet been published also require protection.

Data may be protected by means of encryption, backups, storage on trustworthy storage devices and/or by specific regulation of access rights. Usage becomes traceable through the creation and retention of log files. With all security measures, it is vital to ensure that all persons who need the data for their work have access to the data. The regulation of these aspects is particularly relevant in the case of inter-institutional cooperation.

It is useful to set up and document the technical and organizational measures suitable for data security, and to check regularly whether they still meet current requirements.

CC-BY: Data Stewards, Ghent University

Encryption

Physical access to a computer may allow unauthorized access to data; therefore, it might be necessary to encrypt the data. However, this measure only makes sense if all affected data is encrypted, including, in particular, copies and backups. To do this, all parties involved must be aware of the need for encryption and of all storage locations.

It is possible to encrypt selected storage locations or even entire data carriers. Automatic encryption solutions – using programs such as FileVault (OSX), BitLocker (Windows) or dm-crypt (Linux) – are another conceivable option. Containers can also be used for the secure storage of data in case you do not want to encrypt an entire partition. For this purpose, we recommend VeraCrypt.

These programs must be set up for all intended data storage locations. Furthermore, file encryption is an additional protective measure when uploading data into a cloud environment.

Data encryption in the cloud

If you are using a cloud storage system (e.g. UFZ-Nextcloud), the tool Cryptomator encrypts your data locally and uploads it to the cloud automatically. If you work with sensitive data (personal, etc.) in the cloud, we recommend using Cryptomator.

If data is passed on by e-mail, encryption of the e-mail is recommended as well. This prevents unauthorized reading and modification of messages and attachments on their way to the recipient (end-to-end encryption).

E-mail encryption at UFZ

There are basically two recommended options to encrypt your email communication:

Checking the usability

A data backup is only helpful if data recovery is guaranteed. Sometimes files become corrupted and remain defective from then on. Sometimes the copying process itself introduces errors. It's a good idea to test your data recovery at the outset of the backup and at regular intervals to prevent data loss.

In addition to checking for readability, a virus check should also be performed. Otherwise, faulty files may overwrite undamaged backup files.

Password protection and access rights

When dealing with data worthy of protection, secure passwords should be assigned and access should be restricted to the circle of persons directly involved.

A secure password?

  • The longer, the better: it should consist of at least 8 characters.
  • It contains lower- and upper-case letters, as well as special characters and numbers.
  • The characters used should not be next to each other on the keyboard.
  • The password should not appear in dictionaries.
  • Avoid simple passwords: 123456, password, 111111, qwerty, abc123. No names, birthdays, terms from dictionaries, movie characters or license plates (even if written backwards).
  • Adding numbers or special characters to a word does not make a secure password.

A secure password!

Make a sentence you can easily remember, and then make it a password.
Examples (but do not adopt these examples either, even if you really love reggae 😃):

  • My favorite number is 7 and I like cats. -> Mfni7&Ilc
  • I don't like reggae, I love it! -> Idlr,Ili!

The assignment of authorizations determines which persons or groups of persons are allowed to access certain directories and files and with which specific rights. It is possible to assign gradual read and write rights as well as execution rights. Thus, some users only have access to view the data, while others are granted full access to the data. It is important that the assignment is well-thought-out so as not to interfere with the workflow.

If access rights are too lax, people may access sensitive data who should not be able to do so for privacy reasons. If, on the other hand, access rights are granted too restrictively, the FAIR principles are violated and subsequent use is made more difficult or even prevented.
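As an added example (not part of the original guide), the following sketch audits a project directory on a POSIX file system for files and folders that any local user can read or write, then removes the rights of "others" while leaving owner and group rights untouched. The function names, file names and modes are assumptions constructed for this illustration.

```python
import os
import stat
import tempfile


def audit_permissions(root):
    """Return (relative path, mode string, problems) for entries open to 'others'."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not meaningful
            problems = []
            if mode & stat.S_IROTH:
                problems.append("world-readable")
            if mode & stat.S_IWOTH:
                problems.append("world-writable")
            if problems:
                rel = os.path.relpath(path, root)
                findings.append((rel, stat.filemode(mode), problems))
    return sorted(findings)


def revoke_others(root, findings):
    """Clear read/write/execute for 'others' on every reported entry."""
    for rel, _mode, _problems in findings:
        path = os.path.join(root, rel)
        current = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, current & ~stat.S_IRWXO)


def demo():
    """Constructed sample tree; file names and modes are illustrative."""
    samples = [("consent_forms.pdf", 0o640),    # owner rw, group r: acceptable
               ("codebook.txt", 0o644),         # readable by everyone
               ("interviews_raw.csv", 0o666)]   # writable by everyone
    with tempfile.TemporaryDirectory() as root:
        for name, mode in samples:
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        before = audit_permissions(root)
        revoke_others(root, before)
        return before, audit_permissions(root)


if __name__ == "__main__":
    print(demo())
```

Granting access to colleagues then happens through the group bits, so that tightening the rights of "others" does not lock out the people who need the data.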

Recommendations for a jump start


  • Securely communicate with your project partners using email encryption.
  • Use disk or cloud encryption options to protect your data.