When Apple and the FBI squared off this year over the unlocking of a smart phone, ordinary citizens became aware of an issue that those of us in the security industry have been dealing with for a long time. Namely, they began thinking about the balance between security and privacy.
Physical access control, automatic license plate recognition (ALPR), and video surveillance systems help keep our buildings, assets, communities, and people secure. One of the ways they do this is by collecting and storing data relating to users' identities, where people are, where they're going, and what they're doing. This data is invaluable when it comes to preventing or prosecuting illegal or threatening behavior, but what about the data collected on people just going about their daily lives?
Privacy is important. After all, we don't want just anyone to have access to our activities or identifying information. We want to be sure that data collected about us is secure. As municipalities, corporations, data centers, and highly regulated institutions like hospitals share video and other data with law enforcement, concerns about the security of our data, particularly as it relates to privacy, are rising.
And, when it comes to protecting our data, we can't just focus on threats coming from the outside. With the increased integration and collaboration between systems, there are more entities than ever interacting with our security systems and accessing privileged data. In addition to protecting access through proper authentication mechanisms, we need to ensure that we can control who sees our data and what they can do with it.
We have already discussed how encryption keeps data from being deciphered by unauthorized entities and how authentication makes sure that everyone accessing the system is who they claim to be. Now we're going to look at how authorization helps protect privacy by clearly defining how authorized personnel are given access to specific data and whether they can modify that data or system behavior.
What Is Authorization?
Authorization is the function that enables security system administrators to specify user (operator) access rights and privileges. Specifically, administrators restrict the scope of activity by:
- giving access rights to groups or individuals for resources, data, or applications
- defining what users can do with these resources.
When it comes to video footage, the ability to restrict activity and access is extremely important. Access to recorded or streamed video must be highly secure and protected to ensure privacy.
Authorization Within Security Systems
To protect the data in a security system, administrators should be able to, among other things, implement detailed user access privileges, select the information that can be shared internally with partners and authorities, and control how long data is kept. Logical partitions and privileges are just two mechanisms that make this possible.
By configuring logical partitions, administrators determine whether one or more users can actually view specific data like recorded video. If the user is not granted access to a partition, he or she will not be able to view archived video located within that partition.
The next step is to define a user's privileges. For example, although a user can view archived video, his or her privileges will determine whether he or she can export, modify, or delete that video. This ensures that recordings can only be managed by those investigators with sufficient access rights. This mitigates the risk of evidence being sent to unauthorized parties.
And, to further eliminate human error, organizations can use an LDAP server, like Microsoft Active Directory, to automatically add and remove security user accounts, grant access rights, or remove users when they are no longer working with the organization.
When administrators manage what their personnel can see and do, they are ensuring the security of the data transmitted and stored within their security system. This not only increases the security of the system as a whole, but it also enhances the security of other systems connected to it.
To sum up what we know about the security of our security, read the last post of our blog series on the topic.