Two More Ways to Secure Data: Audit Trails and Role-Based Permission
In a previous post, we walked through three key starter questions to ask when it comes to navigating sensitive data security terrain. We called those starter questions because as you can imagine, data security is a deep, complex topic that requires ongoing practice and vigilance. There are two other tactics that come in handy for securing data.
The first is making sure there are user-friendly audit trails. The second is limiting users’ access to different data types using a role-based permission system. We’ll walk through what we mean by both of those concepts using Approvd, a project management tool created at The SilverLogic.
Meet Approvd
Around 2013, after collaborating on projects with several clients who were working with scrappy budgets, we recognized a need to be able to break down projects from phases into features, and allow clients to asynchronously collaborate on and approve work on an extremely granular level. This allowed projects to move forward without a lot of lead time, gave the client what they needed piece by piece, and allowed them to better manage cash flow.
Just like many of our clients, we started off using Google Sheets to go from opportunity to execution, but – besides being difficult to work with on mobile – Sheets was so flexible that the pro became a con: Sheets became a pain to maintain and was vulnerable to mistakes. From there, we, of course, built custom software to address the need.
How Approvd helps us with user-friendly audit trails
First, what are audit trails?
Put simply, these are a record of changes made to something in an application. For example, if you’re asked to sign something in DocuSign, you see your signature and the date in the interface. Elsewhere behind the scenes, there is a changelog that has a date/time stamp with your IP address indicating something happened to a document.
In Approvd, once a client approves a deliverable, the client and Product Owner are emailed with the Acceptance Criteria in place at the time of the approval. Digital signoffs and any comments made are recorded in a log with a user stamp and date/time-stamp. Additionally, there is a version control log that tracks the history of each issue, edit-by-edit.
Great, so what does this have to do with data security?
When you have a log of every action taken, you can much more easily audit, for example, suspicious activity. Just like in finance, this ability to inspect helps build trust. For our clients, seeing the audit log meant that if they were ever unsure about a difference in what was estimated (i.e. a feature versus a bug) to what they’re being asked to approve now, they can see the change log in a friendly user interface. Here’s an example:
Getting a proper audit trail system into place is a simple idea, but it’s quite complex to program. Although custom software that includes audit trails can be a large investment, the ability to create and nurture trust with your users – as well as trace suspicious activity back to a particular person or machine – is worth it.
How we manage role-based permissions in Approvd
Okay another tech term: what are role-based permissions?
This term refers to a security model in which an IT or software administrator can restrict or grant access to certain parts of a system or tool based on an employment type, role within an organization, a set of responsibilities. It’s also possible to set role-based permissions on just certain parts, or objects, in an IT system or software tool.
For example, while configuring your email on your work computer, you may have noticed that you bump into certain things you can’t change or click, and an instruction to call your administrator for help. You’ve found a limit to your particular role’s permissions.
In Approvd, for every new project, members can be invited as one of a specific set of roles:
- Analyst
- Client
- Dev
- Owner
- Reporter
- Requestor
As you can imagine, the client role will not be able to do the same things as, say, the Owner or Analyst. Permissions are a standard way to ensure that a business’ data is handled by the right people, with the right skills, at the right time. Much like data security itself, there is a lot more to say about role-based permissions, but for now, we want to make sure you know this is one more way you can design your business operations to protect your data, your clients’ data, and build trust.
Your Turn
We used Approvd as a case to illustrate two more data security tactics because it’s an interesting tool. It’s not strictly a B2B or B2C software application; we use it as an internal business tool but we expose part of it to our clients, aka consumers (the C in B2C).
What other tools have you come across where you’ve noticed (or could imagine) the audit trail or role-based permissions? How does the presence of these two tactics influence your perception of data security?