With so much at Stake, It’s Critical Agencies Keep their Digital Content Secure
by Jacob Rosen
posted on 03-19-2015
By John Landwehr, Vice President and Public Sector CTO, Adobe
As government rapidly becomes digital-first, sensitive documents increasingly exist in a digital format. Everything from the federal budget and new bills to social security records with personally identifiable information are stored digitally, with new content being created every day.
“The paper to digital transformation has been very successful for the government for a number of years,” says John Landwehr, vice president and public sector chief technology officer at Adobe. “There’s an increasing amount of digital content, and that content includes everything from privacy-related information from the public to intellectual property and homeland security information.”
That’s why it’s especially important for agencies to know their digital content is secure. Government needs the assurances that files, websites, apps and databases are safe from both internal and external threats.
“A lot has certainly been invested over the years to fortify the perimeter of a lot of organizations, but yet there are still ongoing incidents that take place which could be insider attacks, accidents or a number of different ways that sensitive information gets compromised,” Landwehr says.
With the need for content security more important than ever, we sat down with Landwehr to discuss how agencies can develop comprehensive plans for securing their digital content. Landwehr has extensive experience helping agencies create secure content, and offers insight on how to work with cybersecurity procedures and compliance programs to improve security, efficiency and usability.
Q: In your experience, what steps can agencies take to secure their digital content?
A: I typically talk about the three dimensions of information protection.
The first to mention is an organization has some sort of content management system or repository of electronic documents where they’re, say, managing their forms that they receive. A lot of these systems have access control on them, determining who can open up what folder and view what files over the network. So that’s the first dimension: protections that sharepoint and other kinds of management that systems provide.
But, one of the gaps that remain is that once content leaves that protective folder and goes out to desktop computers or to mobile devices, it’s no longer protected. So that’s where we see the second dimension of technology: rights management, that is able to persistently protect information independent of storage, independent of transport, and after it leaves a protected repository. Anywhere that, say, an electronic form with your personally identifiable information (PII) goes, it always makes sure that only the authorized people can view it. And if the file goes someplace that it shouldn’t, and that person attempts to log in and view the content, even though that file may be on their computer, it won’t open because of the rights management system enforcing access down to that file layer. This is, of course, based on sophisticated encryption technology.
Then the third dimension is being able to look for unusual behavior of protected documents. So, if somebody were to only on average print five documents a day, and one day they printed 500 that could generate an alert. Or let’s say somebody went into the content management system and downloaded 100 forms at once but didn’t view any of them right away—that would seem to indicate that somebody’s trying to take a bunch of documents someplace they shouldn’t. That’s where this third dimension of advanced analytics ties in—to be able to look at current content consumption patterns and discover what may be unusual or suspicious activity.
Q: As agencies increasingly operate across multiple platforms, what can they do to make sure everything’s safe?
A: Digital rights management works across platforms and devices, from servers to desktops, to iPhones and iPods and androids. It runs across platforms independent of storage, transport and device. You can have a file emailed to you that has sensitive content in it, and then that file can be viewed on your tablet, smartphone or desktop. It’s a way of securing content independent of the device.
Q: How should agencies go about combating insider threats?
A: The short answer is that they should look at the three dimensions of information protection. That’s a great way to have a security system that can protect against a variety of concerns—whether it’s accidents or intentional accessing of information. By protecting the content, whatever the content or content type happens to be, you protect it and have a system in place that expands on the capabilities a content management system provides, which is what Adobe does with the Adobe Experience Manager. Then even if the document were to inappropriately go somewhere, it would have extra protections.
Q: A common critique of cybersecurity is that it reduces usability. Would steps should agencies take to ensure that security does not impact productivity?
A: When it comes to securing digital content, if you don’t make it easy, people won’t use it, and that’s not good from a security perspective. That’s also where some automation can help. For example, we can protect the documents in Microsoft Office, as soon as you create a new document. It can automatically have as security policy applied to it limiting access to agency personnel, so even if it were to end up on the Internet, only employees could open it. We can actually automate this as part of increased security and ease of use.
Q: Where do compliance programs like FedRAMP come into all of this?
A: FedRAMP is a great program that’s been put in place to make it easier for agencies to acquire and procure cloud-based solutions, knowing that these solutions have been through a rigorous security process.
As government is looking to utilize more cloud services, they can trust that what they’re buying has undergone significant scrutiny. Compliance programs also provide efficiency for the government, so that each agency buying the same cloud service doesn’t have to redo all the work that’s already been done from a security assessment perspective. It offers significant cost savings and efficiency and the ability to deploy cloud solutions quickly and easily.
Q: Finally, how can agencies prevent threats from becoming crises?
A: It’s important for agencies to know what is sensitive in an organization, know who’s supposed to have access to this information and understand how to protect this information. Having automated systems in place as much as possible helps, and certainly it’s good to have an incident response plan, so that you can gather as much information as possible to confirm what may have happened, what may be affected and who may be affected along the way. The quicker that organizations can move on that information, the better the chance of identifying the issue and being able to correct it as quickly as possible.