Protecting High Value Assets with Data-Centric Security
By John Landwehr, VP and Public Sector CTO
Achieving Defense in Depth by Protecting Data Independent of Storage and Transit
This week, the President directed his Administration to implement a Cybersecurity National Action Plan (CNAP) calling for agencies to take a multi-layered data protection approach to better secure the government’s most sensitive data. A key element of any multi-layered cybersecurity strategy is “data-centric security,” which consists of protecting the native file format itself; this ensures that data remains secure wherever it travels or is stored.
Recent White House cybersecurity policies and congressional legislation support this position by compelling federal agencies to implement capabilities to “protect high value assets and sensitive information” and to “encrypt or otherwise render indecipherable to unauthorized users the data…stored on or transiting agency information systems” within the next year. Section 406 of H.R. 2029, the Cybersecurity Act of 2015, includes “information security management practices” such as “digital rights management” as a capability that federal agencies must report on utilizing “to monitor and detect exfiltration and other threats.”
We agree with OMB and Congress. A systematic approach to data-level protection is critically needed across the federal government to control the distribution and prevent the unauthorized alteration or disclosure of high value assets. Federal agencies need to implement data and document protection capabilities, such as digital rights management (DRM), to safeguard and ensure that all high value documents and digital assets are persistently protected independent of storage and transport. While protection at the network level remains essential, adding protection at the data and document level is critical to achieving defense in depth.
Since 1994, Adobe has been helping customers protect sensitive data and documents. Today, we continue to do so through robust DRM technologies and real-time data analytics that provide detective and preventive controls to help ensure complete document and data security.
Three Aspects of Data-Centric Security with DRM
Adobe DRM solutions provide owners of digital content the ability to dynamically control the use of that content in three ways:
- Authentication—Ensuring only the intended recipient can open and view the content
- Authorization—Defining what the recipient is allowed to do with the content, like printing or copying
- Auditing—Continuously monitoring what the recipient has done with the content
Authentication
Keeping unauthorized users from accessing secure content is the first line of defense in the Adobe DRM solution. Authors associate access control lists (ACLs) with a document to determine who can open and view the content. Access can be based on passwords, public key infrastructure (PKI), single sign-on (SSO) and network address.
Authorization
The second line of defense is proactively restricting what recipients can do with content. For example, the Adobe DRM solution enables authors to set specific permissions for recipients that vary from read-only access to allowing the recipients to print, copy, extract contents, modify the document itself, or even save the document to an independent device and securely access it offline. These controls can be directly linked to enterprise attribute-based access control (ABAC) information associated with recipients.
Authors can also leverage more advanced security features, including:
- Expiration—Setting expiration dates after which the content cannot be opened
- Revocation—Remotely revoking permissions for specific recipients
- Versioning—Specifying and tracking which version of a document a recipient has accessed, and revising or revoking access to older versions, even if they are outside the firewall
- Watermarking—Digitally “watermarking” content so that it is clearly labeled to display specific information, such as the document owner or approval status.
Auditing
The final line of defense is continuous monitoring of information systems for unusual and suspicious activity. With Adobe solutions, agencies can generate reports on how sensitive information is used. If they suspect that someone is using files inappropriately, they can revoke that recipient’s access to the files.
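As an added illustration (not Adobe code, and not a description of how Adobe products are implemented), the following Python models how the three controls above fit into one deny-by-default decision: authentication and the ACL, then revocation, expiration, version and per-action permission, with every decision written to an audit log. The names Policy, decide and flag_recipients, the reason strings and the sample data are all hypothetical, and the threshold-based revocation stands in for an analyst's judgment.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Policy:                      # hypothetical model, one policy per document
    acl: dict                      # recipient -> set of permitted actions
    expires: datetime              # from this instant on, nothing may be opened
    current_version: int           # older copies are treated as superseded
    revoked: set = field(default_factory=set)

def decide(policy, audit_log, recipient, authenticated, action, version, now):
    """Deny-by-default check; every decision, allowed or not, is audited."""
    if not authenticated:
        reason = "unauthenticated"
    elif recipient not in policy.acl:
        reason = "not-on-acl"
    elif recipient in policy.revoked:
        reason = "revoked"
    elif now >= policy.expires:
        reason = "expired"
    elif version < policy.current_version:
        reason = "superseded-version"
    elif action not in policy.acl[recipient]:
        reason = "action-not-permitted"
    else:
        reason = "ok"
    audit_log.append({"time": now.isoformat(), "recipient": recipient,
                      "action": action, "version": version, "reason": reason})
    return reason == "ok"

def flag_recipients(audit_log, threshold):
    """Recipients with at least `threshold` denied requests, for review."""
    denials = Counter(e["recipient"] for e in audit_log if e["reason"] != "ok")
    return sorted(r for r, n in denials.items() if n >= threshold)

def demo():
    # Constructed sample data: names, dates and actions are illustrative only.
    now = datetime(2016, 2, 10, tzinfo=timezone.utc)
    policy = Policy(acl={"alice": {"view", "print"}, "bob": {"view"}},
                    expires=datetime(2016, 3, 1, tzinfo=timezone.utc),
                    current_version=2)
    log = []
    results = [decide(policy, log, "alice", True, "print", 2, now),
               decide(policy, log, "bob", True, "print", 2, now),
               decide(policy, log, "bob", True, "view", 1, now)]
    # Stand-in for an analyst revoking access after reviewing the audit report.
    policy.revoked.update(flag_recipients(log, threshold=2))
    results.append(decide(policy, log, "bob", True, "view", 2, now))
    return results, [e["reason"] for e in log]
```

Because the check runs at open time against current policy, a recipient who held valid access a moment earlier is denied as soon as the revocation is recorded, and the denial itself appears in the audit log.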
Learn more at ADGA
With the continuous rise in the number and sophistication of cyber attacks, federal agencies need to act now to improve protection of sensitive information. Adobe DRM solutions empower federal agencies to use, manage and control sensitive data and apply tailored policies that are designed to enable persistent protection. With Adobe solutions, agencies can control access to high value assets anytime and anywhere, regardless of where the information is stored or how it has been distributed.
If you’d like to learn more, please join us at the 7th Annual Adobe Digital Government Assembly on February 24, 2016 at The Renaissance Hotel Downtown in Washington, D.C.