Cybersecurity is evolving. In government, it’s no longer enough to set up firewalls and defend a perimeter; today, security needs to travel with content and information wherever it may go. This next step in security is commonly referred to as data-centric security. Sensitive content is routinely exchanged between government, industry, and the supply chain – a complicated extranet environment in itself. Security needs to travel with content – from creation, to collaboration, to consumption – in the form of perpetual information protection. Data-centric security should be the default approach in the public sector, especially to protect personally identifiable information (PII) or classified data that will inevitably be on the move in today’s interconnected and mobile world.
However, the journey to complete data-centric security is rigorous and challenging. To simplify this approach, Adobe has identified three key dimensions of data protection. Across these three elements lie the fundamentals of preventative security, detective tools, and continuous monitoring, which help agencies achieve security throughout the content lifecycle. This holistic approach helps organizations meet the policies and objectives set forth in the Cybersecurity National Action Plan (CNAP) and OMB Circular A-130.
To fully enable data-centric security, the organization must ensure security is addressed as part of the creation, storage, collaboration, and consumption processes of the content lifecycle.
- Content Management – Secure digital asset management must be built into applications where content is created for true data-centric security. This means that organizations can minimize threats by using content controls that specify which users, or groups of users, have access to digital objects in the repository. Strong data-centric security and secure content management include the following features and capabilities:
  - Strong authentication – definitively identifying users, their roles, and access rights
  - Metadata – labeling and classifying content to help apply different levels of protection to categories of content types
  - Object level access – defining who can access what content based on assigned permissions
  - Audit logs – providing a detailed record of all user and admin events, tracking internal and external sharing and more to show who is complying with regulations
- Digital Rights Management – While inter-agency information sharing is now mandated, the possibility of intentional or accidental misuse of content distribution is at an all-time high. By employing the tenets of data-centric security, administrators are better able to establish controls, monitor access, and automatically track information as it is shared outside of the organization. The following features put safeguards in place for content wherever it travels, both inside and outside the organization:
  - Persistent protection – enforces access at the file layer
  - Permissions – restricts what a user can do with a piece of content, like saving or printing
  - Revocation – expires and terminates user access after publishing
  - Audit logs – records all valid and invalid access attempts to a piece of content for complete oversight
  - Authentication – allows access to the content based on authentication mechanisms, like username and password or single sign-on (SSO)
- Continuous Monitoring – Continuous monitoring helps to reduce opportunities for insiders to compromise information, either accidentally or purposely. Leveraging the auditing provided through content management and rights management, alerts and automated monitoring can quickly detect violations for swift action. Features of a holistic continuous monitoring approach include:
  - Visualization – shows where documents are opened and accessed
  - Anomalies – points out instances of high downloads, high numbers of files being opened, and high print counts
  - Affinity – associates users with content and alerts admins to anomalies
  - Notifications – provides real-time alerts of unusual activity
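
The anomaly and affinity checks listed above can be sketched as detection logic over one day of audit events. This is an added example, not Adobe's code; the event tuple layout, the baseline and affinity data, the thresholds (`z`, `min_floor`) and all names are constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed baseline: each user's daily count per action over five prior days.
BASELINE = {
    "alice": {"download": [3, 4, 2, 5, 3], "open": [10, 12, 9, 11, 10], "print": [0, 1, 0, 1, 0]},
    "bob": {"download": [1, 2, 1, 1, 2], "open": [6, 5, 7, 6, 5], "print": [2, 1, 2, 2, 1]},
}
# Constructed affinity: the documents each user normally works with.
AFFINITY = {"alice": {"doc-1", "doc-2", "doc-3"}, "bob": {"doc-7", "doc-8"}}
# Constructed audit events for one day: (user, action, document id).
EVENTS = (
    [("alice", "open", "doc-1")] * 8 + [("alice", "download", "doc-2")] * 3
    + [("bob", "download", "doc-7")] * 2 + [("bob", "download", "doc-1")] * 20
    + [("bob", "print", "doc-8")] * 9
)

def detect(events, baseline=BASELINE, affinity=AFFINITY, z=3.0, min_floor=5):
    """Return sorted (user, kind, detail) alerts for one day's audit events."""
    counts, touched = defaultdict(Counter), defaultdict(set)
    for user, action, doc in events:
        counts[user][action] += 1
        touched[user].add(doc)
    alerts = []
    for user, per_action in counts.items():
        hist = baseline.get(user)
        if hist is None:
            # No history to compare against: surface the user instead of skipping.
            alerts.append((user, "unknown_user", "no baseline"))
            continue
        for action, n in per_action.items():
            past = hist.get(action, [0])
            # min_floor keeps a near-zero standard deviation from flagging
            # low-volume users over one or two extra events.
            limit = max(mean(past) + z * pstdev(past), min_floor)
            if n > limit:
                alerts.append((user, f"high_{action}", f"{n} > {limit:.1f}"))
        # Affinity: documents outside the set this user normally works with.
        for doc in sorted(touched[user] - affinity.get(user, set())):
            alerts.append((user, "affinity", doc))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(EVENTS):  # notification step: here, just print
        print(alert)
```
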
By protecting content wherever it lives and travels, agencies can further reduce the risk of unauthorized information sharing. Data-centric security helps administrators know where documents originate and where they should be going, and helps detect where information may be leaking from the enterprise. With data-centric security, organizations are better able to comply with federal policies and effectively protect PII and national security data while also defending intellectual property. For more information on how Adobe helps organizations implement these three dimensions and reach complete data-centric security, download this whitepaper.