Securing Digital Content Beyond Your Network by GovLoop

Securing Digital Content Beyond Your Network INDUSTRY PERSPECTIVE

Securing Digital Content Beyond Your Network 1

Executive Summary One of the greatest challenges agencies face in their digital transformation journeys is securing electronic content, particularly sensitive information, in a time of increased cyberthreats.

For agencies trying to thwart these diverse and persistent threats, the road ahead may seem long and difficult. But there are practical steps agencies can implement to enhance their approach to security.

This is a shift in focus for agencies that have previously prioritized securing networks and devices over data. But the old way of operating is no longer tenable. The proliferation of mobile and internet-connected devices has made it easier for employees to access information anytime, anywhere and from any device. These same devices can pose major risks if they’re operating on government networks without first being properly secured and configured.

GovLoop partnered with Adobe to take a deep dive into the challenges and opportunities that agencies face as they look to secure digital content beyond their network. In this report, you’ll hear from Steven Gottwals, Technical Director for Security Solutions at Adobe Federal, as well as Nick Wagner, Information Technology Officer with the International Monetary Fund (IMF), and James Quinn, Lead System Engineer for the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation program, who spoke at the 2017 Adobe Digital Government Symposium.

Ultimately, it’s not the device that hackers are after. They are on the hunt for government data. That is why agencies need a data-centric approach to security that prioritizes the integrity of and access to their data, regardless of where that data is located. It only takes one click on a malicious file to expose your agency’s most valued digital assets to bad actors. But external threats aren’t the only risks that agencies must defend against. Insiders can also misuse their privileged access to IT systems or “accidentally” leak sensitive data for personal use or financial gain.

These technology experts share specific case studies on how they approach digital security at their organizations, the issues they face, and steps they took to enhance cybersecurity.

Industry Perspective 2

Protecting Digital Content in an Era of Inevitable Attacks According to the 2017 Data Breach Investigations Report, 81 percent of all security incidents in the public sector occurred because of cyber espionage, miscellaneous errors and privilege misuse. These incidents can include an employee innocently failing to dispose of documents correctly, losing a laptop during travels, or even intentionally taking confidential information for personal use or monetary gain. Of course, there are millions of malicious foreign attacks as well, according to Gottwals. Cyberattacks are constant, and U.S. government agencies and private firms are primary targets. The data breach report also noted that 62 percent of the sources behind public-sector incidents are external threats. Personal data and secret information rank highest on the list — at 41 percent — for the types of data that are compromised in a breach. Nearly half of attacks against the public sector that resulted in confirmed data disclosures were state-affiliated, the report found. Yet more than 60 percent of government breaches that are uncovered have gone undetected for years, according to the data breach report. Some breaches can be determined in a matter of days with the right security tools and experienced professionals in place. But in other cases, investigations take months or years, only to yield insufficient details for remediating problems. A February 2017 report by the Government Accountability Office (GAO) puts into perspective the ongoing security struggle that agencies face. Not only are government information systems and networks inherently at risk, but they are also highly complex.

“This complexity increases the difficulty in identifying, managing, and protecting the myriad of operating systems, applications, and devices comprising the systems and networks,” the report found. “Compounding the risk, systems used by federal agencies are often riddled with security vulnerabilities — both known and unknown.” Many older government systems were not designed to meet today’s stringent digital security requirements. In addition to ensuring that internal systems are secure, agencies must also assess the security practices of third-party vendors that host their content. It is not a matter of if, but when a cyberattack will occur. This way of thinking forces agencies to thoroughly examine the human, technological, and process-based vulnerabilities that will likely be exploited. To help agencies hone their digital security practices, the public sector needs better data-security monitoring to manage content across devices and inside/outside the firewall.

Securing Digital Content Beyond Your Network 3

5 Tips for Improved Digital Asset Security Data breaches can happen anywhere, at any time. Organizations need solutions that deliver more comprehensive protection — beyond network and device-level measures. Content-centric security protects data at the document level, so it stays with your sensitive information no matter where that information goes.

Gottwals highlighted five in-house steps government agencies can take to help create a stronger line of defense from unknown cyberthreats:

1. Know what data to protect. We all create or interact with documents that need to be consumed, collaborated on, and shared. But which documents are sensitive, who should have access to them, and what security measures can be implemented to protect them? Depending on your business, this decision could include documents that contain personally identifiable information, intellectual property or national security information. To get started, agencies should begin with a small project, and address the questions above before expanding to more complex projects.

2. Install a multilayered protective measure. A digital rights management (DRM) system is one example. DRM is a content-based security measure that allows you to dynamically grant access to a document to only those who need it. Users must go through an authentication process before accessing any file. This works by encrypting files at the document level. With DRM, you can audit document interactions in one panel to see when a user has accessed, printed, closed or modified the document. You can prohibit the ability to print or modify documents, or set expiration dates for opening documents. Because the protection is dynamic, you can remotely change access policies throughout your workflow.

3. Invest in attributebased access control (ABAC). This helps insulate your network from hackers by placing protections on a group of files in a repository. You do this by tagging your sensitive data with certain security attributes. For example, paragraphs, images, videos, titles, and even bullets points can be assigned multiple security attributes — like classification level, International Traffic in Arms Regulations (ITAR) requirements, and environmental variables. When users log on to view the file, certain portions can be redacted dynamically, allowing them to see only the portions they are authorized to see.

4. Continuously monitor breach activity with analytics. In most cases, it takes attackers just minutes to compromise systems. It can take much longer, however, for an organization to discover that a breach has occurred. It’s important for your government organization to have a real-time analytics platform in place that can continuously detect potential breaches inside and outside your firewall. This includes continuous monitoring of content that your teams create, collect and disseminate.

Industry Perspective 4

5. Stay vigilant. Prevention is always the first line of defense, and it starts with equipping employees with the right resources and training to help protect the agency. As cyberattacks become more common, it is important to remain vigilant and ensure all stakeholders are actively protecting the public’s most sensitive information. “Every public-sector employee has a duty to protect their organization’s proprietary information,” Gottwals said. “Instead of mass emailing a list of rules to employees, it is more effective to teach them face to face and share real case studies of how one innocent, wrong action — or inaction — of an employee could lead to millions of wasted tax dollars.” Training on what a suspicious email or SMS phishing scam looks like and how to properly back up and protect both digital and paper files are just a few ideas to get you started. In the next section, you’ll learn how the IMF and DHS are implementing these security measures to protect their digital data on premises and in the cloud.

Case Studies: How IMF and DHS Secure Data in the Cloud

International Monetary Fund

Homeland Security Department

Prior to implementing Adobe solutions, the IMF required two-factor authentication — but once that requirement was met, user actions were not closely monitored or restricted. “The right people were getting in, but you didn’t know what they were doing once they got in,” said Nick Wagner, Information Technology Officer with the IMF.

As the Lead System Engineer for DHS’s $6 billion Continuous Diagnostics and Mitigation (CDM) program, James Quinn has visibility into the government’s strengths and weaknesses when it comes to cybersecurity.

Moving to a DRM system changed that. The IMF now has more visibility into what people are doing with sensitive documents, including accessing and printing them. Wagner said DRM was helpful in protecting confidential and strictly confidential documents, and it also allowed the agency to revoke user privileges or access to documents. When the IMF made the decision to implement Adobe Experience Manager, it was the first time the agency had ever adopted a Platform-as-a-Service solution. To ensure the enterprise content management solution ran optimally, the agency used Adobe Managed Services to maintain its cloud environment. But getting to that point wasn’t easy. “It was a project within itself to get to the cloud,” said Wagner, who is responsible for the IMF’s extranet environment and supporting technologies like Experience Manager. Wagner also runs the extranets associated with the IMF. The IMF has an executive board that handles the daily activities associated with the fund, and the extranet supports their activities. One purpose of the extranet is to publish important, time-sensitive documents about different countries. “If anyone gets access to [the documents] before they get published, people can use that information to do all sorts of things,” Wagner said.

According to Quinn, one of the biggest challenges for agencies is they don’t know what specific assets they have, so they can’t properly protect them. One of the benefits of CDM is it empowers agencies to identify and address the most serious security issues first. “As the program progresses, you have to understand what is happening on network,” Quinn said. In Quinn’s experience, agencies often knew they had important data in some form on their system, so they categorized the entire system as high impact. “That usually meant you didn’t end up protecting the data,” Quinn said. “It just meant you spent a lot more money building a bigger, harder system.” Quinn sees the biggest shift in cybersecurity as moving from a process of checklists to an integral part of how agencies do business. That’s why CDM is promoting the use of security practices like encryption, which will help agencies use DRM and benefit from the use of secured cloud services. Quinn touted the use of digital signatures to securely complete mundane tasks like document signing and strengthen the use of cloud services. “The cloud will be useless unless you know that the people who are sending things have trusted signatures and that the people who are doing things have been granted the appropriate roles,” Quinn explained.

According to Wagner, the first step in rolling out secure solutions in the cloud is working closely with the information security team. Ensure that proper groups, including legal advisers, are informed about the move to cloud, and that they understand what security measures are being implemented.

Securing Digital Content Beyond Your Network 5

How Adobe Can Help Secure Your Digital Content Adobe can help governments at all levels secure their digital data. With Adobe solutions, you can see where documents are opened and receive real-time alerts of irregular activity like high download or print counts. This way, your organization can respond swiftly — before any issues become a critical threat to your agency’s infrastructure or reputation. One example of the Adobe approach to data security involves encrypting files or documents at the file format layer, not only when data is at rest or in transit. This ensures that documents are encrypted — regardless of where they’re located. “We then take that document and tether it back to a server, so when you open it you are authenticated — and the server decides if you are allowed to have access and decrypt the document,” Gottwals said. “At the server level, agencies can make changes when they want. They can add or remove someone from the document, give them rights to print the document, or revoke access all together.” Other benefits include the ability to create an audit trail of who accessed documents and from what IP address. Adobe Experience Manager is designed to protect sensitive content persistently and dynamically, independent of storage or transport. Together with Adobe Analytics, agencies can continuously monitor document interactions and alert security staff about potential breaches.

Industry Perspective 6

Conclusion As agencies expand their use of digital services and data, cybersecurity is paramount. Employees at all levels will play an active role in ensuring that content is secured, whether it’s on an agency’s network or stored in the cloud. To make digital security a priority, agencies need a thorough plan that prioritizes data rights management, continuous monitoring, analytics, and a sound understanding of what data actually exists. This data-centric approach to cybersecurity will help ensure that government services are secure and available to meet the needs of citizens today and in the future.

Additional Resources Data Breaches — Costly Impact Vs. Proactive Security Webinar: Protecting High Value Assets with Digital Rights Management

About GovLoop

About Adobe

GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government.

Adobe’s trusted and proven enterprise solutions enable next-generation digital government. We help government agencies modernize service delivery while reducing cost to serve, and processing time all while delivering remarkable digital experiences.

For more information about this report, please reach out to info@govloop.com.

To learn more visit www.adobe.com/government.

Adobe and the Adobe logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Securing Digital Content Beyond Your Network 7

1152 15th St. NW Suite 800 Washington, DC 20005 P: (202) 407-7421 | F: (202) 407-7501 www.govloop.com @GovLoop

Industry Perspective 8