Most government agencies know they have to keep their guard up in order to avoid potentially devastating data breaches. But many agencies do not know the best way to protect their valuable data before an incident occurs. In order to address this, the President implemented a Cybersecurity National Action Plan (CNAP) encouraging agencies to take a multi-layered approach to protecting their data.
How exactly does a multi-layered data approach work? Kevin Brock, Cyber Risk and Public Safety Entrepreneur, and John Landwehr, Vice President and Public Sector Chief Technology Officer at Adobe, joined GovLoop for a recent webinar, “The Value of Data-Centric Security,” to find out.
Systems security is critical, but with nefarious actors seemingly finding new and more creative ways to infiltrate systems, it often seems futile. Brock explained that “we’re moving forward at such an incredible speed; it is hard to keep up from a security standpoint.” This is further complicated by the rise of connectivity through the Internet of Things, as more connectivity allows for more potential points of attack. Perhaps most challenging is the speed and ease with which nefarious actors have been able to learn how to infiltrate systems. “You absolutely do not need a computer science degree or even a computer science background to become a hacker these days,” Brock warned.
In order to counter those trying to infiltrate systems, agencies must develop a strategy that addresses how easy it is for individuals to learn to hack and then carry out an attack. Many agencies allocate large sums to cybersecurity and call it a strategy, but Brock was quick to advise that spending a lot of money on cybersecurity does not equate to a security strategy. This is clear because “we are spending more money on cybersecurity than ever but agencies are also being intruded on more than ever,” he said.
Instead of throwing money into programs and hoping something sticks, agencies must identify their vulnerabilities, locate their most vulnerable data, and build a strategic response to protect these assets. Brock explained that “whether it makes more sense for your agency to focus on network protections, the work force or both, the heart of the issue is the data itself must be adequately secured.”
However, securing networks correctly is difficult because strategies that ensure security seem to be developing at the speed of light with no clear indication of which is the right one. Additionally, the threat of network intrusion is high, but its seriousness is often magnified. In order to take a more pragmatic approach to developing a security strategy, agencies must be able to separate the reality from the hype and identify the biggest threat to them based on their vulnerabilities.
A few realities that are often misperceived include:
- The government can’t help you: Brock explained that the government consistently lags behind the private sector in systems security. This means that no matter who you are or what sector or agency you are with, you cannot rely on the government and must take personal responsibility to make sure you do not become a victim of cybercrime.
- The problem is not your network: Nefarious actors know that most agencies have taken steps to protect their networks. As a result, they are investing more frequently in social engineering techniques that target the work force. Agencies shouldn’t take security away from their networks but they also need to address their workforce as a primary vulnerability.
- Things will get worse before they get better: “Things will get better,” Brock explained. “However in order to secure the way we conduct business we are going to continue going through a rough patch before we figure it out.”
One design that is a step in the right direction is a three-dimensional approach to security. It’s becoming evident that network security alone is not a comprehensive strategy. As a result, Adobe has introduced a more comprehensive approach that includes content management, rights management, and continuous monitoring.
The first dimension of this strategy is content management. This involves securing a network and can best be visualized as a virtual filing cabinet. This approach secures content through strong identification and authentication measures, object-level access controls, and audit log collection. However, this dimension is not a sufficient security strategy on its own. Landwehr explained, “Once content leaves the network repository or someone compromises the repository and infiltrates the content, the original user does not control the content anymore, limiting the protection the single dimension strategy can provide.”
Rights management is the second dimension of Adobe’s strategy and involves protection at the file level, independent of other protections. These protections include limiting what the end user can do with a file, revocation options that can terminate access or allow it to expire, and audit logs that record all valid and invalid access of the file. These protections are necessary because even if a repository is infiltrated, the file's content itself stays encrypted, limiting the information a hacker could gather.
The final dimension of the three-prong strategy is continuous monitoring. The monitoring collects and analyzes data including where a document was opened, anomalies with documents such as high download or print counts, and which users are opening which documents. This collection is done in real time, allowing administrators to be instantly notified of unusual activity. “Security analytics add one final layer of protection by producing audit logs that show how and by who content is being used. So if something does go wrong, it is much easier and quicker to figure out what happened,” Landwehr explained.
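The rights-management and continuous-monitoring dimensions described above can be sketched together. This is an added example, not Adobe's product or API: the policy fields, thresholds, user names, file names and the "ZZ" location code are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed per-file policies (hypothetical names and values).
POLICIES = {
    "budget.pdf": {"users": {"alice", "bob"}, "actions": {"open", "print"},
                   "expires": datetime(2016, 12, 31, tzinfo=timezone.utc), "revoked": False},
    "roster.pdf": {"users": {"alice"}, "actions": {"open"},
                   "expires": datetime(2016, 12, 31, tzinfo=timezone.utc), "revoked": True},
}

def authorize(audit, user, doc, action, when, country):
    """Decide one file-level request and log it, whether valid or invalid."""
    p = POLICIES.get(doc)
    if p is None:
        reason = "no_policy"
    elif p["revoked"]:
        reason = "revoked"
    elif when > p["expires"]:
        reason = "expired"
    elif user not in p["users"] or action not in p["actions"]:
        reason = "not_permitted"
    else:
        reason = "ok"
    audit.append({"user": user, "doc": doc, "action": action,
                  "country": country, "reason": reason})
    return reason == "ok"

def find_anomalies(audit, print_limit=3, denied_limit=2, usual=frozenset({"US"})):
    """Flag high print counts, repeated invalid access and unusual open locations."""
    ok = [e for e in audit if e["reason"] == "ok"]
    prints = Counter((e["user"], e["doc"]) for e in ok if e["action"] == "print")
    denied = Counter(e["user"] for e in audit if e["reason"] != "ok")
    alerts = [("high_print_count", u, d) for (u, d), n in sorted(prints.items()) if n > print_limit]
    alerts += [("repeated_invalid_access", u, None) for u, n in sorted(denied.items()) if n > denied_limit]
    alerts += [("unusual_location", e["user"], e["doc"]) for e in ok if e["country"] not in usual]
    return alerts

def demo():
    """Replay a constructed sequence of requests and return (audit log, alerts)."""
    audit, now = [], datetime(2016, 5, 1, tzinfo=timezone.utc)
    for _ in range(4):
        authorize(audit, "bob", "budget.pdf", "print", now, "US")
    for _ in range(3):
        authorize(audit, "mallory", "roster.pdf", "open", now, "US")
    authorize(audit, "alice", "budget.pdf", "open", now, "ZZ")
    authorize(audit, "alice", "budget.pdf", "open", datetime(2017, 1, 1, tzinfo=timezone.utc), "US")
    return audit, find_anomalies(audit)

if __name__ == "__main__":
    for alert in demo()[1]:
        print(alert)
```

Because denied requests are logged alongside granted ones, the same audit trail supports both the real-time alerts and the after-the-fact reconstruction Landwehr describes.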
Taken individually, these three dimensions are not sufficient to protect an agency's sensitive information. However, combining them into a three-prong strategy is a start in adequately combatting cyberattacks. Looking forward, both Brock and Landwehr are optimistic that through comprehensive approaches that work to protect data, the good guys will eventually prevail and not lose the cyber war.