29 November 2015

Insider threats: Taking the fight to the document level

Steve Gottwals, Technical Director of Security Solutions, Adobe, November 25, 2015

The threat to Department of Defense documents is persistent, imminent and evolving. According to the Identity Theft Resource Center’s Data Breach Report, there have been 51 breaches this year in the government, including the military, that exposed more than 33 million documents to security vulnerabilities. This drastic uptick from last year is evidence that data breaches are growing in effectiveness. Although the response to this increased risk has been to boost high-level encryption, this is not the comprehensive silver-bullet solution that some may believe it to be. High-level encryption alone still leaves multiple avenues of attack open to cyber criminals, and the most dangerous among them is the insider threat.

Agencies need to be more proactive in securing and monitoring their sensitive documents. The best way to do this is to adopt a defense-in-depth approach, applying encryption and other security solutions all the way down to the document level. With document management technology and monitoring analytics, agencies can more effectively protect their content through its entire lifecycle. User-based encryption, specifically Digital Rights Management (DRM), is a perfect example of a solution that extends cyber protections to the document level. Because DRM-based encryption is focused on the specific user and grants access only to the person who needs it, DRM continually protects sensitive information no matter where it goes or how it is stored. Because the entire file is encrypted, any user who seeks access must first go through an authentication process, even when trying to open the document outside of an agency system. Even failed authentication attempts at viewing the information will be detected. In an absolute worst-case scenario, the document can be revoked entirely, which effectively acts like a remote shredder.

Building on extending protections within the document repository, organizations can further minimize insider threats by controlling access to sensitive information with an attribute-based access control (ABAC) model. ABAC is a powerful concept that relies on restricting access to specific information, providing an extra level of protective controls. This approach allows agencies to control their information security and authentication with surgical precision, barring unauthenticated users from viewing specific elements — paragraphs, images, videos, titles and bullet points — of a document. Since each object is distinctly tagged with a security marking, users or groups of users will be limited to viewing only those items or portions of documents they are authorized to see, depending on their individual security attributes, such as clearance level, environmental variables or physical location.
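The portion-level ABAC decision described above can be sketched as follows. This is an added example, not code from the article or from any Adobe product; the marking names, their ordering, the `locations` attribute and the sample document are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed clearance ordering for this example (not taken from the article).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Portion:
    kind: str                            # paragraph, image, title, ...
    marking: str                         # security marking tagged on this object
    content: str
    locations: frozenset = frozenset()   # empty set = no location restriction

@dataclass(frozen=True)
class Subject:
    user: str
    clearance: str
    location: str
    authenticated: bool = True

def permitted(subject, portion):
    """Deny by default: every attribute check must pass."""
    if not subject.authenticated:
        return False
    have, need = LEVELS.get(subject.clearance), LEVELS.get(portion.marking)
    if have is None or need is None:     # unknown or mistyped marking fails closed
        return False
    if have < need:
        return False
    # Location restriction applies only when the portion carries one.
    return not portion.locations or subject.location in portion.locations

def render(subject, document, audit):
    """Return the subject's view; append each denial to the audit list."""
    view = []
    for index, portion in enumerate(document):
        if permitted(subject, portion):
            view.append(portion.content)
        else:
            audit.append((subject.user, index, portion.marking))
            view.append("[REDACTED]")
    return view

# Constructed sample document with one deliberately mis-tagged portion.
DOC = [
    Portion("title", "UNCLASSIFIED", "Quarterly logistics summary"),
    Portion("paragraph", "CONFIDENTIAL", "Depot throughput figures"),
    Portion("image", "SECRET", "<route map>", frozenset({"on-site"})),
    Portion("paragraph", "RESTRICTED-X", "Mis-tagged portion"),
]
```

The audit list of denials is the kind of per-user record that access monitoring can draw on when looking for unusual request patterns.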

In guarding against insider threats, the last factor that agencies must account for is the human factor. By utilizing behavioral analytics, agencies will gain the ability to examine the profiles of users who access protected information, including what content they are accessing, how often they are requesting access to that content, and what actions they are taking with that content after obtaining access. This provides a baseline behavioral model, which can then be used to detect anomalies in usage patterns that may be indicative of a potential insider threat. This is a superb tool for preventing data compromise in the first place, but in the event that an agency’s information is compromised, behavioral analytics will also aid in determining if certain sensitive documents may have been exposed due to security gaps.

As cybersecurity continues to be one of the predominant focuses for improvement in the DoD, agencies must always be looking for solutions to bolster their current security posture. Today, the most impactful opportunities to do this are centered on implementing stronger measures to manage documents and data rights. As targeted threats increase in scope and severity, these protective safeguards are imperative for insider threat prevention and should not be missing from any agency’s arsenal.
