Three Dimensions of Information Protection

January 17th, 2014

by John Landwehr, VP Government Solutions, Adobe

Accidents, malicious insiders, and cyber-attacks have demonstrated the need to better protect sensitive information across organizations and industries, especially when related to personally identifiable information, intellectual property, and national security.  Numerous security products and services are available and frequently used by organizations to address these concerns.  However, these solutions primarily provide isolated capabilities for securing storage, transport, role-based access, and monitoring.  This isolation leaves gaps in coverage where sensitive information continues to leak and the leaks are not detected quickly.

Looking at content security in three interconnected dimensions is a new approach to persistently protecting sensitive information throughout the information lifecycle.  It provides a real-time combination of preventative and detective controls that start with the repository of information but continue to protect and monitor the content independent of any subsequent storage and transport.

The first dimension is implemented within content management systems.  Here the traditional authentication, authorization, and auditing capabilities are used to restrict visible and available content to only those users who need to know.  If a user doesn’t have a valid authentication credential, they cannot access the repository.  The credential could be a password or, better yet, a multi-factor one-time password, PKI, or another authentication scheme.  When the user does present a valid credential, they can see only the content authorized for their account.  Audit logs are able to keep track of all logins and content access.  The challenge is that once the content leaves the repository, it is no longer tied to those systems for any subsequent authentication, authorization, or auditing of content access.

Adding the second dimension builds upon the first by integrating rights management technology to protect the content within the content layer itself.  Rights management continues to enforce the authentication, authorization and auditing on that file, everywhere it goes.  When an authorized user downloads content from the repository and forwards it on to subsequent users, those recipients will not be able to view the content unless they are properly authenticated and authorized to do so.  This is enforced by encrypting the content and providing secure viewing capabilities which can further restrict printing, modification, and even clipboard access to the content.  If someone doesn’t have authorization to view content, they cannot do so, even if they somehow obtained the file.  This works for content both inside and outside organizations.

The third dimension unifies the first two with a common continuous monitoring and analytics capability.  The audit logs of the content management and rights management systems are integrated to provide an ongoing view of any potentially malicious or otherwise unauthorized access to content.  For example, the system can identify excessive downloads and printing as well as indicate when unauthorized users are attempting to access sensitive content.
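
The correlation described for the third dimension, sketched as an added example (not part of the original article and not Adobe's code): two audit logs are merged into one timeline, then checked for excessive downloads or printing and for denied access to protected files. The log layout, user and file names, the 10-minute window and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records. The "time user action document result" layout is
# an assumption made for this example, not the log format of any product.
CMS_LOG = [  # content management audit log: repository downloads
    "2014-01-17T09:01:00 bob download plan.pdf ok",
    "2014-01-17T09:01:10 bob download budget.pdf ok",
    "2014-01-17T09:01:20 bob download roster.pdf ok",
    "2014-01-17T09:01:30 bob download design.pdf ok",
    "2014-01-17T09:30:00 alice download plan.pdf ok",
]
DRM_LOG = [  # rights management audit log: opens and prints of protected files
    "2014-01-17T09:05:00 bob print plan.pdf ok",
    "2014-01-17T09:05:30 bob print budget.pdf ok",
    "2014-01-17T09:06:00 bob print roster.pdf ok",
    "2014-01-17T09:40:00 mallory open plan.pdf denied",
]
WINDOW = timedelta(minutes=10)
LIMITS = {"download": 3, "print": 2}  # hypothetical per-user limits per window

def merge(cms_lines, drm_lines):
    """Parse both logs and return one time-ordered event stream."""
    events = []
    for source, lines in (("cms", cms_lines), ("drm", drm_lines)):
        for line in lines:
            ts, user, action, doc, result = line.split()
            events.append((datetime.fromisoformat(ts), source, user, action, doc, result))
    return sorted(events)

def detect(events):
    """Return alerts for denied access and for activity above LIMITS."""
    alerts = []
    recent = defaultdict(deque)     # (user, action) -> timestamps inside WINDOW
    downloaders = defaultdict(set)  # document -> users who took it from the repository
    for ts, source, user, action, doc, result in events:
        if result == "denied":
            # Cross-system correlation: list who pulled this file out of the repository.
            alerts.append(("unauthorized_attempt", user, doc, sorted(downloaders[doc])))
            continue
        if source == "cms" and action == "download":
            downloaders[doc].add(user)
        if action in LIMITS:
            window = recent[(user, action)]
            window.append(ts)
            while ts - window[0] > WINDOW:
                window.popleft()
            if len(window) == LIMITS[action] + 1:  # alert once, on crossing the limit
                alerts.append((f"excessive_{action}", user, doc, source))
    return alerts
```

Running `detect(merge(CMS_LOG, DRM_LOG))` on the constructed data flags bob's fourth download and third print, and ties mallory's denied open of `plan.pdf` back to the two users who downloaded that file from the repository.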

Integrating these three technology areas provides real-time protection and detection starting with content authoring, through any storage, to all forms of distribution, and then consumption across devices.  If your organization is looking for ways to increase information protection, hopefully the integration of these three dimensions will be valuable to you.  Adobe has developed this integration as part of our Adobe Experience Manager and Analytics solutions.