Home | Community Forum | Blog

Smart Encryption — EDRM, Powered by Attribute-Based Access Control (ABAC)

How many data breaches need to occur before companies take real preventative action? While hotel chains, retail stores, and Facebook are likely to grab headlines, companies of all sizes, across all industries, face the same threats. If you work with intellectual property, handle sensitive materials, or are subject to regulatory compliance, you need to safeguard your digital assets. 

The ideology has shifted from “if” a data breach occurs, to “when” it will occurIn 2021, more than 40 million patient records were compromised according to incidents reported to the federal governmentExacerbating the challenges faced by overcoming said data breaches, some hospitals then face legal action upon restoring their network.  

Unprepared companies find themselves on newsfeeds for both negligences in combatting a breach and the resulting punishment levied by regulating bodies. Despite this, most companies trying to manage their data are using increasingly unreliable methods such as: 

  • Putting up a firewall around the application. Despite amazing progress with firewalls and network security, a malicious attack or internal leak (whether intentional or inadvertent) will result in compromised data. 
  • Using an Access Control List (ACL). Sadly, this static method of protecting who can touch data doesn’t work in today’s modern, dynamic, and globally distributed environment. 
  • Applying Role-Based Access Control (RBAC). Using authentication schemes, location, network, risk, and individual characteristics can work for one-time access, but today’s environment is dynamic, making RBAC impossible to keep updated. 
  • Locking filesForcing users to lock and unlock files, leaving them either unprotected or inaccessible due to being locked up. This static model is an inconvenient and precarious approach in today’s dynamic work environment. 

Chasing dynamic data with static security models will not support a fast-moving company. As more data becomes available for sharing across a variety of networks, these security measures are proving ineffective at stopping data breaches. Using a network, an ACL, or RBAC simply can’t stop malicious attacks or internal threats. 

Even though encryption is a common method to secure files when being shared, there is no way to securely collaborate if the data shared is encrypted. Despite encryption being an effective way to lock up data, data needs to be decrypted to allow the recipient to access the shared file. As soon as a said file is decrypted, it is no longer secure, and the data can be used or retransmitted to anyone.  

Enterprise Digital Rights Management (EDRM) is essentially a policy-based technique that uses encryption to protect data persistentlyIt provides centralized control of access to and usage of digital information regardless of where it exists- be it inside or outside of your enterprise. EDRM systems protect enterprise information from unauthorized access, use, and distribution by applying policies to the information distributed in electronic documents. EDRM policies selectively prevent document recipients from specific use activities like copying, printing, forwarding, cutting & paste, and expiration. Policies can be updated or revoked even if the document has been distributed outside the enterprise. In doing this, EDRM protects data against theft, misuse, or inadvertent disclosure, and mitigates the business, legal, and regulatory risks of collaboration and information exchanges with partners and customers. 

A Perfect Match

The paradigm is shifting to Attribute-Based Access Control (ABAC) to redefine data protection. ABAC was developed to address the most stringent security requirements of the most important government entities on the planet. ABAC is the platform of choice for the US DoD, the UK MoD, and has quickly become a NIST standard.  

EDRM powered by ABAC will now offer even greater flexibility to be used by a broader audience while solving a larger scope of commonly faced business problems. The ABAC-based policy is dynamic by nature as it is derived from existing identity data including user roles, assignments, and attributes. The policy is associated with what you are, not who you are, which is ideal for dynamic environments. At its basic level, ABAC uses an ‘IF/THEN/AND’ model to protect the data itself. This model is then applied to data via policy, checking attributes and applying the appropriate permissions (aka “digital rights”). As a result, EDRM can be easily deployed across enterprises with a small number of dynamic policies without complex encryption key management, resulting in a  significant reduction of management costs. 

Protection Regardless of Location

Imagine a US State Department official carrying a laptop into a foreign country notorious for its ability to hack and steal data from the open web. This official heads into a Starbucks open his or her laptop and connects to the public Wi-Fi. It’s hard to argue that this may be one of the easiest ways for data to be compromised, but if this official’s data is protected with EDRM, data safety is assured regardless of how open the network may be. Regardless of the location, data that is protected with EDRM guarantees appropriate access or denial of access. 

ABAC policy puts the encryption and safety measures with the data itself inside EDRM, ensuring that even if hacked or flat-out stolen (e.g., a thumb drive stuck into the side of a laptop), EDRM prevents the data from being compromised and utilized outside of its intended use. 

Live Inside the Data Itself

Attributes are the foundation of ABAC. Factors such as program, citizenship, location, clearance level, and even time of day, can be used to protect the data. If the user violates any parameter, the ability to access is lost. 

Continuing from the above example about an official opening his or her files in a Starbucks in Slovakia, the policy may allow this user to access the data based on multi-factor authentication, United States location, and clearance level. The fact that the official is trying to access the data in another country violates the policy, which then denies access to the data and reports the attempted use of the policy management system. All elements of the policy must be met. This official could make a copy of the files or drop it into his or her personal email as an attachment, but the encryption stays with the files themselves preventing their ability to access it and protecting the information. 

Moving information around the globe on a second-by-second basis while maintaining control of intellectual property or sensitive data is more important than ever. An ABAC system can be set up as a centrally located security measure, independent of people, geography, and network perimeter security, and provide a single data safety infrastructure around multiple applications. Users will have persistent rights management regardless of the application they use to access ABAC-encrypted data. 

When you apply policyencryption, and metadata as the safeguard to protect data inside EDRM, companies can seize control of their data and prevent a breach from internal or external threats. The Department of Commerce has made this a mandatory practice and the adoption is spreading throughout several governmental and military agencies. 

There isn’t an industry that couldn’t benefit from implementing an ABACand EDRM solution, especially in a world where data is dynamic, information moves across the world in real time, and breaches can ruin a company’s reputation and trustworthiness. With EDRM powered by ABAC, organizations can automate the protection of files and data shared, allowing for the safeguarding of their crown jewel, trade secrets, and business-critical data. 

To comment on this post
Login to NextLabs Community

NextLabs seeks to provide helpful resources and easy to digest information on data-centric security related topics. To discuss and share insights on this resource with peers in the data security field, join the NextLabs community.