GovLoop Pocket Guide 2016
Breaking Down What You Need to Know
As cyberthreats grow in number and sophistication, agencies should be looking at features to touch every level.
Foreword from Adobe

In February 2016, President Obama directed his administration to implement the Cybersecurity National Action Plan (CNAP) calling for agencies to take a multilayered data protection approach to better secure the government’s most sensitive data. A key element of that strategy is data-centric security, to try to persistently protect the information throughout its lifecycle, wherever it is transmitted or stored.

For government agencies, high value digital assets include everything from agency budgets, to records with personally identifiable information, to homeland security information. This information can become compromised through accidents, cyberattacks, and malicious insiders, illuminating the acute vulnerability of government organizations.

One of the most effective ways agencies can work to avoid losses is through a three-pronged content security approach that combines content management, rights management, and data analytics. Content management applies security measures to data in the virtual file cabinet. Once content leaves a protected folder, rights management helps to persistently protect information to all of the intended destinations. The analytics can help detect unusual behavior of information and proactively alert security operations centers when needed.

Government employees work across devices, so it is critical that their security solutions work across devices as well. All types of content can be found on laptops, smartphones, tablets, removable media, and cloud storage. The digital rights management aspect of security works across platforms and devices to help ensure content security features are applied independent of devices. Employing a content security strategy that supports this flexibility allows government employees to better operate virtually anytime and anywhere.

In this pocket guide, Adobe and GovLoop teamed up to discuss digital content security solutions in the public sector. You’ll be able to use this guide to help facilitate discussion around what content to apply security measures to at your agency and have a better understanding of how to do so with trusted technologies.

“Data-centric security persistently applies protection measures to information throughout its lifecycle, wherever it is transmitted or stored.” —John Landwehr, Vice President and Public-Sector Chief Technology Officer at Adobe
Documents go in and out of the firewall. So should your security measures.

The president’s Cybersecurity National Action Plan says your agency should take information security beyond network measures — to the document itself. In addition, the Continuous Diagnostics & Mitigation (CDM) program is evolving beyond network protections to include data-level protection as a future capability. Adobe solutions for Digital Government include features such as attribute-based access controls, digital rights management, and digital signature capabilities that can help your agency meet these policy requirements. To learn more call 1-800-87ADOBE.
Adobe, the Adobe logo are trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. © 2016 Adobe Systems Incorporated. All rights reserved.
Contents

Foreword
Executive Summary
A Content Security Overview
  What’s behind the digital transformation in government?
  What is content security?
  Noteworthy compromises
  Rules, regulations and mandates
Content Security: A How-To
  3 dimensions of content security programs
  Steps to security
  6 content security best practices
Industry Spotlight
What’s Ahead for Content Security
Cheat Sheet
  3 easy ways to boost content security practices
  Data centric security resources
Executive Summary

There’s no doubt that everywhere we go in the world today, we are fully entrenched in the digital age. Just look at the smartphone in your hand for confirmation. The federal government is feeling the effects of this change as well, and working to keep pace. Digital-first mandates from the government are driving the public sector’s move away from paper documents and toward electronic ones.

From a technological perspective, the digital world is the government’s oyster. Plenty of tools and solutions are available to help this transition. But one major challenge is keeping digital content, especially sensitive information, more secure in a time of increased cyberthreats and a proliferation of ways to access this data and content. Today, security concerns must be addressed in every element of the content lifecycle.

Indeed, technology is a beautiful thing, but it’s not perfect. The data and networks that work behind the scenes to make those smartphones so smart may be revolutionizing communications, business transactions and government operations, but they’re also a potential content security risk.

This pocket guide from GovLoop will look at content security practices in the public sector, why it matters, government rules and regulations related to digital data and its security and current challenges in this area. We’ll also provide tips and tricks that you can apply to help make content at your agency more secure today and in the future.

Who is this guide for? Anyone who works in government. Why such a broad audience? It is because every public-sector employee needs to understand how digital transformation affects security and specifically, how to keep content safe and vulnerabilities at a minimum. After all, experts such as Dan Codling, former head of the FBI’s Computer Intrusion Unit, say that internal threats are one of the biggest content security challenges – employees who put an agency at risk unintentionally by clicking unsecured links or opening infected files, for example.

Public-sector officials who are experts in content security – those responsible for applying security measures to devices and networks and the information that travels through and resides on them – will also benefit from this pocket guide. Technology and cyberthreats are constantly evolving. As a result, so are the approaches to content security. So, although this is not a new problem, the suggestions we offer to boost your existing tactics may be.

We’ll kick things off with an overview of content security.
A Content Security Overview

In this section, we’ll go over why digital transformation in government is happening now, why it is so important and how it affects security of data, what the term content security means and the three dimensions of content security.
“It’s one of the great paradoxes of our time that the very technologies that empower us to do great good can also be used to undermine us and inflict great harm.” —Barack Obama, addressing the audience at the Cybersecurity and Consumer Protection Summit at Stanford University in February 2015.
What is behind the digital transformation in government?

The private sector is driving the public sector’s digital transformation. At least that’s the short answer. More specifically, commercial entities have wowed customers with advancements in the digital world, such as personalizing their experience and providing interactive services (think: Amazon and Netflix). It makes sense, then, that government constituents expect the same types of experiences when dealing with government agencies. They want a relevant and engaging experience with their government agencies right from the start.

In addition, citizens now expect government agencies to offer their services not only digitally but also in mobile-friendly formats. Some are already doing this. Take California, whose residents can renew their driver’s licenses online. But looking into the future, the licenses themselves may be digitized, eliminating traditional cards.

The desire to improve the citizen experience is real: Citizen satisfaction with federal services declined for the third consecutive year, down 0.8 percent to a score of 63.9 on a 0 to 100 scale, according to a January American Customer Satisfaction Index report. According to a recent Gallup survey, government is ranked last in customer service compared with other industries, such as businesses and pharmaceuticals. Only 28 percent of respondents viewed government favorably. Yet, according to a Forrester report, 81 percent of citizens believe government agencies should be using technology to improve the functionality of online services. Promoting digital services in government is, therefore, essential.

To meet these demands, in 2014 President Obama established two agencies aimed at pushing digital innovation at federal agencies. The General Services Administration’s 18F came first – in March 2014 – and the Office of Management and Budget’s U.S. Digital Service followed five months later. Despite their common goals, the agencies have different means to the ends. 18F partners with agencies and offers hands-on help, while USDS provides more of a consultancy role.

The digital transformation shows no signs of slowing down. As more content is offered this way, it becomes increasingly important that security practices are in place.
What is content security?

As government rapidly becomes digital-first, sensitive documents obviously exist in a digital format. Everything from the federal budget and new bills to Social Security records with personally identifiable information is stored digitally, with new content being created every day. Content security refers to the security of the data itself, which has also been called data-centric security. As attacks have evolved, so have our defenses. From network-based security (mitigating attacks from outside the firewall) to device-based security (mitigating attacks to our hosts), content security adds a new layer of defense at the data level to help protect our most sensitive data.
What exactly is confidential or private data?

Simply put, it’s information that deserves protection so as not to harm an individual, business, government entity or country. Examples include:
• Names, birth dates, Social Security numbers and other personally identifiable information
• Financial information
• Health data
• Information related to the military and national security
• Intellectual property

2016 noteworthy compromises

Content security has been top of mind for citizens and government officials alike, especially since the news broke in 2015 that breaches at the Office of Personnel Management put the personal information of 21.5 million people at risk. Although that is the best-known example of content insecurity in recent years, OPM is not alone in cleaning up post-compromise messes. Here’s a look at notable hacks in 2016:

1. Hacking group AnonSec stole data from a NASA drone and published 250 gigabytes of data, including information on more than 2,400 employees.
2. A hacker targeted FBI and Homeland Security and published on Twitter the contact information for 20,000 and 9,000 employees, respectively.
3. News came out that a 2015 hack of the Internal Revenue Service put more than 700,000 taxpayer accounts – including Social Security numbers – at risk.

Data Breaches
Total number: 657
In Government: 47

Records Affected
Total number: 28.6 M
In Government: 12.2 M

Source: Identity Theft Resource Center’s 2016 Data Breach Category Summary. September 8, 2016
Rules, regulations and mandates

Although laws and policies on data and content security are intended to ease implementation and buffer protections, they are another stumbling block at times. Here are just some of the requirements federal agencies must meet:

Federal Cloud Computing Strategy
Issued in 2011, this encourages agencies to consider cloud-first when it comes to data.

Digital Government Strategy
Launched in 2012, this directive pushed agencies to think open and digital.

Cybersecurity National Action Plan
Launched in February 2016, it proposed a $3.1 billion Information Technology Modernization Fund and created the new position of Federal Chief Information Security Officer.

Federal Risk and Authorization Management Program
FedRAMP makes using the cloud easier for government agencies by standardizing the security assessment, authorization and continuous monitoring for cloud products and services.

DHS Continuous Diagnostics & Mitigation (CDM) Program
Provides a government-wide acquisition vehicle to deploy critical cyber security tools and services to federal, state, local and tribal government entities.

DHS’s Einstein Program
This helps agencies manage risk by detecting and blocking attacks and by sharing threat information.
Content Security: A How-To

So clearly applying content security measures is important. But how do you do that? It’s not enough anymore to put up a firewall and call it a day. Agencies use a variety of devices such as desktops and mobile devices that run on different operating systems – Android, Apple iOS and Microsoft Windows come to mind. There’s also the issue of legacy systems that don’t work well with newer ones. Sorting out all these inconsistencies is a first step toward improving content security programs.
“The laborious task of actually cleaning out your problems, updating your system, making sure everything’s current is not very glamorous, it’s not high-level security, but it’s the basic nuts and bolts you need even to get an adequate level of security,” Michael Chertoff, former DHS Secretary and Co-Founder of the Chertoff Group, told Federal News Radio in July.
In addition to myriad technologies, agencies are also contending with a wide variation in the types of cyberthreats. Common ones are distributed denial-of-service attacks, phishing and sniffing. Hackers use each differently to wreak havoc on networks or to collect data, and agencies need to be prepared to defend against all of them. At the same time, however, there is no such thing as absolute protection. As a result, agencies need to be ready to respond when an attack happens.
3 dimensions of content security programs

Now we know what content security is, the type of content that is particularly important to protect, and where the motivations for digital transformation came from. Next, let’s break down content security features so that we can build robust security strategies. Content security practices can be broken into three dimensions:

1. Content management systems

Content management systems, or e-document repositories, manage incoming requests for information through access controls that restrict who can open and view files. Features of good content management tools include strong user authentication and authorization; object-level access, which assigns permissions to a class of object types or a specific object; and audit logs showing records of all user and admin events. Perhaps the most important element, however, is metadata, the classification of data, and its management, which is crucial to managing content. A built-in metadata feature lets agencies collect information, and then the automatic tagging of workflows and user interface capabilities let users add meaningful metadata to stored assets.
“Agencies must keep in mind that applying security measures to digital content must be easy, and that’s where automation helps.” —John Landwehr Vice President and Public-Sector Chief Technology Officer at Adobe. March 19, 2015
2. Rights management

Rights management is the ability to use encryption technology to help protect information independent of storage and transport and after it leaves a specified repository. This helps prevent someone who shouldn’t view certain information from being able to open a document or file. It should work across platforms and devices, helping to secure content anywhere it goes. Specifically, rights management encompasses persistent protection, enforcing access at the file layer; permissions that restrict what a user can do with the content; revocation, which can be set to make content inaccessible after a set date; and authentication mechanisms such as username and password combinations, public-key infrastructure and single sign-on. Audit logs are important here too to show all valid and invalid access attempts, plus who did what with the content and where.

3. Consumption management

Consumption management, or continuous monitoring, watches for unusual patterns or anomalies associated with protected documents. For instance, if an employee usually prints an average of five documents per day and suddenly prints 500, that should generate an alert. Visualization is one monitoring method. It lets users see where documents are opened. Affinity is another element, associating users with content, and real-time notifications let administrators know when something seems awry.
Steps to security

At this point, we have already provided several tips for shoring up security processes. The three dimensions of content security and compliance with regulations and policies will certainly help. Additionally, agencies are responsible for their own counsel when creating security programs. Though this isn’t legal advice, we provide four more steps recommended by Steve Gottwals, Technical Director of Security Solutions at Adobe Systems Federal:

#1 Know what data to protect
Agencies are dealing with vast amounts of data that grow exponentially every day. Not all of it needs the same level of protection. Take an inventory of your data and rank it according to risk levels. That way, you can focus resources and protection efforts on the most critical information.

#2 It takes multilayered protective measures
As with cybersecurity in general, there’s no silver bullet for content security practices. Instead, taking a layered, defense-in-depth approach that leverages technologies like digital rights management, attribute-based access control and continuous monitoring of data can help you build a robust program.

#3 Use analytics
Real-time analytics is an advantage for staying aware of and continually monitoring breach activity: in 93 percent of cases, it takes attackers minutes or less to compromise systems (according to a Verizon report), but it can take organizations weeks or more to discover the breach. It’s important to find anomalies in typical behaviors and uses quickly so you can respond more quickly.

#4 Educate
“Every public-sector employee has a duty to protect their organization’s proprietary information. Instead of mass-emailing a list of rules to employees, it is more effective to teach them face-to-face and share real case studies of how one innocent, wrong action (or inaction) could lead to millions of wasted tax dollars. Trainings on what a suspicious email looks like, how to back up and protect data properly and ensuring papers are properly shredded are just a few ideas to get you started,” Gottwals said.

66% of security incidents in the public sector stemmed from miscellaneous errors, insider and privilege misuse and physical theft and loss. Source: 2016 Data Breach Investigations Report
6 content security best practices

1. First, understand what data is most important. Typically, it’s content that involves personal information, finance and health information, in addition to anything that could put national security at risk. Even agencies that aren’t usually associated with cybersecurity, such as the Agriculture Department, have many petabytes of confidential data.

2. Determine how much data you can encrypt. Note: Public-facing agencies may be more limited.

3. Determine the best method to help protect your content. This could mean using encryption or role- or identity-based restrictions.

4. Understand who is accessing your networks, what they’re looking at and where the data resides and moves to. Continuous monitoring can do this automatically and flag anomalies, helping you to be aware of potential problems more quickly.

5. Conduct frequent audits of agency compliance with federal mandates and regulations. The government issues new guidelines and rules frequently. Staying in accordance with them can be its own challenge, but they’re designed to make you more secure in the long run.

6. Conduct frequent audits of agency compliance with internal policies, verifying that they jibe with agency mission. It’s not just about meeting others’ demands.
Industry Spotlight

An Interview with Jeffrey Young, Multi-solution Architect at Adobe

Government agencies have instituted various security measures to control their networks and access to their files, but what happens when one of those files is removed, whether maliciously or unintentionally, from those existing access controls? Security measures are needed for protecting and tracking electronic documents that contain sensitive information, but it’s equally important to enable flexibility and ease of use for those with authorized access.

That’s where digital rights management (DRM) comes in. DRM is a systematic approach to copyright protection for digital media, whose purpose is to help prevent unauthorized redistribution of such media and restrict the access and permissions on their content.

In an interview with GovLoop, Jeffrey Young, Multi-Solutions Architect at Adobe, a digital experience and creative technology company, explained how agencies can take advantage of DRM technology to better secure digital documents while maintaining positive user experience.

“DRM is bringing the security protections down to the content and user level while being able to determine user access at the time of opening the document,” Young explained.

But for government, DRM means more than just copyright or unauthorized distribution. It can also be critical to the safety and security of the public.
“Citizens have entrusted a lot of data to government organizations,” Young said. “We’re talking about personal information, as well as classified documents and high-value assets. So, we need to make sure agencies do a good job to persist the security protections wherever the document resides.”

Many agencies have traditional solutions and network security systems in place that can put access controls around digital files. However, such solutions often fail to protect a file when it leaves the safety of the agency’s content management system or firewall. Additionally, traditional content management systems often simplify security to access, whereas DRM provides granular permission features (print, copy, modify, etc.) per document, per user.

DRM technology monitors a digital document even after it’s sent outside of an agency’s content management system. Such technology can also be implemented to encrypt files at rest with encryption that will go wherever the document travels. When the user opens the document, DRM technology authenticates and dynamically authorizes the user to see what permissions he/she may have for that particular document.

The right DRM technology can also help enable collaboration and seamless document sharing while keeping security measures in place. This makes it easier for users to access content or make adjustments regardless of where they are or what device they’re using.
“You can have a document with security measures in place using your current enterprise technologies while being able to collaborate with no detriment to the user experience,” Young said.

Additional features of this technology include:
• Document encryption: Help protect PDF and Microsoft Office documents with encryption that conforms to federal standards.
• User authentication: Work within your existing user authentication measures to validate the user’s identity.
• Security integration: Interface with existing authorization systems dynamically as the policy decision point (PDP).
• Confidentiality settings: Define what users or groups can do with documents, such as copy, edit, print, or view offline.
• Dynamic policies: Change security policies at any time, even after the documents have been distributed.
• Mobile access: Allow mobile users to access PDF documents with their mobile apps and devices.

To take full advantage of Adobe DRM and analytics solutions, government agencies need to efficiently identify the digital assets they need to protect.
Young suggested the following first steps to help agencies get started:

1. Determine:
   a. A subset of users.
   b. An authentication methodology.
   c. An approach to applying protection measures to existing and new documents.
2. Identify and protect a set of documents within the subset of users and determine permissions accordingly, whether by classification, groups, or stages in the document collaboration process.
3. Observe the document event data. Every time a document is opened, printed, or modified, agencies can track real-time events being sent back to the DRM server. Those real-time events can then be viewed through an existing analytic engine or DRM web interface.
4. Review the user experience with the users. Determine the best method of implementation for the existing document workflows.

With the right tools, an agency can take steps to secure its content through its life cycle. DRM technology helps enable government to simultaneously step up protections against cyberthreats and hackers, while also allowing enhanced collaboration among government employees. Best of all, the user experience remains smooth.
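The consumption-management alert described earlier (an employee who prints about five documents a day and suddenly prints 500) and the document event data tracked in step 3 above can be checked with a per-user baseline. This is an added example, not code from Adobe or GovLoop; the event fields, the sample data and every threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import median


def build_sample_events():
    """Constructed DRM-style events: (user, day, action, document_id)."""
    events = []
    # alice prints about five documents a day for ten days...
    for offset, n in enumerate([5, 4, 6, 5, 5, 7, 4, 5, 6, 5]):
        day = date(2016, 9, 1 + offset)
        events += [("alice", day, "print", f"doc-{i}") for i in range(n)]
    # ...then 500 in one day, the spike used in the guide's example.
    spike_day = date(2016, 9, 11)
    events += [("alice", spike_day, "print", f"doc-{i}") for i in range(500)]
    # bob is a steady, heavier user; his normal volume must not alert.
    for offset in range(11):
        day = date(2016, 9, 1 + offset)
        events += [("bob", day, "print", f"doc-{i}") for i in range(30 + offset % 3)]
        events += [("bob", day, "open", f"doc-{i}") for i in range(40)]
    # carol and dave have no history at all on the day they first appear.
    events += [("carol", spike_day, "print", f"doc-{i}") for i in range(300)]
    events += [("dave", spike_day, "print", f"doc-{i}") for i in range(3)]
    return events


def daily_counts(events, action):
    """Return {user: {day: number of events of this action}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, day, act, _doc in events:
        if act == action:
            counts[user][day] += 1
    return counts


def find_anomalies(events, action="print", min_history=5, factor=5.0,
                   floor=20, new_user_ceiling=100):
    """Flag days where a user's volume far exceeds that user's own baseline.

    The baseline is the median of the user's earlier active days only, so a
    spike never raises the limit it is judged against. Users with fewer than
    min_history earlier days have no reliable baseline and are compared with
    a fixed ceiling instead of being skipped. Days with no events are not
    counted as zero (a simplification of this sketch).
    """
    alerts = []
    for user, per_day in daily_counts(events, action).items():
        days = sorted(per_day)
        for idx, day in enumerate(days):
            count = per_day[day]
            history = [per_day[d] for d in days[:idx]]
            if len(history) >= min_history:
                baseline = median(history)
                # floor keeps very light users from alerting on small jumps
                limit = max(floor, factor * baseline)
            else:
                baseline = None
                limit = new_user_ceiling
            if count > limit:
                alerts.append({"user": user, "day": day.isoformat(),
                               "action": action, "count": count,
                               "baseline": baseline})
    return sorted(alerts, key=lambda a: (a["day"], a["user"]))


if __name__ == "__main__":
    for alert in find_anomalies(build_sample_events()):
        print(alert)
```

In a deployment the same check would run on the events sent back to the DRM server, with the resulting alerts routed to the security operations center.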
What’s Ahead for Content Security

Content security is a challenge that will be ongoing, especially as the Internet of Things gains traction, connecting billions more devices to the internet all the time. The information provided here lays a good foundation for a solid content security plan, but officials will have to be ready to constantly tweak and evolve security from here on out as well as implement their own legal counsel.

Cybersecurity has evolved in three stages, Chertoff said. It began with perimeter defense, essentially building a moat or a wall around the perimeter. But agencies found that people still got in through the front door by using legitimate credentials and accidentally or purposely compromising data or by stealing credentials. That led to the development of network security, which is about monitoring who’s on the network and where they’re going. But that still left the data itself waving in the wind. That led to today’s focus on data, or content, security. The other two are still necessary for a robust security defense but methods such as encrypting data in transit and at rest and identity- and role-based management are increasingly important.

“This is the next evolution of where security goes,” Chertoff said. “In the old days, you knew if someone wasn’t at their workstation, you knew it wasn’t them. Now that’s no longer relevant anymore.”

He lauded recent government efforts to improve protections, such as the 30-day cybersprint in 2015, but he added that new threats and solutions will continue to arise.

“The trick is going to be to take care of the basic blocking and tackling, which is not glamorous, even while you keep your eye on the possibility of a Hail Mary pass or something really extraordinary to get you a touchdown,” Chertoff said.
Cheat Sheet

This takeaway section will give you steps for being more savvy about content security at your agency, and resources for further reading. Here are some questions to ask about your agency’s current content security approach.

1. What’s our process for inventorying data and prioritizing it based on sensitivity and potential costs if it’s lost?

2. Do we know who is accessing our data and networks and what they’re looking at? How often do we monitor this, and who is responsible for responding to problems?

3. Are we automatically applying security policies to data so that they’re embedded from the get-go?

4. How often do we revisit our content security policies, and is that schedule frequent enough to keep our most valued information safer?

5. We’re content with our current risk management strategy, but are we prepared to respond to a cyber incident when one occurs?

6. Do we have a communications plan in place for sharing information internally and externally? How will we assuage fears, offer help to those affected and maintain our overall reputation?
3 easy ways to boost content security practices

Refresh employees on security
Refresh employees on cybersecurity policies and how to be smart technology consumers. For instance, remind them not to click on links in emails from suspicious senders.

Activate automatic controls
Activate automatic controls so that they’re applied to data without requiring a human to take or remember that extra step. Streamlining security practices makes it more usable and helps avoid creating latencies or productivity lags.

Try a cybersecurity sprint
Try a cybersecurity sprint that targets a specific area of content security and require that organizations within the agency prove adherence to policies.
Data centric security resources
Here are some links to get you up to speed on content security.

• Interview with Michael Chertoff and John Landwehr [Federal News Radio]
• Digital Government Strategy [White House]
• Cybersecurity Strategy and Implementation Plan [White House]
• Digital Strategy: Delivering Better Results for the Public [CIO.gov]
• Cybersecurity National Action Plan [White House]
• With so much at Stake, It’s Critical Agencies Keep their Digital Content Secure [Adobe]
• Cyber Defense: How to Protect Your Most Valued Digital Assets in 2016 [Adobe]
Thanks to Adobe for their support in producing this public-sector resource.
About Adobe

Adobe enables next-generation enterprise digital government services with trusted, proven, and integrated enterprise solutions that help drive agency efficiency, deliver remarkable experiences, and protect mission-critical data. Learn more: adobe.com/industries/government.html

About GovLoop

GovLoop’s mission is to inspire public sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to the public sector. For more information about this report, please reach out to info@govloop.com
The digital age is upon us, and this creates new innovations and openness but also leads to security concerns. It’s no longer enough for government agencies to only apply security protections to their perimeters. As cyberthreats grow in number and sophistication, agencies should be looking at protections to cover every level. This guide covered the basics of what’s driving the digital content transformation in government, offered guidelines to help you prioritize what content needs the greatest protection, and suggested some tools that can help make your fortress stronger.
1152 15th St. NW Suite 800 Washington, DC 20005 P (202) 407-7421 F (202) 407-7501 www.govloop.com @GovLoop