Updated July 30, 2023

How many data breaches need to occur before companies take real preventative action? While hotel chains, retail stores, and Facebook are likely to grab headlines, companies of all sizes, across all industries, face the same threats. If you work with intellectual property, handle sensitive materials, or are subject to regulatory compliance, you need to safeguard your digital assets. 

The ideology has shifted from “if” a data breach occurs to “when” it will occur. In 2021, more than 40 million patient records were compromised, according to incidents reported to the federal government. Exacerbating the challenge of recovering from such breaches, some hospitals then face legal action after restoring their networks.

Unprepared companies find themselves on newsfeeds for both negligence in combatting a breach and the resulting punishment levied by regulating bodies. Despite this, most companies trying to manage their data are using increasingly unreliable methods such as:

  • Putting up a firewall around the application. Despite amazing progress with firewalls and network security, a malicious attack or internal leak (whether intentional or inadvertent) will result in compromised data.
  • Using an Access Control List (ACL). Sadly, this static method of protecting who can touch data doesn’t work in today’s modern, dynamic, and globally distributed environment.
  • Applying Role-Based Access Control (RBAC). Combining authentication schemes, location, network, risk, and individual characteristics can work for one-time access, but today’s environment is dynamic, making RBAC impossible to keep updated.
  • Locking files. Forcing users to lock and unlock files leaves those files either unprotected or inaccessible because they are locked. This static model is an inconvenient and precarious approach in today’s dynamic work environment.

Chasing dynamic data with static security models will not support a fast-moving company. As more data becomes available for sharing across a variety of networks, these security measures are proving ineffective at stopping data breaches. Using a network, an ACL, or RBAC simply can’t stop malicious attacks or internal threats.

Even though encryption is a common method of securing files that are shared, there is no way to collaborate securely if the shared data stays encrypted. Encryption is an effective way to lock up data, but the data must be decrypted before the recipient can access the shared file. As soon as the file is decrypted, it is no longer secure, and the data can be used or retransmitted to anyone.

Enterprise Digital Rights Management (EDRM) is essentially a policy-based technique that uses encryption to protect data persistently. It provides centralized control of access to and usage of digital information regardless of where it exists, be it inside or outside of your enterprise. EDRM systems protect enterprise information from unauthorized access, use, and distribution by applying policies to the information distributed in electronic documents. EDRM policies selectively prevent document recipients from specific activities such as copying, printing, forwarding, and cut and paste, and can set an expiration on the document. Policies can be updated or revoked even if the document has been distributed outside the enterprise. In doing this, EDRM protects data against theft, misuse, or inadvertent disclosure, and mitigates the business, legal, and regulatory risks of collaboration and information exchanges with partners and customers.

A Perfect Match

The paradigm is shifting to Attribute-Based Access Control (ABAC) to redefine data protection. ABAC was developed to address the most stringent security requirements of the most important government entities on the planet. It is the platform of choice for the US DoD and the UK MoD, and it has quickly become a NIST standard.

According to NIST SP 800-162, ABAC is a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes.

EDRM powered by ABAC now offers even greater flexibility, serving a broader audience while solving a larger scope of commonly faced business problems. ABAC-based policy is dynamic by nature, as it is derived from existing identity data including user roles, assignments, and attributes. The policy is associated with what you are, not who you are, which is ideal for dynamic environments. At its most basic level, ABAC uses an ‘IF/THEN/AND’ model to protect the data itself. This model is then applied to data via policy, checking attributes and applying the appropriate permissions (aka “digital rights”). As a result, EDRM can be easily deployed across enterprises with a small number of dynamic policies and without complex encryption key management, resulting in a significant reduction of management costs.

Protection Regardless of Location

Imagine a US State Department official carrying a laptop into a foreign country notorious for its ability to hack and steal data from the open web. This official heads into a Starbucks, opens his or her laptop, and connects to the public Wi-Fi. It’s hard to deny that this is one of the easiest ways for data to be compromised, but if this official’s data is protected with EDRM, data safety is assured regardless of how open the network may be. Regardless of the location, data that is protected with EDRM guarantees appropriate access or denial of access.

ABAC policy puts the encryption and safety measures with the data itself inside EDRM, ensuring that even if hacked or flat-out stolen (e.g., a thumb drive stuck into the side of a laptop), EDRM prevents the data from being compromised and utilized outside of its intended use. 

Live Inside the Data Itself

Attributes are the foundation of ABAC. Factors such as program, citizenship, location, clearance level, even time of day, can be used to protect the data. If the user violates any parameter, the ability to access is lost.

Continuing from the above example about an official opening his or her files in a Starbucks in Slovakia, the policy may allow this user to access the data based on multi-factor authentication, a United States location, and clearance level. The fact that the official is trying to access the data in another country violates the policy, which then denies access to the data and reports the attempted use to the policy management system. All elements of the policy must be met. This official could make a copy of the files or drop them into his or her personal email as an attachment, but the encryption stays with the files themselves, preventing access and protecting the information.
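The ‘IF/THEN/AND’ evaluation described above and the Starbucks-in-Slovakia scenario, as an added Python illustration (not code from any EDRM product or from NIST SP 800-162); the attribute names, the `official-42` identifier and the policy values are constructed for the example:

```python
"""Toy ABAC evaluator for the scenario above (added illustration, not vendor code).
A rule reads: IF every condition holds THEN grant these rights (AND over attributes)."""
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    conditions: dict  # "category.attribute" -> required value or predicate
    rights: set       # digital rights granted only when all conditions hold

def _lookup(request: dict, path: str):
    """Resolve "subject.country" to request["subject"]["country"] (None if absent)."""
    category, attr = path.split(".", 1)
    return request.get(category, {}).get(attr)

def evaluate(request: dict, rules: list, audit: list) -> set:
    """Return the rights granted to a request; report each failed rule to audit."""
    granted = set()
    for rule in rules:
        failed = [path for path, want in rule.conditions.items()
                  if not (want(_lookup(request, path)) if callable(want)
                          else _lookup(request, path) == want)]
        if failed:  # one violated attribute denies the whole rule
            audit.append({"rule": rule.name, "subject": _lookup(request, "subject.id"),
                          "failed": failed})
        else:
            granted |= rule.rights
    return granted

# Constructed policy: view/print the briefing only with MFA, from a US location and
# clearance 3 or higher. Copying and forwarding are never granted by this rule.
POLICY = [Rule(
    name="state-dept-briefing",
    conditions={"subject.mfa": True,
                "environment.country": "US",
                "subject.clearance": lambda lvl: lvl is not None and lvl >= 3,
                "object.program": "briefing"},
    rights={"view", "print"},
)]

def make_request(country: str) -> dict:
    """Constructed access request from the official; only the location varies."""
    return {"subject": {"id": "official-42", "mfa": True, "clearance": 4},
            "object": {"program": "briefing", "doc": "itinerary.docx"},
            "environment": {"country": country}}
```

Evaluating `make_request("US")` grants view and print, while `make_request("SK")` grants nothing and leaves an audit record naming the violated attribute, which is the report to the policy management system the text describes.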

Moving information around the globe on a second-by-second basis while maintaining control of the intellectual property or sensitive data is more important than ever. An ABAC system can be set up as a centrally located security measure, independent of people, geography, and network perimeter security, and provide a single data safety infrastructure around multiple applications. Users will have persistent rights management regardless of the application they use to access ABAC-encrypted data.

When policy, encryption, and metadata are applied together as the safeguard that protects data inside EDRM, companies can seize control of their data and prevent a breach from internal or external threats. The Department of Commerce has made this a mandatory practice, and adoption is spreading throughout several governmental and military agencies.

There isn’t an industry that couldn’t benefit from implementing an ABAC and EDRM solution, especially in a world where data is dynamic, information moves across the world in real time, and breaches can ruin a company’s reputation and trustworthiness. With EDRM powered by ABAC, organizations can automate the protection of shared files and data, safeguarding their crown jewels, trade secrets, and business-critical data.