Encryption on Steroids – Attribute Based Access Control (ABAC)

How many data breaches need to occur before companies take real preventative action? While hotel chains, retail stores, and Facebook are likely to grab headlines, companies of all sizes, across all industries, face the same threats. If you work with intellectual property, handle sensitive materials, or are subject to regulatory compliance, you need to safeguard your digital assets.

Pernicious attacks don’t always come from the outside. According to JAMA Internal Medicine, 53 percent of the 1,138 instances of a data breach at medical facilities they analyzed originated from inside the organization. Overall, 15.1 million patient records were compromised in 2018, a near three-fold uptick from 2017.

Unprepared companies find themselves on newsfeeds for both negligence in combatting a breach and the resulting punishment levied by regulating bodies. Despite this, most companies trying to manage their data are using increasingly unreliable methods such as:

  • Putting up a firewall around the application. Despite amazing progress with firewalls and network security, a malicious attack or internal leak (whether intentional or inadvertent) will result in compromised data.
  • Using an Access Control List (ACL). Sadly, this static method of protecting who can touch data doesn’t work in today’s modern, dynamic, and globally distributed environment.
  • Applying Role-Based Access Control (RBAC). Roles combined with authentication scheme, location, network, risk, and individual characteristics can work for a one-time access decision, but today’s environment is dynamic, and the role assignments are impossible to keep up to date.

Chasing dynamic data with static security models will not support a fast-moving company. As more data becomes available for sharing across a variety of networks, these security measures are proving ineffective at stopping data breaches. Using a network, an ACL, or RBAC simply can’t stop malicious attacks or internal threats.

The paradigm is shifting to Attribute-Based Access Control (ABAC) to redefine data protection. ABAC has been developed to address the most stringent security requirements of the most important government entities on the planet. ABAC is the platform of choice for the US DoD, the UK MoD, and has quickly become a NIST standard.

At its basic level, ABAC uses an ‘IF/THEN/AND’ model to protect the data itself. This model is then applied to data via policy, checking attributes and applying the appropriate permissions (aka “digital rights”).

A Starbucks in Slovakia

Imagine a US State Department official carrying a laptop into a foreign country notorious for its ability to hack and steal data from the open web. This official heads into a Starbucks, opens his or her laptop, and connects to the public WiFi. There is little doubt that this is one of the easiest ways for data to be compromised, but if this official’s data is encrypted via ABAC, data safety is assured regardless of how open the network may be. Regardless of the location, encrypted data is protected by an ABAC schema that guarantees appropriate access or denial of access.

ABAC puts the encryption and safety measures inside the data itself, ensuring that even if hacked or flat-out stolen (e.g., a thumb drive stuck into the side of a laptop), the encryption prevents the data from being compromised and utilized outside of its intended use.

Live inside the data itself

Attributes are the foundation of ABAC. Factors such as program, citizenship, location, clearance level, even time of day, can be used to protect the data. If the user violates any parameter, the ability to access is lost.

Continuing from the above example of an official opening his or her files in a Starbucks in Slovakia, the policy may allow this user to access the data based on multi-factor authentication, a United States location, and clearance level. The fact that the official is trying to access the data in another country violates the policy, which then denies access to the data and reports the attempted use to the policy management system. All elements of the policy must be met. This official could copy/paste the information into a separate application or right into their personal email address, but the encryption inside the data itself prevents them from accessing it and protects the information.
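As an added illustration (not NextLabs code and not part of the original post), here is a minimal policy decision point in Python that evaluates the attributes from the scenario above: every condition in the policy must hold, and each decision is recorded as a stand-in for the report to the policy management system. The policy name, the clearance values and the working-hours window are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import time
from typing import Callable

# One policy condition: takes the request's attributes, returns True if satisfied.
Condition = Callable[[dict], bool]


@dataclass
class Policy:
    name: str
    conditions: dict[str, Condition]  # every condition must hold (IF ... AND ... THEN permit)
    audit_log: list[str] = field(default_factory=list)  # stands in for reports to the policy management system

    def evaluate(self, request: dict) -> tuple[bool, list[str]]:
        """Return (permitted, names of the failed conditions); every outcome is recorded."""
        failed = [name for name, check in self.conditions.items() if not check(request)]
        verdict = "DENY" if failed else "PERMIT"
        self.audit_log.append(f"{verdict} user={request.get('user')} policy={self.name} failed={failed}")
        return not failed, failed


def on_shift(t: time) -> bool:
    # Constructed working-hours window; the article only says "time of day" can be an attribute.
    return time(7, 0) <= t <= time(19, 0)


# Hypothetical policy for the State Department official's files in the article's scenario.
OFFICIAL_FILES = Policy(
    name="state-dept-files",
    conditions={
        "mfa": lambda r: r.get("mfa") is True,
        "us_location": lambda r: r.get("country") == "US",
        "clearance": lambda r: r.get("clearance") in {"SECRET", "TOP SECRET"},
        "time_of_day": lambda r: on_shift(r.get("time", time(0, 0))),
    },
)


def make_request(user: str, mfa: bool, country: str, clearance: str, hour: int) -> dict:
    """Constructed access request; 'hour' is the local hour (0-23) of the attempt."""
    return {"user": user, "mfa": mfa, "country": country, "clearance": clearance, "time": time(hour, 0)}


def decide(request: dict, policy: Policy = OFFICIAL_FILES) -> tuple[bool, list[str]]:
    return policy.evaluate(request)


if __name__ == "__main__":
    # Same user, MFA and clearance as in the article, but the attempt comes from a Starbucks in Slovakia.
    print(decide(make_request("official", True, "SK", "SECRET", 10)))  # (False, ['us_location'])
    print(OFFICIAL_FILES.audit_log[-1])
```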

Moving information around the globe on a second-by-second basis while maintaining control of the intellectual property or sensitive data is more important than ever. An ABAC system can be set up as a centrally located security measure, independent of people, geography, and network perimeter security, and provide a single data safety infrastructure around multiple applications. Users will have persistent rights management regardless of the application they use to access ABAC-encrypted data.

When the encryption is placed inside the data and its metadata, companies can seize control of their data and prevent a breach from internal or external threats. The Department of Commerce has made this a mandatory practice and the adoption is spreading throughout several governmental and military agencies.

There isn’t an industry that couldn’t benefit from implementing an ABAC solution, especially in a world where data is dynamic, information moves across the world in real-time, and breaches can ruin a company’s reputation and trustworthiness.

Protecting Intellectual Property for Product Lifecycle Management (PLM): The Right Way to Do Rights Management

Beyond Cyber-Hacking: The Growing Threats of Internal Theft and Data Mishandling

Designers and manufacturers of high tech products and services, particularly in aerospace and defense, have always spent huge amounts of money to protect intellectual property (IP) from loss and leak. The bulk of security efforts typically focuses on the growing threat of external intrusion from outside the company, particularly from overseas cyber-hackers. This focus is not surprising given the media attention on high profile cyber-hacking incidents, especially the details divulged by the Snowden documents. NSA documents reveal a huge amount of data related to defense technologies being stolen: the equivalent of five Libraries of Congress (50 terabytes).

My SharePoint Rights Management Wish List

By Yann Lejas, Director of Sales Engineering at NextLabs

Most enterprises are using browser-based applications, such as Microsoft SharePoint, to store and share documents and files with their colleagues, business partners, and customers. This platform presents certain advantages: it makes information easy to share and quick to transfer. Digital documents can be accessed anywhere, any time and from pretty much any device.

CAD Under Siege with Persistent Threats that Require Persistent Protection

by Andy Han, Senior VP of Products & Engineering at NextLabs and Jason Enzweiler, Senior Product Manager at Siemens

Increasing intellectual property threats, globalization and collaborative product development have something in common: the need for premium protection of intellectual property. Intellectual property is estimated to represent 70% of a company’s assets and around 6% of this is stolen each year (reference theregister.co.uk).