In a previous article on the GovCyberHub, I wrote about the Zero Trust model for security. There are many areas of cybersecurity that complement the Zero Trust model – and data security is one.
Outside of the IoT world, the goal of cybersecurity is to protect data. The Zero Trust model recognizes this, and focuses on keeping security close to the asset, and portable. Data security, then, encompasses a wide range of technologies and software: data-loss prevention (DLP) systems; encryption in its many shapes and sizes; file integrity monitoring; data sanitization, and so on.
Let’s focus on one: Information Rights Management (IRM), also known as Enterprise Rights Management, Intelligent Rights Management, or Digital Enterprise Rights Management.
IRM products let users encrypt a document, and control access to a document, no matter where the document happens to be at any time. Even when a file has left your hands, it is still possible to control what people do with it. IRM features include:
- Granting or revoking privileges remotely
- Specifying an expiration date
- Limitations on viewing and printing
- Prohibition of cut-and-paste or screen shots
- Limiting access by IP address
- Remote deletion
- Tracking file access (legitimate or not)
- Constraints on how often users can view a file, or even the times of day they can use it
A key element is…the encryption key (pun intended). For government use, an IRM system must have FIPS 140-2 certification, which means that it uses an approved method of encryption, namely AES-256 (a very strong method). Encryption/decryption keys must be available to those using the file, and an IRM system must be able to transmit keys securely, and do so without interrupting or slowing things down.
The traditional notion of a network “perimeter” is largely gone, or going away soon. By intent or design, data travels to untrusted locations – places with “zero trust.” Security that stays with the data, down to the file level, is one important way to keep data safe in a hostile environment.