A common topic in our blog is the threat that insiders pose to an organization’s sensitive data. Why? ‘Insider threats’ continue to pose the biggest threats to intellectual property (IP) and military secrets. Insiders, including contractors, need access to sensitive information to do their job, but to what extent? How can we prevent sensitive information from being exfiltrated by malicious insiders? To address this threat, organizations need to balance the need for access with controls on what can be done with that data once access is granted.
Theft of IP and Military Secrets Continues to be a Challenge
In November 2022, Quadrant Magnetics and three contractors working at the company were charged with sending export-controlled defense-related technical data to China, as well as illegally providing the U.S. Department of Defense with Chinese-made parts for military equipment. The charges involved violations of the Arms Export Control Act, wire fraud, and smuggling.
The indictment alleges that between January 2012 and December 2018, the defendants allegedly conspired to send 70 technical data drawings of U.S. military parts to an unspecified company in China. The technical drawings, which were the property of two unnamed U.S. companies, related to parts for U.S. military aviation, submarines, radar, tanks, mortars, missiles, infrared and thermal imaging targeting systems, and fire control systems.
The theft of IP and military data like this continues to plague organizations large and small, impacting both enterprises’ and Defence agencies’ ability to retain their competitive and military advantage.
9 Essential Access and Handling Questions for IP and Military Secrets
Organizations need to assess what data an employee needs to access to do their job. But it doesn’t stop there. They also need to determine what a user should be able to do with that data if they are granted access to it.
The key questions your IT and information security teams should be asking when determining sensitive data policies include:
- Where is sensitive data stored and collaborated on? One or multiple systems?
- What is the sensitivity level of the document? Is it classified or controlled unclassified information (CUI)?
- Do any regulatory policies apply to it? (e.g., GDPR, ITAR, CMMC, DISP, etc.)
- Are any visual markings required? (e.g., sensitivity level, header/footers, CUI designation indicator labels, portion markings)
- Who has access to sensitive data? Should they?
- If they should, then what should they be able to do with it?
- Edit or get a read-only version?
- Copy and paste content?
- Print it?
- Save it?
- Download it?
- What about sharing it? With whom?
- How should documents be shared?
- Can it be sent as an email attachment?
- Should provide a link to a secure file-sharing site instead?
- Does the file need to be encrypted?
- Do you need to audit sensitive data access and handling?
A Data-Centric, Zero Trust Approach is the Answer
You may be wondering why insiders are able to steal information so easily in the first place. Quite simply insider threats are not a use case that most traditional security tools are designed to address. To achieve the level of granular data security needed, a more modern approach to information access and sharing using a data-centric, zero trust approach is required.
Zero trust is a security framework that requires all users, whether inside or outside the network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted access to networks, applications and/or data.
While many zero trust technologies focus on the network and application layer, adopting a data-centric approach is the best way to address both enterprise and military data security challenges. Attribute-based access control, also known as ABAC, is the best data-centric model for this.
Instead of segmenting access to data by role or classification, ABAC allows for multi-level security by segmenting access to the data by evaluating a combination of attributes. Using ABAC, organizations can granularly microsegment access to individual data assets based on user (e.g., country, clearance, nationality), environmental (e.g., device, location, IP), and data attributes (e.g., sensitivity, classification).
An ABAC-enabled approach provides real-time contextual data security that automatically adjusts access rights based on the conditions at the time of access. It’s a far more effective approach than giving someone carte blanche access because their role dictates access should be given to an asset no matter the circumstances.
Don’t Stop at Just Restricting Access to IP and Military Secrets
archTIS’ information security technologies go a step further, using ABAC policies to also apply granular controls on how users can interact with data once access is granted. For example, a restricted read-only view of the document can be presented to prevent users from copying, pasting or downloading sensitive information.
Dynamic watermarks can be automatically applied to stamp documents with custom information about the users accessing the document, apply visual markings required for classified and controlled unclassified information (CUI), remind users about the sensitivity of a document, and ultimately track the leak point if a document is shared in an unauthorized manner. It can also dynamically apply encryption if the conditions indicate that it is needed.
These are just a few of the ways archTIS information’s security products are enhancing the protection of sensitive information. Kojensi and NC Protect not only ensure that just authorized users can access information – they also control what they can do with the data once access is granted.
Security is always a balancing act. archTIS’ ABAC-powered solutions give enterprises and the Defense industry the ability to balance the need for access with granular controls to keep IP and military secrets from landing in the hands of competitors and/or foreign adversaries.