Governments today function through constant communication and collaboration with external partners. We’re long past the days of building programs behind closed doors. Being able to work with the community where they are, using the tools they use, is fundamental to the #GCdigital and #opengov agendas, and the cyber security team I lead is trying to make that easier.
Since I started working in cyber security, I was told that cyber practitioners are supposed to be “business enablers”. We’re supposed to understand user and business needs, and identify controls that will help our colleagues achieve their goals securely.
That sounds great in theory but, in practice, this doesn’t always seem to be the case. Cyber security practitioners are often put in the difficult position of balancing risk and functionality, and tend to be looked at as the “no” people, or the people that prevent you from getting a job done because the risk is too high. While we may want to be business enablers, it’s also our job to ensure the continued protection of our information holdings. This can certainly be a tall order; however, we have to find a way to transition to a place where we can balance business objectives and business innovation with an appropriate level of risk.
A case for change
A good example of this need for a change in thinking is website access on government computers. The debate over which websites we are allowed to access from our work devices has gone on for years, but has come to a head recently with the increased use of social media and web-based collaboration tools like Google Docs, Slack and Trello for work purposes. For a long time, Government of Canada departments and agencies blocked these sites, often citing “potential security risk” as the reason.
Now, there are plenty of good reasons to block certain websites from work devices. Illegal or criminal activity? Definitely. Known malicious sites? Absolutely. But, blocking a site because there is a risk that someone might post something sensitive? That could be almost any website.
I hear this argument on a daily basis. “We have to block Twitter because someone might post something sensitive on there.” Or, “we have to block Google Docs because someone might upload a sensitive document.” Or, “we have to block Slack because someone might say something wrong in a chat channel.” Well, here’s the thing: whether you block these sites or not, those risks exist every day with everything else Internet-based that we use, whether it be email or the comment section of your favourite news website. The only way to truly eliminate this risk is to disconnect from the Internet completely, and we all know that’s not going to happen.
Trust me, it’s secure…or is it?
By blocking these sites, we tend to think that the mission has been accomplished. The gate is down so no one can get around it, right? Sure, temporarily, until they work around the implemented “security”, transfer a file to their personal phone and then make the same upload they were trying to do earlier. So, if you think about it, the security posture is worse because the file transfers are happening on a network where we have zero visibility. For me, I’d rather know what’s going on than pretend it’s not happening at all.
The challenge when we prioritize potential security threats over functionality is that employees find a way to work around these controls, leading to additional vulnerabilities, decreased productivity, and frustrated staff who don’t have access to the tools they need to do their job. At the end of the day, we need to realize that people simply want to get their jobs done and will find the necessary tools to do so whether we provide them or not. Being risk averse can actually create more risk, and we need to start thinking about a different approach.
A new direction
This new approach starts with the recently released Policy Implementation Notice (PIN) on the Policy on Acceptable Network and Device Use (PANDU). When PANDU was released in 2014, it required departments to open access to the Internet, including Web 2.0 tools. Since that time, implementation has been sporadic, resulting in an inconsistent approach across the government. The new PIN provides more prescriptive direction on how departments are to configure their web filtering policies. We’re directing departments to block illegal and malicious sites, to block certain streaming sites if there is evidence of significant network impact, and to open the rest of the Internet up by default. You’ve heard the term “open by default” for our data before, so why not do this for our tools as well?
Now, of course, any general Internet site is only to be used to process non-sensitive information. So, it’s on all of us cyber security practitioners to educate our users on the do’s and don’ts for these sites. Rather than blocking employees, let’s work with them by providing training and being available for questions, ultimately enabling them to use websites properly. This will prevent the insecure workarounds, allowing them to get their jobs done more easily and allowing us to ensure that all activity remains on a network that we are monitoring and protecting.
People who know me know that I’m often rambling on about #pragmaticsecurity. All that means is that we need to find ways to balance user needs with practical security measures. If we make things too difficult for people to use, believe me, they will find an alternative that will undoubtedly leave you worse off from a security perspective. We need to always be searching for that “sweet spot” between security folks and users, and we hope that this PIN is a good first step to getting there.