Update on direction to enable access to web services

September 13, 2018

It’s been roughly 3 months since we released the Policy Implementation Notice (PIN) on the Policy on Acceptable Network and Device Use (PANDU), so I figured now would be a good time for an update on how this exercise is going across the Government of Canada (GC).

For the most part, I have to say that the PIN was well-received. I wasn’t shocked that it would be well-received by end users, but I’m pleasantly surprised by how many security practitioners have accepted it in short order. I fully acknowledge that this is a significant shift for web filtering practices, pivoting from a “prevent” posture to more of a “monitor/detect” posture, but I’m encouraged by the progress made to date.

Implementation progress

Of course, that doesn’t mean that every GC department has fully implemented this direction. While we do have some very progressive departments (such as Public Services and Procurement Canada, Transport Canada and Natural Sciences and Engineering Research Council of Canada) that are already there thanks to mature awareness programs and monitoring tools, others are still working towards that goal. On the positive side, the vast majority of departments have opened full access to social media sites (e.g. Facebook, Twitter, LinkedIn), which is a great first step to encourage more public engagement. When it comes to collaboration sites (e.g. Google Docs, Trello, Slack - sites that are so important in our efforts to collaborate outside of the federal government), progress isn’t as universal. Even though a good portion of departments have opened full access to these sites, there are still some that are hesitant, often citing “increased risk of data loss” as a reason for blocking.

Dealing with the risk

Now, I certainly can’t deny that there is a risk of a user accidentally posting something sensitive on one of these sites. But, as I mentioned in my previous blog, that risk will always exist when connected to the Internet. Blocking a handful of legitimate collaboration sites does not change that, and in fact, only encourages users to find their own solutions, which introduces even more risk.

Of course, some departments have higher risk profiles than others, and that’s perfectly understandable. Some may need to augment their monitoring or data loss prevention tools before opening these sites up. Others are developing tailored guidance and awareness/training programs for their employees to ensure they know how to use the tools properly. Increased investment in people, process and technology to enable a more user-friendly experience is always a good thing. The bottom line here is that the goal of security is to enable the business; if the business has a need to collaborate externally, then it’s our job to invest and enable that activity to take place in a secure fashion.

Changing the culture

We’re not all the way there yet with PIN implementation across the board, but we’ll continue to work with departments to provide advice and guidance to help them get there. The one thing this PIN has certainly done in all departments is enable more conversation, and that alone goes a long way towards changing the culture of security in the GC to be more user-focused. Starting with an attitude of “open by default” and using rationale to block (instead of blocking by default and using rationale to open) creates an environment that encourages more risk-based analysis, which is really what security should be about. At the end of the day, security practitioners have to remember that users aren’t coming into work with the primary goal of bypassing security, and similarly, users have to remember that security practitioners aren’t coming into work with the primary goal of shutting everything down. Both are just trying to do their jobs.

In the case of this particular PIN, the sooner we can enable more dialogue between the two sides, the sooner we can establish more effective relationships and collaboration between domestic and international partners. If we truly want to become global digital leaders, this is a key first step.

Imraan Bashir

Senior Director, Cyber Security, Chief Information Officer Branch, Treasury Board of Canada Secretariat

Imraan leads the team responsible for providing leadership, direction and oversight for cyber security for the GC enterprise at large, enabling the secure delivery of programs and services to Canadians. He is a vocal member of the GC security community, advocating for practitioners to take a more balanced, risk-based approach to security, with a focus on enabling business outcomes. Imraan is a staunch believer in #pragmaticsecurity and can often be found ranting about it on Twitter.
