It’s been roughly 3 months since we released the Policy Implementation Notice (PIN) on the Policy on Acceptable Network and Device Use (PANDU), so I figured now would be a good time for an update on how this exercise is going across the Government of Canada (GC).
For the most part, I have to say that the PIN was well-received. I wasn’t shocked that it would be well-received by end users, but I’m pleasantly surprised by how many security practitioners have accepted it in short order. I fully acknowledge that this is a significant shift for web filtering practices, pivoting from a “prevent” posture to more of a “monitor/detect” posture, but I’m encouraged by the progress made to date.
Of course, that doesn’t mean that every GC department has fully implemented this direction. While we do have some very progressive departments (such as Public Services and Procurement Canada, Transport Canada and Natural Sciences and Engineering Research Council of Canada) that are already there thanks to mature awareness programs and monitoring tools, others are still working towards that goal. On the positive side, the vast majority of departments have opened full access to social media sites (e.g. Facebook, Twitter, LinkedIn), which is a great first step to encourage more public engagement. When it comes to collaboration sites (e.g. Google Docs, Trello, Slack - sites that are so important in our efforts to collaborate outside of the federal government), progress isn’t as universal. Even though a good portion of departments have opened full access to these sites, there are still some that are hesitant, often citing “increased risk of data loss” as a reason for blocking.
Dealing with the risk
Now, I certainly can’t deny that there is a risk of a user accidentally posting something sensitive on one of these sites. But, as I mentioned in my previous blog, that risk will always exist when connected to the Internet. Blocking a handful of legitimate collaboration sites does not change that, and in fact, only encourages users to find their own solutions, which introduces even more risk.
Of course, some departments have higher risk profiles than others, and that’s perfectly understandable. Some may need to augment their monitoring or data loss prevention tools before opening these sites up. Others are developing tailored guidance and awareness/training programs for their employees to ensure they know how to use the tools properly. Increased investment in people, process and technology to enable a more user-friendly experience is always a good thing. The bottom line here is that the goal of security is to enable the business; if the business has a need to collaborate externally, then it’s our job to invest and enable that activity to take place in a secure fashion.
Changing the culture
We’re not all the way there yet with PIN implementation across the board, but we’ll continue to work with departments to provide advice and guidance to help them get there. The one thing this PIN has certainly done in all departments is enable more conversation, and that alone goes a long way towards changing the culture of security in the GC to be more user-focused. Starting with an attitude of “open by default” and using rationale to block (instead of blocking by default and using rationale to open) creates an environment that encourages more risk-based analysis, which is really what security should be about. At the end of the day, security practitioners have to remember that users aren’t coming into work with the primary goal of bypassing security, and similarly, users have to remember that security practitioners aren’t coming into work with the primary goal of shutting everything down. Both are just trying to do their jobs.
In the case of this particular PIN, the sooner we can enable more dialogue between the two sides, the sooner we can establish more effective relationships and collaboration between domestic and international partners. If we truly want to become global digital leaders, this is a key first step.