The first and most important part of a comprehensive data security program is to understand clearly what the most critical information an agency holds is — the crown jewels — and to establish clear ownership of that data.
This clear understanding becomes even more important as data is stored in and moved between various cloud applications. And as agencies share their data through service portals and open data platforms, the need for a robust and well-managed information management system is critical.
“The first step is understanding what your most important data is, and then learning where it sits. But that’s not all,” said Glen Gooding, IBM Security Services Business Unit executive.
Gooding says agencies need to start examining the data they have on hand — and deciding which types of information are most important to them.
“Government agencies might be in a better position to decide what data is important to them than private organisations,” he said. “They just need to identify what are the so-called ‘crown jewels’ of data, and then focus in on those.”
Gooding says the trend of moving information towards cloud-based infrastructure means understanding who exactly is responsible for data security is vital.
“Once agencies determine that, they need to think about who owns it all. Is it the CIO? Is it the agency’s head? Being able to dictate or define that ownership is the next stage in the process,” said Gooding.
Information may be duplicated across a number of different databases, increasing the opportunities for corruption or leaks. “This is the dilemma we’ve got ahead of us,” he said.
Secure foundations
The Australian government’s security classification system gives guidance on identifying and grading the confidentiality requirements of the information it holds. These classifications rate data from “protected” to “top secret”, and specify how long each classification applies.
While useful, the challenge lies in ensuring these guides are understood by agencies and that the infrastructure is in place to ensure they are consistently applied.
“We need to be able to provide an awareness and robust security controls, especially around mobile applications,” he said. This is particularly important as more agencies start relying on mobile applications for users to send data.
There are additional security challenges when agencies share data and merge it into one system. For example, the integration of services into platforms such as myGov or Service NSW requires strong security strategies to cement citizen trust.
Just as banks and other corporates go to great lengths to demonstrate to customers their security measures, governments must assure citizens their data isn’t being mistreated. Banks house equally important data, but have a level of inherent trust from the public that public agencies should emulate.
“Organisations need to be transparent in the way they do things,” Gooding said. “Just as we’re quite happy to read the privacy rules or regulations on a website, that next level of detail is something that could be possible in the future.
“Potentially there could be some grounding statements that get built into the way the agencies manage data.”
Agile requires security up-front
But Gooding says there needs to be a significant change in the way government agencies view the use of this data if any permanent inroads are to be made. If large government services are going to transform the ways they use data, security must be paramount.
“In years gone by we spent a lot of time in either the public or private sector on the quickest route to market, and security was the last thing that anybody would think of,” he said.
“There would be questions about security, but it was decided to take a business risk and deploy it anyway. In an agile-based approach, you just cannot do that.”
Gooding says the huge amount of personal identifiable information in these types of systems means a focus on security and privacy needs to be built in from the very beginning of the agile development process.
“It has to be built into the process flows,” he said. Otherwise, data transformation projects such as those seen within the ATO could have drastic ramifications if security is left behind.
“Your data is critically important, yes, but it’s the whole ecosystem that you need to look at to provide that strong foundation,” he said. “If you have that foundation in place, then the agile process is much faster.
“You can start to call on to the API economy in order to authenticate users, revoke users, and so on.”
Tapping into expertise
Crucially, Gooding says, government departments need to start partnering with private agencies if they hope to achieve any significant inroads into the transformation of data. The banks, for example, have significant experience around payments and transactions and how to provide these services securely with an easy-to-use interface.
“We’ve got to come up with ways the private sector and public sector can collaborate and learn from each other around security and the management of digital data,” he said.
By tapping this broader expertise, Gooding says, agencies can start a data transformation journey that is more aligned with what the broader public expects.
“I think they’re going to have to change the way they go about things,” he said. “Some agencies such as the NSW Family and Community Services are doing this right now — adopting application development policies influenced by agile. They’re really not far behind when it comes to bringing new technology to market.”
Joint force for the future
“We also need to come up with ways the private sector and the public sector can share security intelligence information,” he said. “Whether that be information on external attacks that are beating on the door of a bank — the same attack could target a government agency 18 months later.
“When the time comes, having that shared intelligence between public and private sector vendors — that type of collaborative understanding, could be crucial.”
While this shared discussion can clearly benefit agencies, the true benefit sits with the public. However, such sharing also requires risk control.
“Industry collaboration means making statements about that collaboration and being proficient in managing the security controls in this country, and around the globe when partnering with government agencies.”