Enabling #GCdigital with pragmatic security
Governments today function through constant communication and collaboration with external partners. We’re long past the days of building programs behind closed doors. Being able to work the community where they are, using the tools they use, is fundamental to the #GCdigital and #opengov agendas, and the cyber security team I lead is trying to make that easier.
Since I started working in cyber security, I was told that cyber practitioners are supposed to be “business enablers”. We’re supposed to understand user and business needs, and identify controls that will help our colleagues achieve their goals securely.
That sounds great in theory but, in practice, this doesn’t always seem to be the case. Cyber security practitioners are often put in the difficult position of balancing risk and functionality, and tend to be looked at as the “no” people, or the people that prevent you from getting a job done because the risk is too high. While we may want to be business enablers, it’s also our job to ensure the continued protection of our information holdings. This can certainly be a tall order, however, we have to find a way to transition to a place where we can balance business objectives and business innovation with an appropriate level of risk.
A case for change
A good example of this need for a change in thinking is website access on government computers. The debate over which websites we are allowed to access from our work devices has gone on for years, but has come to a head recently with the increased use of social media and web-based collaboration tools like Google Docs, Slack and Trello for work purposes. For a long time, Government of Canada departments and agencies blocked these sites, often citing “potential security risk” as the reason.
Now, there are plenty of good reasons to block certain websites from work devices. Illegal or criminal activity? Definitely. Known malicious sites? Absolutely. But, blocking a site because there is a risk that someone might post something sensitive? That could be almost any website.
I hear this argument on a daily basis. “We have to block Twitter because someone might post something sensitive on there”. Or, “we have to block Google Docs because someone might upload a sensitive document”. Or, “we have to block Slack because someone might say something wrong in a chat channel”. Well, here’s the thing…whether you block these sites or not, those risks exist every day with everything else Internet-based that we use, whether it be email or the comment section of your favorite news website. The only way to truly eliminate this risk is to disconnect from the Internet completely…and we all know that’s not going to happen.
Trust me, it’s secure…or is it?
By blocking these sites, we tend to think that the mission has been accomplished. The gate is down so no one can get around it, right? Sure, temporarily, until they work around the implemented “security”, transfer a file to their personal phone and then make the same upload they were trying to do earlier. So, if you think about it, the security posture is worse because the file transfers are happening on a network where we have zero visibility. For me, I’d rather know what’s going on than pretend it’s not happening at all.
The challenge when we prioritize potential security threats over functionality is that employees find a way to work around these controls leading to additional vulnerabilities, decreased productivity, and frustrated staff who don’t have access to the tools to do their job. At the end of the day, we need to realize that people simply want to get their jobs done and will find the necessary tools to do so whether we provide them or not. Being risk averse can actually create more risk and we need to start thinking about a different approach.
A new direction
This new approach starts with the recently released Policy Implementation Notice (PIN) on the Policy on Acceptable Network and Device Use (PANDU). When PANDU was released in 2014, it required departments to open access to the Internet, including Web 2.0 tools. Since that time, implementation has been sporadic, resulting in an inconsistent approach across the government. The new PIN provides more prescriptive direction on how departments are to configure their web filtering policies. We’re directing departments to block illegal and malicious sites, block certain streaming sites if there is evidence of significant network impact, but open the rest of the Internet up by default. You’ve heard the term “open by default” for our data before, well, why not do this for our tools as well?
Now, of course, any general Internet site is only to be used to process non-sensitive information. So, it’s on all of us cyber security practitioners to educate our users on the do’s and don’ts for these sites. Rather than blocking employees, let’s work with them, by providing training, being available for questions, ultimately enabling them to use websites properly. This will prevent the insecure workarounds, allowing them to get their jobs done easier and allowing us to ensure that all activity remains on a network that we are monitoring and protecting.
People who know me know that I’m often rambling on about #pragmaticsecurity. All that means is that we need to find ways that balance user needs with practical security measures. If we make it too difficult for them to use, believe me, they will find an alternative that will undoubtedly leave you worse off from a security perspective. We need to always be searching for that “sweet spot” for security folks and users, and we hope that this PIN is a good first step to getting there.
Senior Director, Cyber Security, Chief Information Officer Branch, Treasury Board of Canada Secretariat
Imraan leads the team responsible for providing leadership, direction and oversight for cyber security for the GC enterprise at large, enabling the secure delivery of programs and services to Canadians. He is a vocal member of the GC security community, advocating for practitioners to take a more balanced risk-based approach to security, with focus on enabling business outcomes. Imraan is a staunch believer of #pragmaticsecurity, and can be found often ranting about this on Twitter.
Anonymous Coward - August 07, 2018
It's been nearly two months since this new policy and my department (ESDC) is still blocking several of the above mentioned sites (Google Docs, Slack, Imgur (where W3C hosts a number of image files.), etc.)
So I wonder how optional this policy is. The language in this post ("policy", and "directing departments to....") makes it sound pretty mandatory. But, it still hasn't happened in my dept.
Sergio - June 25, 2018
A great piece indeed.
If government functions through constant interaction with external partners, should partners provide visibility to the government of their levels of risk?
Jamie Armstrong - June 21, 2018
Of course there is demand for web based collaboration and sharing tools across the GC and yes, certainly these can be used to facilitate and enhance our business operations But allowing “open by default” to the growing proliferation of data sharing services must be accompanied by increased investment in security tooling and capabilities to give your GC security teams accurate and real-time visibility and monitoring of their networks and endpoints so they can detect sensitive information leaving the Dept regardless of whether it is to an "approved" site or not.
Rick Labelle - June 19, 2018
Thank you for this article. I have spent most of my career in Project Management, Security and Privacy. Communicating the message of business needs directly to Security assessors has always been a challenge and I understand their position and why they say 'no'. Hopefully, the message of a balanced approach with business and security can be disseminated to our security colleagues.
Keith Douglas - June 18, 2018
What about other uses of blocking, not necessarily for security but for bandwidth reasons, say?
Imraan - June 25, 2018
Good question, Keith.
PANDU does state that the definition of 'unacceptable use' includes activity that "impacts negatively the performance of Government of Canada electronic networks and devices". If a departmental CIO sees that allowing certain sites (e.g. video streaming) is causing significant impact to the network, the PIN allows them to approve the blocking of offending sites with that rationale.
Having said that, there are often other ways to address bandwidth concerns (e.g. traffic shaping, user education/awareness), so we encourage departments to investigate those options first.
Jason White - July 20, 2018
As government departments adopt a new workplace design with fewer or no cubicle walls, more shared coworking space, etc, employees will often try to adapt by listening to music streaming services at work.
It's important that departments explicitly recognize this tradeoff and increase bandwidth as appropriate.
Anonymous - June 20, 2018
In 2018, bandwidth shouldn't be an issue. If it really does become an issue I think handling bandwidth case by case makes the most sense. Assume users won't abuse, deal with the ones that do. Oftentimes there are real business reasons for accessing high bandwidth websites that might not be immediately obvious.
Lisa Fast - June 15, 2018
Wonderful to acknowledge reality and encourage #PragmaticSecurity.
Thank You from someone who has used every online work-around we could dream up for our teams to collaborate across and within departments.