The report in January 2013 of a lost portable hard drive containing personal information of 583,000 students from the Human Resources and Skills Development Canada office caused the public to be concerned about the security of their personal data. The usual responses, better network security and stronger firewalls, would not have prevented this incident.
Reinforcing the firewall and bolstering the network is all well and good – assuming the data stays within the network. As the government workflow becomes more mobile and USB keys and laptops are part of workers’ everyday devices, the question that should be top of mind is not only “how to improve network security,” but how to better protect mobilized data.
Improving rights management protocols around data is quickly becoming critical to protect Canadians’ sensitive information. For example, Adobe has been working to better secure PDFs by providing users the ability to encrypt, track, and allow specific individuals access to files as they leave the server with Acrobat XI’s rights-management offering.
The rights-management offering for PDF is designed to allow the data to be encrypted against a server, which then holds onto the encryption key. To open the file outside of the network, the person opening it must authenticate with the server. The document author also has the ability to revoke access by changing permissions dynamically – essentially creating a layer of defence around each piece of data.
Additionally, the new security protocols provide an audit trail to better understand who is using the information. Using geo-location and analytics machines, the sender can now see where documents are being opened and whether someone has tried and failed to open a document multiple times, and can adjust access as needed.
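The key-release model described in the two paragraphs above, sketched as an added example (not Adobe's implementation and not code from this article): a server holds each document's key, checks authentication and permissions on every open, supports revocation, and logs each attempt with its location. `PolicyServer`, its methods, the token login and the sample document name are assumptions; the released key would feed a standard authenticated cipher, which is omitted here.

```python
# Added illustration: PolicyServer and its methods are hypothetical, not a vendor API.
import hmac, secrets
from collections import Counter

class PolicyServer:
    """Holds each document's key; releases it only to authenticated, permitted users."""
    def __init__(self):
        self.keys = {}      # doc_id -> content key (never stored with the file)
        self.acl = {}       # doc_id -> set of users allowed to open
        self.tokens = {}    # user -> login secret (stand-in for real authentication)
        self.audit = []     # (doc_id, user, location, outcome)

    def enroll(self, user):
        self.tokens[user] = secrets.token_hex(16)
        return self.tokens[user]

    def protect(self, doc_id, allowed):
        self.keys[doc_id] = secrets.token_bytes(32)
        self.acl[doc_id] = set(allowed)
        return self.keys[doc_id]   # author encrypts with it, then discards it

    def revoke(self, doc_id, user):
        self.acl[doc_id].discard(user)

    def open(self, doc_id, user, token, location):
        expected = self.tokens.get(user, "")
        if not hmac.compare_digest(expected, token) or not expected:
            outcome = "auth_failed"
        elif user not in self.acl.get(doc_id, ()):
            outcome = "denied"
        else:
            outcome = "granted"
        self.audit.append((doc_id, user, location, outcome))  # every attempt is logged
        return self.keys[doc_id] if outcome == "granted" else None

    def repeated_failures(self, threshold=3):
        fails = Counter((d, u) for d, u, _, o in self.audit if o != "granted")
        return sorted(k for k, n in fails.items() if n >= threshold)

def demo():  # constructed scenario: a copy leaves the network, then access is revoked
    srv = PolicyServer()
    alice, bob = srv.enroll("alice"), srv.enroll("bob")
    key = srv.protect("student-records.pdf", ["alice", "bob"])
    first = srv.open("student-records.pdf", "bob", bob, "Ottawa")
    srv.revoke("student-records.pdf", "bob")   # e.g. the drive is reported lost
    after = [srv.open("student-records.pdf", "bob", bob, "unknown") for _ in range(3)]
    return key, first, after, srv.repeated_failures(), srv
```

Because the key never travels with the file, revoking a user on the server makes every copy already outside the network unreadable to that user, and the denied attempts show up in the audit log.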
Rights-management protocols are an invaluable tool for protecting mobilized data, but ultimately the most effective method is having a sound security strategy that includes the three C’s: collaboration, communication and cacotopia (aka Murphy’s Law).
Collaboration between the public and private sectors is a smart step to improve the government’s IT security. From the design and development phase to everyday use of programs and data, the government has much to gain from working with the private sector. Leading companies like Microsoft, RSA and Adobe are constantly on the cutting edge of data security. By looking to the private sector as partners and tapping their collective expertise, the government can ensure the highest level of security is being employed, regardless of whether the data is inside or outside of the network.
The second pillar of an effective security strategy is communication. Open communication between the government and private sector during the software/application development phase is critical to ensure that data security protocols created by the government and its partners meet the government’s needs today as well as tomorrow. Just as critical is clearly communicating the security protocols to government workers, including the steps they need to take to help mitigate the risk of data leaks.
The final pillar is cacotopia (or Murphy’s Law) – hoping for the best, but planning for the worst. Adopting the mentality that the breach or leak has already occurred will force the government and its partners to think of new ways to protect sensitive data – both inside and outside the network. By assuming that confidential data will somehow get outside the firewall, new protocols will be developed at the operating system and application level.
Whether incorporating the latest rights management protocols or developing a security strategy that follows the three C’s, the key to securing information is to remain vigilant. In the coming years, the public and private sector workforce is only going to become more mobile – transporting data on everything from a smart phone to a tablet or USB keys – meaning more potential for leaks. Taking the steps now to better understand potential vulnerabilities and to communicate them, along with how best to mitigate them, to partners and the workforce will mean a more secure future for Canadians’ information.