Information sharing butts heads with information security
Agencies weigh the need to share information and the need secure it
Walk into a Homeland Security Department office and you might see something that seems wasteful: employees with two, three and, in some cases, even four systems sitting on their desks. The reason: Every military service and federal agency has multiple networks. Anyone who needs access to information on a specific network needs a dedicated connection to keep servers and data safe from prying eyes.
“While it’s inefficient, there is some information that must be kept secure, and there’s really no secure way to share data across disparate networks, even within the same agency,” explains Kent Schneider, president and CEO of AFCEA International, a nonprofit communications, IT, intelligence and global security membership association serving the military, government, industry and academia.
In fact, in the era of WikiLeaks and advanced persistent threats, the industry, looking to root out inefficiencies and tighten security, is calling for a revamp of this system — specifically, a secure file-sharing system that allows agencies to share data across networks while ensuring that recipients and senders are actually who they say they are. Such a system, say experts, would lead to increased levels of information sharing, innovation and cost savings.
“If there was a way — over social media or another method of network communication — to establish momentary trust, I could go anywhere and create any transaction, and you as the provider of the information could verify me and my attributes and decide if you wanted to share it with me,” says Schneider.
There are already some organizations that are doing part of this well. The Defense Department, for example, introduced its Defense Cross-Credentialing Identification System (DCCIS). This smart card serves as an identification and access method for DOD computer systems and networks, allowing active military personnel, reservists, employees and defense contractors to sign in securely from wherever they are around the world.
“What the infrastructure does is allow it to be used at the point of transaction similar to ATMs or credit cards,” explains Schneider. “It positively identifies that individual and can encrypt information sent by him or her and add an electronic signature. The tool allows people making decisions to make good decisions about whether or not to allow access.”
Can you hear me now?
But this type of system doesn’t scale externally. Although DCCIS is beneficial when DOD employees and contractors communicate within their own network, it doesn’t help for those who need to communicate across agencies or with those in the private sector. And although there are no fewer than five national-level programs under way to establish identity and attributes, none are synchronized.
“A lot of people are working on the problem, but it’s going to be hard to get widespread information sharing without a single national or global identity program,” says Schneider. That is why many people are going around their security policies and sharing data using services such as Google Docs, Ge.tt and Dropbox to disseminate information in what they think is a secure manner.
The problem with this type of data sharing, says Roger Entner, an analyst and founder of Boston-based research firm Recon Analytics, is that even commercial sites aren’t necessarily secure. Most can be — and many have already been — compromised. In addition, the sites introduce some serious issues when it comes to ownership and acceptable use.
“File-sharing services are really convenient for people who need to move things around in what they think is a secure way, but if you upload something to many of these services, the files become legally theirs,” he says. “People don’t understand that these sites have user agreements that give them indefinite, unlimited global licenses to store and possibly use whatever you store on the sites.”
Until there is a universal DCCIS-type system, there are better options, says Graham Titterington, a principal analyst and security expert at research firm Ovum. He suggests starting internally with a document rights management system that will attach permissions to files and a strong encryption implementation. The rights management will make sure only specific departments or personnel titles have access to particular files, and the encryption will protect the files while they are in transit.
“Administration is very important, though,” he cautions. “Defining access rights should be done by the information owners — the individual business managers who can specify policies. Also, every organization needs a secure place for storing the keys and someone or a group of people who can define each person’s needs so there’s no data leakage.”