OTTAWA — As Canadian governments move to connect more of their IT systems, they must be mindful of “the challenge of the weakest link” in security regimens, according to the czar of the federal government’s Secure Channel program.
“As we interconnect our systems, we have to recognize that we’re coming at security from different perspectives, even different maturity levels,” said Michael de Rosenroll, director general, strategic infrastructure services sector, information technology services, Public Works and Government Services Canada.
De Rosenroll discussed IT security under a shared services model at a panel discussion this week at the professional development forum at GTEC Week, an annual conference and exhibition for public sector IT professionals. He’d earlier delivered a keynote speech on shared services and the Secure Channel program.
Joining De Rosenroll on the panel were Michael Devaney, deputy chief of information technology security for the Communications Security Establishment; Pierre Boucher, assistant senior director, architecture, standards and engineering with Treasury Board of Canada Secretariat; and Michael Baker, director general, public safety interoperability directorate, Public Safety and Emergency Preparedness Canada.
“We use the word ‘security’ very loosely,” de Rosenroll said. “Security is almost meaningless,” applying as it does to a herd of disparate disciplines – access control, identity, authentication, privilege, authorization and many, many more.
“There’s no way anyone can be an expert in all of these disciplines.”
Further complicating the matter is the fact that from the enterprise perspective that’s guiding the evolution of public sector IT, security isn’t the only viewpoint. De Rosenroll cited the example of a common defence against denial of service attacks that involves a user reading a fractured set of letters that can’t be screen-scraped by software and entering it as an access code. It works – “but think of how that affects the visually impaired,” he said.
Panelists favoured an “all-risk” approach, in which security, accessibility, privacy, availability and other risks are considered in the equation. They also agreed there were cultural issues to deal with – security being a departmental issue with a tendency to develop vertical silos. An integrated system requires more trusted sharing of information within and across communities, Devaney said.
Baker said that required horizontal management of initiatives across organizations that share common goals.
“We have to make sure the right information gets to the right people at the right time,” Baker said. This calls for a more collaborative culture, a shift from the “need-to-know” orientation to a “need-to-share” orientation.
A shared services regimen isn’t simply a way to contain spiraling IT costs, Devaney said. Of the 72 per cent of Canadians with home Internet access, 90 per cent expect to use the Internet to deal with government. Through Secure Channel, 129 client organizations and 130 services are available to online users 24×7.
“Government is open on weekends by virtue of the Internet,” Devaney said, and citizens shouldn’t have to deal with government in a fragmented way – hence the need to share services and data across departments.
“We’re the government. We know when you turn 65,” Devaney said. Instead of waiting for a pension application, “we should be sending you a birthday card. Maybe with a CPP cheque.”
But as more information is consolidated, its protection becomes more critical. “If you put more eggs in one basket, you elevate the risk,” Devaney said.