Anil John
Making Digital Services Secure and Trustworthy

Hang Together or Hang Separately? U.S. Digital and Information Sharing and Safeguarding Strategies

Last year, the U.S. Government published both a "Digital Government Strategy" (PDF) and a "National Strategy for Information Sharing and Safeguarding" (PDF). Each has its own community of champions, but common and mutually supporting themes will require active collaboration and partnership across communities for both strategies to be successful in the long term.

When the digital strategy was published, the overwhelming attention was focused on near-term aspects such as mobility and web APIs. That focus in some ways obscures the truly transformational aspect of the strategy, which is the introduction of a conceptual model for digital services that makes information a first-class citizen.

The model acknowledges three layers of digital services: the information layer, the platform layer and the presentation layer.

The information layer contains both structured and unstructured information.

The platform layer includes the systems and processes that manage and add value to this information.

The presentation layer defines the multiple channels by which this information can be organized, presented and delivered to customers.

The model also acknowledges that customers include both employees and the American people.

And last, but not least, the entire service delivery mechanism needs to have the appropriate security and privacy safeguards built in at all layers.

When looking at overarching strategies, it is important to keep in mind the real world in which the strategies need to execute. In IBM's Fast Track to the Future: The 2012 IBM Tech Trends Report (PDF), IBM identifies the four trends that are shaping our daily lives:

  1. Business Analytics
  2. Cloud
  3. Mobile
  4. Social

The change in mind-set as articulated by the digital strategy conceptual model is directly applicable to how government successfully navigates and leverages these trends.

At the same time, the IBM report also notes:

Security concerns consistently rank as the most significant barrier to adoption across mobile, cloud computing and social business. Even in business analytics, where data typically stays inside an organization's firewall, securing and controlling access to data still places as the number-two barrier to adoption.

The core message is clear: IT security is not just a technology concern; it's a broad business issue with far-reaching policy and process implications. Moving into mobile means organizations must address the increased risk of data loss and security breach, device management challenges, and complications introduced by the growing trend toward bring-your-own-device. Analytics adoption forces decisions on data privacy, retention and access control for both the raw data and derived insights. Cloud computing calls for policies on employee use of public cloud services (e.g., file-sharing services), segregation of data within shared or hybrid cloud solutions and ensuring the right data is in the right place subject to the right controls. And with social business, organizations need to consider customer privacy expectations, regulatory compliance, and employee guidelines on confidentiality, acceptable use and protecting the corporate brand.

In each area, organizations are struggling to protect what is arguably their most important asset: information.

The ability to make relevant information available at the point of action while applying the appropriate privacy and security safeguards is where, I believe, the Information Sharing and Safeguarding Strategy and the Digital Government Strategy have shared goals:

Digital Government Strategy:
  • "This approach also supports device-agnostic security and privacy controls, as attributes can be applied directly to the data and monitored through metadata, enabling agencies to focus on securing the data and not the device"
  • "We must also adopt new solutions in areas such as continuous monitoring, identity, authentication, and credential management, and cryptography that support the shift from securing devices to securing the data itself and ensure that data is only shared with authorized users"
  • "By embedding security and privacy controls into structured data and metadata, data owners can focus more effort on ensuring the safe and secure delivery of data to the end customer and fewer resources on securing the device that will receive the data"

Information Sharing and Safeguarding Strategy:
  • "It is a national priority to efficiently, effectively, and appropriately share and safeguard information"
  • "Managing information as a national asset simultaneously demands stakeholders make it available to those who need it, while also keeping it secure from unauthorized or unintended use"
  • "As networks are consolidated and shared services are adopted, access controls must be applied on the data itself, using tags. Information tagging is an approach where standard attributes & tags are attached to a piece of information to describe it"
  • "Information tagging further assists in meeting records management requirements, responding to disclosure inquiries, integrating privacy protections, and remediating erroneous data disclosures and modifications"

Given the mutually supporting aspects of the two strategies, long-term success for both will require collaboration and partnership across multiple communities that have often had differing perspectives on information sharing and protection.

This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.
