In a recent keynote address, Thomas Bossert, Assistant to the President for Homeland Security and Counterterrorism, emphasized the importance of shared services to the nation’s cybersecurity strategy. Cybersecurity itself may become a shared service.
As government moves to shared services models, from either public sector or commercial providers, will security be sufficiently implemented to ensure the protection of systems, processes and data? Whether shared services are hosted within your own data center or elsewhere, end-to-end protection of data and information across the entire value chain is critical. Secure adoption of shared services requires understanding the full ecosystem of data, systems and security, regardless of the provider.
The whole value chain includes each provider’s domain as well as the gaps created. In terms of infrastructure, most organizations have focused on point solutions for cybersecurity over the years. That means there are gaps between products, internal vs. external infrastructure, data centers, networks, and providers. Understanding governance, data and supporting infrastructure is extremely important to bridge these gaps. For example, as the personnel system becomes the primary repository for identity (unique person), each shared service may issue a credential for that identity, and the system may then bind entitlements (permissions) to the credential. So the ability for an individual to access the financial system, which may be provisioned by a provider outside the requesting agency, depends on establishing a chain of trust between each of these functions and organizations.
Governance is important because each component, segment and provider organization may have differing missions and responsibilities. Protections are aligned with the specific mission, such as military, law enforcement, or intelligence. This may mean not only a need to protect personally identifiable information (PII) but also evidence, or sources and methods. Each of these requires specific functions and capabilities to provide security, from creation to storage to transport to processing to reporting.
Data is the connective tissue in shared services. Data and security controls must be applied at the appropriate layer of the architecture to enable end-to-end protection, especially when shared services are implemented across systems and providers. Planning for shared service security is critical because the data may be dispersed across systems, devices and physical locations.
The Federal Risk and Authorization Management Program (FedRAMP) controls and accreditation have been a good start in defining and implementing common infrastructure and general software controls. But FedRAMP can’t provide the needed security between systems and data inherent in shared services, especially when using multiple providers. Securing the gaps between the parts of the ecosystem provides the glue for shared services. With increasing complexity of various functions provided via shared services from a variety of sources, agency customers need to take on the responsibility to carefully detail security requirements based on insight into the specific need. As an example, when DHS released its requirements for a CDM shared services architecture, it identified security requirements that included recommended NIST controls and then layered on additional NIST high and cloud controls.
When implementing shared services, data and mission owners may perceive loss of control. Classically, on-premises systems are predicated on information residing inside agencies’ four walls. As organizations have expanded geographically and virtually, those walls have been maintained by perimeter security and identity management. Security controls must be applied within those somewhat porous boundaries to protect the information within. However, data security isn’t solved by simply adding encryption. As data traverses boundaries, protection and provenance must be preserved, requiring modern controls to secure these modern architectures.
When using shared services, government customers should view as mission critical the responsibility for securing the whole value chain and learn to identify and “mind the gap(s)” that may jeopardize data security. So, a detailed understanding of data needs for each component and provider making up the value chain is crucial for secure, cost-effective shared services.
This content is made possible by our sponsor. The editorial staff of Government Executive was not involved in its preparation.