Sharing IT operations between government departments is gaining steam after a recent effort by the administration to encourage this collaboration. The powers that be think departments can share services and profit from it.
In a way, this shift reflects the real compromises that get made in any governmental department’s day-to-day operations. For example, IT may be trying to achieve a worthy goal such as compliance only to learn that there are limited resources available for that initiative. Departments have an overall cap, and money used for IT or any other operational expense may come out of the funds that would otherwise be used for program fulfillment.
The push to work smarter is on.
Working Smarter With Collaboration
Sharing services aims for a cost-effective, multicustomer delivery of back-office administrative services that can include human resources, financial management and purchasing — in other words, the necessary-but-boring stuff. The Shared Services Leadership Coalition (SSLC) is an industry group that brings together companies, nonprofits and individuals seeking to advance shared services implementations in the federal government.
But the possibility of sharing threats along with the information is a concern for some companies involved in sharing services. One such company, CGI, partnered with the SSLC to present a public forum about this particular concern on June 17 in Washington, D.C. The event was titled “Share Your Services, Not Your Threats.”
“As more federal agencies share services, they need to have the policies, procedures and technology capabilities in place to assure that they are not also sharing threats,” said CGI Senior Vice President Stephanie Mango in an email. “CGI is pleased to partner with SSLC and help move this important and timely conversation forward.”
Participants at the event were:
- Carlos Solari, CIO for Mission Secure and former White House CIO;
- Tony Cossa, director of Cloud Strategy and Policy for the USDA;
- Christopher Lowe, CISO for the USDA; and
- Rich Bissonette, vice president, Emerging Technologies Practice for CGI.
The video of the entire panel session can be found here.
A Bigger Push to Share Services
Solari noted that this kind of effort had been ongoing for at least a decade, from the days when he was CIO for the White House.
“We were trying to develop capabilities and then share them with government agency A, B and so on,” he said. “Not only technology, but we eventually got to the idea, ‘Wouldn’t it be great if everyone didn’t have to run their own HR system or finance system and all these administrative systems?’ Like a lot of things in government, shared systems have been around for a while. They reinvent themselves and take on a new energy.”
He was also adamant about the future, claiming, “We can solve the security problems.”
Cossa was asked to comment about managing security for shared services. “I don’t know that it is all that different from how we manage things today,” he explained. “The differences are not in the compliance areas. How we approach the architecture, technology and controls that we use for shared services are really the critical areas. We need to approach the control from a behavioral standpoint. Who are the users? What are they doing? These have to be considered in an architecture. Applying the controls and considering where they come from is where the critical components come from. You have to think how you are sharing data while considering how you are protecting the control sets within the architecture.”
This highlights an important characteristic of shared services: Regulations are generally written assuming that there is one authority over the data, but that is not true in a shared services environment. Even though a department is a client of the shared service, each one will have its own constraints on data and how it may be shared and used.
All shared services require that the client put trust in a designated services provider. The mechanics of enforcing data rules that apply to the designated service can get interesting — perhaps interesting enough to require the installation of additional hardware. But to be able to share the services effectively, departments must do it the provider’s way. Otherwise, the associated change costs end up a line item in the departmental budget and could potentially cancel out the financial benefits of sharing services.
Challenges to the Process
Demonstrating end-result process transparency inside the shared services environment is a challenge. The technology, processes or rule sets may not have been designed to consider the sophistication of shared services. Compliance programs require just this sort of information, so it has to be generated by someone.
The panel took a broad view of where threats lie for a shared system. They counseled that in a shared environment there is no “inside versus outside” threat evaluation since all users must be considered a threat vector. Insiders and demilitarized zones should get no preferential treatment. The perimeter of a shared system will bypass old constructs like firewalls, extending itself ever outward.
When a person in the audience asked about drilling down security to the device level to mitigate a perimeter breach, Cossa’s response reinforced this concept. “A threat is not an internal or external threat,” he said. “It’s a threat. The controls are managed based on how we see the threat. There’s not a separation of that anymore. Eventually your firewall will be traversed by someone who is trying to get inside.”
Lowe agreed with those remarks. “At some point, you stop doing perimeter defense,” he said. “You need to instrument everything that is moving within your network and get some basic security telemetry back from it to know what is going on, to see if something is moving laterally that shouldn’t be moving that way. Part of that challenge is that you need to have a sense of where normal is, where the baseline is, so you can do analysis to see what has shifted off that baseline.”
He also said the USDA is working with DARPA on a big data analysis of its network to discover triggers that it should be watching. While he thinks the project shows some great promise, right now, it’s more a proof-of-concept effort.
Shared systems offer departments the promise of lowered operational expenses, but the conversion can bring its own particular problems that must be considered. As this panel and other efforts spread the word about shared services and more departments embrace them, security frameworks and best practices could be established, smoothing the path for future participants.