As the Edward Snowden soap opera continues to play out on the world stage, pundits can fill the airwaves with suppositions about personal and corporate privacy, spy tactics against presumed terrorists, and the fate of one government contractor, now encamped in Russia. In the hallways of government agencies, the conversations are more pragmatic. Security and IT professionals are asking each other how to best protect data when it is the necessary basis for employee collaboration and productivity.
Avoiding the next data leak
Like their private sector counterparts, government knowledge workers have found that Cloud and mobile technologies increase their productivity. It is easy to share a file via a commercial-grade Cloud service or download a document onto a personally owned mobile device. It is not so easy for agencies to ban these practices. After all, the National Security Agency (NSA) prohibits most portable devices, but that didn’t protect the organization when a staffer with an agenda decided to bring a flash drive to work.
Government agencies are rethinking how data is stored, accessed and shared on premises and in the Cloud, and with good reason. While employees might blindly trust companies like Dropbox, Box or Amazon with their data, organizations at the federal, state and local levels must limit the ability of these companies to access confidential data. Unfortunately, most Cloud storage services fail either to protect data adequately or to limit access to it among employees with varying degrees of security clearance.
Best practices in this area center on easy-to-use solutions that support mobile productivity and workflow and prevent data from escaping the control of IT. Achieving that balance requires organizations to wrap their data protection around individual documents, since there are now far too many free-flowing channels for IT to continue relying on castle-and-moat-style security practices. Government agencies can’t raise the drawbridge against flash drives, smartphones, tablets, personal email accounts, Cloud-based file sharing, or any number of other threats. They can, however, attach security to each file, thereby retaining the ability to limit sharing and printing or revoke access if necessary, even if a document is shared outside the organization or distributed via the Cloud.
Reclaiming public trust
The ease with which a contract employee broke the security of an agency that specializes in secrecy raises questions beyond data protection. Congress is taking a closer look at whom agencies hire and whether contracting out sensitive work makes sense. Meanwhile, individuals and companies around the world are grappling with how they protect their own data in light of the leaked information about the PRISM program. However, in the IT departments of U.S. Government agencies, the most pressing decisions right now should center on adequate data protection to halt future incidents.
Imagine if the NSA had been able to wipe clean every document on Snowden’s thumb drive before he delivered the PRISM data to the press. That is the kind of data protection the government sector needs to employ if it is to begin repairing the public’s broken trust. The Edward Snowdens of history are not common, but other threats to data security are. If agencies are to protect sensitive information against everyday risks, such as erroneously sent emails, stolen or lost laptops, or unsanctioned sharing in the Cloud, they will have to change the way they approach data security, and they will have to start at the file level.