CIOs Must Balance Cloud Security and Customer Service

When CIOs in the federal government talk about their customers, they are often referring to the nontechnical employees within their agencies.

So, like their colleagues in the private sector, federal CIOs face the challenge of rolling out user-friendly applications and services, while at the same time ensuring that those products are secure enough to meet government standards and can stand up to an ever-more varied and sophisticated body of threats.

Cloud Brings New Expectations of IT Services

The government’s ongoing shift to the cloud has created a special set of challenges around that balancing act, particularly as employees grow more resistant to access and device limitations in the workplace, according to senior IT officials speaking at a panel discussion hosted by Federal News Radio yesterday.

“Customer expectations are higher now,” said Shawn Kingsberry, CIO of the Recovery, Accountability and Transparency Board. “Everyone’s so mobile, and at home they do so many things and have access to so much information, the expectations in the office are even higher when you look at the services that have to be delivered.”

The government’s shift to the cloud is already well underway. In response to a series of directives, dating from the Obama administration’s cloud-first policy, agency and department CIOs have been moving systems to the cloud, often beginning with back-office processes like email and Web hosting, but increasingly making the move with more heavyweight, mission-critical applications.

Security is often cited as among the chief barriers to the government’s further adoption of cloud technologies. A fundamental friction arises in the push for more open, collaborative services that can better support business objectives and an increasingly mobile workforce that can seem at odds with a traditional, locked-down security posture.

[Related: Government Networks Unprepared for Cloud, Big Data Transitions]

“It’s that balance that you have to get,” Kingsberry said. “You want to deliver the service, but there are tradeoffs.”

Those challenges can be more acute when dealing with sensitive types of data or in environments that call for heightened security, such as the military or intelligence communities. Cmdr. Cayetano Thornton, deputy director of the Health Information Technology Directorate for the Defense Heath Agency, a new agency set up to improve health care delivery to the various branches of the military, operates in a world where those concerns intersect.

“If you ask the security bubbas, they would lock everything down, but that prevents us from delivering quality health care,” Thornton said.

Adding Finer Controls to Who, What and Where of Data Access

You can expect a more nuanced, situational security framework that would move beyond the traditional models of role-based access and network perimeters. The “three-dimensional” view of security and access controls they described would take a more fine-grained approach to who should be able to retrieve certain types of information that would consider factors such as the time of day of the request, location and device being used.

[Related: Government IT’s Move to Cloud Slowed by Security Concerns, Misconceptions]

A law enforcement official, for instance, would be expected to run regular background checks on individuals associated with an investigation. But what happens when he uses that access to run a check on the boy his daughter has started dating?

Dan Doney, chief innovation officer with the Defense Intelligence Agency, suggested agencies adopt a “continuous compliance monitoring” framework that would add context to the security protocols in place to record and set controls for who is accessing which applications and under what circumstances.

“Coupled with the speed and the agility of cloud is the need to have continuous oversight of what’s going on,” Doney said. “Roles alone are not enough to protect this data.”

[Related: Government CIOs Eye Business Apps in Cloud Transition]

The panelists also stressed that CIOs consider a similar level of differentiation when evaluating what level of security to apply to various types of data.

It “depends on the categorization of the data,” Kingsberry said. “Because there’s a price to pay” with heightened security, he added, which “is not necessarily monetary,” though cost is certainly a factor. But added layers of unnecessary encryption can also impair productivity when access to non-sensitive data is tightly restricted.

That approach argues for a thorough appraisal of agencies’ data assets, resulting in tiered classifications dictating what information is subject to encryption while in transit and at rest, and where access controls need to be the strictest.

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com. Follow Kenneth on Twitter @kecorb. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn.