Security feature: Getting defensive

By: Grant Buckler, CIO Government Review (Mar 10, 2008 06:00:00)



Governments are collecting increasing amounts of data about their citizens, and the need to handle all of it in a secure way is motivating ministries, departments and agencies to improve their IT security infrastructures. Although some are embracing the new defence imperative willingly and quickly, others are finding it a much tougher challenge.

It was the sort of episode CIOs - and CEOs for that matter - have nightmares about. A visitor to a Web site discovered he could view personal information about others who had used the site. The site had to be shut down temporarily, and the story was all over the press.

There have been many such stories, but this particular one didn't involve a private-sector business. It was Passport Canada's online application system where, late last year, Huntsville, Ont., resident Jamie Laning browsed other people's personal data by altering the URL displaying the data he had entered himself.
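The flaw described above is a missing object-level authorization check: the application fetched a record by the identifier in the URL and trusted that identifier alone. The following is an added example, not code from Passport Canada or from the article, showing that pattern beside two hardened forms. The record store, user ids and application numbers are constructed sample data.

```python
"""Object-level authorization: a lookup keyed only on the URL identifier,
beside a lookup that ties the record to the authenticated session.
Added example; the records and ids below are constructed, not real."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Application:
    app_id: int
    owner_id: str
    applicant_name: str


# Constructed sample store: application id -> record
APPLICATIONS = {
    1001: Application(1001, "user-a", "Applicant A"),
    1002: Application(1002, "user-b", "Applicant B"),
    1003: Application(1003, "user-a", "Applicant A (second)"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def lookup_vulnerable(requested_app_id: int) -> Optional[Application]:
    """The weak pattern: the record is fetched by the identifier taken from
    the URL alone. Any signed-in user who edits that number in the address
    bar receives another applicant's record."""
    return APPLICATIONS.get(requested_app_id)


def lookup_hardened(session_user_id: str, requested_app_id: int) -> Application:
    """Server-side ownership check. The identity comes from the authenticated
    session, never from the URL, and the record is returned only when it
    belongs to that user. A missing record and a record owned by someone
    else are refused identically, so the response does not reveal which
    identifiers exist."""
    record = APPLICATIONS.get(requested_app_id)
    if record is None or record.owner_id != session_user_id:
        raise Forbidden(
            f"user {session_user_id!r} may not view application {requested_app_id}"
        )
    return record


def lookup_scoped(session_user_id: str, requested_app_id: int) -> Optional[Application]:
    """Alternative hardened form: scope the query by owner first, so the
    store is asked for "this user's application with this id" rather than
    "the application with this id". None means "not found" to the caller."""
    owned = {r.app_id: r for r in APPLICATIONS.values() if r.owner_id == session_user_id}
    return owned.get(requested_app_id)


def can_view(session_user_id: str, requested_app_id: int) -> bool:
    """Boolean wrapper around the hardened check, for handlers and tests."""
    try:
        lookup_hardened(session_user_id, requested_app_id)
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    # user-a tampers with the URL to request application 1002, owned by user-b
    print(lookup_vulnerable(1002))        # the weak lookup hands over user-b's record
    print(can_view("user-a", 1002))       # False: the hardened check refuses
    print(lookup_scoped("user-a", 1002))  # None: the scoped lookup never sees it
```

The point for a reviewer or a QA team is the second signature: a record lookup that takes only the URL identifier, with no session-derived subject, is the shape to look for in code review, and a monthly scan that requests a neighbouring identifier from a second test account will catch the same thing from the outside.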

Passport Canada did not respond to requests for comment, but more may be known about what went wrong when the federal privacy commissioner's office completes an audit of the department - which was already in progress when the incident occurred. The audit report is due some time this spring. The privacy commissioner's office did not respond to requests for further comment.

Was this breach an isolated incident, or a symptom of broader problems with the security of personal data? Maybe some of each. David Senf, director of Canadian security and software research at International Data Corp. (Canada) Ltd., says governments probably do a better job than many businesses when it comes to security. "The public sector is up there with finance as an industry that understands the importance of security," Senf says.

That said, he adds, everyone has work to do in the area of online applications security. "Web application security as a focus is on the increase, so we are seeing more attention being paid to that."

"Seventy-five per cent of new attacks now exploit software vulnerabilities, and most of the IT security dollars are spent bolstering up the security on the perimeter of the network," says Brian O'Higgins, chief technology officer at Third Brigade Inc., an Ottawa-based intrusion prevention system provider.

Proposed registry

And for governments, a comparatively good job of security may not be enough. "We're dealing with the government here," says Derek Manky, security research engineer at Fortinet Inc. in Vancouver. "We're dealing with a very high level of sensitive information."

According to Manky, the Passport Canada breach shouldn't have happened. There wasn't even a deliberate attempt to penetrate the database, he points out. "This was simply a matter of private information being made available to the public."

The Canadian Internet Policy and Public Interest Clinic (CIPPIC), based at the University of Ottawa's law faculty, recently called for a centralized electronic registry of data breaches, to which private-sector companies would be required to report unauthorized data access.

CIPPIC is focusing on the private sector because of current consultations on reforming a data protection law that applies to business, says Philippa Lawson, director of CIPPIC, but "there's no reason why the same rules shouldn't apply to the public sector."

Lawson says it appears the government is receptive to creating a compulsory registry of private-sector data breaches. Yet there is currently no such requirement for the public sector in Canada, with the exception of Ontario's Personal Health Information Protection Act.

Garnering praise

Like Senf, Lawson has some good things to say about governments' efforts to secure citizen data. She applauds Ottawa's decision to create separate databases for different online government services rather than throwing everything together in one master database of citizen information - an approach that she says would undoubtedly have been quicker and easier but also a greater privacy risk. "The larger the database, the bigger the attraction to criminals is."

The federal government's best-known security initiative is Secure Channel, which combines a secure network, secure message routing and public-key infrastructure (PKI) user authentication technology called epass. Initiated by Treasury Board Secretariat, it is run by Public Works and Government Services Canada.

In e-mail responses to questions for this article, representatives from both departments said all government departments use the secure network and all departments will use the other Secure Channel components by 2011. Secure Channel only deals with authentication and secure data transfer, though. It does not affect the security of individual Web applications.

That's the responsibility of individual departments, according to the prepared answers, although the Treasury Board issues directives and provides support to ensure proper security measures are taken.

The federal government's security efforts have met with mixed reviews. Secure Channel received a silver award for customer care in the 2005 Canadian Information Productivity Awards, yet in the same year the federal auditor-general said that, overall, the government had made "unsatisfactory progress in strengthening information technology security since our audit in 2002."

There are some encouraging stories in public-sector information security in Canada, though.

Service New Brunswick, a Canadian pioneer in electronic government services when it launched in 1996, addresses security on a number of levels, ranging from determining how long data is retained on a case-by-case basis to scanning Web applications for vulnerability to exploits such as SQL injection attacks.

Every time Service New Brunswick adds a new service it goes through a risk analysis, says Dorothea Foley, director of information technology for SNB. That analysis addresses security, privacy and data retention issues.

"Typically, we only keep it for as long as we need," Foley says. Service New Brunswick's privacy officer reviews data to be collected, and if she considers it to be personal information, it is encrypted for as long as Service New Brunswick retains it.

In some cases, SNB acts as a front end for government departments, in which case data is passed to them, "at which point their policies on data retention would take over," Foley says. In some cases - with land registry data, for instance - the information is kept indefinitely.

All SNB applications run on hardened servers in secure government data centres with perimeter and server-level firewalls, intrusion detection, antivirus and antispam software and physical access controls, Foley says. The agency frequently uses outside contractors to develop Web applications.

"The companies we deal with tend to be ISO-certified," she says, "so that gives us some level of assurance on the quality of the work they're doing. We do monitor their work, we have an internal quality assurance team who test all applications and security testing is integrated into that."

That specifically includes checking for problems like back doors and cross-site scripting and SQL injection vulnerabilities. "All our outward, public-facing stuff is scanned monthly to ensure that there's nothing there that's going to pose me any risk," Foley adds.

Just recently, out of concern about loss of data being sent via e-mail to other government departments, Service New Brunswick created a secure system called Self-Serve Reporting, which allows internal and external clients to log in to a secure server, authenticate themselves and download reports and data from SNB's systems.

Legacy systems pose some of the greatest security challenges, Foley observes. Designed in an era when most government systems weren't connected to the internet and security was less of a concern, they need updating to contend with today's threats.

"With today's technology you can Web-enable the front of it and off you go," Foley says, but security requirements increase dramatically.

The Public Health Agency of Canada created the Traveller Health Assessment Database in response to concerns about Avian Flu and other pandemic disease outbreaks. It collects data from travelers who arrive at Canadian airports with symptoms of illness and are examined by 25 to 30 quarantine medical officers across the country, says Dr. Elaine Cramer, a quarantine medical officer in Vancouver. Smaller airports see fewer.

Database decisions

The first security precaution with the database is that no data that identifies individuals goes into it, Dr. Cramer says. Officers at the airports keep paper files on the passengers they examine, but only aggregate data goes into the national database.

The tablet PCs that quarantine officers use have fingerprint readers as well as password protection, says Hany Bishay, chief of application and architecture development for the Public Health Agency of Canada. Data on them is encrypted, and the agency is buying encrypted drives that could not be read even if removed from the devices.

Data is transmitted to the central database using virtual private network (VPN) and Secure Sockets Layer (SSL) technology, Bishay says. Rather than take chances with wireless access for officers in the field, data is synchronized with the central database over secure connections when they return to the office.

Bishay says policy management practices control who has access to what data, based on need. Each screen a user sees is drawn on the fly based on that user's security privileges, so that for instance only users qualified to generate reports from the data will see the report option on their screens.

During application design, the agency has IT staff members whose job it is to test the applications for vulnerability to SQL injection attacks and similar threats by attempting intrusions.
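Both SNB's monthly scans and the Public Health Agency's in-house intrusion testing look for the same class of defect in SQL-backed applications. The following is an added example, not code from either agency, that places a query built by string concatenation beside its parameterised form and includes the kind of check a QA team can run over a lookup handler. The table, rows and permit numbers are constructed sample data; the database is an in-memory SQLite instance.

```python
"""SQL injection: string-built query beside a parameterised one, plus a
check that a QA team can run over any lookup handler.
Added example; the table and rows are constructed, not real."""
from __future__ import annotations

import sqlite3
from typing import Callable, List, Tuple

Row = Tuple[str, str]
Lookup = Callable[[sqlite3.Connection, str], List[Row]]


def make_db() -> sqlite3.Connection:
    """Constructed sample table of permits, in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE permits (permit_no TEXT PRIMARY KEY, holder TEXT)")
    conn.executemany(
        "INSERT INTO permits VALUES (?, ?)",
        [("P-100", "Holder One"), ("P-200", "Holder Two"), ("P-300", "Holder Three")],
    )
    return conn


def find_permit_vulnerable(conn: sqlite3.Connection, permit_no: str) -> List[Row]:
    """The weak pattern: the user-supplied value is spliced into the SQL
    text, so a value containing a quote changes the statement itself."""
    sql = f"SELECT permit_no, holder FROM permits WHERE permit_no = '{permit_no}'"
    return conn.execute(sql).fetchall()


def find_permit_parameterised(conn: sqlite3.Connection, permit_no: str) -> List[Row]:
    """Hardened form: the value travels as a bound parameter. The statement
    structure is fixed before the value is seen, so quotes are just data."""
    return conn.execute(
        "SELECT permit_no, holder FROM permits WHERE permit_no = ?", (permit_no,)
    ).fetchall()


def injection_suspected(lookup: Lookup, conn: sqlite3.Connection) -> bool:
    """QA check: a lookup for one permit number must return exactly the rows
    whose permit_no equals that string, no more. The probe is the textbook
    quote-and-tautology string; a handler that either errors on it or
    returns more rows than the exact-match count is flagged."""
    probe = "P-100' OR '1'='1"
    expected = conn.execute(
        "SELECT COUNT(*) FROM permits WHERE permit_no = ?", (probe,)
    ).fetchone()[0]
    try:
        rows = lookup(conn, probe)
    except sqlite3.Error:
        # A database error caused by a quote in ordinary input is itself a
        # sign that input reaches the SQL parser, so it counts as a finding.
        return True
    return len(rows) > expected


if __name__ == "__main__":
    db = make_db()
    print(find_permit_vulnerable(db, "P-100' OR '1'='1"))      # every row leaks
    print(find_permit_parameterised(db, "P-100' OR '1'='1"))   # [] : no such permit
    print(injection_suspected(find_permit_vulnerable, db))     # True
    print(injection_suspected(find_permit_parameterised, db))  # False
```

Running `injection_suspected` over each lookup handler in a test suite gives a repeatable pass/fail result that fits the kind of integrated security testing Foley describes, and it fails closed: a handler that raises on the probe is reported, not silently passed.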

These examples show that some government agencies pay close attention to security. Many others are unwilling to discuss what steps they are taking, so it is hard to know if such precautions are the rule or the exception. But incidents like the Passport Canada breach help underline the fact that government can't afford to let its guard down.

"Security is not something you set up an annual project for and then you're done," says SNB's Foley. "It changes daily."
