|by Dan Monafu|
(Spoiler alert: this article has a happy ending; I’m writing this in Google Drive.)
I’ve recently moved to a new department. It’s not important which - let’s call it Department X.
Department X ranks pretty low on the list of departments which allow a full suite of productivity tools and cloud-based software, according to an informal comparative analysis on the issue produced mid-last year.
Having worked almost exclusively in Google Drive (for work) for the past 2 years or so, the news that all of a sudden I couldn’t work on the Drive at all was disorienting; I didn’t think it would be one of the hardest aspects of my transition to a new department. In retrospect, it makes sense: everything was on the Drive, from past work and key contacts, to future ideas and plans, to great reference materials (all unclassified information, rest assured).
Once I got to my new work place, I had informally asked some of my Department X colleagues if they could access Google Drive. I was told they know of a few people in the Department that could, having been given exemptions. In some cases, colleagues suggested getting their own exemptions is on their to do lists, but that they dreaded the amount of approvals and hassle it might cause.
Well, I’m writing with pretty good news.
In the spirit of positive policies, to help demystify a process (it can be done!), as well as to help alleviate duplicative efforts, I’m sharing below the steps I took to have Google Drive exempted from the list of restricted sites. It took about a month, and roughly 2-3 hours of my time (cumulative), but it overall wasn’t an onerous process. More than than, I believe I did my part in making a case for access to this tool, on behalf of the policy community.
If we don’t make such requests, IT professionals and senior management won’t know we need them, and won’t necessarily make the process easier. The more requests IT security receive on this (and approve), the more the process will get easier. Who knows, it might eventually become open-by-default, getting us closer to nimble, agile, and high-performing.
Below are three ‘for reference’ pieces on the process: 1) a timeline illustrating the process in detail; 2) a ‘standard lines’ template I successfully used to make the business case for the exemption; 3) yes, there are legitimate risks with using cloud-based tools (and, like everything on the internet, we need to be smart about how we used them); here are some best practices my Department passed along - it’s good stuff to keep in mind.
Let me know how it goes in your department.
Timeline illustrating the process
April 4, 2016: Opened service ticket with the Service Desk
April 11, 2016: Opened new service ticket (this time with the correct group, IT Architecture Security)
April 11, 2016: Received response, which outlined the process (see screengrab below)
April 21, 2016: Received Director-level signed approval
April 25, 2016: Request reviewed by Departmental Security (note: some follow-ups were required regarding the type of information I would be sharing; my answer: everything will be unclassified)
April 26, 2016: Request moved for approval to Director-level Departmental Security
April 27, 2016: Request moved to Shared Services Canada (SSC) for testing; once testing was to be complete, the request was to return to the Departmental Security Office for Director-level approval; the request was then to go back to SSC, who was to whitelist the internet protocol (IP) address, granting approval
April 28, 2016: The request for Google Drive was approved. Note: I had also requested access to Slack.com under the same form. This was denied; with the following reason provided:“While not a threat at the moment, please note www.slack.com was hacked back in Feb 2015 and users’ data was compromised, including mail addresses, usernames, encrypted passwords, and, in some cases, phone numbers and associated Skype IDs. Since then a 2-factor authentication was implemented to their service.”
May 2, 2016: Configuration completed. I could access Google Drive.
‘Standard lines’ business rationale
Business rationale and the justification
XXX (name) is the XXX (role) on the XXX (team) within XXX (department). As such, he is required to participate in various working groups and interdepartmental committee meetings that conduct regular business predominantly through the two online productivity platforms mentioned above, Google Drive and Slack.
For example, XXX (name) participates in a weekly call with the XXX (group) – agenda items, as well as all discussion materials, are only shared through Google Drive.
Moreover, that same group has a Slack channel, where important real-time information is exchanged, in particular during quick turnaround requests for input from groups such as XXX (group).
The policy innovation community within the federal government embraces openness, transparency and co-creation as core principles. Use of productivity tools such as Google Drive and Slack is fully supported through TBS directives (see the 2013 Policy on Acceptable Network and Device Use: http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=27122) as well as in principle through aspirational statements and high-level direction given through the Clerk of the Privy Council (e.g. Destination 2020; Blueprint 2020 (www.clerk.gc.ca/eng/feature.asp?pageId=400).
What other risk options/alternatives were considered and/or dismissed as part of this request?
No other options/alternatives were considered given the need to use these particular productivity tools.
What steps will be taken to adopt a lower risk option?
What is the impact to the Department if the exception is not granted?
The Department will not be able to participate and engage in the work of the groups involved.
The Department’s input in various co-created materials will not be taken into consideration, resulting in potential loss of ability to support core mandate functions.
The Department will not be able to use current best practices (e.g. co-creation) when designing policy, with far-reaching negative consequences (e.g. from loss of productivity, to loss of talent in its workforce, etc.).
Please provide the specific period of time you require the access.
IT best-practices when using cloud-based services
As you will be accessing a Personal Network Site, please understand the risks involved with this practice. Once the information leaves our network, it is in the hands of the service provider. In the case of free services, this risk is increased as the provider typically relies on mining this information to support advertising and other commercial activities. If such a service is used, we recommend the following best cyber security practices:
- Service providers have the option of auto-saving your passwords on their websites. Don’t auto-save your passwords. Always use the two factor authentication on account(s) provided by your service provider.
- Do use hard-to-guess passwords.
- Your approved website(s) has embedded advertisement links. DON’T click on links from an unknown or untrusted source. Cyber attackers often use them to trick you into visiting malicious sites and downloading malware that can be used to steal data and damage networks.
- Remember that information sent over the Internet, via email or from a Personal Network Storage service provider has few privacy protections. Messages/information can be forwarded, be posted on public forums and can remain accessible on the Internet forever.
- Not everything belongs in the Personal Network Storage Cloud. Remove information that does not need to be in in your Personal Network Storage
- Do use good judgement when posting information on social media platforms for both privacy and cyber security reasons.
- DO lock your work device when not in use. This protects data from unauthorized access and use.
- Avoid using public Wi-Fi hotspots.
- Once you have finished, ensure you exit the session properly as leaving the session open can expose hackers to your credentials and account.
- Report any suspected security incidents to your Service Desk.
- Autocomplete is a common feature found on most email software. If your application uses the autocomplete feature, make sure that you are sending information to the right person.
- Ensure that any business information posted/shared has been approved for release, and carefully consider the information you post concerning your job duties.
- Know the classification level of the information being shared and ensure you follow the Classification Guide for Handling Information and Required Safeguards. A reminder that Protected B information MUST be encrypted and sent only to approved recipients.