From the outside, much of what Egress Software Technologies does can appear a little mysterious. The very phrase ‘data encryption’ tends to conjure up thoughts of Mission Impossible and James Bond, rather than of your stereotypical office worker sharing confidential data securely as part of their job.
However, data security is a very real and serious issue that affects every organisation – large or small, public or private.
The challenge for government organisations
As transparency and cost-cutting measures continue to bite, there is an increasing demand for UK government to collaborate more effectively in order to improve efficiency and cost effectiveness. As more services are outsourced to external third parties, the amount of highly sensitive data leaving accredited government networks will only increase.
Despite this demand to share information more effectively, there remain many myths and misunderstandings about what information can be shared, and how this can be done. This isn’t down to the lack of either availability of technology that will enable secure data exchange policies and procedures to enable data security, but actually a fundamental misinterpretation of how this process should be handled.
When talking about these misunderstandings, I must bring attention to the Government Protective Marking Scheme (GPMS), which requires that broad classes of government generated information (including email) be marked with an appropriate security marking (Impact Level – IL0 to IL6) and handled appropriately. These Impact Levels are used to protect information from intentional or inadvertent release to unauthorised recipients.
However, inadvertently I believe that Impact Levels have become the source of much of the confusion regarding information sharing in government – particularly when it comes to sharing IL2, IL3 (RESTRICTED) and IL4 data, which make up over 95% of government data.
It's not about 'playing' with Impact Levels
There seems to be an apparent contradiction between Impact Levels, the procedural policies organisations put in place and the real-life scenarios that individuals face when sharing information with third parties. Too many government organisations are either preventing data sharing because it is ‘too sensitive’ or re-grading IL3 information to justify its release through an IL2 mechanism.
This, however, either hinders business processes or places confidential data at unnecessary risk.
At the heart of the matter lies the perceived misconception that because a third party is not on an accredited IL3 network, information cannot be shared with them. Instead, however, government organisations should be encouraged to take a ‘Risk Managed Approach’, rather than ‘playing with Impact Levels’ and adjusting them to suit their needs.
What is a Risk Managed Approach?
CESG are clear that organisations should not expose sensitive information to unnecessary risk, but instead examine ‘the appropriate procedures and technologies in place so that they can be used to protect the information to the best of an organisation’s ability and at all points where they are responsible for that information’. However, CESG also acknowledge that ‘too many automatically associate IL3 assets with something that ‘can’t be released’, as opposed to something that needs to be released, a massive misinterpretation of how impact levels are supposed to work.’
So, how can IL3 data be shared securely?
The answer lies in taking a Risk Managed Approach to secure data sharing, regardless of whether the data is marked IL2, 3 or 4. Working closely with their lead accreditor and SIRO, organisations need to identify the associated risks of sharing data, set out the policies to manage this risk, and ensure that the chosen technology solution has been evaluated and tested against these risks and policies. This doesn’t lower or re-grade the Impact Level, but rather uses it appropriately to gauge the sensitivity of the data being shared and any risks posed to it. In doing so, the organisation can complete necessary business transactions and ensure that the data is protected ‘to the best of their ability’ while they are responsible for it.
Finding the balance
Currently, there are too many myths and misinterpretations around the way sensitive information can be shared outside government, with many hiding behind Impact Levels. As a security community, we must work together to encourage best practice data sharing outside of government secure networks. Ultimately, we must remain cognisant of the risks that this poses, focusing on ensuring confidentiality and integrity.
Thus we must find the proper balance between affording information the right level of protection at all times and facilitating the growing need to share data with the third sector. By applying a sensible risk assessment and using CESG’s recommendations, organisations must rid themselves of these misunderstanding and misinterpretations that prevent data from being shared – either securely or not at all.
Through a combination of the correct technology and risk assessment procedures, data can flow securely between organisations, with Impact Levels existing to complement and protect, rather than hinder, this process.