Ensuring effective public-sector security in an interconnected world
Just as it has across all sectors of business, increasing interconnectedness is causing sweeping changes at all levels of the public sector.
The digitisation of data and processes is creating both challenges and opportunities for departments and agencies of all sizes. Traditional workflows and practices are being replaced by online communications channels, while delivery of services is increasingly being conducted digitally.
In many areas, the applications and data stores supporting these activities are also shifting. Where once they would have been housed within dedicated data centers, many are now being migrated to cloud platforms. This is seen as a way to keep operational costs down while at the same time providing more efficient access to resources.
As a result, rather than being tied to an office desk, public servants can readily work from any location. For citizens, information and services can be easily accessed via the internet using their chosen device.
The security challenge
While these changes have delivered significant benefits, they have also presented challenges when it comes to IT security. Where once data and applications could be kept locked in the data center, now they must be secured regardless of their location. Sensitive files held on a cloud platform must be just as secure as those sitting in government data centers.
This security challenge was highlighted by the Federal Government's recently released Australia's Cyber Security Strategy 2020 report. The report outlines the Government's plan to invest $1.67 billion during the next decade to improve the nation's security preparedness and combat evolving cyber threats.
The report points out that, while Australia has been fortunate to avoid a catastrophic cybersecurity incident to date, the country remains vulnerable to the types of attacks that have been seen in other parts of the world. Ensuring the elements are in place that can minimise the chances of such an event occurring is vital.
Security in the cloud
Cloud platforms are a particular focus when governments are assessing and upgrading their security infrastructures. This challenge is made more acute by the fact that the Australian Government has a stated strategy for all departments to adopt a 'cloud first' policy when it comes to deploying new IT resources.
One approach that is attracting increasing attention is the strategy dubbed 'zero trust'. This approach shifts the security focus from a government department's perimeter to individual users, devices, transactions, and data.
Once all the components of a department or agency's IT infrastructure have been secured, the perimeter becomes meaningless. Users can access cloud services directly and enjoy the same high levels of performance from data center-based applications and stores.
The importance of IRAP
To help departments and agencies achieve goals such as zero trust, the Australian Signals Directorate (ASD) created the Information Security Registered Assessors Program (IRAP) initiative.
Endorsed IRAP assessors can provide an independent assessment of components such as cloud services, gateways and information systems. Once these services are accredited, departments and agencies can deploy them with confidence.
The IRAP assessment process is undertaken by authorised IT professionals who have met strict criteria around industry knowledge and experience. This ensures they are well-qualified to examine the robustness of security components and determine whether they will provide the level of protection that governments require.
It's therefore essential that public-sector IT teams ensure they deploy only security tools and services that have completed an IRAP assessment.
By following this policy, they can be confident that all elements of their infrastructures, including those on cloud platforms, will remain resilient to the constant threat of cyber-attacks.