ACT CSO's data Nirvana built around role-based encryption, identity controls

Centralisation and consolidation of information assets may be a long-term goal for the ACT government's head of information security, but he warns that it won't happen without the ubiquitous use of encryption and tight management of user and device identities across the territory.

"My Nirvana of security, and I am trying to enable this, is to have one copy of an application that presents accurate and timely information to a predefined number of customer sets," ACT government senior manager for security Peter Major said at the recent CSO Perspectives Roadshow in Canberra.

"With one instance of any database, it stores information to be presented to be displayed to defined customer sets. But this requires being able to divide customers into 'trusted' and 'untrusted', and to present a single interface with appropriate data sets being based off appropriate authentication."

Building such a data-focused authentication schema was a long-term priority for Major. As head of the ACT's information security efforts, he faces the mammoth task of ensuring security of information spread across 10 core directorates, 13 public authorities, and state and local government services that collectively involve over 300 internal websites, 200 externally hosted websites from multiple ISPs, and three "separate and disparate" gateways for education, the ACT executive government, and the Canberra Institute of Technology (CIT).

With more than 18,000 public servants, 30,000 VoIP endpoints and 70,000 CIT students alone, "we have a large area to cover", Major said. "I have electronic information scattered across my entire internal environment, and shedloads of unstructured data floating around the place. We don't know exactly where it is, but it's on the network and on external sites as well – and it has to be protected to comply with a number of laws."

Those obligations were driving the need for stronger user-based authentication – to positively identify the remote user – as well as authorisation that would feed the trusted/untrusted determination. Untrusted users might be given a low level of access without authentication; semi-trusted corporate entities could use certificate-based authentication to reach limited resources; and trusted employees would be managed using out-of-band multifactor authentication to a broad set of resources.

Part of the risk assessment would be based on the user's 'posture', including the device and network they were using to access the government services.

Yet it is the use of multiple-key encryption technology – with quantum-based key management systems to ensure random number generation via use of the KMIP protocol – that would complete the security paradigm, by allowing data to be encrypted based on particular applications.

This would allow highly granular control of application-specific or particular classes of data – keys would be based on authentication, authority and resource paths – that could see different users given different data from the same single source of the truth.

A member of the general public, for example, could get low-level access to bus timetable information, while a senior transport executive could access the same database to get detailed information on route utilisation and efficiency "to work out how many bus drivers to lay off given the low usage of some bus routes within the ACT".

"Both parties would be accessing the same application and same database, but with vastly different sensitivities."

Taking this approach would not only better protect data according to differing service classes, but would prevent any later breach of the encryption from giving malicious hackers the keys to the proverbial kingdom.

"I should be trying to ensure that when my network is compromised – and it's going to come – the perpetrator can't get access to the information on the network," Major said.

"Encryption is the end all and be all of everything: in this way, if the network is compromised all they're going to do is get a look at nothing. They might damage the integrity of the data if they change it, but if it is damaged or changed you can't decrypt it."
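The model described above (keys tied to authentication, authority and resource path, with altered data refusing to decrypt) can be sketched as follows. This is an added example, not code from the ACT government or the article: the tier names, policy prefixes, resource paths and function names are assumptions, and the HMAC-based encrypt-then-MAC routine is a standard-library stand-in for an AEAD cipher such as AES-GCM.

```python
import hashlib
import hmac
import os

MASTER_KEY = os.urandom(32)  # stand-in for a root key held by a key management service

# Assumed mapping of the article's three trust tiers to authentication methods.
TIER_BY_AUTH = {"none": "untrusted", "certificate": "semi-trusted", "oob-mfa": "trusted"}
# Assumed policy: resource-path prefixes each tier may obtain keys for.
POLICY = {
    "untrusted": ("/transport/timetable/",),
    "semi-trusted": ("/transport/timetable/", "/transport/stops/"),
    "trusted": ("/transport/",),
}

def data_key(path: str) -> bytes:
    """Derive one key per resource path, so a leaked key exposes one data class."""
    return hmac.new(MASTER_KEY, b"data-key|" + path.encode(), hashlib.sha256).digest()

def release_key(auth_method: str, path: str) -> bytes:
    """Key broker: hand out a path's key only if the caller's tier covers it."""
    tier = TIER_BY_AUTH.get(auth_method, "untrusted")
    if not any(path.startswith(prefix) for prefix in POLICY[tier]):
        raise PermissionError(f"{tier} caller may not read {path}")
    return data_key(path)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then append a MAC over nonce and ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the MAC before decrypting; modified data is rejected, not returned."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
```

Both record classes can sit in the same store as sealed blobs: an unauthenticated caller is only ever handed the timetable key, and a blob altered in storage fails `open_sealed` instead of yielding modified plaintext.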

For now, Major is sticking with conventional perimeter-based protections, but as authentication-based data protection evolves in the near future he expects a greater reliance on role-based access management and highly-granular encryption.

"In the long term I should have less, not more, applications and infrastructure to deliver information to appropriate consumers," he said. "If I can present with a minimal amount of infrastructure and maximum amounts of security, I have achieved an objective. And, in the future, this security model will make our data centres redundant – and we can start moving our data to anywhere in the cloud [with the same protections]."


Stories by David Braue
