Three of the world's largest technology providers Tuesday introduced a consortium they've created to help federal government agencies develop IT networks and systems that more efficiently and securely share information. Together, Cisco Systems, EMC, and Microsoft plan to offer the federal government services and off-the-shelf technology as part of a venture they're calling the Secure Information Sharing Architecture. Business IT managers take note: If SISA is a hit with the government, it'll be coming to the private sector as well.
Two years in the works, the Secure Information Sharing Architecture, or SISA, was created in response to the federal government's growing need over the past decade or so to more effectively and securely share information. These two objectives -- data sharing that's both effective and secure -- are often at odds with one another, Eric Rosenkranz, industry manager in Microsoft's Public Sector organization, told InformationWeek Tuesday. "One is looking to lock down data and the other is looking to enable better data sharing across jurisdictional boundaries," he added. "No single government organization or vendor can do this on its own."
Yet finding this balance couldn't be more important to public safety and to the government's counterterrorism efforts. SISA, which is based on technology that most agencies already use, offers "the infrastructure to do what we in government have only been talking about," Grace Mastalli, Homeland Security's former director of information sharing and collaboration, told InformationWeek Tuesday. She added that, despite "huge amounts of money" spent by the federal government in various efforts to create data-sharing networks, SISA is an idea that could actually make secure data sharing a reality.
As an "architecture," SISA is an effort by Cisco, EMC, and Microsoft to pre-integrate different products so that government agencies can focus more on setting security policy than on setting up technology. The companies are offering several services to help agencies get started. These services address access, content, and data protection, as well as management of the architecture.
In addition to Cisco, EMC, and Microsoft, the alliance behind SISA includes Liquid Machines' digital rights management software, Titus Labs' information labeling and classification technology, and Swan Island Networks' products and services for designing and operating information-sharing systems. The alliance is expected to grow as new data sharing security needs are identified by the founding members.
SISA's members are offering four different services at this time. Access protection services are designed to help federal government agencies set up secure network connections and identity management using, for example, Microsoft Active Directory, Windows, and EMC's RSA two-factor authentication technologies. Content protection services, which include technology from Liquid Machines and Titus Labs, are designed to make sure users sending information throughout government networks can control who has access to that information and what they can do with that information.
Data protection services secure information at rest with the help of Cisco and EMC on the network and Microsoft on the desktop. And SISA's "watchdog" services will let government agencies create a baseline of system performance and data flow so that they can identify problems more quickly and easily. New services will be added as the architecture evolves. One already in the works will help the government establish federated identity management across different agencies.
The companies envision the combination of their technologies being used to help the federal government share sensitive but unclassified acquisition, financial, HR, law-enforcement, and other information between agencies and with commercial contractors. A typical scenario, as described by Microsoft's Rosenkranz, might include a government worker who needs to communicate information about a possible terrorist threat via e-mail. Before that sensitive information is sent, that worker needs to know that the information will be kept confidential wherever it goes, even after he sends his message. Systems set up according to the Secure Information Sharing Architecture will allow that worker to create a policy that governs who has access to the contents of that e-mail, even after it leaves the worker's computer.
What the federal government should look to avoid are large, long, and expensive projects that require a lot of custom coding. There are dozens of examples of these, including the FBI's Virtual Case File system and Homeland Security's $350 million Homeland Secure Data Network -- called a "network of networks" back in 2004 -- which promised to link that department's networks with those in the Justice, State, and Energy departments.
Mastalli knows the days of those dinosaur projects are numbered. "Immense amounts of energy have gone into trying to construct a system of systems or a network of networks as an interoperable information sharing system," said Mastalli, who served 30 years in the federal government, including 18 with the Justice Department. These projects involved a lot of contractors and a lot of different policies about how data should be shared and secured, and no one was in a better position to see the damage this caused than the three companies that created the SISA alliance. "What Cisco, EMC, and Microsoft realized is that they were continually being hired [by the government] to create more problems for the federal government as they worked with different agencies on their different requirements," she added.
In fact, Mastalli's work for the federal government exposed her to at least 310 different statutory authorities -- including the Privacy Act and the Homeland Security Act -- that dictated how information could and should be shared and secured. "This created extraordinary complexity," she said.
To provide an example of how federal government data sharing has worked in the past, Mastalli cites 1997 amendments to the Clean Air Act that required companies in the chemicals industry to provide the federal government with worst-case scenarios that could take place at their chemical plants. "Those of us who worked in national security and counterterrorism saw the data being collected as a roadmap for terrorism," she said. "How do you give this information to those with a need to know while protecting it from people who would use it for nefarious purposes?" The government's answer was to make hard copies of the data available to law enforcement agents who had to sign out the documents from a library rather than taking any security risks and sharing the information online.
This example may be a decade old, but the government's effectiveness at sharing information hasn't changed much. "The solution for making information sharing available and secure will never be perfect, but when you realize that the greatest single barrier is the lack of trust of what will happen to the information after you lose control of it, then having digital rights management and a common understanding of how policies can be implemented goes a long way toward undercutting the rationale for not sharing information," said Mastalli, who's now launching a business consulting firm called Ethos International Inc.
The key to simplifying the process -- and to the new architecture -- is to let the technology companies focus on the technology while the government agencies work to set and enforce policies around data sharing and security.
SISA also has a lot of potential to serve private-sector businesses. "We do see this moving into the commercial market and moving global," Francie Kess, partner and manager with EMC's federal division, told InformationWeek, adding that both the public and private sector can benefit from blueprints that help them more efficiently use the significant investments they've already made in technology from Cisco, EMC, and Microsoft.