You can expect a more nuanced, situational security framework that would move beyond the traditional models of role-based access and network perimeters. The "three-dimensional" view of security and access controls they described would take a more fine-grained approach to who should be able to retrieve certain types of information that would consider factors such as the time of day of the request, location and device being used.
A law enforcement official, for instance, would be expected to run regular background checks on individuals associated with an investigation. But what happens when he uses that access to run a check on the boy his daughter has started dating?
Dan Doney, chief innovation officer with the Defense Intelligence Agency, suggested agencies adopt a "continuous compliance monitoring" framework that would add context to the security protocols in place to record and set controls for who is accessing which applications and under what circumstances.
"Coupled with the speed and the agility of cloud is the need to have continuous oversight of what's going on," Doney said. "Roles alone are not enough to protect this data."
The panelists also stressed that CIOs consider a similar level of differentiation when evaluating what level of security to apply to various types of data.
It "depends on the categorization of the data," Kingsberry said. "Because there's a price to pay" with heightened security, he added, which "is not necessarily monetary," though cost is certainly a factor. But added layers of unnecessary encryption can also impair productivity when access to non-sensitive data is tightly restricted.
That approach argues for a thorough appraisal of agencies' data assets, resulting in tiered classifications dictating what information is subject to encryption while in transit and at rest, and where access controls need to be the strictest.
Sign up for Computerworld eNewsletters.