How to preserve security and autonomy while meeting information sharing directives

Information sharing is fast becoming a top priority for federal, state and local government agencies. After all, the only way to get a complete picture of anyone – from a local juvenile offender to an internationally suspected terrorist – is to gather information from a range of sources.

Data sharing is also becoming a regulatory requirement. In 2004 and again in 2005 the President of the United States issued Executive Orders (stemming from the Intelligence Reform and Terrorism Prevention Act of 2004) to enhance information sharing among agencies.

Yet some agencies are resistant, fearing security compromises and privacy concerns – particularly, determining and controlling who has access to highly sensitive information. Attempts have been made to create information sharing networks, such as the Joint Regional Information Exchange System (JRIES), but few have been successful. In that particular case, the differences in privacy and security needs and expectations between the parties involved became insurmountable.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Information sharing is fast becoming a top priority for federal, state and local government agencies. After all, the only way to get a complete picture of anyone – from a local juvenile offender to an internationally suspected terrorist – is to gather information from a range of sources.

Data sharing is also becoming a regulatory requirement. In 2004 and again in 2005 the President of the United States issued Executive Orders (stemming from the Intelligence Reform and Terrorism Prevention Act of 2004) to enhance information sharing among agencies.

Yet some agencies are resistant, fearing security compromises and privacy concerns – particularly, determining and controlling who has access to highly sensitive information. Attempts have been made to create information sharing networks, such as the Joint Regional Information Exchange System (JRIES), but few have been successful. In that particular case, the differences in privacy and security needs and expectations between the parties involved became insurmountable.

The need, therefore, is to share information – and reap the benefits of information exchange – in a way that is secure and allows access only to authorized users while protecting data integrity. The goal is to create a single version of the truth while protecting the privacy of our nation's citizens.

Is there a way to achieve this seemingly unattainable goal? Yes, in fact some agencies are already meeting this goal by focusing on how they share information and making unique choices based on individual agency needs.

Getting started

Rather than looking at specific products or services, the first step toward implementing an information-sharing environment is to take a closer look at the different ways organizations can share data. Examine and understand the varied types of architecture that will provide the underlying interconnections.

The architecture underneath your information sharing infrastructure will determine your levels of security and performance. In other words, the first action is to determine which architecture will be used. There are three primary options: centralized, peer-to-peer and hybrid.

Centralized: The centralized architecture is the simplest to implement, and one of the most powerful. In this method, all data to be shared is moved into a central hub, and all participants are connected to that hub. In other words, federal, state and local participants would move their most relevant information – the information they intend to share – to one place. This is essentially a data warehouse.

This approach has few functional drawbacks. It has a single point of control, which handles all queries against the shared data. Yet, because information is moved out of its original database and, potentially, outside original firewalls and existing access rights policies, security, privacy and trust are major areas of concern. For some organizations, this movement of data is unacceptable – or simply not possible.

Peer-to-peer: The second option is peer-to-peer. In this model, there are multiple hubs, one for each information-sharing participant. For example, federal, state and local organizations can remain in charge of their own databases and control access to that information. Participants implement their own policies to ensure access to sensitive data is not compromised.