A New Approach to Resilience
In this Government Technology Q&A, Jeff Brown, Google Global Public Sector Workspace Lead, shares how agencies can use Google Workspace’s secure, cloud-based collaboration tools to support business continuity and resilience.
What business continuity challenges do government agencies face? How does the current threat environment affect their resilience?
The challenges really have to do with their current technology infrastructure. There’s a focus on fixing and patching, rather than modernizing. This is largely because it can be expensive to rip and replace systems. It also can be difficult to implement advanced threat mitigation techniques, like zero-trust security, with all the emails and other communications that come into these organizations. Compliance is a challenge, too. There are growing mandates where government agencies need to show they’re making efforts to address cybersecurity threats.
How does Google Cloud and Google Workspace support business continuity?
Our cloud tools can sit in a non-production environment — like an insurance policy — behind an agency’s current platform. Users can already be provisioned, and our tools can be brought into production quickly if something happens to your normal platform. We spent a lot of time developing backend integrations so we could go to customers and say, “Keep doing what you’re doing and leverage us for continuity of operations.”
Over the years, we’ve seen cities and counties shift to consumer email and collaboration accounts when their work platforms were disrupted. Our solutions — like Gmail, Google Maps and Google Search — are used by billions of people and they’re already in the cloud and ready to go. The ability to leverage that same infrastructure for business continuity is another way to look at the offerings we provide.
How can agencies take advantage of cloud-based collaboration tools without rendering their existing technology obsolete?
I think there’s a misconception that it’s all or nothing, but that isn’t the case. For example, there’s a lot of Microsoft compatibility built into our products. In Google Drive, you can edit a Microsoft document in its native format. There are integrations with other calendar platforms and integrations with Azure, Okta and Active Directory on-premises, among others. We can use this interoperability to bring more capabilities to an agency’s current platform. They can really pick and choose the tools they want to use and they’ll work well together.
What change management or cultural transformation is required to help agencies fully leverage Google Cloud?
Government employees and the constituents they serve are already using a lot of these applications in their personal lives, so it’s really not as big of a shift as you may think. Still, specific training — down to the individual level — is important. Agencies need individual users to understand why they’re making the change and what’s in it for them. If you can customize training down to that level, then you’ll be much more successful. You can’t train frontline healthcare workers the same way you’d train an executive administrator or power users in the finance department. Customized training by agency, by mission and by role can really make that fundamental change management much more effective.
As agencies look to innovate, how should they evaluate the security and disaster recovery capabilities of potential technology partners?
First, ask whether they embrace a zero-trust approach. At Google, this is a big differentiator for us. When you think about this approach, what it really means is “trust nothing.” We implement this by focusing on four areas:
- Individual user attributes: Employee metadata including what groups, roles and organizational units they belong to and what they are allowed to connect to.
- Device attributes: Is it a corporate device? A personal mobile device? What is the operating system? Is the device configured properly with no vulnerabilities to connect to the network?
- Business rules engine: This provides a set of simple policy settings to map applications, manage access and apply rules to thousands of applications without creating thousands of different rules.
- Proxy: This means every time an employee clicks, the system goes through all the previously mentioned attributes — Who am I? What device am I on? Is it configured properly? — before making a decision about whether to authorize that user.
Ask potential partners to explain their security posture — and how they measure and manage it. Look for companies that can tell you a singular and succinct story about their security approach. Security should be simple. If it’s too complicated, some users will try and find ways around it to get their jobs done.