Civic Innovations

Technology, Government Innovation, and Open Data


Friction as Security

Sometimes things are hard on purpose.

This is especially true in government, and probably other heavily regulated industries as well, where certain processes are designed to be difficult to ensure they are not done frivolously or by people who are not authorized. A process may be littered with roadblocks, requiring frequent assessment and review to ensure it is proceeding according to the rules and that all requirements are met. This can be jarring to people new to government, and is a good reminder that intentional dysfunction is sometimes a feature, not a bug.

Too often, the concept of friction as a control mechanism finds its way into the software and technology platforms that are used by government agencies. Friction is often used as a way to enforce security requirements – to force development teams to undergo manual review and approval processes before their solutions can be deployed. Ideally, platforms are meant to be ways to streamline and speed the deployment of digital solutions, not to slow them down. So it’s worth pointing out the irony here, and working to fix it.

If new development teams onboarding to a platform are unable to get their app working without going through manual review and approval steps, this can sometimes be an effective way to ensure that applications adhere to security requirements. However, it is almost always a stressful, frustrating, and difficult experience for developers. Any team that is able to avoid using platforms that embrace friction as a security mechanism will do so whenever they can.

At best, this approach slows down the delivery of agency software solutions – which works against efforts to improve customer experience. At worst, it leads to duplication, with teams standing up their own infrastructure to support their projects – duplicating features and functionality that are more effectively consolidated into a shared platform.

Streamlining the process of deploying software through shared platforms and enforcing security requirements are not mutually exclusive – even if some agency software platforms are designed as if they are. The best way to ensure development teams adhere to security best practices and fulfill all requirements is to make it easy for them to do so.

Adhere to the principle of “make the right way the easy way” by doing these things:

  • Provide sample apps, starter kits, and reference applications that incorporate security best practices into their design. Show developers what the “right way” looks like.
  • Make the tools teams need to secure their applications – monitoring, logging, secrets management – cheap and easy to use, and ensure that they are well documented.
  • Allow development teams to self-provision the services their applications will likely need, like storage, data persistence, and caching, in ways that are secure out of the box.
  • Automate away mundane tasks like certificate issuance and renewal, so that they don’t fall through the cracks after being added to a development team’s backlog.

Speeding up the delivery of software solutions by government agencies is a key strategy to improving customer experience. We don’t need to slow things down to ensure they are secure, and this friction may actually work against some security goals.

When it comes to improving agency digital services, speed is an ally. We need to ensure that agency software platforms are designed to reflect this.


About Me

I am the former Chief Data Officer for the City of Philadelphia. I also served as Director of Government Relations at Code for America, and as Director of the State of Delaware’s Government Information Center. For about six years, I served in the General Services Administration’s Technology Transformation Services (TTS), and helped pioneer their work with state and local governments. I also led platform evangelism efforts for TTS’ cloud platform, which supports over 30 critical federal agency systems.