Skip to content

Cabinet Office requests “BYOD & PSN” tweet clarification

November 15, 2013

I was recently asked by the Cabinet Office to clarify a “BYOD & PSN” tweet.

So here goes: People engaged in the UK Public Sector world of digital and ICT will be aware that we are developing and implementing a Public Service Network (PSN) which is a kind of secure internet for the sector. So we can share information between each other safely and be, as the tax payer wishes, more “joined up”.

It’s a brilliant and necessary idea which is being deployed across the country. It also is saving millions of pounds by encouraging public sector agencies to jointly procure their networks.

Mutual Trust

In order to join the networks together, there needs to be a common level of trust between participating organisations. Cyber threats are very real in the 21st Century and we do not wish to open up opportunities for hacking, fraud or computer virus transmissions by joining our networks together. So, a set of security standards have been published by the government and the Cabinet Office has been tasked with ensuring that every organisation joining the PSN meets these standards.

The Balance of competing objectives

So far, so good. But like all good things, there are balances to be struck with competing objectives. Government (and the tax payer) also wants public service bodies to be more open, more transparent and more modern. We should be deploying mobile computing, publishing open data, working with cloud solutions and allowing consumer commodity devices (like iPads) to quickly become standard in the public sector office. These business needs are potentially at odds with the equally important security business need.

At Solihull

At Solihull Council, we have embraced both security and business agility. We are very concerned to safeguard our citizens’ information. We are not the MoD, but we have put suitably strong cyber security provisions in place, proportionate to the risks carried in our data. We were very pleased that the Cabinet Office has reviewed and approved our information assurance measures through a PSN Certificate of Compliance, reconfirmed in November 2013.

We also are very concerned to enable business agility and efficiency with technology. I have published elsewhere about the business benefits of Bring Your Own Device (BYOD), if it can be achieved in a secure way. I am confident that modern, secure BYOD solutions offer the best of both worlds: security and agilty.

Here’s some previous thoughts:

Our Solihull BYOD implementation has won international awards for agile security, so I am very certain that this is a cake you can both have and eat (The Computer Weekly Security Judges said “Solihull Council shows how an inclusive model for information security can work”

BYOD Compliance

There is a right and proper concern of the threat that BYOD presents to the PSN. Like Internet browsing, if BYOD is provisioned badly, it opens the organisation to cyber crime and viruses. So the Cabinet Office has been very strong on the conditions in which BYOD can be tolerated. And quite right too – none of us wants bad BYOD weakening the mutual trust of the PSN. But good BYOD is a lever for transformative culture and should not be thrown out with the security bathwater.

So, at Solihull we were waiting with baited breath to learn whether our BYOD scheme, which has been taken up by over 15% of staff, would be allowed to continue. And we were delighted to be given a compliance certificate – so I tweeted the good news to the world.

The Tweet

Here’s what I said on my tweet:

The offending tweet

A few days later, I received a note from the Cabinet Office, advising me that my tweet had been “escalated” and that I needed to explain in more detail and clarify on twitter.

Clearly that’s hard to do in twitter’s 140 characters, so we agreed I would write this blog and tweet a reference to that.

The Solihull BYOD solution

In Solihull, the BYOD and unmanaged device use is outside what PSN security architects call the “walled garden”. The Cabinet Office have confirmed that Solihull have appropriate network separation in place to meet the short term architectural pattern as detailed by CESG.

When Solihull embarked on its BYOD journey, the council wrote to the Cabinet Office CoCo authorisation team to explain what they were doing and to seek its approval. This was granted.

Employees have two methods to access council systems and data on their own devices.

Solution 1 The first is a container solution for providing Blackberry  style access and experience.  By installing a secure infrastructure from Good,  users can access, through an app-like interface, the council intranet and some Oracle self service applications which means that they can access their payslip or approve procurement requests away from the office.

The Good technology operates a ‘secure encrypted container’ for storing business data. This container is password protected and can be remotely wiped without affecting the personal data on the device.

Solution 2  The second method is a Remote Access solution provided by Juniper, whereby employees are able to access their applications  remotely via a Thin Client interface. The Juniper solution makes use of Two Factor Authentication and ensures that no data is stored locally

Solihull has coined the term Your Device at Home (YODAH) for this solution which has enabled some employees to work, from home, either regularly or occasionally. While permanent home workers have corporately provided solutions, for staff who may be required infrequently, but at very short notice, to work from home, they now do not need to have a corporate lap top waiting in their home.

For the avoidance of doubt BYOD access to PSN is not compliant. But it is possible to have PSN compliance and allow users BYOD access for most systems and information – so long as the BYOD devices can’t access PSN data.

The Future

So the Solihull solution is compliant because BYOD devices do not access PSN data. Whether it remains compliant over the coming years remains to be seen. There is a view that as the scope of PSN expands to include everything on the network and as CESG and the Cabinet Office remain convinced that even secure BYOD is not acceptable, organisations like Solihull will have to decommission their BYOD investments.

There is an alternative view that as the BYOD secure solutions mature and pass through a due diligence review at CESG, that some solutions may be agreed to be acceptable to the PSN.

I was personally pleased to learn, for instance that “Good Technology has achieved Evaluation Assurance Level 4 Augmented (EAL4+) certification for its Good for Enterprise mobile collaboration solution. This certification is the highest level under the international Common Criteria program, which measures the security of products used in environments handling sensitive government data.” More on the Common Criteria programme here:

My prediction is that agreeing certain specified secure BYOD solutions are acceptable to the PSN security requirements is a matter of “when”, not “if”.

Most important

For me – and for colleagues in the Cabinet Office, CESG, Socitm and elsewhere – the main thing is to ensure the PSN successfully delivers its intended outcomes. A successful PSN will be one that is both secure and pragmatically useful.

  1. Hi Steve,

    That is a really interesting post.

    Your last point is the key thing for me…what are or were the intended outcomes for the PSN and are they still relevant now?

    My concern looking at this from slightly outside the whole thing is that the underlying architectural assumptions of the PSN are flawed and fail to actually create a level of flexibility and business agility which would allow local public service providers to facilitate and create community infrastructure and not simply be an extension of central government service delivery.

    I’m not going to argue or debate the security of particular solutions as i think that would show my ignorance and lack of understanding. However looking at this from a business perspective – I have to ask at what point will the focus of PSN be about securing the business processes and not the underlying infrastructure?

    I’m personally not convinced that the current or even future approach to PSN is fit for purpose in a local public service delivery framework which needs to be dynamic and flexible given the challenges ahead.

    I’d value some feedback or clarification in this area.

    • Carl,

      First of all congratulations on winning the Leadership Excellence category in the Guardian newspaper’s Public Service Awards 2013! This was richly deserved, in my opinion.

      I think, yes, absolutely the intended outcomes of the PSN are still relevant now. In a climate of austerity and where being more “joined up” represents a major component of innovative solutions, the PSN objectives are more relevant now than ever.

      There are material concerns across the sector in relation to the impact that the security requirements may have on the intended business benefits.

      As Socitm president, I am meeting regularly with senior staff from the Cabinet Office to work out pragmatic and proportionate solutions to these concerns. I am convinced that they are fixable and that the PSN can emerge as a value proposition that local organisations wish to engage in. The technical architectures of information safeguarding are not simple and are to an extent opinion based. One persons “reasonable” is not necessarily the same as another person’s “reasonable”, so good dialogue is necessary to negotiate a good outcome.

      Certainly the collaborative procurement savings which the PSN drives are there for the taking. All public service organisations spend money (around £1m pa for a large county) on networking their buildings together. If we can shave a few percentage points off that, it is a responsibility to do so. Many regional PSN procurements are reducing running costs by over 25%, which is excellent.

      As Chair of the West Midlands PSN, I expect to announce a contract signature next week for such a procurement which will deliver material savings.
      But the procurement savings are just the start of the expected PSN benefits. It is a foundation for shared services, secure information sharing and efficient business outcomes. At Solihull MBC we run the Finance system for nearby Lichfield DC. To do this, we buy an expensive network connection to join our authorities together. When we are both on the PSN, that won’t be necessary. Across the sector, if we can make the technology of sharing more simple, then more sharing will happen, as is very clearly evidenced on the public internet.

      Carl, Your question regarding the PSN’s underlying architectural assumptions is well made. It has been a recurring theme in our discussions with the Cabinet Office – “does the vision of the PSN now still stack up, having learned more about the security implications?”

      Across both Local and Central government the compliance messages have been causing grave concern. It is certainly true that many organisations need to do more to improve their cyber protection. The PSN programme has catalysed dramatic improvements in this area, which is certainly a “good thing”. The contentious issues surface where the security compliance rules clash with the business agility imperatives. And it has to be said that the cultural aspects of how this clash is managed have raised more than a few eyebrows.

      I was delighted that the Cabinet Office has offered to host a Local Government focussed session titled “Help architect the future”. The proposal is for “a design process that starts with a blank sheet of paper and the data/business flows and builds out into network design(s).”

      The Cabinet Office advises that “this session will consider the apparent opposing forces of flexible working practices and the need for cyber security. Participants will look at the different security requirements for the data held by the Local Authority, the data needs and flows, the business drivers (such as the requirements for more integration with other department, the need for more flexibility and the effects of austerity programmes) and the PSN mesh design.”
      With this level of dialogue and responsiveness from the Cabinet Office, the programme can surely deliver the vision of the PSN.

  2. Thank you for your congratulations and for your detailed response Steve.

    Are the “Help architect the future” sessions being held in an open forum and is there a way for non technical (service managers perhaps) to follow along and contribute?

    I know that LocalGov Digital as a group have some concerns and ideas around this and is there a way we can pro-actively help and contribute to the wider discussions and outputs. Perhaps we could use some time at the upcoming Socitm Conference as I believe our steering group is meeting in the same building?

  3. Carl, the “Architect the future” sessions are to be held on 2nd, 3rd and 4th of December and are pitched at Enterprise Architects predominantly. Socitm have circulated invitations to members and the session is quite over subscribed – lots of interest, which is healthy. Let me know of you’d like to have some representation there.

    At the Socitm conference, we will have good coverage of PSN, including presentations, round table discussion and panel debate. Also, subject to the availability of the right technical specialists, we hope to have a stand in the exhibition space for the PSN Solutions Advisory Group (SAG), so people can have PSN focussed conversations. The SAG won’t have the answers for everyone but can capture key points to be fed back into the main conference discussions.

    Here’s the link to the conference, it will be great to have a good presence from LocalGov Digital.

Trackbacks & Pingbacks

  1. How to do BYOD, Mobility, Remote Working AND Maintain PSN Compliance | Richard Copley - Digital by Default

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: