Cabinet Office requests “BYOD & PSN” tweet clarification
I was recently asked by the Cabinet Office to clarify a “BYOD & PSN” tweet.
So here goes: people engaged in the UK public sector world of digital and ICT will be aware that we are developing and implementing a Public Service Network (PSN), a kind of secure internet for the sector, so that we can share information with each other safely and be, as the taxpayer wishes, more “joined up”.
It’s a brilliant and necessary idea which is being deployed across the country. It also is saving millions of pounds by encouraging public sector agencies to jointly procure their networks.
In order to join the networks together, there needs to be a common level of trust between participating organisations. Cyber threats are very real in the 21st Century and we do not wish to open up opportunities for hacking, fraud or computer virus transmissions by joining our networks together. So, a set of security standards have been published by the government and the Cabinet Office has been tasked with ensuring that every organisation joining the PSN meets these standards.
The balance of competing objectives
So far, so good. But like all good things, there are balances to be struck with competing objectives. Government (and the tax payer) also wants public service bodies to be more open, more transparent and more modern. We should be deploying mobile computing, publishing open data, working with cloud solutions and allowing consumer commodity devices (like iPads) to quickly become standard in the public sector office. These business needs are potentially at odds with the equally important security business need.
At Solihull Council, we have embraced both security and business agility. We are very concerned to safeguard our citizens’ information. We are not the MoD, but we have put suitably strong cyber security provisions in place, proportionate to the risks carried in our data. We were very pleased that the Cabinet Office has reviewed and approved our information assurance measures through a PSN Certificate of Compliance, reconfirmed in November 2013.
We also are very concerned to enable business agility and efficiency with technology. I have published elsewhere about the business benefits of Bring Your Own Device (BYOD), if it can be achieved in a secure way. I am confident that modern, secure BYOD solutions offer the best of both worlds: security and agility.
Here are some previous thoughts:
- On the BBC http://tinyurl.com/cr5qkq9
- In the Guardian http://tinyurl.com/pu45ssc
- On my own blog http://tinyurl.com/pn2j6af
Our Solihull BYOD implementation has won international awards for agile security, so I am very certain that this is a cake you can both have and eat (the Computer Weekly security judges said “Solihull Council shows how an inclusive model for information security can work” http://tinyurl.com/ndwzkm4).
There is a right and proper concern about the threat that BYOD presents to the PSN. Like Internet browsing, if BYOD is provisioned badly, it opens the organisation to cyber crime and viruses. So the Cabinet Office has been very strong on the conditions in which BYOD can be tolerated. And quite right too – none of us wants bad BYOD weakening the mutual trust of the PSN. But good BYOD is a lever for transformative culture and should not be thrown out with the security bathwater.
So, at Solihull we were waiting with bated breath to learn whether our BYOD scheme, which has been taken up by over 15% of staff, would be allowed to continue. And we were delighted to be given a compliance certificate – so I tweeted the good news to the world.
Here’s what I said in my tweet:
A few days later, I received a note from the Cabinet Office, advising me that my tweet had been “escalated” and that I needed to explain in more detail and clarify on Twitter.
Clearly that’s hard to do in Twitter’s 140 characters, so we agreed I would write this blog and tweet a reference to it.
The Solihull BYOD solution
In Solihull, the BYOD and unmanaged device use is outside what PSN security architects call the “walled garden”. The Cabinet Office have confirmed that Solihull have appropriate network separation in place to meet the short-term architectural pattern as detailed by CESG.
When Solihull embarked on its BYOD journey, the council wrote to the Cabinet Office CoCo authorisation team to explain what they were doing and to seek its approval. This was granted.
Employees have two methods to access council systems and data on their own devices.
Solution 1: The first is a container solution providing BlackBerry-style access and experience. By installing a secure infrastructure from Good Technology, users can access, through an app-like interface, the council intranet and some Oracle self-service applications, which means that they can access their payslip or approve procurement requests away from the office.
The Good technology operates a ‘secure encrypted container’ for storing business data. This container is password protected and can be remotely wiped without affecting the personal data on the device.
Solution 2: The second method is a remote access solution provided by Juniper, whereby employees are able to access their applications remotely via a thin-client interface. The Juniper solution makes use of two-factor authentication and ensures that no data is stored locally.
Solihull has coined the term Your Device at Home (YODAH) for this solution, which has enabled some employees to work from home either regularly or occasionally. While permanent home workers have corporately provided solutions, staff who may be required infrequently, but at very short notice, to work from home no longer need to have a corporate laptop waiting in their home.
For the avoidance of doubt, BYOD access to PSN is not compliant. But it is possible to have PSN compliance and allow users BYOD access for most systems and information – so long as the BYOD devices can’t access PSN data.
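As an added illustration (not Solihull’s configuration or the CESG pattern), the separation property stated above can be checked as transitive reachability over a zone-to-zone allow list; the zone names and flow table below are constructed, and the second run shows how a single extra rule deep inside the network (thin clients allowed onto the PSN gateway) would indirectly give BYOD devices a route to PSN data.

```python
"""Transitive reachability check for PSN 'walled garden' separation.

Added illustration, not Solihull's or CESG's configuration. Zone names and
the flow table are constructed; the property checked is the one the post
states: unmanaged (BYOD) devices must have no route to PSN data, whether
direct or via intermediate hosts such as a thin-client farm."""
from collections import deque

# Constructed zone-to-zone allow list (which zone may initiate flows to which).
# Hypothetical zone names; a real ruleset would be exported from the firewalls.
ALLOWED_FLOWS = {
    "internet_byod": {"good_proxy", "juniper_sa"},      # BYOD reaches only the two gateways
    "good_proxy": {"intranet", "oracle_self_service"},  # container solution back end
    "juniper_sa": {"thin_client_farm"},                 # remote-access gateway
    "thin_client_farm": {"intranet", "oracle_self_service"},
    "corporate_lan": {"intranet", "oracle_self_service", "psn_gateway"},
    "psn_gateway": {"psn"},
}
UNMANAGED_ZONES = {"internet_byod"}
PSN_ZONES = {"psn_gateway", "psn"}  # PSN interconnect and data inside the walled garden


def reachable(flows, start):
    """Every zone reachable from `start` by chaining allowed flows (breadth-first)."""
    seen, queue = set(), deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in flows.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def separation_violations(flows, unmanaged=UNMANAGED_ZONES, protected=PSN_ZONES):
    """Map each unmanaged zone to the protected zones it can reach; empty means compliant."""
    result = {}
    for zone in sorted(unmanaged):
        hit = reachable(flows, zone) & protected
        if hit:
            result[zone] = sorted(hit)
    return result


def with_flow(flows, src, dst):
    """Copy of `flows` with one extra allowed flow, for what-if checks."""
    new = {z: set(d) for z, d in flows.items()}
    new.setdefault(src, set()).add(dst)
    return new


if __name__ == "__main__":
    print("baseline:", separation_violations(ALLOWED_FLOWS) or "compliant")
    # Granting the thin-client farm PSN access opens BYOD -> Juniper -> farm -> PSN.
    leaky = with_flow(ALLOWED_FLOWS, "thin_client_farm", "psn_gateway")
    print("thin clients on PSN:", separation_violations(leaky))
```

The check is only as good as the flow table fed to it, so it belongs in a periodic review of exported firewall rules rather than as a one-off.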
So the Solihull solution is compliant because BYOD devices do not access PSN data. Whether it remains compliant over the coming years remains to be seen. There is a view that as the scope of PSN expands to include everything on the network and as CESG and the Cabinet Office remain convinced that even secure BYOD is not acceptable, organisations like Solihull will have to decommission their BYOD investments.
There is an alternative view that as secure BYOD solutions mature and pass through a due diligence review at CESG, some solutions may be agreed to be acceptable to the PSN.
I was personally pleased to learn, for instance, that “Good Technology has achieved Evaluation Assurance Level 4 Augmented (EAL4+) certification for its Good for Enterprise mobile collaboration solution. This certification is the highest level under the international Common Criteria program, which measures the security of products used in environments handling sensitive government data.” More on the Common Criteria programme here: http://tinyurl.com/n72foef
My prediction is that agreement that certain specified secure BYOD solutions are acceptable to the PSN security requirements is a matter of “when”, not “if”.
For me – and for colleagues in the Cabinet Office, CESG, Socitm and elsewhere – the main thing is to ensure the PSN successfully delivers its intended outcomes. A successful PSN will be one that is both secure and pragmatically useful.