I read the announcement of the strategic move by GDS away from the Public Services Network (PSN) towards the internet (https://governmenttechnology.blog.gov.uk/2017/01/20/the-internet-is-ok/) with interest.
Digital has matured
The digital environment has certainly matured since the PSN was conceived, and the opportunity for the public sector to use low-cost commodity Cloud services is not one to be missed. This opportunity is crucial when you consider that a parliamentary report in 2015 (http://www.publications.parliament.uk/pa/cm201516/cmselect/cmsctech/468/468.pdf) stated that over 90% of the data circulating on the internet had been created in the preceding two years; that figure can only have risen in the two years since. The ability to share and consume electronic information has moved away from the PC towards mobile platforms, with tablet and smartphone usage reaching record levels. With last year's move of core government services, traditionally hosted on the PSN's centralised network, to Cloud-based services, the technical barriers have been reduced considerably.
IT Security is evolving
So, the remaining question was whether you could trust the internet more than the traditional closed-community WANs offered by the PSN, N3, the Police National Network (PNN) and the like. Accompanying guidance from GDS on how to improve the information assurance of services, for suppliers and consuming organisations alike, has been welcome in this regard, as it has brought transparency to the key risk areas in the use of Cloud services.
Indeed, the Cloud Security Principles (https://www.ncsc.gov.uk/guidance/implementing-cloud-security-principles) and the related PSN Service Security Standard (https://www.gov.uk/guidance/public-services-network-psn-compliance) have brought these areas into sharp focus. I’d say that they have certainly worked on the supply side, with the larger Cloud Service Providers (CSPs) such as Google, Microsoft and Amazon Web Services moving their operations to the UK. Aligning government guidance with established enterprise practices is the way ahead, and the wholesale move of the public sector to Cloud services such as Google Apps for Work hasn’t resulted in a breach.
As GDS said, however:
“Of course, it’s not going to happen immediately. Organisations that need to access services that are only available on the PSN will still need to connect to it for the time being. They’ll need to continue to meet its assurance requirements, and in fact they should make use of the practices it covers when reviewing all their core IT.
But from today, new services should be made available on the internet and secured appropriately using the best available standards-based approaches. When we’re updating or changing services, we should take the opportunity to move them to the internet.”
The passages quoted above show that the assurance requirements placed on organisations by the PSN are still to be kept, not only for their PSN connection but across the whole of the consuming organisation, with a sharp focus on security to be retained.
Is the internet understood?
The issue, therefore, is not one of IT security but of service assurance. Looking at the network principles (https://www.gov.uk/government/publications/network-principles/network-principles) we can see the various wireless and wired connectivity options available to an increasingly mobile marketplace, which are collectively called ‘the internet’. The guidance is well thought-out and describes the planning challenges in defining the user need, namely:
Knowing:
- what business services your users depend on
- what network services they rely on to access them
Documenting your needs across different networks for:
- bandwidth
- availability
- resilience
- class of service (CoS)
- quality of service (QoS)
- price
In short, the challenge is to define the service requirements within an increasingly Cloud-based supply chain reached over diverse connectivity methods.
Creating the service assurance regime for the 21st century
The PSN was a network platform designed for legacy assurance approaches, yet it still recognised the need for consistency of approach within a multi-supplier network. The experience of customer service and service assurance gained in creating the PSN played a huge part in the industry engagement with NHS Digital in creating the Health and Social Care Network (HSCN).
The HSCN was created with the SME Internet Service Providers (ISPs) in mind, aligning to the established CESG Assurance Service (Telecommunications) scheme (CAS(T)), now run by the National Cyber Security Centre, with options ranging from an entry point of self-assertion (whilst still meeting the minimum CAS(T) requirements) through to full CAS(T) certification. This approach was crucial, as CAS(T) is designed from the outset to provide high-availability services built to the enterprise IT security requirements of ISO/IEC 27001:2013.
Not only has the HSCN been built to these requirements, it has also evolved from the operating model of the PSN to ensure that the foundation for inter-supplier co-operation is created.
This is fundamental as disruptive network technologies such as Software-Defined Networking (SDN) gain traction, and the need for it is shown by recent widespread outages of Cloud and digital services. The Cloud itself isn’t the issue; the problem is that customers are given so little information about their suppliers’ supply chains that they cannot tell whether several of their suppliers are relying on the same single CSP.
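One practical check a consuming organisation can run against its own supplier inventory is a concentration-risk report: classify each supplier's service endpoints against the address ranges the CSPs publish, then see which suppliers sit wholly on one provider and which provider would take several suppliers down at once. The following is an added example and not code from the original post or from GDS, NHS Digital or any supplier; the CSP names, prefixes and supplier endpoints are all constructed for illustration, and in practice the prefixes would come from each provider's published range lists and the endpoints from the suppliers' service descriptions or DNS.

```python
import ipaddress
from collections import defaultdict

# Hypothetical CSP address ranges, constructed for this example. Real
# providers publish their ranges separately and they change over time.
CSP_PREFIXES = {
    "csp-a": ["203.0.113.0/25", "2001:db8:a::/48"],
    "csp-b": ["203.0.113.128/25"],
    "csp-c": ["198.51.100.0/24"],
}

# Constructed supplier inventory: supplier -> {service name: endpoint address}.
SUPPLIER_ENDPOINTS = {
    "supplier-one": {"web": "203.0.113.10", "api": "203.0.113.20"},
    "supplier-two": {"portal": "203.0.113.130", "dns": "198.51.100.5"},
    "supplier-three": {"app": "203.0.113.77"},
    "supplier-four": {"app": "192.0.2.9"},  # not inside any known CSP range
}


def build_networks(prefixes=CSP_PREFIXES):
    """Parse the prefix table once into (csp, ip_network) pairs."""
    return [(csp, ipaddress.ip_network(p)) for csp, ps in prefixes.items() for p in ps]


def classify(addr, networks=None):
    """Return the CSP whose prefix contains addr, or 'unknown' if none does."""
    ip = ipaddress.ip_address(addr)
    for csp, net in networks if networks is not None else build_networks():
        # ip_network membership is version-aware; the explicit check documents it.
        if ip.version == net.version and ip in net:
            return csp
    return "unknown"


def concentration_report(inventory, prefixes=CSP_PREFIXES):
    """Map each supplier to the CSPs it depends on and surface shared dependencies."""
    nets = build_networks(prefixes)
    per_supplier = {}
    services_by_csp = defaultdict(int)
    total = 0
    for supplier, services in inventory.items():
        csps = set()
        for addr in services.values():
            csp = classify(addr, nets)
            csps.add(csp)
            services_by_csp[csp] += 1
            total += 1
        per_supplier[supplier] = csps

    # Suppliers whose every endpoint is on one identifiable CSP: a single
    # point of failure for that supplier's service.
    single_csp_suppliers = {
        s for s, c in per_supplier.items() if len(c) == 1 and "unknown" not in c
    }
    # Which suppliers share each CSP: losing that CSP loses all of them together.
    suppliers_per_csp = defaultdict(set)
    for supplier, csps in per_supplier.items():
        for csp in csps:
            if csp != "unknown":
                suppliers_per_csp[csp].add(supplier)
    # Fraction of all inventoried services hosted on each CSP.
    service_share = {csp: n / total for csp, n in services_by_csp.items()}
    return {
        "per_supplier": per_supplier,
        "single_csp_suppliers": single_csp_suppliers,
        "suppliers_per_csp": dict(suppliers_per_csp),
        "service_share": service_share,
    }


def shared_single_points(report, min_suppliers=2):
    """CSPs whose outage would take down at least min_suppliers suppliers."""
    return {
        csp: sorted(sups)
        for csp, sups in report["suppliers_per_csp"].items()
        if len(sups) >= min_suppliers
    }


if __name__ == "__main__":
    report = concentration_report(SUPPLIER_ENDPOINTS)
    for supplier, csps in report["per_supplier"].items():
        print(f"{supplier}: {sorted(csps)}")
    print("wholly on one CSP:", sorted(report["single_csp_suppliers"]))
    print("shared single points of failure:", shared_single_points(report))
    print("unclassified endpoints:", report["service_share"].get("unknown", 0.0))
```

The "unknown" bucket is the important output for the point made above: an endpoint that matches no published range is not evidence of independence, only of missing information, and is the gap a supply-chain disclosure requirement would close.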
Delivering the network platform for digital government
So, how can industry and the public sector work together to deliver the network platform for government?
The challenges are compounded by the growth of ‘dark data’: information that organisations store and secure without knowing whether they need to, and which current studies estimate at around 59% of the information held within organisations. This causes a problem whereby public sector consumers will find it difficult to determine what their needs are at an application level, and will be tempted to revert to the network level as a common denominator.
With an uncertain future relating to the exit from the EU and adoption of the General Data Protection Regulation in May 2018, how can consuming organisations be sure that their investments are sound and their needs are being met?
There is a need for guidance for consumer and supply organisations alike that transcends the current cyber security approaches and allows communities of trust to be created, based on information management and the resilience of services. By addressing the information management challenges, such guidance would realise the opportunity to build on the application and network guidance from GDS, and would unlock the existing investment in the regional public sector WANs (built to PSN standards for resilience) that already deliver wired and wireless internet services.
These communities of trust can align to the mature information management frameworks that derive from UK legal frameworks, not just the data protection ones.
Summary
Is OK good enough when talking about the network and internet connectivity? It may well be for some services, but I’d wager that the frontline public services require service assurance that will not be found in all internet connectivity. However, answering the question fully relies on the consuming organisation following the GDS network principles, and requires more guidance on risk and governance.