Is GDS addressing the user need?
The latest update from David Mead on the alpha PSN Service Security Standards (PSSS) (https://governmenttechnology.blog.gov.uk/2015/02/24/changing-psn-compliance-your-questions-answered/) is interesting, and I’d like to compare it’s rhetoric with the recent State of Privacy Report (http://www.symantec.com/content/en/us/about/presskits/b-state-of-privacy-report-2015.pdf) from Symantec.
The major difference between safe and secure data sharing is a culture of do versus a culture of don’t.
David states it’s important that the Government Security Classifications (GSC), introduced last April, have “handed responsibility for assessing and managing information risk back to data owners”. Its importance is reinforced further by the last Symantec threat report that showed the public sector was most at risk of targeted attacks. However, only 35% of UK respondents to the Symantec report trusted government with their data, compared to 68% who trusted health and 65% who trusted banks.
So, does this now mean that the public sector is allowed to control how they share information in light of their new responsibilities (indeed government was urged to make it easier to share information in a key finding of the Victoria Climbié inquiry back in 2003)? Unfortunately not, as “some data owners will require you to show that you meet certain security standards before they’ll send you their data.”
Who’s data is it anyway?
This latter point is interesting, who owns the data and what obligations do they have? This has to be considered in light of the 75% of respondents to the Symantec report who felt that their data had value, and that the majority of operational information being shared across government was likely to be gathered from the citizen. So in reality, the data the government is trying to control the used of, is not actually theirs to constrain – they are merely custodians of it, they do not own it. This approach sounds similar to that which meant that local government had to stop some of its transformative, cost-saving, activities to comply with requirements from the centre, just to be able to do their jobs.
Citizens are telling government they want better data sharing; so why is government still determining how people can access primarily using technical measures to provide controls without consideration of the maturity of information governance in those organisations that access it? In my view, this is counter intuitive as this could drive information sharing underground.
Are the current approaches to security still valid?
Now of course it’s easy to say that the same report shows that 89% of UK respondents rated data security as a key concern when choosing a service to use (higher than quality and customer service, 88% and 85% respectively), but we need to evolve in the digital world to realise that a totally secure state is a concept that died a death with the advent of the complex web services that emerged in the early years of this century.
We need to realise that information risk is (and always has been) much more than maintaining the confidentiality of the information. What about ensuring that the information is still accurate (integrity) and ensuring it’s accessible when required (availability)? Information risk is more than security, and risk itself is “defined as this uncertainty of outcome, whether positive opportunity or negative threat, of actions and events” according to the HMT Orange Book on Risk Management.
We have to stop the security industry talking about the Data Protection Act as if it’s the only law managing information, what about the Civil Contingencies Act which requires that the public sector ensures it’s services are available as required, what about the Social Value Act? These and many other legal requirements create a framework that governs how information can be shared safely; it provides the guidance to “do”, rather than the reasons to “don’t”.
I’ve talked about the need to balance benefits in my previous article, and we need to realise that trying to secure everything is something that even the Knights Templar realised was folly in the dark ages, you have to protect what you can. The real danger in progressing towards digital government is government itself thinking that it is the user, when its sole purpose is to serve the citizen; the real service consumer.
Looking to the public sector to find the answers
We need to support those organisations, public sector or third sector, which provide front-line services to the citizen to operate within an environment that provides safe and reliable services. The issue is that if we continue to use technical controls as a measure of compliance to gain access to the PSN, without the context of the governance regimes operating within these organisations, then they will look elsewhere to share their data at a local level. That will mean that the public sector will lose any control they may have over information sharing.
I read a blog post from the former president of SocITM, Steve Halliday, this week on a points system for providing endpoints to users (https://stevehallidaycio.wordpress.com/2015/02/20/saying-yes-to-user-choice/); this principle is a great example of the forward thinking within local government that will be stifled if we maintain a legacy view on information assurance. A thought I had (and posted in Steve’s blog) is there is real merit in realising that there are three key components for information sharing:
The endpoint – is it safe, does it support the functionality required for the organisation and can it connect to the right systems?
The organisation – does it have a good maturity of information governance, undertaking all legal, regulatory and contractual obligations for information management?
The network – is it safe and reliable?
If we had the same points approach as detailed by Steve in these key areas, it would make it much easier to establish the type of information sharing that the public sector so desperately needs. An approach like this would allow organisations with a more mature governance structure to be rewarded with more autonomy regarding how they access and process that information.
Creating a safe and reliable network platform
There is, however, a note of caution here; the PSN team appear to be reducing the PSN down to a mere network and forgoing the multi-supplier service management model that was created for all connectivity and non-connectivity suppliers. Why does this matter in an approach of “digital by default” and “Cloud first”? As government moves their services to the Cloud platform, they increasingly rely on a heady mix of connectivity, network, hosting and application services. How can the public sector know if it’s managing legal obligations to provide robust services to the citizen if they can’t rely on organisations to work together to address outages? Within the PSN, this challenge was addressed through collaboration between industry and government to set aside commercial differences to deliver open service management standards so that customers can rely on both connectivity and application service providers within the PSN to work together through their obligations within the PSN Operating Model. I have seen this in action, and it is a truly unique achievement that appears to be underestimated by GDS.
We’ve already seen that Cloud platforms such as Google and Microsoft Azure are not immune to large scale outages due to configuration errors, and there are likely to be a number of Cloud Service Providers hosted on these environments. Surely we want to extend the reach of the open standards that underpin PSN to Cloud? For those that think that moving to the Internet is the answer, we should also realise that the internet is only a method of connecting across the same physical links and data centres used by PSN and other government networks; the only difference is the service management obligations that the internet connections operate under.
The opportunity for GDS is to enable a single PSN that is safe, reliable and considers the needs of those unsung heroes within the public sector that deal with the citizen on a daily basis by providing the environment to “do”. That won’t happen if compliance is so onerous that it causes organisations to look elsewhere to share data locally through enforcing controls which make it more difficult to embrace new tools to collaborate, or fails to build on the delivery of the open standards from the PSN operating model to create an environment that is both safe and reliable.
I saw a tweet recently that sums up that approach required – “design like you’re right, listen like you’re wrong”. I hope that industry can continue the journey we started through collaboration with government and continue to deliver value through evolving PSN to meet the user need.