PSN Security – the Letter and the Spirit

PSN initiatives need to go beyond ticking boxes, says Dr Graham Buckberry, Siemens Enterprise Communications Limited
Government organisations must embrace the Public Services Network (PSN) vision if the ‘network of networks’ is to deliver the consistency, flexibility and significant cost savings the public sector requires now and in the future.
The PSN has a number of critical success factors that must be fulfilled for the vision to become a reality, but none as fundamental as security. Security is the single most important enabler in the adoption of PSN services. It follows that a robust, reliable and consistent security model has been a key requirement of the PSN since its inception.
By employing a clear set of pan-government security standards and policies, the PSN should offer all parties a guaranteed level of security, creating a bond of trust between PSN-connected organisations. Public sector organisations are well aware of security threats: for example, in a recent FOI request, HM Revenue and Customs (HMRC) disclosed that its offices in Wales recorded 990 security incidents in the 12 months to July 2012.
Scalability is the key
The value of the PSN lies in the ability of government organisations to securely share data without creating complex information assurance challenges that cause barriers to adoption. The simplicity of operation offered by the PSN is dependent on every organisation and the Supplier community using scalable and truly multi-tenanted systems.

It also has to be recognised that any ICT environment is only as secure as its weakest link. The biggest government departments are potentially lucrative targets for organised cyber-criminals. Only truly scalable systems can span pan-government operations with a level of centralised control and instant deployment of security updates that can respond to the sheer volume of threats and vulnerabilities faced by the PSN of the future.

It is the case, however, that the success of the PSN’s security is reliant on how its policies and guidelines are interpreted.
The PSN operates at a default security level categorised as business impact level 2 (IL2). PSN Service Providers, therefore, have to achieve appropriate accreditation in order to supply PSN services. Whilst the accreditation process is thorough, it is only applicable in the context of the original risk assessment.
A solution, for example, can be accredited right down to the level of a small department, but such a solution is not necessarily going to scale dynamically and, ultimately, economically to cover an organisation as large and as high profile as the Department for Work and Pensions, with the same risk profile.
Embrace the spirit of PSN, not just the letter
Public sector organisations, suppliers and even the accrediting bodies must recognise that IL2 or IL3 accreditation is just a baseline. All parties must aspire to exceed tick-box compliance, evaluating how their systems will interoperate in practice and the level of trust they will offer to partner organisations.
End-user organisations, and suppliers, developing PSN systems must take a candid view of their decision-making processes. Many are not asking themselves, or their partners, the right questions. Too many are simply focused on compliance, short-sightedly implementing the letter of the PSN law as opposed to its spirit.
The ‘islands of security’ that may result from this approach surely are not in the interest of the mainstream PSN. Islands of security will create anxieties on the PSN ‘mainland’ as secure data sharing cannot exist between islands – a hopscotch archipelago – in a sea of vulnerabilities. Rather, save the notion of islands for organisations handling extremely sensitive data (IL4 and above), who actually benefit from the isolation.
The reality is that true portability and mobility across the PSN can only be achieved by the adoption of scalable, multi-tenanted systems. Most importantly, the vast majority of the financial savings the PSN will deliver from services comes directly from scalable solutions that ease ICT management, such as common user management portals that can encompass multiple government operations. In the longer term, the PSN aim of achieving commodity ICT costs can only happen if suppliers rise to the challenge to deliver secure services on a truly pan-governmental level, from day one. This is the vision of our PSN CTO.
Building for the greater good
PSN security relies on a two-way commitment. For example, in designing mobile services there is an obligation to recognise the wider requirements of a secure PSN; that they must serve the largest of organisations as well as the smallest. By building PSN ICT systems that scale, smaller organisations are not only aiding their larger government partners, but also helping themselves by earning trust on the PSN ‘mainland’.
There is little doubt that adoption of the PSN will be a journey, but it is one that needs to be implemented thoughtfully to secure rich rewards for both public sector organisations and the citizens they serve.