Infosecurity Europe: The government looks to Linux to
secure websites, faces a call for a federated approach to identity
card security, and extends a kitemark scheme
Government tests secure Linux to protect web server applications
The government is to test a secure version of the Linux
operating system that could make it easier for public sector
agencies to secure their websites from attack.
A trial starting this month at County Durham & Darlington
Acute Hospitals NHS Trust could lead to the wide-scale roll-out of
the operating system across the public sector, the Cabinet Office
believes.
The project is designed to underpin the transformational
government programme to improve public services, said Steve Marsh,
director of the government’s Central Sponsor for Information
Assurance.
“The value for government is that it will bring confidence that
business applications are going to operate securely,” he said.
The trust is working with suppliers IBM, Tresys and Belmin to
test the ability of Security Enhanced Linux to protect web server
applications.
Security Enhanced Linux offers IT departments the ability to
“lock down” the security of servers by limiting the potential
damage hackers or a computer virus can cause.
The trust will use Security Enhanced Linux to wrap a layer of
security around Websphere middleware, which is widely used in the
public sector. If successful, it will provide government bodies
with a way to rapidly secure their Websphere applications.
The take-up of Security Enhanced Linux has been limited by the
complexity of writing security policy code, which can be up to
300,000 lines long, said Marsh. However, the trial will test new
tools to automate the process.
“It is a low-impact way of getting additional security. It does
not affect your infrastructure. It is simple to deploy. If you get
a virus or Trojan on the network, it limits the damage it can do,”
said Frank Mayer, chief technology officer and co-founder of
Tresys, which is developing the tools.
The trust plans to use Security Enhanced Linux to secure a
web-based invoicing system, Aries, which will reduce costs by
replacing manual invoicing systems.
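The policy-writing burden and the automation tools mentioned above come down to one routine task: SELinux logs every action a confined domain was refused, and writing policy is largely deciding which of those denials to allow and which to leave in place. As an added illustration (not code from the article, IBM, Tresys or Belmin), the following Python script parses constructed AVC denial records for a hypothetical `websphere_t` domain, drafts the allow rules they imply, and marks for review the ones a policy author should refuse rather than copy. The domain name, the `websphere_conf_t` type and the audit lines are all constructed for this example; `postgresql_port_t` and `shadow_t` are standard reference-policy types.

```python
"""Summarise SELinux AVC denials and draft the allow rules they imply.

Added example, not code from the article or the companies it names: a
minimal version of the audit-to-policy step that automation tools perform.
The domain websphere_t, the type websphere_conf_t and the audit records
below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample audit records (the last one is not an AVC denial and
# must be ignored by the parser).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1146000000.101:201): avc:  denied  { name_connect } for  pid=2311 comm="java" dest=5432 scontext=system_u:system_r:websphere_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1146000000.102:202): avc:  denied  { read } for  pid=2311 comm="java" name="shadow" dev=sda1 ino=9912 scontext=system_u:system_r:websphere_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1146000000.103:203): avc:  denied  { execmem } for  pid=2311 comm="java" scontext=system_u:system_r:websphere_t:s0 tcontext=system_u:system_r:websphere_t:s0 tclass=process
type=AVC msg=audit(1146000000.104:204): avc:  denied  { read open } for  pid=2311 comm="java" name="server.xml" dev=sda1 ino=4410 scontext=system_u:system_r:websphere_t:s0 tcontext=system_u:object_r:websphere_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1146000000.104:204): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions and targets that must not be granted merely because a denial
# was logged; these lists are illustrative, not exhaustive.
RISKY_PERMS = {"execmem", "execmod", "execstack", "sys_admin", "dac_override", "setuid"}
RISKY_TARGETS = {"shadow_t", "security_t"}


def type_of(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(":")[2]


def parse_denials(text):
    """Return {(source_type, target_type, tclass): set(perms)} from audit text."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types are not denials
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def draft_policy(rules):
    """Render allow rules; risky ones are emitted as comments for human review."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if tgt in RISKY_TARGETS or perms & RISKY_PERMS:
            lines.append(f"# REVIEW (risky): {rule}")
        else:
            lines.append(rule)
    return lines


if __name__ == "__main__":
    print("\n".join(draft_policy(parse_denials(SAMPLE_AUDIT))))
```

On a real system the input would be the output of `ausearch -m avc` rather than the constructed string. The REVIEW markers are the point of the exercise: a tool that blindly converts every denial into an allow rule hands the confined application exactly the access (here, the password file and executable memory) that the policy exists to withhold, so the automation can draft the policy but a person still has to approve it.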
Central database for ID cards wrong, says peer
The government has come under fire from a peer over its
insistence on building the £5.8bn ID card programme around a single
central database to hold personal details of the public.
Lord Erroll, who lobbies on IT issues in the House of Lords,
said the purpose of such a central registry appeared to be to give
the government more control, rather than to reduce crime or provide
better public services.
Storing personal data centrally meant there was a risk it could
be compromised by hackers or illegally accessed by dishonest
government employees, said Erroll.
“I am not pro the central registry. It is a database tracking
through your whole life. If that gets compromised, someone has open
access to your biographical identity,” he said.
Erroll said the Home Office could achieve its objectives more
effectively by using technology based on the idea of federated
identity, which provides greater security for personal data.
“The card is verified locally by the citizen [using a card
reader]. The citizen gives permission as to which government
databases can talk to each other and which cannot. When the card is
removed [from the reader] the databases do not talk anymore,” he
said.
Rather than having a single registry of the population
containing all the personal information on an individual, federated
identity would allow the public to register only the information
that was relevant to each organisation.
Erroll said the money the government was investing in ID cards
could be better spent elsewhere. It would do little to stop illegal
immigration or reduce crime, he said.
“If you gave me over half a billion pounds a year to solve the
problem, I think I could use it much more effectively,” he
said.
Conduct risk assessments to counter e-crime, SMEs urged
Small businesses have been urged to carry out risk assessments
of their IT security, after government research revealed they are
disproportionately affected by the cost of IT crime.
The Department of Trade & Industry’s Security Breaches
Survey 2006, released at the Infosecurity conference, found that
small businesses are bearing the brunt of computer crime, which is
costing UK businesses an estimated £10bn a year – a rise of 50% in
two years.
Large firms have significantly increased their investment in
security over the past two years, spending an average of 4% to 5%
of their IT budget on security, compared to 3% in 2004 and 2% in
2002.
But small firms are failing to assess the risks to their
computer systems as they rush to exploit the advantage of the
internet for online commerce, the survey suggested, with 40% of
small firms spending less than 1% of their IT budget on
security.
Andrew Beard, director at PricewaterhouseCoopers, which
conducted the survey, said that although security advice for small
firms is readily available free of charge or at low cost, small
firms were failing to take advantage of it because they failed to
understand the risks.
“Some of them simply do not see the business need for increasing
their security spending – 84% said they were not using
authentication because they did not see a business need to do so,”
he said.
But PricewaterhouseCoopers rejected claims by the Federation of
Small Businesses that the government should provide more assistance
to smaller companies.
“The government is doing quite a lot in terms of providing
guidance, but I do not think securing company networks is a
government responsibility,” said Chris Potter, partner for security
at PricewaterhouseCoopers.
The DTI survey revealed that the number of firms reporting
security incidents over the past two years has fallen from 74% to
62%. But the cost of security breaches has risen by 50%, costing
small companies an average of £8,000 to £17,000 per incident, and
large organisations between £65,000 and £130,000.
Kitemark scheme is expanded
The government has expanded a security kitemark scheme designed
to make it easier for local authorities, police and other
government agencies to make informed IT purchasing decisions.
The CSIA Claims Tested Mark, which was introduced by the
government at the end of last year to accredit security products,
has been extended to cover IT security services.
“Managed services are of particular interest to the public
sector, especially in terms of data sharing within and between
organisations,” said Steve Marsh, director of the government’s
Central Sponsor for Information Assurance, which manages the
scheme.
The kitemark will provide local government organisations with a
menu of products and services that have been independently tested
to ensure they perform as specified, said Marsh.
The CSIA believes that the scheme will also be used by small and
medium-sized businesses when they make decisions about buying
security equipment.
Jim Murphy, the Cabinet Office minister responsible for
e-government, said the scheme would help government bodies achieve
the transformational government targets to improve customer
service.
“It is more important than ever for the public sector to have
confidence in the information security products and services they
acquire.
“The CCT Mark Scheme is crucial in gaining this confidence as it
provides a choice of assured products and services to help us
achieve more joined-up government,” he said.