Allowing councillors to have secure remote access via an SSL VPN to Surrey Heath's systems was just the start of a business project which is being extended to council staff and the general public. Julia Vowler reports
Keeping outsiders on the outside might be the easiest way of making an organisation secure from illicit intrusion into its IT systems, but an increasing number of people now want legitimate remote access to those systems. How can IT departments make sure they get it, but without jeopardising IT security?
At local authority Surrey Heath there was a pressing need to allow the borough's 40 councillors to have such remote access.
"We knew we had to do something quickly," says Rita Hall, head of IT at Surrey Heath. "Councillors were dialling in for e-mail but it was taking them between 20 and 40 minutes to download 150-page council documents. The wait made them switch off their PCs. The situation was a tremendous problem for them."
As well as elected officials, Hall knew that some of the 280 council staff wanted the ability to work from home, but with access to the borough's IT systems. On top of that, 2005 is the deadline for e-government when public services must be available online. And all of this had to be done securely.
Surrey Heath opted for SSL virtual private network to provide secure remote access. The major advantage of this, as opposed to an IP-sec VPN, is that it does not require the remote machine to have any security software loaded on to it. All the security is host-side. Client-less VPN means that access, once the user is authenticated, can be from any remote machine, even a PC in an internet caf' or from a laptop.
"So long as it has a web browser - Explorer 5.5 or higher - you can be anywhere in the world," says computer services manager, Brendan Foley. "With the IP package we would have had to install some local software on the clients."
There are about half a dozen SSL VPN suppliers in the marketplace, reckons Foley. "We got demos of four, and narrowed it down. Most of the suppliers are much of a muchness. Some of them recommend RSA encryption, but that was possibly overkill for us," he says.
Surrey Heath opted for E-gap from Whale Communications, which provides a dedicated security server connected to the council's Xchange server.
"E-gap takes our [applications] data into its server, strips off everything except the data, which is passed as a text to the client via a SCSI converter and reassembled," says Foley. "It was a different kind of system, more sophisticated, but easier to user, more secure and more robust."
The council also needed a security product that would fit in with the existing IT infrastructure. "We wanted it to interface with Microsoft Active Directory, which some products could not do, or only partially. Whale can, so it saves us time having to create a separate user list," says Foley.
"We bought E-gap in December. We had been looking since the summer and knew exactly what we were looking for. By October we had drawn up our specification, canvassed what other councils were using, and looked at other products. No one had used Whale, but we thought it worth evaluating because it was a combined hardware and software package that we felt was more advanced, easier to use and more cost effective," says Hall.
"We implemented the project from mid-January. We took delivery of the kit, trained our technical staff, who did a lot of remote testing of the system, had it audited by an independent security specialist, who told us it was 100% OK, and then rolled it out, going live from February," she says.
With councillors also being provided with broadband access - BT found it confusing whether the lines were for home or business use, says Hall - more than half of the councillors already have secure remote access. "We are doing it in three phases: e-mail, e-mail plus their Word and Excel files, then remote access to applications," says Foley.
As for supporting staff who want to work from home, Hall says, "I've just presented my report to the board of directors and it has been approved in principle. It will start from this month, and then we will look at extending it to field workers such as planners and building contracts officers."
The in-house systems that will be remotely accessible depends, says Foley, on which ones are web-enabled. "If the applications are already web-enabled, such as our Oracle Financials, it is quite easy to set up remote access," he says.
Because there are currently no applications where it is critical to provide remote access, it will happen "little by little as we refresh the applications. As we replace them they will be XML-compliant and web-enabled via our intranet."
However, just because an application is web-enabled does not mean it will be accessed remotely. "It is not a main requirement for our councillors to see into Oracle Financials, for example," says Foley. "It is a large, complex system to get information out of, and it is much easier for them to ask someone to find the information they want than get it themselves.
"Most of the demand will be for files and possibly Access. We have not seen any demand yet, say, for the geographical information and planning systems."
End-user training has proved, says Foley, very straightforward. "The end-user is given a URL link to the address of the web server. A screen comes up, the user types in his user ID and password, then requests to download a plug-in module at the first session, which takes a few seconds, and then he can access his e-mails and file attachments. The system looks like a web page so users know how it works and know the look and feel of it," he says.
Once the session has ended, a Whale applet on the client wipes clean anything that may have come down from the server, so that if the access is from a public machine, nothing will remain on it from the host.
When it comes to providing e-government, the need for security is even more evident. The public can already dial in to the council's website and make credit card payments for such things as council tax, but at the moment the payment has to be made via a third-party internet payments service, Girobill.
"We want to be able to integrate payments with our core systems, so security will be of the utmost importance to us," says Hall.
"At the moment there is no link to our back-end systems," says Foley.
Using the E-gap SSL VPN security will allow the public to have direct but secure access to the local authority's systems electronically to pay bills or track planning applications, for example. "The secure payments system is now in testing and is likely to be available about May or June," says Foley.
The case for client-less VPN comes across most clearly when there is a need for public access because it means that the host system does not have to worry about what machine is accessing it. It does, however, raise one of the down-sides of adopting this technology. Although the cost of the project itself "was not huge - the price of a large server - and came in under our tendering level", says Hall, it is the ongoing cost of ownership that needs to be carefully assessed.
"The package is very secure, and very good, and the implementation was straightforward," says Foley. "The E-gap technology was not very expensive, but the cost of licences could be a problem. On a low number of users it is favourable, but as we scale up it becomes increasingly expensive, and this does concern us in the longer term.
On the basis of current usage, "with 100 concurrent licences we are well over capacity, so it is not a problem if all our users log in simultaneously," he says.
"However, the real test will be when we provide public access. The number of licences we have could be a potential logjam. At the moment we are very happy, but if the cost goes up it could affect us. If we wanted we could pull the plug after a year and find another package."
Yet the business case for implementing remote access security is clear, says Hall. Because it is a publicly-funded government organisation, whose computer systems hold so much sensitive information, "We have to be trusted," says Hall. "We can't afford to make security mistakes."
As a matter of course, says Hall, "we always do an independent security audit whenever we make a major change to IT. The need for security is increasing, from more virus protection to upgrading firewalls. There is a security premium to be paid, and it is growing. I would say we spend about 5% to 10% of our IT budget on security. We cannot afford to cut down on security," she says.
But apart from the risk element of not investing in adequate IT security, Hall also sees more positive benefits in the business case for providing remote secure access. E-government should lower costs to local authorities, by automating more transactions. Cashflow can also be improved if payments can be made direct to the council, rather than via a fee-based third-party payments system.
Moreover, if secure remote access can support staff homeworking, "it will save on office accommodation and travelling time, which all goes into the business case," says Hall.
Finally, although councillors were provided with council PCs at home, in future, now that Surrey Heath can do client-less secure remote access, that will no longer be necessary, a saving that, again, can be fed into the business case for providing secure remote access.
As ever with IT security, calculating return on investment is a mix of avoiding negative outcomes, such as security breaches, and enabling a range of positive ones that may not be immediately obvious, but all of which rely on sufficient investment being made in appropriate levels of security.
The business case for secure remote access
Because it is client-less, home workers and councillors do not need council kit to get remote access l Staff working from home means the council can save on office space and commuting time
Remote field workers can stay in touch more easily with the office
It helps the council meet e-government deadlines for providing 100% of services online by the end of next year
Direct payments by the public of bills will improve the council's cashflow, plus avoid paying for third-party internet payment services.
This was first published in April 2004