Securing joined-up government: the UK's Public Service Network (PSN)

A common mantra of the New Labour administration that governed the UK from 1997 to 2007 (when the ‘new’ was all but dropped with the departure of Tony Blair), was that Britain must have more joined-up government. An initiative was kicked-off in 2007 to make this a digital reality with the launch of the UK Public Sector Network (PSN, since relabelled the Public Service Network).


Back then digital reform, data sharing, sustainability and multi-agency working were all top of mind. However, an effective PSN also makes it easier for smaller suppliers to participate in the public sector market place, an issue which interested the Coalition government that replaced Labour in 2010 and its recent Conservative successor. This saw the government focus shifted to public sector spending cuts and a desire to break up mega technology and communications contracts into smaller chunks.


In short, the PSN is a dedicated high performance internet for the UK government, a standardised network of networks, provided by large service provider such as BT, Virgin Media, Vodafone and Level 3 Communications and a host of smaller companies, keen to get in on the action. The PSN architecture is similar to the internet but separated from it with performance guaranties. Separate, but not isolated, how else could citizens be served?


Information sharing via the PSN is controlled, the aim is to be open when appropriate but secure when necessary. One objective is to reduce the reported instances of data leaks. According to the UK Information Commissioner’s Office (ICO) Data Breach Trends, in the last finance year there were 35 report breaches for central government and 233 for local government, the latter only being beaten by healthcare with an atrocious 747. That made government organisations responsible for about 15% of all incidents (excluding health, education and law enforcement).


An organisation wanting to access the PSN must pass the PSN Code of Connection (CoCo), an information assurance mechanism that aims to ensure all the various member organisations can have an agreed level of trust through common levels of security.


Advice on compliance is laid out by the government on the PSN web site and advice is also available from Innopsis, a trade association for communications, network and application suppliers to the UK public sector. Innopsis was previously known as Public Service Network GB (PSNGB). Innopsis helps its members understand and deal with the complexities of the public sector ICT market, especially with regard to use of the UK’s Public Service Network (PSN).


The PSN rules include making sure the end-points that attach to the network are compliant which means they must be managed in some way (i.e. ad hoc bring-your-own-device is not allowed). Example controls include; ensuring software is patched to the latest levels, preventing the execution of unauthorised software, deploying anti-malware and using encryption on remote and mobile devices. A PSN member organisation can have unmanaged devices on its own network, but this must be clearly and securely separated from the CoCo compliant sector of the network.


Innopsis was represented by its chairman, Phil Gibson on a panel facilitated by Quocirca at InfoSec in June 2015, which looked at secure network access in the UK public sector. Also on the panel was the ICT Security Manager for the NHS South East Commissioning Support Unit (CSU) talking about a project to roll out the Sussex Next Generation Community of Interest Network (NG-COIN); one of four Linked WANs that South East CSU manages.

NHS organisations currently use another dedicated network called N3; however, this is being replaced by a PSN for healthcare, which is to be labelled the Health and Social Care Network (HSCN).  The Sussex NG-COIN involved 30,000 end user devices across 230 sites with anything from 1 to 5,000 users; many of the sites required public network access. There are 15 different organisations using the NG-COIN with varying security requirements and thousands of applications containing sensitive clinical information.


The old COIN relied on an ageing and ineffective intrusion prevention system (IPS). With NG-COIN this was replaced by a network access control (NAC) system. The cost difference to the 15 user organisations was absorbed as a security line item cost, which they were already accustomed to.


ForeScout’s CounterACT NAC system was selected in 2013. It proved to be fast to deploy, 95% of the network was being monitored within one week. It was compatible with all the legacy networking equipment from a range of vendors including Cisco, HP and 3Com (now owned by HP). The system provided flexibility to define policies by device type, site owner, user type, etc. and was integrated with the existing wireless solution to provide authenticated guest access.


CounterACT also fulfilled reporting requirements providing complete information about access and usage across the whole network; what, where, when and who from a single console. It also provided the ability to automatically block access to non-compliant devices or limit access based on usage policies.


These are all issues that any organisation needs to be able address before attaching to the UK PSN. NAC provided Sussex NHS with a way to ensure controlled and complaint use of its network that any organisation wanting to attach to the UK PSN compliantly could follow as an example.