Network access control will save public money in Nottingham

Nottingham City Council finds a way to manage mobile workers with an affordable network access control product from Sophos.

With multi-agency working very much the order of the day in local government, Nottingham City Council finds itself increasingly playing host to people from different public-sector bodies. Visitors arrive from a range of organisations including the health service and law enforcement, and they expect to be able to work on their laptops and even connect up to their own networks.

Up to now, their choice has been limited because the City Council's networks will only allow access to its own users' computers which it knows have been properly configured and equipped with the right security. Allowing unchecked computers to connect was just too risky, according to Dan Smith, the Council's principal network and security officer. "Our network contains sensitive data about hundreds of thousands of citizens, as well as confidential information about various government projects, so security is absolutely critical," he says.

The result has been that some Council buildings have several dedicated connections to each of the outside agencies, which as Smith says, is a waste of public money.

But now he is about to introduce a new system that will allow visitors to work safely on the City Council's networks and access their own systems without a problem. Smith is currently in the final phase of testing a new network access (NAC) system that should start to be rolled out by the end of April, and which will provide the mixture of flexibility and security he needs.

Supplied by Sophos in a £250,000 deal covering not only NAC but also email security, the system will allow the City Council to provide access to anyone with a PC, provided it meets the requirements laid down in the NAC policy guidelines. In practice, that means having up-to-date anti-virus running, security patches and a firewall installed, and no forbidden applications, such as P2P file-sharing.

Smith says the system will not only provide security and flexibility for users, but will also make better use of public money by removing the need for each outside agency to have a dedicated outside connection.

"At the moment we could have up to four different network connections in some of our buildings," says Smith. "There is no reason why primary care trusts and other agencies should not use the office with their PCs, as long as they are pre-configured to a standard, and be allowed on to our network. They can use our network to get back to theirs, still with firewalls in place to control access, so there is no danger of losing sensitive information. This is a move towards shared services and joined-up government."

At the moment, the system is running just in the IT department with around 100 users testing its capabilities. So far, the deployment seems quite straightforward, says Smith, and he plans to start moving it out to departments by the end of April, with the ultimate aim of providing protection to 7,000 users across the City Council's 180 networked sites. A future release of the Sophos NAC will provide new features such as USB port control, and Smith is also keen to start using that as soon as it becomes available, to manage and monitor what gets copied on to portable devices.

In a later phase of the project, in a new City building, he plans to have hot-desking facilities for different public-sector workers, all sharing the single network infrastructure.

Smith says he talked to a number of NAC suppliers but went with Sophos mainly on price. "Other vendors were asking a lot more money. We were offered a very good deal," he says.

He says his business case went beyond what benefits the City Council would derive. "My case was that it would be a money-saver for all of us in the public sector. For any network connection, you're looking at 15 to 20 grand over a five year period, so just getting rid of three dedicated connections would save £60,000 of public sector money."

As part of the project, the whole of the council will soon move to a single Microsoft Active Directory (it currently runs multiple Microsoft and Novell directories), and that means everyone will come under a single global structure that can be centrally managed and that will provide an audit record of who logged on and what they did.

Smith concedes that details of how guest access will be distributed to visitors, especially to the police who "are proving a slightly tougher nut to crack", still need to be ironed out, but as far as the technology is concerned, he is confident it will make network management and security a lot easier.

Read more on Endpoint security