The government is officially allowing public sector organisations to introduce bring your own device (BYOD) schemes for employees to access data and applications using their own mobile devices.
The final version of the End User Devices Security and Configuration Guidance policy was published this week by CESG, the information security arm of GCHQ.
The guidance means that, for the first time, local authorities are officially allowed to run BYOD schemes. It places several restrictions on how staff-owned devices must be used, however, and makes clear that CESG would prefer public bodies not to offer BYOD where they can avoid it.
The guidelines state: “What is necessary is that the device is placed under the management authority of the enterprise for the complete duration it is permitted to access official information. Hence, a BYOD model is possible, although not recommended for a variety of technical and non-technical reasons.”
Equally important as the end-user devices policy were the less heralded changes to PSN compliance, which were released last week.
The Public Services Network (PSN) is a public sector "network of networks" for the UK, which intends to connect all public bodies to one secure network while cutting organisations' costs through joint procurement.
The Cabinet Office wanted to ensure that organisations met a minimum threshold of security standards before joining the PSN, so it instigated a process of auditing local authorities' security, with a deadline of the end of the year.
Councils were finding it difficult to become compliant in that time, and Computer Weekly understood local councils were at risk of being disconnected if they missed the deadline.
The most important change to the PSN regulations gives councils more time to achieve the security compliance required to share data across the network.
BYOD and PSN collision
CESG effectively said it would not allow confidential data to be handled on unsecured mobile devices that then shared that data across the PSN. This would have left local authorities unable to access critical Whitehall services, such as the Department for Work and Pensions, for exchanging details of benefits claimants, and would have put any existing BYOD schemes in jeopardy.
Council leaders believe mobile technologies are instrumental to meeting their future goals, and many have pursued BYOD schemes to help meet austerity budget cuts. A recent report concluded 86% of council leaders believe the most effective technology solutions in local authorities are those that support agile and mobile working methods.
The Changing Places – how innovation and transformation is taking place in local government report conducted by Civica and independent think-tank, Localis, interviewed 80 council leaders and CEOs across the country. It also stated 48% of respondents viewed PSN as having the most potential in helping councils achieve their goals.
“This is where two noble strategies collide,” said Steve Halliday, president of the public sector user group Socitm.
Solihull’s BYOD scheme
Many local councils have taken the decision to roll out BYOD schemes in a bid to cut costs.
Solihull council was one early adopter, led by CIO Halliday. In his role as Socitm president he worked closely with CESG to bring in some of the PSN compliance changes.
He said the security audit extension was critical for local councils.
As for the Solihull BYOD scheme, Halliday said he had been in touch with CESG to ensure that the council’s scheme was compliant.
For instance, one of the requirements of the CESG BYOD guidelines is that mobile devices may have to be returned to factory settings before they can meet the security standard.
“It almost becomes donate-your-own-device if you’re not very careful,” he said. “If your device is locked down and you can’t go to certain websites, you can only do a very limited set of things, and if the organisation completely controls it, you have effectively donated it - why would you do that?”
While Solihull won’t be asking its employees to wipe their own mobiles, as the CESG guidance would otherwise require, the council has a reasonable BYOD architecture in place. This is permitted because the council only shares low-risk data over its mobile devices, not high-risk data.
But Halliday said employees may be forced to do so in the future.
“The world keeps changing, and like all solutions we have to keep reassessing and respond with our information security solutions to how the world changes,” he said. “But I believe I have a suitable secure, proportionate solution in place and I’m confident that we will have a sensible pragmatic ongoing dialogue that will help BYOD.”
Halliday said continuing conversations were hugely important to compliance going forward. From the PSN perspective, he has set up a working group, the Local Government PSN Secure Solutions Group, as part of the recent compliance changes.
The working group will also run workshops with members of the business community experienced in information security to share their views on unmanaged endpoints as the technology keeps evolving.
There is already a dialogue happening between the user community and the information security community.
“To an extent the technical information security specialists in local authorities are saying they can deliver a secure solution with BYOD and meet my information security audit requirements,” said Halliday.
“What we need is a forum to enable us to continue to have that dialogue with mutual trust and respect.”