I was pleased to see that the Government Digital Service (GDS), via the Technology Leaders forum, has made its position clear on the “internet versus Public Services Network” (PSN). However, this is not a “one-size-fits-all” issue.
The digital environment has certainly matured from when the PSN was conceived and the opportunity for the public sector to use low-cost commodity cloud services must be seized with both hands. The need for public services to become more agile has shifted data away from the PC in an office towards mobile platforms, with tablet and smartphone usage reaching record levels.
With the move away from the centralised core network government services traditionally carried by the PSN five years ago to cloud-based services now, a new communications architecture is needed.
Meanwhile, IT security is evolving. The remaining bastion was whether you could trust the internet more than the traditional closed-community wide area networks (WANs) that were offered by the PSN, N3, Police National Network (PNN), and so on. Accompanying guidance from GDS on how to improve the information assurance available within services from suppliers and consuming organisations alike has been welcome in this regard, as this has enabled transparency on key risk areas within the use of cloud services.
Indeed, the Cloud Security Principles and the resultant PSN Service Security Standard have brought these areas into sharp focus. I’d say they have certainly worked on the supply side, with the larger cloud service providers (CSPs) such as Google, Microsoft and Amazon Web Services moving their operations to the UK. Aligning government guidance with established enterprise practices is the way ahead, and the wholesale move of the public sector to cloud services, such as Google Apps for Work, has not resulted in a breach.
But, as GDS said: “Of course, it’s not going to happen immediately. Organisations that need to access services that are only available on the PSN will still need to connect to it for the time being. They will need to continue to meet its assurance requirements, and in fact they should make use of the practices it covers when reviewing all their core IT.
“But from today, new services should be made available on the internet and secured appropriately using the best available standards-based approaches. When we are updating or changing services, we should take the opportunity to move them to the internet.”
This shows that the assurance requirements the PSN places on organisations are to be kept, not only for the PSN connection itself but across the whole of each consuming organisation, so that a sharp focus on security is retained.
Is the internet understood?
The issue, therefore, is not one of IT security, but service assurance. Looking at the network principles, we can see the various wireless and wired connectivity options available to an increasingly mobile marketplace that are commonly called “the internet”. The guidance is well thought-out and describes the planning challenges when defining the user need, namely:
- what business services your users depend on
- what network services they rely on to access them
Documenting your needs across different networks for:
- class of service (CoS)
- quality of service (QoS)
In short, the challenges are to define what the service requirements are within an increasingly cloud-based supply chain and diverse connectivity methods.
Service assurance regime
The PSN was a network platform designed for legacy assurance approaches, yet it still recognised the need for a consistent approach within a multi-supplier network. The lessons on customer experience and service assurance learned from creating the PSN played a huge part in the industry engagement with NHS Digital in creating the Health and Social Care Network (HSCN).
The HSCN has been created with SME internet service providers (ISPs) in mind, aligning to the established CESG Assurance Service (Telecommunications) scheme (CAS(T)) run by the National Cyber Security Centre, with options ranging from an entry point of self-assertion, while still meeting the minimum CAS(T) requirements, through to full CAS(T) certification. This approach was crucial, as CAS(T) is designed from the outset to provide high-availability services built to the enterprise IT security requirements of ISO/IEC 27001:2013.
Not only has the HSCN been built to these requirements, but it has also evolved from the operating model of the PSN to ensure that the foundation for inter-supplier co-operation is created.
This is fundamental as disruptive network technologies, such as software-defined networking (SDN), gain traction, and as recent widespread outages of cloud and digital services have shown. The cloud itself is not the issue, but the lack of information available to customers about their supply chains means that you can’t tell whether your suppliers are all relying on a single CSP.
Platform for digital government
So, how can industry and the public sector work together to deliver the network platform for government?
The challenges are compounded by the rise of unknown information held within ever-growing blocks of data (known as dark data): current studies estimate that 59% of the information within organisations is stored and secured without the organisation knowing whether it needs to be. As a result, public sector consumers will find it difficult to determine what their needs are at the application level, and will be tempted to revert to the network level as a common denominator.
With uncertainty surrounding the UK’s exit from the EU and adoption of the General Data Protection Regulation (GDPR) in May 2018, how can consuming organisations be sure their investments are sound and their needs are being met?
There is a need for guidance for consumer and supply organisations alike that transcends the current cyber approaches and allows communities of trust to be created, based on information management and the resilience of services. Such guidance would make it possible to leverage the application and network guidance from GDS once the information management challenges are addressed, and to unlock the existing investment made in the regional public sector WANs – built to PSN standards for resilience – that already deliver wired and wireless internet services.
These communities of trust can align to the mature information management frameworks from the legal frameworks that exist within the UK, and not just the data protection ones.
So is “OK” good enough when talking about the network and internet connectivity? It may well be for some services, but I’d wager that frontline public services require a level of service assurance that will not be found in all internet connectivity.
However, answering the question fully relies on the consuming organisation following the GDS network principles and requires more guidance on risk and governance. I look forward to debating this further at our roundtable event on 9 March 2017 at the Institute of Directors. If you would like to join me and other public sector thought leaders at this debate, then register here.