https://governmenttechnology.blog.gov.uk/2015/12/08/security-says-no/

Security says no

One of the most frustrating things we both hear is "you can't do [insert IT thing here] for security reasons." These mysterious “security reasons” often stem from the misconception “CESG guidance says we can’t…”

We know we’re not alone - it’s clear from the workshops on making Government IT better that our colleagues elsewhere in the public sector are also used to hearing this. Computers that take an age to boot up due to multiple security applications; internet access that blocks vast numbers of sites; restrictive lockdowns on smartphones that sometimes make them more like bricks than the productive devices we have at home. All because of “security”.

We don't want security to be seen in this way, or to have this impact on how we use technology in the UK public sector. A smarter approach to security helps us all. It means we're not trying to work around confusing rules, or struggling with complex security systems on our computers when we're trying to work. It also means we can work in different ways, using social media for example, or building innovative apps to deliver our services.

We want to challenge the dangerous misconception that good security practice is at odds with technology innovation.

It’s all about balance

CESG and GDS have been working closely on this. We want the right security in the right places - living up to our duty of care to look after the data citizens trust us with doesn’t mean we have to have unusable technology!

We want to get the balance right, and allow informed risk management to occur around the use of technology, particularly at ‘OFFICIAL’ level. Security at OFFICIAL is achieved through following good commercial practices, using well configured commodity technologies, and by people taking personal responsibility and using their judgement to look after information.

For example, we knew our previous approach to End User Device security wasn’t right. Certifying a limited number of devices was time-consuming and meant a very restricted set of options with barely usable configurations.

So we published the Platform Security Guidance covering common devices such as laptops, desktops, tablets and smartphones for use at OFFICIAL. Rather than turning all the security dials up to “11” we’ve tried to focus on the minimum set of configurations needed to make these devices suitably secure but still usable.

We’ve done something similar for cloud services, and for Bring Your Own Device – all part of a new approach to managing information risks pragmatically and effectively.

We have also released guidance for System Administrators considering their password policies; a reminder that making passwords increasingly complex and hard to remember doesn’t necessarily increase your overall security.

A default ‘no’ doesn’t equal good security

We think that many of the problems we observe as a result of "security" are actually symptoms of ineffective risk management processes within organisations, which default to saying "no". We want to help organisations to get better at thinking about security and technology and have better results for the end user.

We want to ensure that security guidance evolves in-step with technology advances, so that as new technology becomes available, the UK public sector is ready and able to quickly take advantage of it, with good knowledge of any security risks and benefits it brings.

Security needs to be about helping organisations and individuals achieve what they need to get done, as safely as possible, not about stopping things from happening. We both know there's a lot to do. Along with our colleagues at CESG and GDS, we’re committed to making things better.


7 comments

  1. Comment by Roy Hair posted on

    Security might not say "no", but it often says "not without..." and the list of mitigations that need to be put in place can scupper an enthused team trying to deliver an innovative approach. To have to negotiate the often torturous route of obtaining buy-in and go-ahead for flying a small kite that may, just may, have the potential to make things better can be a burden that prevents any progress in the course of the busy days. Trying to convince the various levels of executives, the IT security gatekeepers, the business colleagues, the information governance guys and your own peers to take time to R&D and test a new approach against a background of security fears can be a long-drawn-out and tiring journey, only to be embarked upon by the very resilient of spirit. And then a budget has to be obtained to implement new security software or hardware solutions to wrap around the fledgling proof of concept. It's surprising we get anything done.

    So how to be less risk-averse? I don't know, except to just do it and see!

    On the other hand, the PSN compliance drive over the past two years has brought a much-needed shot of realism to the promises of cloud and BYOD and shared services and consumerisation of IT. There are undoubted benefits to these but also limits and risks that need to be interpreted by leading organisations like CESG, GDS, Socitm etc. to counter the hyperbole of easy, cheap solutions. Risks on single point of failure, lock-in, data governance, de-skilling and lifetime costs... more needs to be investigated around these areas to bring a sense of balance, especially with short-term concentration on savings. Long-term we may have a situation similar to PFI.

    The past two years have seen us too often saying "no". The challenge now is to make all our colleagues understand the framework within which we can advance, the dangers and benefits that allow decisions to be taken and the context / exemplars of scenarios for new technologies - e.g. can email systems or intranets be shared when each organisation is responsible for its own data governance? What constitutes a "record" that must be managed according to legislative rules? What citizen data sets can be combined and shared within an organisation, or across public bodies? Are certain operating systems inherently insecure (Android)? What happens when you want to move from Google cloud provision for Office to MS-365, or back to in-house servers?

    Overall it's a "well done" - I welcome your change of approach, but you're right - more needs to be done.

  2. Comment by Neil Campbell posted on

    It would be great to see some published case studies of this in action to show others what really works.

  3. Comment by philip virgo posted on

    And how about Verify? What does the pensioner who has never been on-line do when they discover that their pension is not arriving because a fraudster has registered in their name?

    • Replies to philip virgo:

      Comment by Rebecca Hales posted on

      Hi Philip

      GOV.UK Verify helps fight the growing problem of online identity theft. It's the first of its kind in the world, and stops someone pretending to be you.

      GOV.UK Verify uses certified companies to check it’s you. As part of the process, users may have to answer questions based on their financial history, or complete a check using photo identification, to prove that they are the owner of the identity that’s being asserted (this is because you know a range of things that someone who has stolen your wallet or fraudulently obtained your passport would not be likely to know).

      The approach is being, and will continue to be, designed to protect people's privacy and put them in control of their data. GOV.UK Verify is built around privacy and data protection standards, in close consultation with privacy groups, consumer groups and subject experts.

  4. Comment by John Godwin posted on

    With the new generation of CESG and GDS security-related documentation being made available, buyers of both conventional and cloud ICT services will welcome this improved guidance. It will certainly help them to ask the right questions during both procurement and IT service management activities, and assist them with better informed and smarter decision making. Let's not forget that all OFFICIAL data is not the same - information at the lower end (formerly IL0, 2) can be expected to be managed, processed, stored and transmitted in different ways to data at the upper end (formerly IL3, 4), and individuals responsible for keeping their organisation's valuable data assets secure will need to understand, identify and implement the appropriate security controls which align with and support the sensitivity of their data.

    Whilst the new GSCP may have changed the approach to information security, there will still be many circumstances where "no" may indeed be the right answer - sending volumes of sensitive personal data across an insecure network or to an untrusted or unencrypted endpoint device, for example, should probably be raising an eyebrow. Information security professionals remain a valuable resource whose expertise and guidance should be encompassing this recently published guidance, allowing them to continue to deliver the best and most pragmatic approach to data security. Whilst it may be the case that some will identify the need to develop their approach so as not to be viewed simply as a blocker to progress, they should remain mindful of their primary role as a trusted and capable resource, making a significant contribution to the protection of data against loss, theft or compromise.

    Information security, therefore, should quite rightly remain one of our most important considerations, and should not be viewed as an easy compromise for achieving project cost savings or expediting the deployment of a new system. Whilst this updated security guidance is indeed very welcome, there remains a need for it to be both accessible to and properly interpreted by key decision makers as soon as possible. Ensuring that the whole spectrum of information security threats and vulnerabilities is identified and properly assessed, including evolving guidance around data protection, off-shoring, the use of encryption tools etc. is a responsibility we all continue to share. It's also a responsibility that the general public, as data subjects, will continue to expect us to deliver consistently and without compromise.

  5. Comment by David Durant posted on

    Thanks for a great blog post. It's always felt to me that one of the really useful first steps would be to create a cross-government community of people who are responsible in each organisation for making these kind of decisions.

    For example, while it's encouraged to use things like Gmail, Trello and Google Drive in Cabinet Office following the CTS work there in 2014, the same sites are often blocked in departments and I have heard stories of people being threatened with termination for using them for work-related purposes.

    It's one highly admirable thing to have a set of standards, but it's another for those responsible for implementing them to be able to query each other about their approaches.

    • Replies to David Durant:

      Comment by Rosie Jessop posted on

      Thanks for your comment, David. You're absolutely right, it's really important for senior decision-makers across government in any area to come together and discuss common approaches to their shared problems.

      The Technology Leaders Network, a forum of CTOs and CIOs from across government, is the place where this happens. The TLN provides a really good opportunity for different parts of government to see what's happening elsewhere in the technology space.

      As you say, common standards are only useful if we can see how they're being applied across government, and that's something we'll continue to focus on.
