https://governmenttechnology.blog.gov.uk/2016/02/22/sensible-email-security-2/

Sensible email security

In December we told you how we are trying to make technology work for government. To discover how best to solve our common issues, the technical team have been working with our colleagues across government and suppliers.

One issue consistently raised was email security. We’ve tackled this together to find not only a solution, but one with strong benefits as well.

The people we’ve worked with

Government has some really big data owners like HMRC and DWP. We also have experts in security like CESG, and a broad range of scale and technical capability in central and local government.  

Initially we talked to as many people as possible to find out what they did, what they needed, and what would work for them. We also talked to experts in industry, including email service providers, and specialists in email security and trust.

Some of these people joined our discovery and provided valuable information and insight. For example most government organisations operate two parallel email services with complex configurations routing via the PSN and the internet which means it can be difficult for organisations to trace their full email security stack. 

The main requirements of a new design were:

  • is what I send secure in transit?
  • is it properly protected when it gets there?
  • how will I know the two needs above have been met?

In addition organisations adopt change at different speeds. The ones that move first need to know they won’t be left out in the cold and asked:

  • will people still email us?

What we discovered

Departments need to work together securely.  Having a secure network such as the Public Services Network (PSN) allows them to share and publish services without having to worry too much about protection from the wider world.  The network even includes commercial organisations providing services to government.

Three organisations exchange information inside the PSN. Creative commons attribution. Nick Woodcraft.
Three organisations exchange information inside the PSN.
Creative commons attribution. Nick Woodcraft.

But the nature of technology in government is changing. Email is very much a commodity service. It's well established and understood, and the technology used is fairly homogeneous and mature.  Every organisation uses it, and all in much the same way.

And, like other common applications, email has moved to the cloud, bringing with it the benefits of reduced cost, improved reliability, and continuous improvement.

While the new security classifications have allowed a lot to change in the last year, many organisations are still catching up. Government is keen to move to cloud-based email services.  Some departments already have, but security is still a big concern, and we can no longer depend just on the network for protection.

Two organisations inside the PSN exchange information with an organisation outside the PSN Creative Commons Attribution. Nick Woodcraft.
Two organisations inside the PSN exchange information with an organisation outside the PSN
Creative Commons Attribution. Nick Woodcraft.

What we did

Our research told us we needed three things:

  1. encryption
  2. verification
  3. assurance 

To meet these needs we’re using open encryption and verification protocols and a combination of a monitoring tool and existing assurance.

Organisations inside the PSN exchange emails with organisations outside the PSN using TLS encryption and DMARC verification. Creative commons attribution. Nick Woodcraft.
Organisations inside the PSN exchange emails with organisations outside the PSN using TLS encryption and DMARC verification.
Creative commons attribution. Nick Woodcraft.

Encryption

Several encryption standards exist, but only Transport Layer Security (TLS) has the high adoption and low burden on the end user needed.  TLS protects email in transit between email services, and we are telling government organisations to use policy to ensure it is used in any email exchanges over the internet including, as far as possible, when talking to people outside government.

Our HMRC colleagues highlighted the need for clear guidance on implementing TLS to make sure it provides the proper security. This has been answered by CESG who maintain a list of preferred cryptographic profiles and have recently published guidance on TLS to support its use in government.

Verification

Preventing spoofed or phishing emails is key for providing greater confidence that an email is genuine. HMRC are leaders in this area, and have published a white paper on combating email fraud. They are supporting our approach to provide verification by Domain-based Message Authentication, Reporting and Conformance (DMARC).

DMARC uses a combination of open standards like DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF), and reporting to help an organisation understand how it’s email domains are being used or misused. It also allows you to set a policy telling other organisations how to treat email that does not appear to come from you.

DMARC is widely implemented in banking and online services, and the National Crime Agency is working with industry to use it for fraud prevention. We hope that by using it in government we will encourage its adoption country-wide.

Assurance

When you send or receive an email you don’t get any indication of how it was sent, and the people looking after the servers get limited information. Although TLS and DMARC are widely supported open protocols, the nature of the Simple Mail Transfer Protocol (SMTP) on which email is built makes it difficult to get assurance about their implementation.  

To provide this we are building a tool to monitor TLS and DMARC use across government, providing a way to check if a service is secure.  It will give you a dashboard of the domains in your organisation, a way to check whether an email sent between two domains should be secure, and a whitelist of domains that are setup securely.

The tool is already in alpha and going through user testing.  We’re making it available to a limited number of people this week to help iron out any issues before going live.  Contact CTS if you’d like to be involved. Once we’re happy it works as intended we’ll make it available to everyone in government and open source the code so it can be reused and developed elsewhere.

The output

By collaborating across government we’re not only setting a standard for what email security should look like, but one that is interoperable and easy to use.

We’ve published a detailed guide that explains more about what government organisations need to do to securely send and receive email over the internet. It also provides guidance on legacy domains, such as gsi.gov.uk and gcsx.gov.uk.  We’re also updating the email gateways and filtering on the PSN to ensure the standards we’re setting are supported inside and outside the network.

Making the changes needed will vary by organisation - common cloud-based email services have all the options available out of the box - but where organisations need help we’ll work out the best way to provide it, through documentation and advice.

The goal is for all government organisations to meet this standard and implement it as soon as is practical. We’ll use the assurance tool to monitor implementation and see what other activity we might need to support this change.

The benefits

The benefits of using the secure email standard are clear. Government organisations can continue to work together securely, but will also have assurance that they can safely exchange email with people outside of government too -  without needing to connect to a special network or do any government-special configuration to do it.

But it goes further than that with reduced costs, increased flexibility, and access to better tools for end users.

You’ll be able to follow our work on this blog and GDS main blog. Departments and agencies interested in collaborating with CTS can contact us via contact.cts@digital.cabinet-office.gov.uk

20 comments

  1. Bob Smith

    Gmail introduced TLS checking a couple of weeks ago, with the red padlock symbol.

    Gmail also checks dmark validity - it is a heavy indicator in whether it is spam or not.

    Why not just get them to fill in any gaps that you need? Is it because GDS loves building cutting edge things?

    Link to this comment
    • Nick Woodcraft

      Hi Bob,

      Thank you for your comment.

      The Gmail functionality you mention is great and helps users of that service. The sender still needs to have TLS and DMARC setup for it to work though. Government uses a variety of email services so a single vendor can't do it alone. Improving email security is something every organisation should consider, and we've set out some simple guidance on how to do it.

      Link to this comment
      • Mark Van-Kerro

        So is it the case

        GMail using a GaFW set-up, utilising SPF, DKIM and DMARC. As well as enforcing TLS in conjunction with white-lists meet the requirements.

        A further option utilising a secure addon like virtru for full secure delivery would also add a benefit.

        This would make a transition very easy.

        Regards

        Link to this comment
        • Nick Woodcraft

          Hi Mark

          You need to setup the encryption and anti-spoofing as described, and use our assurance form (linked in the implementation guide) to show you're running your email service in a sensible way.

          Thanks
          Nick

          Link to this comment
  2. Eugene Victor Tooms

    Worth being really clear about the limitations of this.

    This is not end-to-end encryption. That means your messages may be travelling, or stored, in the clear on their journey between the sender and recipient.

    I deal with this daily with users having a false sense of security from "gsi" and "TLS".

    Mandatory TLS is just a good measure - like not keeping your front door wide open. But it's not the same as closing all doors and windows.

    Link to this comment
    • Nick Woodcraft

      Hi Eugene,

      Thank you for your comment.

      You are right to highlight that this forms part of a wider security issue. We are providing guidance for email data in transit that we expect to be augmented by additional security measures. These measures will vary depending on the risks and threats an organisation is subject to.

      Link to this comment
  3. John Hope

    Great to hear that HMRC are leaders in email security. Perhaps they could investigate why Gmail marks their emails as "dmarc=fail"?

    Link to this comment
    • Nick Woodcraft

      Hi John,

      Thanks for the comment.

      HMRC have told me the following:
      'We are doing a lot of work around email security unfortunately the technology we have at the moment does not make DMARC possible, but we will be moving to a new service shortly and will be implementing DMARC as soon as possible.'

      Link to this comment
  4. Gerrit Berkouwer

    Great initiative! Here in The Netherlands we aim for the same standards, also from within Government, where most of these standards are mandatory to use. There is also a test tool developed here:
    https://en.internet.nl. Here you can test for website and e-mail standards.

    Link to this comment
  5. Chris Um

    Does this mean that GDS have now taken over writing security guidance for the public sector from CESG?

    Link to this comment
    • Nick Woodcraft

      Hi Chris,

      Thanks for your comment.

      CTS develops common approaches to help departments implement common technology. The secure email design pattern is an example of this. We work continuously with CESG throughout the design process to make sure that any designs we create are in line with CESG security guidance.

      Link to this comment
  6. Ally Miller

    I have read your blog and information on your blog is helpful for me.Thanks so much for providing such information for <a href="http://secureonsitesecurity.co.uk/">Security Agencies</a>.

    Link to this comment
  7. Peter Grogan

    I work in Information Governance for a large County Council. We are aware that GCSx mail is coming to an end. How will we now be able to assure our partners in NHS (.NET) , Police (.PNN), MoJ (.CJSM) and others (GSi etc) that our email is secure when we lose the suffix GCSx.

    Partners are not able to use our alternative encrypted solution EGRESS as this involves installation of software.

    We are aware of mandatory TLS as an approach but how will the hundreds of prospective domain partners be made aware of this and how will secure encrypted connections be verified senders and recipients.

    Regards

    Link to this comment
    • Nick Woodcraft

      Hi Peter,

      Thanks for your comment. You will be able to continue using your .gcsx.gov.uk email domain elsewhere as long as you follow the blueprint and run the email service in a secure way. We can provide access to a tool that will help you secure connections to verified senders and recipients.

      Link to this comment
      • Sam

        Hi, we are in the same boat in that we use GCSX email over PSN and that is coming to an end in March. We want to know how we can implement this in office 365 and if we can use standard office 365 email domain for sending and recieving "OFFICIAL" classified emails, please advise

        Link to this comment
        • Nick Woodcraft

          Hi Sam,

          Yes - it is very much the intention that you switch to cloud-based email services for all your email. We don't endorse particular providers Office 365 supports the encryption and anti-spoofing covered in the guidance and NCSC have published some good help on configuring it in a sensible way. I'll email you directly with some more detail.

          Nick

          Link to this comment
  8. Steve Jenkinson

    Are police forces within the PNN able to consume those cloud services for email yet? I hear conflicting information as to whether PNN has approved the use of Office 365 for example, and wondered if this was linked to your guidance here. Do you see any reason why those PNN forces could not start to use those services?
    Steve

    Link to this comment
    • Nick Woodcraft

      Hi Steve

      Thanks for your question. UK Policing is currently piloting the use of public cloud services including aspects of Microsoft Office 365.

      Link to this comment
  9. David

    I work for a local authority that has a PSN connection. Is it envisaged that we would still maintain two email gateways? One is connected to the Internet for regular email and we have another that routes gcsx.gov.uk down our PSN connection.

    Or would we be removing the PSN email gateway and just pushing everything in/out over our Internet email gateway?

    Link to this comment
    • Nick Woodcraft

      Hi David, thanks for your question. If you implement the secure email guidance and pass the assessment you can remove the PSN email gateway and use your internet gateway for all your email.

      Link to this comment