The Scottish Wide Area Network(SWAN) recently left the Government Secure Internet Convergence Framework(GCF). We moved to a new email service, cut IT costs and improved trust in our network by implementing the secure email guidance from Common Technology Services (CTS).
What is SWAN?
SWAN is Scotland’s Public Services Network (PSN) and we’re leading a Scotland-wide push for a secure email solution across the public sector and associated organisations.
SWAN is a trusted network, so changing how our email functioned required us to listen carefully to our users and give them something they will continue to trust.
We spoke to lots of information owners, and found they wanted to be confident that:
- emails are secure during transit whether they’re sent via a trusted network or the internet
- emails are properly protected and handled by the recipient
- they will still receive emails that are vital to their business regardless of when they are able to adopt the changes
Protecting the SWAN
To answer our users’ concerns we used the CTS guidance on securing government email. It shows how public sector organisations (and third sector partners) can implement a secure email solution as an alternative to the current national services, and improve their existing email security.
The approach can be implemented on existing in-house email solutions or support the shift to cloud based email.
The guidance includes the following technologies:
- Transport Layer Security (TLS) – to encrypt the emails in transit
- Sender Policy Framework (SPF) – a published list of valid sources for your domain’s email
- Domain-based Message Authentication, Reporting & Conformance (DMARC) – let’s you set a policy and get reports back on when your email comes from
- Domain Keys Identified Message (DKIM) – digital signing to verify the email source and protect from tampering in transit
By using this we could provide assurance to each organisation on SWAN that there is:
- encryption to protect email in transit between email services. This is particularly important for emails that transit an untrusted network or go to organisations outside of the public sector.
- anti-spoofing to ensure emails are genuine and to prevent spoofing or phishing email attacks.
- assurance from the domain monitoring tool that your email service is configured and runs securely. It monitors TLS and DMARC use across government and the wider public sector and checks if a service is secure. It is being made available to anyone who needs to check whether email systems utilising TLS and DMARC are as secure as possible.
Assurance can also be provided by organisations who use the SWAN and/or PSN email relay service through their compliance to the PSN and SWAN Code of Connection and SWAN Connect Agreement (if an organisation is already PSN compliant).
We’re defining a draft process to provide information assurance for cloud-based email services. This will make sure the email service is delivered and managed securely according to CESG guidelines. Information gathered by these processes will provide and maintain a list of subscribing organisations and confirm that their connections are encrypted, verified and have evidenced a secure email service.
Finding a way of protecting the SWAN email service does come with some challenges. For example, the Simple Mail Transfer Protocol (SMTP) is like a ‘relay race’. You can only confirm the recipient accepts TLS if you connect via a single hop: sender to recipient. If there is more than one hop, then you lose the end to end view. If the guidance is implemented correctly there is a greatly reduced risk of this happening. This risk will reduce further as the guidance is iterated and improved.
There is also the human factor at the receiving end. It is the responsibility of Information Asset Owners to ensure that information handling is suitable for the entire lifecycle of the asset. Information Sharing Agreements should still be used and detail security arrangements appropriate for the classification of the asset. We cannot solely rely on technical security.
While reducing risks and increasing security are practical goals, there have been additional benefits. So far we have:
- reduced the need for commercial licences normally required to enable a secure email service
- seen widespread adoption of TLS across email suppliers: Fife Council found that 93% of all council emails were being encrypted automatically to partners, third sector and citizens
- found that implementation prevents organisation domains from being spoofed and used as a source for malicious activity
- reduced our reliance on expensive low bandwidth PSN circuits: we found that the Scottish Government could save approximately £60,000 per annum by using the SWAN Mail Relay for the same purpose
The guidance also supports the more rapid adoption of cloud based email services by removing the link between the domain name and security level.
For adoption to happen across the Scottish public sector we needed the email guidance to be included in the SWAN secure mail relay design. This will enable SWAN users to securely send and receive email, with the advantage of it being a managed filtering solution.
Our designs need approval from GOV.SCOT which requires the guidance to be presented to the Technical and Design Board (a cross public sector group in Scotland responsible for the development and adoption of national ICT solutions). They want to see the guidance as a ‘national’ standard and to have it included in the High Level Operating Framework (a document which describes the agreed procedures, processes and standards coming from the board).
The guidance has also been presented to NHS Scotland via the NHS Information Security Forum. NHSmail2 have implemented the solution, and NHS trusts are being encouraged to adopt the standards for their own email domains.
Showing the way
Fife Council, one of the leading partners in the project, was one of the first to implement the guidance and worked with CTS to test the solution. They will be giving us a detailed look at how they implemented the guidance in a separate post, but here is an overview. We found that:
- the guidance is clear, logically structured and easy to follow in conjunction with the Domain Information Tool
- the standards and technologies required (TLS, SPF, DKIM, and DMARC) are common across modern email solutions, both in-house and hosted, for example in NHSmail2, Office 365 and Gmail
- the guide describes how to configure an existing email service with no requirement to add infrastructure or replace email platforms
- we needed a third party reporting tool to properly analyse DMARC reports
- the domain information tool was very useful and easy to follow and takes you through your own domain configuration
- the tool lets you check other domain status and updates a whitelist that can be used to make routing decisions in email systems, for example to force TLS to domains that accept it
Fife Council’s findings were presented to the Scottish Local Authority Security Group (SLAISG). As a result 10 more Scottish councils have requested access to the GDS Domain Information Tool to aid the secure email implementation.
Tell us your experiences
Andrew Williamson is the SWAN Programme Manager in the Office of the Chief Information Officer in the Scottish Government