I was surprised to find that it’s approaching six months since I last posted here. I’ll make sure my New Year’s resolutions include a commitment to do better in 2015…
I think a good topic to get myself back on track is to write something about the working group I had the pleasure of chairing on 9 January, where we looked into the thorny issue of PSN compliance for councils that want to enable access for unmanaged devices (aka Bring Your Own Device). As I’ve blogged before, I think this is a much bigger issue than simply letting users use their own smartphones to access their work systems. Council IT teams need to be able to support a growing range of partnerships with external organisations, including voluntary sector and community groups, many of whom are likely to use their own IT kit, and it’s essential that our security arrangements strike the right balance to avoid creating unnecessary barriers to delivering local services.
I felt that we made positive progress in getting to grips with some key issues and agreeing how we can work together with the Government Digital Service to find solutions to these. Some aspects felt more encouraging than others, but all in all I’m feeling increasingly optimistic.
First, a disclaimer:
- This is not an ‘official’ statement on behalf of anyone; it’s just my take on the discussions last week.
- The event was held under the Chatham House Rule (I checked — there’s only one! http://www.chathamhouse.org/about/chatham-house-rule#), which is why I haven’t referenced any specific details from the councils who attended the workshop.
What was the event about and who was there?
The event was well attended, and encouragingly included representatives from across local government, including districts, counties, and unitaries from across the UK. You can find an outline of the day here: https://lgaevents.local.gov.uk/lga/frontend/reg/thome.csp?pageID=10333&eventID=38&eventID=38.
In the morning, we held a closed session for local authorities to share practice and discuss our concerns. We used this to shape the agenda for the afternoon.
And in the afternoon we were joined by representatives from the Government Digital Service PSN team and PSNGB (the suppliers’ organisation). We put the questions that we had developed in the morning to them, and this stimulated a lively debate.
The event wasn’t expected to come up with all the answers (and it didn’t!), but we did get some useful clarifications and agreed some follow-up activities which will now be taken forward using a ‘task and finish’ approach. We also discussed a broader range of issues than just unmanaged devices (possibly an indicator of poor chairing on my part!), and this gave us the opportunity to get some useful clarifications on other aspects of the PSN’s direction.
How did the discussion go and what happens next?
From the work we did in the morning session we identified four main areas which we wanted to focus on during the afternoon. These were:
1. How will the future direction for the PSN connect with other compliance requirements, in particular health and the Police?
It was generally agreed that from a local authority perspective we often find ourselves having to take account of very different information assurance approaches and different interpretations of standards such as the new ‘OFFICIAL’ marking scheme. This can result in highly complex ways of working in order to meet the requirements of our various partners.
This was a tricky question for the PSN team to answer. They don’t have jurisdiction over many of the organisations involved, so finding a way to join things up is going to rely on collaboration rather than edict. They asked us to let them know where we come across these challenges, so we need to use our existing networks (for example WARP and regional SOCITM groups) to feed those through.
This will continue to be an area of focus for the Local Government Association’s PSN programme board, which is working to make sure that local government is part of influencing the direction for Information Assurance that our partners take. Given how complex this is, I don’t think that this is going to be a quick fix, so we’ll also all need to continue to work with partners at a local level to find ways to enable sharing of information, and share good practice to help others do the same.
2. Will the PSN take account of the needs of local government and the partnerships we rely on as they develop their compliance requirements?
The response to this was encouraging. We were given a clear statement that the PSN approach will be adaptive to reflect the different types of organisation that need to connect. Larger organisations will be expected to demonstrate a greater level of maturity in their information assurance arrangements, and smaller organisations will have a lighter touch. This was good to hear, and in my view demonstrates a big step forward from the days of ‘zero tolerance’ in 2013.
3. What are the implications for councils from the changes to the PSN Code of Connection which have been announced recently, and how can we make it easier to get consistent advice on acceptable ways of enabling access for unmanaged devices?
Throughout the discussion the PSN team put a lot of emphasis on listening and collaborative ways of working, and it’s clear that they are hoping to engage in a very different way to the ancien régime.
In terms of the high level approach, we were given a clear steer that the notion of ‘PSN originated data’ is definitely gone. In the future the PSN controls will focus on managing risk to the network, and data owners will be able to make their own risk decisions in terms of the ways that data is made available. The key point is that where you are sharing information you need to be clear about what the data owner considers acceptable, and abide by their requirements.
In my view this is a welcome change, but it does have the effect of making things more complex (which is ever the way with a more pragmatic approach — and in my view is preferable to the alternative of ‘levelling up’ to whatever is needed by the most risk averse organisation). We will need to work together to figure out a way to make sure that advice to authorities is consistent.
In terms of specifics, there’s still a lot of detail which needs more work. For example, a question asked by several attendees was whether ‘container’-based solutions for providing access using unmanaged mobile devices would be acceptable for PSN connection if your whole network is in scope (i.e. you have a ‘flat network’). The current answer seems to be ‘no’, as CESG advise that these types of solution pose an onward risk back to other connected organisations. This was subject to some discussion, and it’s clear more work is needed to establish what will and won’t be acceptable to the PSN.
But we did get clarity that there are acceptable ways of providing flexible access while also complying with the PSN Code of Connection requirements. For example, thin client desktop access with no data on the end user device is in principle acceptable, subject to making sure that the design meets the PSN security requirements. And the PSN team will also be happy to review designs before they are implemented to advise on whether or not they will be acceptable.
We agreed that a good way to take this forward would be to establish a ‘library’ of approved solutions. This mustn’t be restrictive, as technologies are changing rapidly, but it will help councils make sure that they are aware of the existing options available and avoid rumour and misunderstanding leading to incorrect assumptions about what would not be allowed. Nick Roberts (@socitmpresident) and I have agreed to meet with the PSN team in a few weeks’ time to sketch out a process and template, with a view to then drawing on the wider local government community to help produce this library. This will include giving thought to suggestions for the best way to share this information for future reference.
4. Finally, how will the growing use of cloud services be reflected in the PSN requirements?
A number of people were also keen to get a clearer understanding of the PSN’s position on cloud services (for example the use of Google Apps for Work and Microsoft Office 365). We didn’t get too deep into the specifics of this (as it wasn’t the core topic for the day), but the key message was similar to those for unmanaged devices — the essential requirement for PSN compliance will be the need to demonstrate that the design mitigates any onward risks to the PSN network.
So in short, my main conclusions from the day were…
- The PSN does not have a blanket ban on providing access using unmanaged devices, but it will still be essential to demonstrate that security architectures mitigate onward risks to the PSN network.
- The risk appetite of the data owner will be key, and we are all going to need to make sure that we’re clear about that as part of our information sharing agreements.
- The PSN team are committed to working collaboratively with councils to develop architectures that will work, and recognise that local government has specific needs which need to be reflected in the Information Assurance approach.
- We need to do more work together to develop clearer guidance which will help councils feel confident that they know which approaches will be accepted, and we can then continue to develop that over time to make sure that we keep up with technology change.
- And that’s going to be best done if it involves people from across local government. The number of people who made the effort to come to the workshop suggests that it will be no problem getting people to help make this happen!