UK government organizations, and those that need to interact with them, can apply to join the UK Public Service Network (PSN). To do so, however, they must be able to ensure, and prove, that their use of the PSN is compliant. Network access control (NAC) technology helps achieve this goal.
A common mantra of the New Labour administration that governed the UK from 1997 to 2007 (after which ‘new’ was all but dropped with the departure of Tony Blair) was that Britain must have a more joined-up government. An initiative was kicked off in 2007 to make this a digital reality with the launch of the UK Public Sector Network (PSN, since relabeled the Public Service Network).
Back then, digital reform, data sharing, sustainability and multi-agency working were all top of mind. However, an effective PSN also makes it easier for smaller suppliers to participate in the public sector marketplace, an issue which interested the Coalition government that replaced Labour in 2010, and its recent Conservative successor. This saw the government focus shift to public sector spending cuts and a desire to break up mega technology and communications contracts into smaller chunks.
In short, the PSN is a dedicated, high-performance internet for the UK government: a standardized network of networks, provided by large service providers such as BT, Virgin Media, Vodafone and Level 3 Communications, and a host of smaller companies keen to get in on the action. The PSN architecture is similar to the internet but separated from it, with performance guarantees. Separate, but not isolated: how else could citizens be served?
Information sharing via the PSN is controlled. The aim is to be open when appropriate but secure when necessary. One objective is to reduce the reported instances of data leaks. According to the UK Information Commissioner’s Office (ICO) Data Breach Trends, in the last financial year there were 35 reported breaches for central government and 233 for local government, the latter only being beaten by healthcare with an atrocious 747. That made government organizations responsible for about 15% of all incidents (excluding health, education and law enforcement).
An organization wanting to access the PSN must pass the PSN Code of Connection (CoCo), an information assurance mechanism that aims to ensure all the various member organizations can have an agreed level of trust through common levels of security.
Advice on compliance is laid out by the government on the PSN website and advice is also available from Innopsis, a trade association for communications, network and application suppliers to the UK public sector. Innopsis was previously known as Public Service Network GB (PSNGB), and helps its members understand and deal with the complexities of the public sector ICT market, especially with regard to use of the UK’s PSN.
The PSN rules include making sure the end-points that attach to the network are compliant, which means they must be managed in some way (i.e. ad hoc bring-your-own-device is not allowed). Example controls include: ensuring software is patched to the latest levels; preventing the execution of unauthorized software; deploying anti-malware; and using encryption on remote and mobile devices. A PSN member organization can have unmanaged devices on its own network, but these must be clearly and securely separated from the CoCo-compliant segment of the network.
Innopsis was represented by its chairman, Phil Gibson, on a panel facilitated by Quocirca at Infosecurity Europe in June 2015, which looked at secure network access in the UK public sector. Also on the panel was the ICT security manager for the NHS South East Commissioning Support Unit (CSU) talking about a project to roll out the Sussex Next Generation Community of Interest Network (NG-COIN), one of four linked WANs that South East CSU manages.
NHS organizations currently use another dedicated network called N3. However, this is being replaced by a PSN for healthcare, which is to be labeled the Health and Social Care Network (HSCN). The Sussex NG-COIN involved 30,000 end-user devices across 230 sites with anything from one to 5000 users; many of the sites required public network access. There are 15 different organizations using the NG-COIN with varying security requirements and thousands of applications containing sensitive clinical information.
The old COIN relied on an ageing and ineffective intrusion prevention system (IPS). With NG-COIN this was replaced by a network access control (NAC) system. The cost difference to the 15 user organizations was absorbed as a security line item cost, which they were already accustomed to.
ForeScout’s CounterACT NAC system was selected in 2013. It proved to be fast to deploy; 95% of the network was being monitored within one week. It was compatible with all the legacy networking equipment from a range of vendors including Cisco, HP and 3Com (now owned by HP). The system provided flexibility to define policies by device type, site owner, user type, etc. and was integrated with the existing wireless solution to provide authenticated guest access.
CounterACT also fulfilled reporting requirements, providing complete information about access and usage across the whole network (what, where, when and who) from a single console. It also provided the ability to automatically block access for non-compliant devices, or to limit access based on usage policies.
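As an added illustration (not code from Innopsis, ForeScout or the NHS project), the following Python models how a NAC policy turns the CoCo-style controls listed earlier (managed device, patch level, no unauthorized software, anti-malware, encryption on mobile devices) into a per-device placement decision such as the automatic blocking described above. The attribute names, patch baseline and segment names are assumptions, not CounterACT's own property or policy names.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed endpoint posture record; field names are assumptions for this
# example, not the property names used by any real NAC product.
@dataclass
class Endpoint:
    hostname: str
    managed: bool                 # enrolled in a management tool (no ad hoc BYOD)
    patch_level: int              # constructed patch baseline number
    antimalware_running: bool
    unauthorised_software: List[str] = field(default_factory=list)
    mobile: bool = False          # laptop/tablet that leaves the site
    disk_encrypted: bool = False

REQUIRED_PATCH_LEVEL = 42         # constructed baseline for this example


def coco_failures(ep: Endpoint) -> List[str]:
    """Return the list of control failures for an endpoint (empty = compliant)."""
    failures = []
    if not ep.managed:
        # Unmanaged devices are never assessed further: they are not allowed
        # on the CoCo-compliant segment at all.
        return ["unmanaged"]
    if ep.patch_level < REQUIRED_PATCH_LEVEL:
        failures.append(f"patch level {ep.patch_level} below {REQUIRED_PATCH_LEVEL}")
    if ep.unauthorised_software:
        failures.append("unauthorised software: " + ", ".join(ep.unauthorised_software))
    if not ep.antimalware_running:
        failures.append("anti-malware not running")
    if ep.mobile and not ep.disk_encrypted:
        failures.append("mobile device without disk encryption")
    return failures


def access_decision(ep: Endpoint) -> str:
    """Map control failures to a network placement, as a NAC policy would."""
    failures = coco_failures(ep)
    if not failures:
        return "psn"            # CoCo-compliant segment
    if failures == ["unmanaged"]:
        return "guest"          # separated, non-PSN segment for unmanaged devices
    return "remediation"        # managed but non-compliant: blocked from PSN until fixed


if __name__ == "__main__":
    # Constructed sample devices covering each outcome.
    for ep in (Endpoint("ward-pc-01", True, 42, True),
               Endpoint("visitor-phone", False, 0, False),
               Endpoint("laptop-07", True, 40, False, ["torrent-client"], mobile=True)):
        print(ep.hostname, access_decision(ep), coco_failures(ep))
```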
These are all issues that any organization needs to be able to address before attaching to the UK PSN. NAC gave Sussex NHS a way to ensure controlled and compliant use of its network, one that any organization wanting to attach to the UK PSN compliantly could follow as an example.