The CESG’s zero tolerance to BYOD (Bring Your Own Device) is counterproductive to Local Authority transformation agendas. It is great news for security vendors, who can sell additional services and increase licence revenue from Public Sector organisations, but does it help the average Local Authority transform and reduce its cost base by adopting a mobile-by-default agenda alongside the PSN (Public Sector Network)?
Provided that the information presented to Local Authority staff on a BYOD device does not originate from another PSN service (i.e. from another PSN partner organisation), exposing internal Local Authority web-based applications built on the Council’s own systems is acceptable at present and perfectly feasible.
So, for example, if you have web-enabled applications hosted within your own organisation’s IT estate that do not pass on information originating from a PSN service, it is acceptable to expose them to the internet provided that you follow some simple rules.
I have outlined these rules below, structured around the user’s connection, the user’s registration details and finally user authentication. Build up a picture of this architecture and move your organisation forward instead of creating unnecessary silos, which will at best stall the opportunity that a mobile-by-default strategy can bring to Local Authorities.
End user connection – rule set 1
The following lists some simple rules to follow for the connection of end users.
- Where an external user is required to connect to a council’s web sites or portals, these connections should be made available over HTTPS only; the application should not be served over plain HTTP at all
- Connections should be secured with X.509 certificates from an external trusted supplier chosen from a list of approved certificate authorities
- Use TLS 1.2. The guidance as originally written still allowed TLS 1.0, but TLS 1.2 provides additional features (authenticated-encryption cipher suites and a SHA-256 based PRF) which are beneficial; TLS 1.0 and 1.1 have since been formally deprecated (RFC 8996), so treat TLS 1.2 as the minimum and disable the older versions
- A regime should be in place whereby all web servers are routinely scanned for vulnerabilities
- An IT Health Check to PSN standards should be carried out, with robust standards in place for hardening of servers
- Spread the service across multiple virtual machines on multiple physical hosts; in other words, don’t put all your eggs in a single physical basket
- Where SAML 2.0 assertions are passed between an authentication service and web servers, they should be signed and encrypted using X.509 certificates, with AES-256 as the encryption algorithm; the receiving service must verify the signature before trusting any attribute in the assertion
End user registration – rule set 2
- It is important that a robust user registration process is in force, as a minimum based on the Level 2 service outlined in CESG GPG 43 Appendix B. This guidance can be obtained directly from CESG
- An important facet is a secondary check of the registration information provided by the user. Typically this information can be checked against an internal Active Directory or LDAP directory, and the check should be performed through a logically separated, internally facing web service rather than by exposing the directory itself
- Secrets held in the user directory (passwords and the answers to any verification questions) should be stored only in non-reversible hashed form, never in a form from which the original can be recovered. The rule as originally written names SHA-256; note that a single unsalted SHA-256 digest of a password can be brute-forced very quickly on commodity hardware, so use a salted, deliberately slow password-hashing function (PBKDF2-HMAC-SHA256, bcrypt, scrypt or Argon2) rather than a bare SHA-256 hash
- The password used to access the organisation’s internally hosted web services from outside must be separate from the user’s corporate logon credentials (a PSN requirement) and should be stored in a separate, externally facing user directory as a non-reversible hash (“non-reversible encryption” is a misnomer: encryption can by definition be reversed by whoever holds the key)
End user authentication – rule set 3
- CESG states that strong two-factor authentication must be in place: user authentication requires a username, a password and a separate piece of information. Sometimes this is a hardware or software token, a smart card, or a one-time code sent by SMS. Many high street banks use a memorable word from which the user is asked to provide three characters at randomly chosen positions; on examination of the guidance this is presently also acceptable as an approach, though note that it is a second “something you know” rather than a possession factor, and because the server must be able to check individual characters the memorable word cannot be protected with an ordinary one-way hash in the way a password can
- Make sure that the user authentication level follows the guidance in CESG GPG 43 Appendix B
- Finally, another recent PSN requirement is that user credentials for externally facing council web applications are different from the user’s corporate logon credentials. This approach complies with “CESG Architecture Pattern 2, Walled Garden Architecture” and “CESG Application Pattern 7, Transitioning to PSN: Managing the Risk from Unmanaged End User Devices”, guidance which can be sourced from CESG IA Policy guidance.
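As an added example (not code from the original post, nor from CESG or any PSN supplier), here is how the storage rules in rule set 2 and the logon rules in rule set 3 fit together in practice. It assumes PBKDF2-HMAC-SHA256 with a random per-user salt in place of the bare SHA-256 named above, a TOTP code (RFC 6238) as the “separate piece of information” rather than the memorable-word scheme, and a hypothetical `corporate_bind` callback standing in for the logically separated, internally facing check against Active Directory or LDAP; the directory itself is an in-memory dict so the example runs offline.

```python
"""Added example: an externally facing user directory that stores only
non-reversible password hashes (rule set 2) and checks a second factor at
logon (rule set 3). Assumptions: PBKDF2-HMAC-SHA256 instead of plain SHA-256,
TOTP (RFC 6238) as the second factor, `corporate_bind` as a hypothetical
stand-in for the internal AD/LDAP check, and an in-memory dict as the directory.
"""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Callable, Dict, Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumption: OWASP's current PBKDF2-HMAC-SHA256 figure
TOTP_STEP = 30               # seconds per TOTP time step (RFC 6238 default)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing, salted, iterated hash: algo$iters$salt$digest."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (HMAC-SHA1, dynamic truncation) over the 30-second step counter."""
    counter = struct.pack(">Q", at // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` adjacent steps to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, at + d * TOTP_STEP), code)
               for d in range(-window, window + 1))


class ExternalUserDirectory:
    """The separate, externally facing directory the rules call for (in-memory stand-in)."""

    def __init__(self, corporate_bind: Callable[[str, str], bool]):
        # Hypothetical callback: True if (username, password) binds to the corporate
        # directory. Models the logically separated internal web service check.
        self._corporate_bind = corporate_bind
        self._users: Dict[str, Tuple[str, bytes]] = {}   # username -> (pw hash, totp secret)
        # Verified against for unknown users so a missing account costs the same time
        # as a wrong password (no username enumeration via response timing).
        self._dummy_hash = hash_password(secrets.token_hex(16))

    def register(self, username: str, password: str, totp_secret: Optional[bytes] = None) -> bytes:
        # PSN requirement: the external password must differ from the corporate logon.
        # If the proposed password binds successfully internally, the user has reused it.
        if self._corporate_bind(username, password):
            raise ValueError("external password must differ from corporate logon credentials")
        secret = totp_secret if totp_secret is not None else secrets.token_bytes(20)
        # The TOTP secret must stay recoverable so the server can compute codes; it is the
        # one item here that cannot be hashed, so protect it at rest (not modelled here).
        self._users[username] = (hash_password(password), secret)
        return secret   # provisioned into the user's authenticator app out of band

    def authenticate(self, username: str, password: str, code: str, at: Optional[int] = None) -> bool:
        """Both factors must pass; every check runs so failure timing is uniform."""
        now = at if at is not None else int(time.time())
        rec = self._users.get(username)
        if rec is None:
            verify_password(password, self._dummy_hash)
            return False
        pw_hash, secret = rec
        ok_pw = verify_password(password, pw_hash)
        ok_code = verify_totp(secret, code, now)
        return ok_pw and ok_code


if __name__ == "__main__":
    # Constructed demo data: the RFC 6238 test-vector secret and a stub corporate directory.
    directory = ExternalUserDirectory(lambda u, p: (u, p) == ("alice", "Corporate-Pa55"))
    secret = directory.register("alice", "External-Secret-9", totp_secret=b"12345678901234567890")
    print("code at T=59:", totp(secret, 59))                      # 287082 per RFC 6238
    print("logon ok:", directory.authenticate("alice", "External-Secret-9", totp(secret, 59), at=59))
```

Registration refuses a password that binds successfully against the corporate directory, which enforces the PSN separation rule at the point of registration rather than relying on policy alone; the demo uses the RFC 6238 test-vector secret so the generated codes can be checked against the published values.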
To sum up
If Local Authorities wish to transform with a mobile-by-default agenda, there are some simple guidelines or rules to follow which will not impede PSN certification at present.
I would urge Local Authorities not to take zero tolerance to BYOD literally, and not to leave the mobile agenda unexploited, or worse still retreat from their present position, without first testing their current models against the rules above, which are perfectly acceptable at present.