Mobile by default for Local Government – the zero tolerance BYOD enigma

16 April 2014

Andrew Gunn

Consultant

The CESG’s zero tolerance to BYOD (Bring Your Own Device) is counterproductive to Local Authority transformation agendas. It is great news, though, for security-based organisations in terms of selling additional services and increasing licence revenue from Public Sector organisations. But does it help the average Local Authority transform and reduce its cost base through adoption of a mobile by default agenda and PSN (Public Sector Network)?

Provided that the information presented to Local Authority staff on BYOD does not originate from another PSN service (i.e. another PSN partner organisation), exposing internal Local Authority web-based applications built on internal Council systems is acceptable at present and perfectly feasible.

So, for example, if you have web-enabled applications hosted within your own organisation's IT landscape that do not pass on PSN-originated information from a PSN-originated service, then it is acceptable to expose these services to the internet provided that you follow some simple rules.

I have outlined these simple rules below, structured around the user connection, the user's registration details and finally user authentication. Build up a picture of this architecture and move your organisation forward instead of creating unnecessary silos, which will at best stall the opportunity that a mobile by default strategy can bring to Local Authorities.

End user connection – rule set 1

The following are some simple rules to follow for end user connections.

  • Where an external user is required to connect to a council's web sites or portals, these connections should be made available via HTTPS only
  • Connections should be secured through the use of X.509 certificates from an external trusted supplier chosen from a list of approved certificate authorities
  • Security should use TLS 1.2; TLS 1.0 is okay to use, but TLS 1.2 provides additional features which are beneficial
  • A regime should be in place whereby all web servers are routinely scanned for vulnerabilities
  • An IT Health Check to PSN standards should be carried out, with robust standards in place for the hardening of servers
  • Leverage multiple virtual machines across multiple physical environments – in other words, don't put all your eggs into a single physical basket
  • Where SAML 2.0 tokens are sent between an authentication service and web-based servers, these should be signed and encrypted using X.509 certificates, and the encryption should use AES-256.
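The HTTPS and TLS points in rule set 1 can be expressed as a checkable server policy. The following is an added example, not code from the original post: it builds the hardened TLS context an externally facing council application would use, the "TLS 1.0 is okay" floor for comparison, and a small policy check over either; the X.509 chain from the approved CA is assumed to be loaded separately with `load_cert_chain()`.

```python
import ssl
import warnings

def hardened_server_context() -> ssl.SSLContext:
    """Server-side context for an externally facing council web application
    (rule set 1): HTTPS only, TLS 1.2 as the floor, no legacy ciphers.
    The X.509 chain from the approved CA is loaded afterwards with
    ctx.load_cert_chain(certfile, keyfile); it is kept out of this function
    so the policy can be inspected with no certificate files present."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # compression-based attacks need it on
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx

def legacy_server_context() -> ssl.SSLContext:
    """The 'TLS 1.0 is okay' floor from the text, built only for comparison
    (modern Pythons warn on it, so the warning is silenced here)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx

def policy_findings(ctx: ssl.SSLContext) -> list:
    """Check a context against rule set 1; an empty list means it complies."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    names = {c["name"] for c in ctx.get_ciphers()}
    weak = sorted(n for n in names if "RC4" in n or "DES" in n or n.endswith("MD5"))
    if weak:
        findings.append("weak ciphers enabled: " + ", ".join(weak))
    return findings
```

Running `policy_findings()` against a deployed application's context gives the routine check that rule set 1 asks for, alongside the external vulnerability scan.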

End user registration – rule set 2

  • It is important that a robust user registration process is in force and, as a minimum, is based on the Level 2 service outlined in CESG GPG 43 Appendix B guidance. This guidance can be obtained directly from CESG
  • An important facet is to provide a secondary check of the registration information provided by the user. Typically the registration information provided by users can be checked against an internal Active Directory or LDAP. This check is performed through a logically separated, internally facing web service
  • All information held in a user directory should be converted into SHA-256 hashes before being stored in the user directory
  • The password provided by the user for externalised website access, which must be separate from their corporate logon credentials (a PSN requirement), should be stored in a separate external user directory using non-reversible encryption.

End user authentication – rule set 3

  • The CESG states that strong 2-factor authentication must be in place. User authentication requires a username, a password and a separate piece of information. Sometimes this is a token, a crypto card or an SMS-provided token. Many high street banks use a memorable word from which the user is requested to provide 3 characters in a random sequence – on examination of the guidance, this is presently also acceptable as an approach
  • Make sure that the user authentication level follows the guidance in CESG GPG 43 Appendix B
  • Finally, another recent requirement for PSN is that user credentials (for externally facing council web applications) are different from the user's corporate logon credentials. This approach complies with the “CESG Architecture Pattern 2, Walled Garden Architecture” and “CESG Application Pattern 7, Transitioning to PSN: Managing the Risk from Unmanaged End User Devices” guidance, which can be sourced from CESG IA Policy guidance.
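Rule sets 2 and 3 together describe one registration-and-login flow: a secondary check of the user's details against the internal directory, hashed entries and a non-reversibly stored external-only password in a separate external directory, then password plus a second factor at login. The following is an added example, not code from the original post or from CESG guidance; it uses a constructed dictionary as the internal AD/LDAP lookup, a second dictionary as the external user directory, PBKDF2-HMAC-SHA256 for the non-reversible password store, and HOTP (RFC 4226) as the one-time code a token or SMS would carry.

```python
import hashlib
import hmac
import os
import struct

# Constructed stand-in for the internally facing AD/LDAP lookup (rule set 2):
# username -> e-mail address held in the corporate directory.
INTERNAL_DIRECTORY = {"jsmith": "j.smith@council.example"}

def sha256_hex(value: str) -> str:
    """Directory entries are stored as SHA-256 hashes, never in clear."""
    return hashlib.sha256(value.encode()).hexdigest()

def hash_password(password: str, salt: bytes) -> bytes:
    """Non-reversible storage for the external-only password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(external_dir, username, email, password, internal_lookup, otp_key=None):
    """Secondary check against the internal directory, then store hashed identifiers
    and a salted password hash in the SEPARATE external directory."""
    if internal_lookup(username) != email:
        return False
    salt = os.urandom(16)
    external_dir[sha256_hex(username)] = {
        "email": sha256_hex(email),
        "salt": salt,
        "password": hash_password(password, salt),
        "otp_key": otp_key or os.urandom(20),  # second-factor secret
        "counter": 0,
    }
    return True

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, the basis of token / SMS one-time codes in rule set 3."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def authenticate(external_dir, username, password, otp_code) -> bool:
    """Rule set 3: external password plus a one-time code, compared in constant time."""
    rec = external_dir.get(sha256_hex(username))
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, rec["salt"]), rec["password"])
    otp_ok = hmac.compare_digest(otp_code, hotp(rec["otp_key"], rec["counter"]))
    if pw_ok and otp_ok:
        rec["counter"] += 1  # consume the code so it cannot be replayed
    return pw_ok and otp_ok
```

Because the external directory only ever sees hashes and the user's external-only password, a compromise of it does not yield corporate logon credentials, which is the point of the PSN separation requirement.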

To sum up

If Local Authorities wish to transform with a mobile by default agenda, there are some simple guidelines or rules to follow which will not impede PSN certification at present.

I would urge Local Authorities not to take zero tolerance to BYOD literally, and so fail to exploit the mobile agenda or, worse still, retract from their present position, without first challenging their current models against the rules above, which are perfectly acceptable at present.

About the author

Andrew Gunn

Consultant

Coming from Newcastle, my simple analogy for my entire career is to think about the many marvellous bridges across the River Tyne. I have spent over 24 years bridging the gap between clients' business challenges and technology, helping my clients spend wisely. I am a highly experienced Digital Transformation evangelist specialising in the field of Information Management using Big Data and Mobile technologies, delivered through the Bluefin Solutions Public Sector and Services business unit.

Simply speaking, I work for my clients in local government in either Customer services, Finance, Procurement or HR, helping them to get more value from the right data at the right time. These challenges are not new, they are simply bigger because there is more stuff to process.

I have worked on more than 15 projects in the Public Sector over the years, ranging from client-side digital strategy engagements (£20k+) to forming an integral part of larger teams delivering mega projects (£500m+) for my clients in various roles such as Technical Design Authority, Digital Strategist, Business Architecture Design and Programme Management. A key aspect of my Digital Transformation passion is to ensure that I identify and deliver real transformation-led savings, with examples ranging from £0.5m to £20m per annum saved across a wide range of organisations.

What frustrates me is that many firms bamboozle their clients with complexity, often recommending unnecessarily over-engineered solutions costing in excess of £5m. Big data challenges are not new; it's about the right data at the right time in the right format, managed properly. I believe that working collaboratively with our clients to deliver complex Enterprise Information Management challenges simply is vital to achieving sustainable results. This, rather than doing transformation to our clients, as adopted by certain organisations, is the way I like to work.