by Craig

PSN. Maybe it's security all companies should take a look at?

I have been working quite a lot lately on a local government organisation’s (read: Council) PSN compliance. It struck me that much of what I am doing could, and should, be applied to the commercial world.

Ok, so a quick bit of terminology here: the Public Services Network (PSN) is an actual thing. It's not just an acronym for a committee, it really is something! It delivers (over a connection from an accredited provider) access into a secure network to which other accredited bodies also have access. The other organisations on the PSN are anything from Local Government and Blue Light services through to Government Departments such as the Department for Work and Pensions. Now that last bit is the important bit for me; unless the council I am working for can get a connection to the PSN it cannot access the Department for Work and Pensions to process benefit claims, and this would be bad….

In order to access the PSN you must hit a security standard. This isn't a fixed standard, as the security picture is continually evolving and setting one would be arbitrary and impractical to hit. Instead it is really about integrating security standards into your organisation as something that is part and parcel of your day to day business. This is quite an important distinction, as many companies see accreditations as a "tick in the box" where you are such-and-such compliant but don't actually practise it. Part of the PSN accreditation is a yearly assessment which ensures that you keep up the practices and adopt them as part of your culture.

So once you have hit the standard required, a bunch of paperwork flies back and forth between the various agencies involved (the Cabinet Office and telecoms suppliers) and you are then granted access to the PSN network as part of a community of "trusted organisations", the theory being that you are all of a similar standard of security.

Seems easy huh? Well it can be provided you have built security into your infrastructure and processes from very early on. Implementing these things into a mature environment where processes have evolved can be very difficult but ensuring security could save a potential loss of data - a loss which would be both harmful to finances and customer relations.

The key steps to securing the environment aren't actually that difficult. There are a few simple steps that you can embark on, following up by re-designing and fixing the infrastructure to enforce them.

1. Do an internal IT health check.

This will be done by an external agency that you pay; they will then give you a report saying what they found. I have engaged with, and used, NCCGroup in the past but cannot say they are better than anyone else (they seem ok).

Importantly these guys are independent of your organisation and can be used as a reference for when someone (read: the Cabinet Office) asks if the organisation's security is ok. Any sort of security accreditation will need this, and remember it's a culture thing not a tick in the box, so there is no harm in getting this done right now (they aren't going to tell anyone else what they find!).

2. Fix the things they found in that health check

Yup that’s literally it. But wait(!) it might not be THAT easy because what they have found might have huge implications on how you actually work.

This is way WAY too in depth for me to go into what you might have to change. As an example the CESG (UK Government techie types) recommend a DMZ between two separate firewalls so:

Net -> Firewall 1 -> DMZ -> Firewall 2 -> LAN

This means a compromise of the first firewall does not mean the second one will be compromised too; indeed they recommend having two separate manufacturers for the two firewalls! This approach forces a protocol break between the two firewalls in the DMZ, so any services you wish to expose externally (including VPN users) must have some sort of proxy in the DMZ. It may sound a bit like overkill but I for one would feel much more secure about my LAN with this sort of setup.

This isn't the only example of architecture, and there is a whole section on mobile devices that I won't go into, but overall I would say:

2.1 Do not have un-managed devices on your internal network

So this appears to be fairly obvious but people think that the Bring Your Own Device (BYOD) culture is something we should all embrace. No we really shouldn’t! As IT professionals we must heavily restrict their usage and try to stand up to the people who shout/stamp/scream/tantrum that they can’t use their personal device for connections into work.

This is the biggest area of security concern right now, as any edge security device (unified threat management (UTM), firewall, email filter, content filter or anything else) is completely useless when someone brings in a laptop from home with a virus on it and plugs it into your network.

But laptops aren't the only thing you should be concerned about; phones are now at the point where they are smart enough to be a problem but not mature enough to be secure. They don't really have firewalls on them, they all connect to a generic Access Point Name (APN), they can easily have code installed on them from unverified sources and often they aren't locked properly.

If you have sensitive email on your phone (because you are the CEO/CFO/Director) then you should have a passcode on your phone, and the phone should have a level of security equal to that of a laptop. What is more likely to be lost/stolen? What data is exposed if one of those people loses their personal mobile phone? How can you secure that data? The answer is that you cannot if it is a personal mobile; you must heavily secure that phone to be sure that the data is safe.

There are some vendors (Air Watch, Citrix, Good etc) who will promote the "container" approach to securing the device. This could be risky in itself, as you still don't truly control the environment; you just control a virtual machine (ish) running on the phone. I would be wary of this and treat it as a stop gap approach (btw did you know that all traffic on phones secured by Good is routed via two data centres in the US?).

3. Patch stuff

Sounds stupid, but most of the ways into a network are through services that are un-patched and have vulnerabilities in them. This happens over time as people find them and fixes/upgrades are put into place. By having a regime of patching you will be less likely to suffer from "zero day attacks" and will start to have these things ingrained in your culture.

Obvious things like WSUS should already be in place and running, and an understanding of your estate would really help, but where you are unsure you need to run a security scan.

4. Scan your internal network

Having done all the above you want to make sure you remain secure, and the best method of doing that is to regularly scan your network looking for vulnerabilities. A Nessus vulnerability scanner will do a good job of this and will alert you to where you need to apply patches. It is a subscription thing, as there is a continually evolving landscape of security threats, but it is worth the cost.

The scan report will point out where there are problems and what you need to do to fix them. This will happen a lot, and you will want to give responsibility for this to someone who is a "proper techie" but also has the confidence to speak up about problems.
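To show what "turning the scan report into a patch worklist" looks like in practice, here is an added example (my own, not Craig's or Tenable's code) that reads a Nessus v2 XML export, drops the informational noise, and groups what is left by host, worst first. The scan data below is a constructed sample in the .nessus v2 layout; hosts, plugin IDs and plugin names are made up.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the .nessus v2 export layout; hosts, IDs and plugin names are made up.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2><Report name="internal-lan">
 <ReportHost name="10.0.0.5">
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="11111"
              pluginName="SMB Server Missing Security Update (constructed)">
   <solution>Apply the vendor security update.</solution></ReportItem>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="22222"
              pluginName="OS Identification"><solution>n/a</solution></ReportItem>
 </ReportHost>
 <ReportHost name="10.0.0.9">
  <ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="33333"
              pluginName="SSL Certificate Expiry"><solution>Renew the certificate.</solution></ReportItem>
 </ReportHost>
</Report></NessusClientData_v2>"""

SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

def parse_findings(xml_text, min_severity=1):
    """Return (host, severity, plugin name, port, solution) tuples at or above min_severity,
    worst first, so informational plugin output does not bury the real patch work."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity:
                continue  # drop Info-level noise (OS fingerprinting, banners)
            solution = item.findtext("solution", default="").strip()
            findings.append((host.get("name"), sev, item.get("pluginName"), item.get("port"), solution))
    return sorted(findings, key=lambda f: (-f[1], f[0]))

def worklist_by_host(findings):
    """Group findings per host so whoever owns that box gets one list to work through."""
    grouped = defaultdict(list)
    for host, sev, name, port, solution in findings:
        grouped[host].append(f"[{SEVERITY[sev]}] {name} (port {port}): {solution}")
    return dict(grouped)

if __name__ == "__main__":
    for host, lines in worklist_by_host(parse_findings(SAMPLE_NESSUS)).items():
        print(host, *lines, sep="\n  ")
```

Point it at a real export (`ET.parse(path).getroot()` in place of `fromstring`) and the same two functions give the "proper techie" a per-host list to chase, with the scan's own `solution` text telling them what to patch.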

The wider view - do I need this?

It might be that you must have some BYOD service going on, or that you have a particularly difficult system to get compliant. With these things it makes sense to put them into a lower security area (preferably by themselves) and firewall them off. You will of course be buying lots and lots of firewalls in this exercise, but they are boundary controls and you need them to ensure the protection of your core information.

All this is, of course, about protecting the core information and systems that are central to your business. Once those are secured you can think about moving less important things into lower security areas; I would even go so far as to say that you might want to outsource the things that you don't need to run in house and that are going to cause you security problems.

Architecture design is never the same from one company to the next, and understanding business needs (one of which is security btw) and implementing them is going to be a tough task for any IT leader/CTO to balance out. However, putting in appropriate controls and designs means that you will reduce your risk profile and make yourself a difficult target. It does not mean you will have to hamper the business you support, but you will certainly consume lots of resources implementing things they will never see. Until the day you don't implement it and someone takes your data.