Cabinet Office warns that personal devices may compromise PSN data

It is concerned that a compromised device could gain access to data travelling over the network

The Cabinet Office has issued an action notice warning local authorities that unmanaged personal devices used by public sector employees may compromise sensitive data travelling over the Public Services Network (PSN).

The action notice comes as CESG, the information security arm of GCHQ, advised government that although BYOD strategies are possible for public sector organisations, they are not recommended.

The PSN is core to the government's ICT Strategy and the Cabinet Office hopes that in three years' time 80 percent of its PC-based staff (four million users) will be on the network.

It will create a network of networks by joining up organisations, departments, authorities and agencies that deliver public services at local, regional and national levels.

The full list of suppliers to the public sector that have been signed to the framework includes Virgin Media Business, Logicalis, BT, Cable & Wireless, Global Cross, Capita, Updata, Fujitsu, MDNX Enterprise Services, eircom, KCOM and Thales.

The action notice states that local authorities are known to allow remote access to systems from unmanaged end-user devices.

"We are concerned about the potential for unmanaged devices, which may be compromised, to gain access to the PSN or to services within the local authority that contains data which originated from the PSN," it said.

"Exposing internal government services to access from unmanaged end-user devices is not compliant with PSN information assurance conditions, guidance from CESG or the HMG end user device strategy, so local authorities must ensure that the risk to information received through the PSN is minimised."

To address this, the Cabinet Office has asked that an architecture and an accompanying project plan be signed off by the local authority's CEO, which should be included as part of the local authority's submission, prior to PSN compliance authorisation being granted.

The notice continues: "We are familiar with the balancing act between access, security and cost. However, the business conducted by local authorities and the data underpinning those services must be appropriately protected."

The action notice outlined changes local government must make to ensure that data travelling over the PSN is protected from compromised devices.

In the short term authorities are being asked to develop a 'mediation zone' which provides an appropriate proxy with an internal firewall for all services which are exposed. It states that this will likely take the form of a webmail gateway for access to email, a reverse proxy server for other web applications and an appropriate proxy for thin client or virtual desktop services.

"Only services containing non-PSN data can be exposed to unmanaged end-user devices. This includes access via the thin client or virtual desktop," said the Cabinet Office.

In the longer term, the use of unmanaged end-user devices to connect to internal applications should be minimised and where it remains essential, a strong network separation within the internal network should exist between PSN and non-PSN elements.

For example, such a separation could involve splitting PSN and non-PSN services into separate 'network zones'. Non-PSN applications would then be made accessible via IP addresses that are not shared with any services containing PSN data.
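The two rules above (no PSN data on services exposed to unmanaged devices, and no IP address shared between PSN and non-PSN services) can be checked against a service inventory. The following is an added example, not part of the original article or the Cabinet Office notice; the service names, record layout and addresses are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed inventory: (service name, listening IP, holds PSN data?,
# reachable from unmanaged end-user devices?). Names are hypothetical;
# addresses come from documentation ranges (RFC 5737 / RFC 3849).
INVENTORY = [
    ("webmail-gateway", "192.0.2.10", False, True),
    ("benefits-portal", "192.0.2.20", True, True),
    ("intranet-wiki", "192.0.2.30", False, True),
    ("revenues-frontend", "192.0.2.30", True, False),
    ("records-api", "2001:db8::5", False, True),
    ("case-mgmt", "2001:0db8:0000:0000:0000:0000:0000:0005", True, False),
]


def audit(inventory):
    """Return (rule, service, ip) findings for the two separation rules."""
    findings = []
    by_ip = defaultdict(list)
    for name, ip, psn_data, unmanaged in inventory:
        # Parse the address so differently written forms of the same
        # IP (common with IPv6) compare equal.
        addr = ip_address(ip)
        by_ip[addr].append((name, psn_data))
        # Rule 1: only non-PSN services may face unmanaged devices.
        if psn_data and unmanaged:
            findings.append(("PSN_EXPOSED", name, str(addr)))
    # Rule 2: a non-PSN service must not share an IP with a PSN service.
    for addr, services in by_ip.items():
        if any(psn for _, psn in services):
            for name, psn in services:
                if not psn:
                    findings.append(("SHARED_IP", name, str(addr)))
    return findings


if __name__ == "__main__":
    for rule, name, ip in audit(INVENTORY):
        print(f"{rule:12} {name:20} {ip}")
```

A plain string comparison of addresses would miss the `records-api` / `case-mgmt` pair, which is why the addresses are parsed before grouping.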

Local authorities have 12 months to implement these changes, prior to their 2014 PSN compliance authorisation.

Stories by Derek du Preez