Cabinet Office warns that personal devices may compromise PSN data

It is concerned that a compromised device could gain access to data travelling over the network

The Cabinet Office has issued an action notice warning local authorities that unmanaged personal devices used by public sector employees may compromise sensitive data travelling over the Public Services Network (PSN).

The action notice comes as CESG, the information security arm of GCHQ, advised government that although BYOD strategies are possible for public sector organisations, they are not recommended.

The PSN is core to the government's ICT Strategy and the Cabinet Office hopes that in three years' time 80 percent of its PC-based staff (four million users) will be on the network.

It will create a network of networks by joining up organisations, departments, authorities and agencies that deliver public services at local, regional and national levels.

The full list of suppliers to the public sector that have been signed to the framework includes Virgin Media Business, Logicalis, BT, Cable & Wireless, Global Cross, Capita, Updata, Fujitsu, MDNX Enterprise Services, eircom, KCOM and Thales.

The action notice states that local authorities are known to allow remote access to systems from unmanaged end-user devices.

"We are concerned about the potential for unmanaged devices, which may be compromised, to gain access to the PSN or to services within the local authority that contains data which originated from the PSN," it said.

"Exposing internal government services to access from unmanaged end-user devices is not compliant with PSN information assurance conditions, guidance from CESG or the HMG end user device strategy, so local authorities must ensure that the risk to information received through the PSN is minimised."

To address this, the Cabinet Office has asked that an architecture and an accompanying project plan, signed off by the local authority's CEO, be included as part of the local authority's submission before PSN compliance authorisation is granted.

The notice continues: "We are familiar with the balancing act between access, security and cost. However, the business conducted by local authorities and the data underpinning those services must be appropriately protected."

The action notice outlined changes local government must make to ensure that data travelling over the PSN is protected from compromised devices.

In the short term, authorities are being asked to develop a 'mediation zone' which provides an appropriate proxy with an internal firewall for all services which are exposed. The notice states that this will likely take the form of a webmail gateway for access to email, a reverse proxy server for other web applications and an appropriate proxy for thin client or virtual desktop services.

"Only services containing non-PSN data can be exposed to unmanaged end-user devices. This includes access via the thin client or virtual desktop," said the Cabinet Office.

In the longer term, the use of unmanaged end-user devices to connect to internal applications should be minimised and where it remains essential, a strong network separation within the internal network should exist between PSN and non-PSN elements.

For example, such a separation could involve splitting PSN and non-PSN services into separate 'network zones'. Non-PSN applications would then be made accessible via IP addresses that are not shared with any services containing PSN data.
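The three conditions described above (exposed services sit behind a mediation-zone proxy, only non-PSN data is exposed, and exposed services share no IP address with PSN-data services) can be checked against a service inventory. The following is an added illustration, not part of the action notice or any Cabinet Office tooling; the inventory fields, service names and addresses are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed inventory (assumption): one record per internal service.
# "exposed" = reachable from unmanaged end-user devices.
SERVICES = [
    {"name": "webmail",         "ip": "10.20.0.10", "psn_data": False, "exposed": True,  "via_proxy": True},
    {"name": "intranet",        "ip": "10.20.0.20", "psn_data": False, "exposed": True,  "via_proxy": True},
    {"name": "benefits-api",    "ip": "10.20.0.20", "psn_data": True,  "exposed": False, "via_proxy": False},
    {"name": "revenues-portal", "ip": "10.30.0.5",  "psn_data": True,  "exposed": True,  "via_proxy": True},
    {"name": "vdi",             "ip": "10.20.0.40", "psn_data": False, "exposed": True,  "via_proxy": False},
]


def audit(services):
    """Return (service, finding) pairs for every exposed service that breaks a rule."""
    # Index services by normalised address so shared IPs are easy to spot.
    by_ip = defaultdict(list)
    for svc in services:
        by_ip[ip_address(svc["ip"])].append(svc)

    findings = []
    for svc in services:
        if not svc["exposed"]:
            continue
        # Rule 1: only services containing non-PSN data may be exposed.
        if svc["psn_data"]:
            findings.append((svc["name"], "PSN_DATA_EXPOSED"))
        # Rule 2: every exposed service must be reached through a proxy
        # in the mediation zone, never directly.
        if not svc["via_proxy"]:
            findings.append((svc["name"], "NO_MEDIATION_PROXY"))
        # Rule 3: an exposed service must not share its IP address with
        # any other service that holds PSN data.
        shared = sorted(o["name"] for o in by_ip[ip_address(svc["ip"])]
                        if o is not svc and o["psn_data"])
        if shared:
            findings.append((svc["name"], "SHARES_IP_WITH_PSN:" + ",".join(shared)))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SERVICES):
        print(f"{name}: {finding}")
```
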

Local authorities have 12 months to implement these changes, prior to their 2014 PSN compliance authorisation.
