Cabinet Office warns that personal devices may compromise PSN data

It is concerned that a compromised device could gain access to data travelling over the network

The Cabinet Office has issued an action notice warning local authorities that unmanaged personal devices used by public sector employees may compromise sensitive data travelling over the Public Services Network (PSN).

The action notice comes as CESG, the information security arm of GCHQ, advised government that although BYOD strategies are possible for public sector organisations, it is not recommended.

The PSN is core to the government's ICT Strategy and the Cabinet Office hopes that in three years' time 80 percent of its PC-based staff (four million users) will be on the network.

It will create a network of networks by joining up organisations, departments, authorities and agencies that deliver public services at local, regional and national levels.

The full list of suppliers to the public sector that have been signed to the framework include Virgin Media Business, Logicalis, BT, Cable & Wireless, Global Cross, Capita, Updata, Fujitsu, MDNX Enterprise Services, eircom, KCOM and Thales.

The action notice states that local authorities are known to allow remote access to systems from unmanaged end-user devices.

"We are concerned about the potential for unmanaged devices, which may be compromised, to gain access to the PSN or to services within the local authority that contains data which originated from the PSN," it said.

"Exposing internal government services to access from unmanaged end-user devices is not compliant with PSN information assurance conditions, guidance from CESG or the HMG end user device strategy, so local authorities must ensure that the risk to information received through the PSN is minimised."

To address this, the Cabinet Office has asked that an architecture and an accompanying project plan be signed off by the local authority's CEO, which should be included as part of the local authority's submission, prior to PSN compliance authorisation being granted.

The notice continues: "We are familiar with the balancing act between access, security and cost. However, the business conducted by local authorities and the data underpinning those services must be appropriately protected."

The action notice outlined changes local government must make to ensure that data travelling over the PSN is protected from compromised devices.

In the short term authorities are being asked to develop a 'mediation zone' which provides an appropriate proxy with an internal firewall for all services which are exposed. It states that this will likely take the form of a webmail gateway for access to email, a reverse proxy server for other web applications and an appropriate proxy for thin client or virtual desktop services.

"Only services containing non-PSN data can be exposed to unmanaged end-user devices. This includes access via the thin client or virtual desktop," said the Cabinet Office.

In the longer term, the use of unmanaged end-user devices to connect to internal applications should be minimised and where it remains essential, a strong network separation within the internal network should exist between PSN and non-PSN elements.

For example, such a separation could involve splitting PSN and non-PSN services into separate 'network zones'. As such, Non-PSN applications would be made accessible via IP addresses that are not shared with any services containing PSN data.

Local authorities have 12 months to implement these changes, prior to their 2014 PSN compliance authorisation.