Colin’s IT, Security and Working Life blog

August 6, 2010

Thinking the unthinkable – changes to government IA security architecture

Filed under: Government IT Security — chaplic @ 12:42 pm

I’ve said before, government information security is pretty good. We’ve had leaks and data losses in the past – noticeably “low tech” problems. In terms of issues in the public domain involving technology, there’s a pretty good story to tell.

However, times are different now, there is no money left. There’s a lot of security controls in place to mitigate against risks. Is it time to accept some of these risks and pare down the controls ? Let’s look at what can be done, comparing against a normal large business as our “sanity control”. Similarly, most businesses do not have to deal with “life and death” information, so I’m not considering that classification of information.

Government policy will not allow a wide area network to be run without complex encryption over the top. So, whilst most companies buy MPLS from the likes of Cable and Wireless and BT, government will do the same, then overlay a complex and expensive VPN. Removing this as a mandatory requirement would reduce costs in future, and even for currently deployed networks there’s a need to support all these extra boxes (and give them power, cooling). Plus, removing the extra encryption would improve speeds! As long as the migration cost is less than the support cost, everyone wins!

There’s a requirement for hard-disk encryption. Most corporates have woken up to this as an issue, and central government is no different. However, rather than effectively mandating a few, expensively approved products, perhaps the use of common commercial alternatives would save tens of pounds per machine.

VPN is another common business operation. Again, common in Government but mainly done with exotic VPN products you’ve never heard of. Ditch this, and go with Juniper and Cisco that everyone else uses. Many corporates will provide webmail for their employees. This will allow employees to access their email, probably from their home PC. This might alleviate the need for a blackberry, laptop and so on. You just won’t see this on a central government system. So, provide this and see mobile comms costs tumble.

Each government department is an autonomous organisation. They are joined up via the “Government Secure intranet”. This is a private WAN used to ship email and allow access to each others private websites. For email, if you’re feeling bold you could enforce TLS between your partners, or have a select few use PGP. But use the internet like everyone else. And when business want to share information, they setup VPNs over the internet. Do all this, and scrap the GSi

You’ll note none of these suggestions are fundamental. I’m not suggesting everyone run linux, or some sort of single, unified IT system. Mainly because change == cost, and drastic change == lots of cost.

However, there has to be a downside, and that is risk. Our attackers will have an easier ride, and those who seek to get at our information will have more success. As cyber-terrorism becomes a reality, would we be setting ourselves us for attack? At the more trivial end there’s bound to be stories about Nigerian scammers getting into government accounts.

The controls that are in place are not there because some security nerd wanted to install the latest gizmo. The question is therefore, is there anyone senior enough to take these decisions and also genuinely accept the risks and guaranteed issues?


October 27, 2009

Providing very secure webmail

Filed under: Government IT Security, Uncategorized — Tags: , — chaplic @ 3:46 pm


Most office workers are familiar with the concept of “webmail”. It allows the employee to access their email from any web browser, on any internet connected PC. This gives staff flexibility, may remove the need to supply some staff with a laptop and allows access anytime and anywhere – for example, on holiday (if they are keen). Webmail looks similar to email in the office and allows the user access to their inbox, calendar and attachments.

Technical configuration is fairly straightforward – encryption is provided by the same type of system used to secure web-banking, and users get logged in either by using their office username and password, or occasionally a more sophisticated mechanism like SecurID (little fob with changing numbers). All major email packages include a webmail server and it’s straightforward to configure.

It is cheap to provide, easy to use, and popular with staff.

Some clients cannot accept the risks of providing a “vanilla” webmail solution. Why not?

The stereotypical answer of “security” is often used. But to understand why this answer is used, it’s necessary to look at aspects of a webmail system.

Firstly, the encryption. As the data travels across the public internet and untrusted systems, it’s necessary to encrypt it. This encryption is a flavour of “SSL” or Secure Sockets Layer – websites identified by a padlock and starting with https in a web browser. This is the exact same technology used by online buying and banking.

Whilst for most intents and purposes SSL is pretty secure, some organisations do not consider it secure enough, and if you are a man-in-the-middle you can potentially read encrypted data quite easily.

The other challenge is the “endpoint” – otherwise known as the PC or laptop. With a organisations own PC it’s possible to be reasonably confident that software patching is up-to-date, there’s no malware software installed, and anti-virus is up-to-date. This cannot be claimed of computers that are likely to be used for webmail access.

Computers used for webmail are likely to be home PCs (perhaps crawling with nasties) and public web-cafes. Web-cafes in Airports are a well-know target for people installing keylogging software as they are commonly used by businessmen. Such nasties can capture information and send it back to the attacker. It’s unlikely to be a targeted attack – the malware will be on millions of PCs – but it is unknown what the attacker will do with the information.

The attacker is probably seeking ebay login details or credit card numbers. But, potentially, for that session and maybe beyond, they can access what the user can access via webmail.

Finally, there is also the issue of data remnance. When a web page is loaded, all the information is stored locally on the PC to speed up access. This is especially true if the user accesses an attachment. This information is typically not encrypted (and, there is no way of controlling). Thus, the next user of the machine may very easily find information they are not intended to see.

Predictably, the market has developed solutions. Webmail can be accessed via a number of products all of which can check the endpoint to ensure anti-virus is up-to-date, ensure it passes a number of other tests, and wipe attachments when the session ends. It’s also possible to control what operating system and web browser the user is connecting from, though the PC may spoof this.

It’s also possible to setup filtering based systems where the webmail system either filters emails the user can see based on a label (i.e. do not show this email unless it’s labelled as “UNCLASSIFIED”), or the webmail system is a duplicate of the normal environment, but only containing non-sensitive emails.

Ultimately, the decision to implement such a solution lies with the organisations risk owners. Clearly, they need to be in full possession of the facts, risks and countermeasures. They will also need to support the development process because a novel solution like this is likely to attract attention.

The impact of not providing this facility needs assessed. How many staff effectively do this already by emailing documents to their hotmail account so they can work at home? Recently, transport unions have proposed short-notice 5-day strikes. How would the organisation cope if a key transport route was closed? What would be the impact of not providing this facility to carbon neutral and efficiency savings targets (need to buy 1000’s of people a blackberry or laptop?).

A likely technical solution would have the following aspects:

· A “front end” webserver in a secured (DMZ) network

· Use of best-commercial-grade SSL encryption

· Registration with companies on the internet that allow ongoing and continual penetration testing of websites

· Endpoint checking – a small software component would have to be downloaded to the untrusted endpoints. This checks the machine to ensure software patch levels and antivirus is at acceptable levels, and perhaps the operating system is agreeable. If the endpoint check fails, or cannot be loaded, access is denied

· A high degree of protective monitoring – user access would be closely logged and anomalies alerted (perhaps in real-time)

· There is an element of end-user responsibility therefore terms and conditions would have to be maintained and agreed. It may be necessary for the solution to be “opt in”

· Use of a one-time-password (RSA SecurID) to replace or complement a password

· It may be desired to redact some information or remove some webmail functionality – for example the ability to download or upload attachments

· It may be desirable to control what machines can access the webmail by performing an enrolment procedure and using certificates. This removes the ability to access from any PC but allows access from pre-agreed PCs (e.g. users home PC)

I’m a big fan of the Microsoft IAG product. At its most basic level it’s an SSL VPN, and brings with it the endpoint checking functionality – so we can ensure the client PC is at a certain patch level.

It also allows us to dip into the data being accessed – in real time- and perform filtering based on rules we set. Finally, it sits atop ISA Server 2006 which is a firewall that’s Common Criteria EAL4 evaluated – in other words, it’s a robust firewall.

A simplified solution architecture is shown below:


In conclusion, the effort required achieving this and the friction creating a solution that steps outside the normal security paradigm for a high-security organisation should not be underestimated. Technology to create a robust solution exists and is  commercially heavily used.

Technorati Tags: ,,

September 24, 2009

Government Security is quite good – and out to get you.

Filed under: Government IT Security — chaplic @ 6:17 pm


The UK Governments Information Assurance Policies (IT Security to you and I) is actually quite good.

There, I said it.

And before someone mentions the thorny issue of CDs in the post, allow me to delve a bit deeper.

Each department is responsible for assessing their own risk and putting countermeasures and functionality in place as they see fit. However, it’s driven from policy from the “centre” meaning there is a commonality across all central government departments.

For the most vital of documents, keeping them confidential, unmolested and available when they are needed is critical.

However, not all data falls into this category and to provide ultimate protection to all data would be considerably expensive and cumbersome. To help with segregation of data, the government uses protective markings.

This is a short term like RESTRICTED or TOP SECRET which is a shorthand to describe what would happen should the information be compromised. Lower markings may just mean some commercial exposure or embarrassment, right up to the compromise of other assets directly leading to loss of life. Labelling documents and systems makes it the value of the data contained within very clear

This probably isn’t directly applicable to most commercial companies. However, if many had a label of, say, “PERSONALLY IDENTIFIABLE INFORMATION” or “COMMERCIALLY SENSITIVE” and clear guidelines as to how information like this should be handled (i.e. do not take a document labelled PERSONALLY IDENTIFIABLE INFORMATION” on a laptop without hard disk encryption), how fewer cases of potential identify theft would we have?

So, the UK Government has a nice labelling system which puts all data in little pots and a bunch of policy documents telling users what they cannot do and a whole host of technical security requirements. Fascinating, but not a compelling reason for your business to get on-board with a structured security methodology?

e-Government is an agenda that’s still quickening pace. You will almost certainly have some customers who are related, or are, a government organisation.

National Government recognises the value of secure communications and is pushing is intranet (the GSi – Government Secure Intranet, and variants) out to partner organisations, quangos, and local councils. To connect up , these bodies have to warrant their systems stand up to Codes of Connection.

If you want to do business with any of these bodies you are going to have to get to grips with these requirements too. Fortunately, the requirements are not arcane, unusual or hidden. They are published on the cabinet office website and called the Security Policy Framework

Let’s quote one requirement that’s poignant here:

Departments and Agencies must have, as a component of their overarching security policy, an information security policy setting out how they, and their delivery partners (including offshore and nearshore (EU/EEA based) Managed Service Providers), comply with the minimum requirements set out in this policy and the wider framework

There’s no escaping it. Expect to see adherence to SPF in your ITT and contractual requirements (if they are not already).

Many companies, if not well-versed in Government IT Security, find the the process alarming when the full implications are realised. They may well have used enough smoke-and-mirrors during the bid phase to hide their lack of knowledge or indeed a poor score in this may not have been enough to lose the bid.

But when they come to deliver, under the full scrutiny of experienced consultants, accreditors and security officers they often find delivering their SPF-related contractual obligations to be daunting (and, expensive).

But all is not lost. This is a scenario where security can truly be a business-enabler for your company.

Firstly, it provides you with carefully thought out, well proven and common set of criteria for your IT security operation. Sometimes, even organisations with pretty tight IT security setups like banks find they do not meet the criteria. It isn’t necessarily a quick fix but a path for your organisation (or, perhaps only a subsection).

To understand how mature your Information Assurance is and how work is progressing, an Information Assurance Maturity Model is available – those who work with CMMi will be in their element.

Secondly, and most importantly – your company will likely want to do business with the government at some point, on some level. Taking these steps now will not only demonstrate the value of security to the business, it will put your company in the driving seat when it comes to delivering these new contracts.

Finally, can a UK government IT Policy catch on and be universally accepted? Well, ITIL isn’t doing to badly!

June 12, 2009

Security does NOT mean firewalls!

Filed under: Government IT Security — chaplic @ 1:00 pm


I was in the unusual position of being part of an  interviewing panel who were evaluating tenders from the big consultancies firms for a piece of work.

The work was to provide a requirements definition for a fairly meaty government IT contract.

Of the four bidders, two of them didn’t refer to security once in their tender, one made me apoplectic as they discussed security as an optional extra in “phase 3”. WRONG.

One of my set questions during the interview was along the lines of asking what security challenges we might face.

All gave similar answers – making noises about firewalls, public access and so on. All very good but not exactly insightful.

What I was looking for is consideration of wider aspects – the old favourites of Confidentiality, Integrity and Availability, thinking about data aggregation issues and discussing risk, acceptable risk and mitigations/ controls to reduce risk.

If good security needs are not baked into requirements of projects, retro-fitting it is extremely expensive and difficult.

Create a free website or blog at