SureCloud works with a significant number of the UK’s local authorities and public organisations, conducting IT Health Checks (ITHCs), and advising them on what they need to achieve and maintain to be PSN compliant.
In short, the PSN compliance framework requires organisations to meet Government Information Assurance (IA) requirements, which have been designed to provide an achievable and sensible baseline for ongoing security.
>See also: Is the UK’s public sector ready for GDPR?
As a result of the work, the company is well placed to observe the common challenges that organisations are facing in securing their IT infrastructure, specifically when trying to achieve PSN compliance. Let’s take a look at some of these challenges and examine how we can overcome them.
Relying on Windows Server 2003
One of the most common issues we see is a dependency on Windows Server 2003, despite Microsoft ending support for it on the 14th July 2015. We often see local government experience issues in migrating and removing Windows Server 2003 systems from their networks. These issues predominantly relate to the business requirements for certain legacy or niche business software, that is not supported on newer operating systems. The issue can be compounded by limited resources to perform the migrations without significant costs.
However, until systems can be upgraded or migrated to support Windows Server versions, there are a number of steps that organisations can take to harden their Windows Server 2003 deployments.
These include; removing unsupported software, regularly updating and patching third party software, restricting the users or hosts that can connect to the server using access lists, limiting open ports to the wider network, and isolating the server from the rest of the network using segmentation.
Securing third-party applications
While most organisations tend to be well versed in maintaining a standardised patching schedule for Microsoft operating systems and associated applications, they commonly overlook patches for third-party applications, such as Java Runtime or Adobe Reader. This can leave organisations vulnerable.
>See also: UK public sector increases cloud use
One of the biggest challenges arises when a third-party application has other third-party software pre-installed. In such cases, it may not be possible to update the individual component that has been identified as being vulnerable, without the main application vendor producing a patch or version update for their software.
In the case of business-critical applications, such as adult social care or a revenue and benefit systems, this can become a serious headache, as it may take months for the vendor to produce a patch, and even longer to arrange the business processes to accommodate the change of a business-critical application.
In these circumstances, if the vendor has provided an update to their application but you still are unable to implement this within a suitable timeframe, then a remediation statement with a plan to update, and a timeframe to do so, will contribute to a risk statement for your PSN submission.
Administrators can find the logistics of manually installing third-party patches and updates overwhelming, not least due to often lacking the required resources. Fortunately, there are numerous products on the market that can be implemented to address this as part of an existing Microsoft patch deployment methodology, such as System Centre Configuration Manager and Windows Server Update Service.
Ensuring the public wireless is adequately segmented
To adhere to the UK government wireless network guidance, organisations need to separate the public and corporate wireless networks, but far too often organisations fail to do this adequately. Adequate segmentation of these networks can often be achieved through the implementation of strict firewall rulesets, and ideally a wireless management framework should be implemented where costs permit.
>See also: The digital transformation of the UK public sector
A management framework will also provide adequate logging capabilities, along with traffic and device management.These should be configured in line with best practices. Where possible , look to implement full physical segregation.
Securing critical resources
A serious challenge facing organisations aiming to maintain PSN compliance, appears when a vulnerability is found on an external facing business critical appliance. These often present the biggest threat as they are public facing services that may be exploitable remotely, and any outages of these critical systems for maintenance may not be possible on a regular basis.
The single easiest way to address this is to implement a robust patching process and procedure for infrastructure items, as well as agreeing a regular outage period with internal change and risk teams.
Critical infrastructure should also be regularly tested for the purposes of disaster recovery fail-over. Alternatively, consider a contract with a supplier that has the necessary skill and resources who can maintain the critical infrastructure for you.
Budget constraints
With so many different areas to address for a successful PSN submission, it can be extremely difficult to know where to focus and where to spend any budget that may be available.
>See also: Future of the NHS: new technologies and the networks behind them
One of the biggest challenges facing the security of an organisation with a limited budget is identifying which products will give the best protection and which of those represent the best value for money. Solutions to consider to help address this include SIEM, real-time network analysis tools and intrusion prevention and detection systems.
Closing Statement
It is the responsibility of any public sector organisation to ensure that they are meeting their obligations set out in the PSN framework. But by addressing these challenges and by taking some relatively simple steps they can ensure that they are achieving compliance without it becoming overly complex and costly. Finally, and a key note, is that any guidance detailed in this piece still needs to be independently approved by your PSN auditor.
Sourced by Luke Potter, Cybersecurity Practice Director at SureCloud
The Women in IT Awards is the technology world’s most prominent and influential diversity program. On 22 March 2018, the event will come to the US for the first time, taking place in one of the world’s most prominent business cities: New York. Nominations are now open for the Women in IT USA Awards 2018. Click here to nominate