Psngb sunderland complete slide set 04 10 2012

Mike Thomas, PSNGB, UNCLASSIFIED

Description: The full set of slides used at the PSNGB event at Sunderland Software Centre on 4th October 2012

Transcript of Psngb sunderland complete slide set 04 10 2012

Page 1

Mike Thomas

PSNGB

UNCLASSIFIED

Page 2

© British Telecommunications plc

09.30 Tea, coffee and registration

10.00 Welcome and Introduction - PSN – The Inside Story

10.40 Workshops Session 1

Framework Procurement – Lead – Martin Farncombe

Compliance – Lead – Simon Foster

Security – Lead – Andy Smith

11.20 Coffee break, networking

11.40 Workshops Session 2

12.20 Lunch, networking

13.00 Workshops Session 3

13.40 Innovation

14.40 The way forward, final Q and As - Cabinet Office and PSNGB

15.15 Close

Page 3

Tom Baker

Head of ICT at Sunderland City Council

Page 4

PSNGB Seminar

4 October 2012

PSNGB – The Industry association for PSN suppliers

Martin Farncombe, Commercial Manager

PSN – Delivering on the Promise

Page 5

Why Change?

Now:

• 2000+ networks

• 5.5 million people

• 000’s of sites

• Inflexible

• High cost

• Difficult to share

• Barriers to flexibility

• Limited collaboration

• Duplication

• No optimisation

• Complex

• Legacy interconnections

Page 6

PSN participants (diagram labels): Blue light services; Other public services; Government departments; Common infrastructure services; Accredited private sector; Local authorities

Common Standards

• Technical standards improve interoperability over the same underlying infrastructure

• Information Assurance standards enable us to trust one another to handle our data

• Service Management standards enable services to operate effectively within a multi-supplier environment

• Commercial standards enable us to operate within an open and transparent market place, adopt common portfolio products and services and aggregate demand

By aligning to these common standards we can:

• Create a more unified market aligned to wider market investments

• Harness our corporate buying power

• Reduce procurement costs

• Share services and reduce duplication of infrastructure services and business systems

• Generate greater competition and innovation

• Save money

Page 7

How it works

Page 8

• Core standards set

• Successful pilot

• PSN Authority established

• Focus on benefit realisation - £30m 11/12 target significantly exceeded – actual £64.2m

• PSN Connectivity Framework operational and first competitions completed

• PSN Services Framework operational – competitions underway

• Central government mandate being enforced

• Substantial take up by Non Central Government

• Transition plans published

• Major customers contracting now for PSN services

• 2012 standards now published

• Cyber work in progress

• Users and suppliers becoming PSN Certified

Page 9

• The PSN marketplace is open for business

• Delivery of PSN has begun, with wide scale adoption across all parts of the Public Sector continuing throughout 2012/13

• There has been great progress by both Government and the supplier community: but there’s lots more to do

• The big prize is ahead of us: we need to accept the challenge to exploit PSN, aim high, collaborate and drive business transformation

Page 11

Neil Mellor

PSNGB

Page 12

Ask the Panel – PSNGB & Cabinet Office

Page 13

The PSN Compliance process – Simon Foster

Page 14

PSN Compliance

What it is, who has to do it and what has to be done.

Frequently asked questions

Page 15

PSN Compliance is the process by which we assure that all PSN connected organisations meet the minimum requirements for connection.

• Based on commercial best practice for Information Assurance (IA) and networks

• Takes place at on-boarding and then annually

• Must be completed by all PSN customers and suppliers.

Page 16

Dialogue

• Initial contact from supplier.

• Discussion of Compliance process and general advice

• Programme Transition support (subject to resource availability)

Application

• Submission of application and supporting documentation

Initial Assessment (1 week)

• PSNA conduct initial assessment of the application

• May require additional information or clarification

PSNA Application approval

• PSNA confirms acceptability of the application

• Application passed to PGA for formal accreditation.

Independent Verification – non-IA

• PSNA require the applicants to provide independent verification of the code template responses

PGA Accreditation (up to 16 weeks)

• 3-stage process: Scoping, Assurance (eg CAS(T)) then Review

• PGA accredit the service and recommend accreditation to PSAB

PSNA Review (1 week)

• PSNA review the complete application

• Recommend to Ops Director

PSAB Review (up to 2 weeks)

• PSAB review the recommendation and approves

Ops Director Approval

• PSNA Ops. Director approves service for connection

PSNA Certification (1 week)

• PSNA issue PSN certificate for the service

Page 17

Dialogue

• Initial contact from customer

• Discussion of Compliance process and general advice (not consultancy)

• Programme Transition support (subject to resource availability)

Application

• Submission of application and supporting documentation (network diagram, IT health check report, remedial action plan)

Initial Assessment (1 week)

• PSNA conduct initial validation and assessment of the application

• PSNA may require additional information or clarification

• PSNA may confirm acceptability of application, perhaps subject to Paper Assessment or On Site Assessment (OSA)

Paper Assessment – as required (up to 4 weeks)

• Detailed review of applicant’s responses, including dialogue with applicant for clarifications

• PSNA may confirm acceptability of application, perhaps subject to OSA

On Site Assessment – as required (up to 16 weeks)

• CESG On Site Assessment

• On Site Assessment Report

Agree RAP

• Customer agrees any necessary Remedial Action Plan, and begins working to it

PSNA Review (1 week)

• PSNA review the application, and makes recommendation to Ops Director

• PSNA track any remedial actions, and escalate where necessary

Ops Director Approval

• PSNA Ops. Director approves Customer Environment for connection

PSNA Certification (1 week)

• PSNA issue PSN certificate for the Customer Environment

Page 18

What I can answer:

Anything compliance related

• Process

• Documentation requirements

• Completing the CoCo

• CoCo control queries

• Connectivity

What I can’t answer:

Specific technical solution issues – “If I use this product is that ok?”, “Is this technical solution ok?” etc.

Page 20

The PSN Authority is evolving into The Public Sector Technical Services Authority

Management and Governance

Government IT Strategy and Policy – Standards setting, risk appetite

Front Office

• Compliance

• Service Bridge and Security

• Standards Maintenance

• Core Technical Services

Back Office

• Finance

• Communications

• Information Management

• ICT

PSTSA

• PSN

• G-Cloud

• G-Hosting

• End User Devices

• ...

• Day-to-day operational decisions

• Evolving from PSNA to support wider IT reform

Latest news

Page 21

PSN – Infrastructure Security & Cyber Defence

John Stubley, PSN Operations Director and Cyber Lead

July 2012

Page 22

The Challenge

The Public Sector must deliver more for less; better, more reactive and joined up services at less cost. This means allowing information to flow freely, and allowing wider access to data which organisations are legally obliged to protect.

Most citizens in the UK are now comfortable living part of their lives on-line; shopping, social networking and business can all be conducted anywhere and anytime from laptops, tablets and mobile phones.

The public sector needs to adapt, and has an ICT Strategy which will enable it to do so. But a change to the security model is required to enable the flow of information and agility in delivery of services whilst maintaining appropriate guards on the information.

Historically security is seen as a blocker or delay to progress in the public sector, adding time and cost to projects and limiting availability of current technology. It must become a business enabler.

Page 23

Drivers - Strategic

The Government ICT Strategy – March 2011, Action 25:

“The Government will develop an appropriate and effective risk management regime for information and cyber-security risks for all major ICT projects and common infrastructure components and services”

The UK Cyber Security Strategy – November 2011, Objective 2, Action 5:

“Through the Government ICT strategy, ensure that we build and maintain appropriately secure government ICT networks“

Civil Service Reform – June 2012, Action 4:

… plans to share a wide range of other services and expertise. … Sharing services should become the norm

Also mentioned: Common Identity approaches and the need to streamline security processes

Page 24

Current Environment

• Each public sector organisation creates its own stronghold

• Some common standards – but differently applied

• Some common suppliers – but different solutions

• Some bilateral arrangements for information/service sharing – but complex and cumbersome

• Trusted Networks (eg GSi) connecting customer sites – but poor policing of compliance at customer locations

• We have the ability to “turn-off the taps” – but seldom exercised

• No clear resilience plan across the public sector

There is no Common Security Model enforced and therefore no Common Trust – Sharing of information requires a variety of solutions making it expensive and inefficient

Page 25

New Security Model - Principles

Simplify Risk Management Process

Do it Once, Do it Well, and Re-Use

Not ‘One Size Fits All’, rather common building blocks based on legislation

Pragmatic approach to IA encouraged through greater situational awareness and assurance and accountability of users – managed risk, not avoidance

Clarity on compliance with standards – and policing of compliance

Open standards where possible – avoid bespoke for HMG

Page 26

Common Trust Security Model (diagram labels): Federated Identity Assertion; Monitoring and Awareness; Anti-Malware & Patching; Governance; Resilience

Security Model

To achieve Common Trust the Security Model indicates that we need to create:

• Governance to manage risk

• Monitoring to ensure that any operational anomalies are addressed

• Trust in systems through common anti-malware and patching standards

• Trust in the users asserted through common standards and federated authentication

• Resilience, to ensure that key capabilities continue, no matter what

Page 27

Security Model (diagram labels): Cloud Services; IL0/2; DC; Internet; End User Devices; SOC; Cloud & Shared Services; Resilient Core; RAS; Public Services Network; Consolidated DC; Authentication Broker

Page 28

ICT Futures (governance diagram labels): SCaRAB; Government SIRO; Ministers / Government – Sets RA; Business SIRO’s; Gov IA view; Gov CTO view; ICT Provisions; Strategy; Cyber Delivery; Gov Dep’t Board – SIRO, IAOs; DWP; HO; XXX; Risk; Government Orgs; Risk; RFA; Research; CIO COUNCIL; CUSTOMER RELATIONSHIP

Page 29

SOC – Relationships (diagram labels):

• PSN; PSN SOC; Consumer SOCs/NOCs; Customer SOCs/NOCs; Network / App / Cloud Service Provider SOCs/NOCs; CSOC; Other SOCs, e.g. GOSCC; Cyber Hub; PSNA

• Other PSN Central Services: Service Bridge, PKI, Authentication, DNS; PSN probes

• Situational Awareness Info; Incoming Alerts / Blacklists / Whitelists / Signatures and knowledge sharing; Consumer incidents, events and alerts; Other situational awareness communications; Management escalation and control; CERT / WARP alerts (through other reporting channels); Other open source alerts; Fraud reports

• GovCertUK: Black/whitelists, Signatures; Other CSIRTs; WARPs; Other open sources: Vendors etc; National Fraud Identification Bureau (NFIB)

Page 30

Security Operations Centre

Only those external events/alerts which pass defined PSN thresholds / conditions at each management level will be escalated to the next level of SOC or directly to the PSN SOC. This includes those incidents classified as ‘Warning’, ‘Major’ or ‘Emergency’.

Escalation diagram labels: Security Events; Filtered by Consumer SOC/NOC; Filtered by Service Provider SOC/NOC; Filtered by DNSP SOC/NOC; Filtered by GCNSP SOC/NOC; PSN SOC; Other PSN Central Services events/alerts; PSN probe events/alerts

PSN SOC would receive events/alerts from PSN Central Services and its own probes

Page 31

Point-to-Point (IDA Model)

Diagram labels: Security Domain (three shown); Identity Provider 1 (IDP); Identity Provider 2 (IDP); Service Provider 1 (SP); Service Provider 2 (SP); Service Provider 3 (SP); Employee; Employee Authentication; Identity – IDs, Registration, Provisioning; Authentication – Security Token Management; AUTHENTICATION TRUST; BUSINESS TRUST; Resources – Authorization, Access Control Services, Applications, Enrolment, ...; Services; PDP; Policy; PEP; Provider Directory & Orchestration; Possible Authentication Trust Paths

Number of Trust Paths for n Providers → O(n²)

Page 32

Resilience

• Currently all Government network traffic relies, at least in part, on a high resilience network from a single supplier

• But HMG does have investment in separate networks, but these don’t currently provide full UK coverage

• Investigating option to use some of this redundant available and physically separate capacity

Possible Option Based on Using Separate Network

Page 33

Resilience

Exploring as part of the option analysis:

• Security

• Regulatory

• Commercial

• Financial and

• Operating model

Possible Option Based on Using Separate Network