The document outlines the agenda for a PSNGB seminar on October 4th, 2012, including sessions on framework procurement, compliance, security, innovation, and the future direction of PSN. There will be workshops in the morning and afternoon with topics like procurement, compliance, security, and innovation. The event aims to provide an update on PSN and get input from attendees.
4. Martin Farncombe
Commercial Manager
PSN Delivering on the Promise
PSNGB Seminar
4 October 2012
PSNGB
The Industry association for PSN suppliers
UNCLASSIFIED
5. Why Change? (Now)
• 2000+ networks
• 5.5 million people
• 000’s sites
• Inflexible
• High cost
• Difficult to share
• Barriers to flexibility
• Limited collaboration
• Duplication
• No optimisation
• Complex
• Legacy interconnections
6. Common Standards
[Diagram: Local authorities, Government departments, Blue light services, Other public services and the Accredited private sector sharing Common infrastructure services]
• Technical standards improve interoperability over the same underlying infrastructure
• Information Assurance standards enable us to trust one another to handle our data
• Service Management standards enable services to operate effectively within a multi-supplier environment
• Commercial standards enable us to operate within an open and transparent market place, adopt common portfolio products and services and aggregate demand
By aligning to these common standards we can:
• Create a more unified market aligned to wider market investments
• Harness our corporate buying power
• Reduce procurement costs
• Share services and reduce duplication of infrastructure services and business systems
• Generate greater competition and innovation
• Save money
8. • Core standards set
• Successful pilot
• PSN Authority established
• Focus on benefit realisation - £30m 11/12 target significantly exceeded – actual £64.2m
• PSN Connectivity Framework operational and first competitions completed
• PSN Services Framework operational – competitions underway
• Central government mandate being enforced
• Substantial take up by Non Central Government
• Transition plans published
• Major customers contracting now for PSN services
• 2012 standards now published
• Cyber work in progress
• Users and suppliers becoming PSN Certified
9. • The PSN marketplace is open for business
• Delivery of PSN has begun, with wide scale adoption across all parts of the Public Sector continuing throughout 2012/13
• There has been great progress by both Government and the supplier community: but there’s lots more to do
• The big prize is ahead of us: we need to accept the challenge to exploit PSN, aim high, collaborate and drive business transformation
10. PSN Website
http://www.cabinetoffice.gov.uk/content/public-services-network
PSN Collaboration zone on Huddle
https://psn.huddle.net
Contact us:
General Communications with the PSN Programme and PSN Authority: psn@cabinet-office.gsi.gov.uk
PSNA Compliance Team, for compliance requests and questions regarding compliance: psna.compliance@cabinet-office.gsi.gov.uk
PSNA Service Bridge, for major incidents and security incidents: psna.servicebridge@cabinet-office.gsi.gov.uk
14. PSN Compliance
What it is, who has to do it and what has to be done.
Frequently asked questions
15. PSN Compliance is the process by which we assure that all PSN connected organisations meet the minimum requirements for connection.
• Based on commercial best practice for Information Assurance (IA) and networks
• Takes place at on-boarding and then annually
• Must be completed by all PSN customers and suppliers.
16. Dialogue
• Initial contact from supplier.
• Discussion of Compliance process and general advice
• Programme Transition support (subject to resource availability)
Application
• Submission of application and supporting documentation to psna.compliance@cabinet-office.gsi.gov.uk
Initial Assessment (1 week)
• PSNA conduct initial assessment of the application
• May require additional information or clarification
PSNA Application approval
• PSNA confirms acceptability of the application
• Application passed to PGA for formal accreditation.
Independent Verification – non-IA
• PSNA require the applicants to provide independent verification of the code template responses
PGA Accreditation (up to 16 weeks)
• 3-stage process: Scoping, Assurance (eg CAS(T)) then Review
• PGA accredit the service and recommend accreditation to PSAB
PSAB Review (up to 2 weeks)
• PSAB review the recommendation and approves
PSNA Review (1 Week)
• PSNA review the complete application
• Recommend to Ops Director
Ops Director Approval
• PSNA Ops. Director approves service for connection
PSNA Certification (1 Week)
• PSNA Issue PSN certificate for the service
17. Dialogue
• Initial contact from customer
• Discussion of Compliance process and general advice (not consultancy)
• Programme Transition support (subject to resource availability)
Application
• Submission of application and supporting documentation (network diagram, IT health check report, remedial action plan) to psna.compliance@cabinet-office.gsi.gov.uk
Initial Assessment (1 week)
• PSNA conduct initial validation and assessment of the application
• PSNA may require additional information or clarification
• PSNA may confirm acceptability of application, perhaps subject to Paper Assessment or On Site Assessment (OSA)
Paper Assessment – as required (up to 4 weeks)
• Detailed review of applicant’s responses, including dialogue with applicant for clarifications
• PSNA may confirm acceptability of application, perhaps subject to OSA
On Site Assessment – as required (up to 16 weeks)
• CESG On Site Assessment
• On Site Assessment Report
Agree RAP
• Customer agrees any necessary Remedial Action Plan, and begins working to it
PSNA Review (1 Week)
• PSNA review the application, and makes recommendation to Ops Director
• PSNA track any remedial actions, and escalate where necessary
Ops Director Approval
• PSNA Ops. Director approves Customer Environment for connection
PSNA Certification (1 Week)
• PSNA Issue PSN certificate for the Customer Environment
18. What I can answer:
Anything compliance related
• Process
• Documentation requirements
• Completing the CoCo
• CoCo control queries
• Connectivity
What I can’t answer:
Specific technical solution issues: “If I use this product is that ok?”, “Is this technical solution ok?” etc.
20. Latest news: The PSN Authority is evolving into The Public Sector Technical Services Authority (PSTSA)
Government IT Strategy and Policy: Standards setting, risk appetite
PSTSA Management and Governance
• PSN
• G-Cloud
• G-Hosting
• End User Devices ... and Security
• Standards Maintenance
• Day-to-day operational decisions
• Evolving from PSNA to support wider IT reform
Front Office
• Compliance
• Service Bridge
Back Office
• Finance
• Communications
• Information Management
• ICT
• Core Technical Services
21. PSN – Infrastructure
Security & Cyber
Defence
John Stubley
PSN Operations Director and Cyber Lead
July 2012
22. The Challenge
The Public Sector must deliver more for less: better, more reactive and joined up services at less cost. This means allowing information to flow freely, and allowing wider access to data which organisations are legally obliged to protect.
Most citizens in the UK are now comfortable living part of their lives on-line; shopping, social networking and business can all be conducted anywhere and anytime from laptops, tablets and mobile phones.
The public sector needs to adapt, and has an ICT Strategy which will enable it to do so. But a change to the security model is required to enable the flow of information and agility in delivery of services whilst maintaining appropriate guards on the information.
Historically security has been seen as a blocker or delay to progress in the public sector, adding time and cost to projects and limiting availability of current technology. It must become a business enabler.
23. Drivers - Strategic
The Government ICT Strategy – March 2011, Action 25:
“The Government will develop an appropriate and effective risk management regime for information and cyber-security risks for all major ICT projects and common infrastructure components and services”
The UK Cyber Security Strategy – November 2011, Objective 2, Action 5:
“Through the Government ICT strategy, ensure that we build and maintain appropriately secure government ICT networks”
Civil Service Reform – June 2012, Action 4:
… plans to share a wide range of other services and expertise. … Sharing services should become the norm
Also mentioned: Common Identity approaches and the need to streamline security processes
24. Current Environment
• Each public sector organisation creates its own stronghold
• Some common standards – but differently applied
• Some common suppliers – but different solutions
• Some bilateral arrangements for information/service sharing – but complex and cumbersome
• Trusted Networks (eg GSi) connecting customer sites – but poor policing of compliance at customer locations
• We have the ability to “turn-off the taps” – but seldom exercised
• No clear resilience plan across the public sector
There is no Common Security Model enforced and therefore no Common Trust – Sharing of information requires a variety of solutions making it expensive and inefficient
25. New Security Model - Principles
• Simplify Risk Management Process
• Do it Once, Do it Well, and Re-Use
• Not ‘One Size Fits All’, rather common building blocks based on legislation
• Pragmatic approach to IA encouraged through greater situational awareness and assurance and accountability of users – managed risk, not avoidance
• Clarity on compliance with standards – and policing of compliance
• Open standards where possible – avoid bespoke for HMG
26. Security Model
To achieve Common Trust the Security Model indicates that we need to create:
• Governance to manage risk
• Monitoring to ensure that any operational anomalies are addressed
• Trust in systems through common anti-malware and patching standards
• Trust in the users asserted through common standards and federated authentication
• Resilience, to ensure that key capabilities continue, no matter what
[Diagram: Common Trust resting on Federated Identity Assertion, Monitoring and Awareness, Anti-Malware & Patching, Governance and Resilience]
27. Security Model
[Diagram: the Public Services Network Resilient Core linking Cloud Services (IL0/2), Cloud & Shared Services, a Consolidated DC, the SOC, an Authentication Broker, the Internet, End User Devices and RAS]
28. [Diagram: governance relationships between Government Ministers / SIRO, SCaRAB (Sets RA, RFA), the CIO Council, Government departments (Gov Dep’t Board, e.g. HO, DWP, XXX Orgs) with their SIROs and IAOs under Customer Relationship, and ICT Business SIRO’s, Gov IA view and Gov CTO view feeding Cyber Delivery, Risk, Futures, ICT Provisions, Strategy and Research]
29. SOC – Relationships
[Diagram: the PSN SOC at the centre, with PSNA providing management, escalation and control. Inputs: GovCertUK and other CSIRTs (black/whitelists, signatures, vendor and other open source alerts); CSOC and other situational awareness hubs and communications; WARPs and other SOCs (e.g. GOSCC) for incoming alerts / blacklists / whitelists / signatures and knowledge sharing; the National Fraud Identification Bureau (NFIB) for fraud reports; PSN probes; Other PSN Central Services (Service Bridge, PKI, Authentication, DNS) events and alerts; consumer incidents, CERT / WARP alerts and other reporting channels arriving via Network / consumer, App / Cloud, Customer and Service Provider SOCs / NOCs and PSN NOCs]
30. Security Events Security Operations Centre
[Diagram: the PSN SOC receives PSN probe events/alerts and Other PSN Central Services events/alerts directly, plus external events/alerts filtered in turn by the Consumer SOC/NOC, Service Provider SOC/NOC, DNSP SOC/NOC and GCNSP SOC/NOC]
PSN SOC would receive events/alerts from PSN Central Services and its own probes.
Only those external events/alerts which pass defined PSN thresholds / conditions at each management level will be escalated to next level of SOC or directly to the PSN SOC. This includes those incidents classified as ‘Warning’, ‘Major’ or ‘Emergency’.
Version 0.5
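The escalation rule on this slide, as an added example that is not part of the PSN programme's own material: a Python model of the management chain shown (Consumer, Service Provider, DNSP and GCNSP SOC/NOCs, then the PSN SOC) that forwards an event upward only while it meets each level's threshold and sends ‘Emergency’ events straight to the PSN SOC. The per-level thresholds, the ‘Informational’ class and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Severity scale, lowest first. The slide names 'Warning', 'Major' and
# 'Emergency' as classes that are escalated; 'Informational' is a constructed
# placeholder for events that never leave the SOC/NOC that saw them.
SEVERITY = {"Informational": 0, "Warning": 1, "Major": 2, "Emergency": 3}

# Management levels from the slide, nearest the consumer first.
CHAIN = ["Consumer SOC/NOC", "Service Provider SOC/NOC",
         "DNSP SOC/NOC", "GCNSP SOC/NOC", "PSN SOC"]

# Minimum severity each level forwards upward. These values are an assumption
# for illustration; the slide only says each level has defined thresholds.
THRESHOLDS = {"Consumer SOC/NOC": "Warning", "Service Provider SOC/NOC": "Warning",
              "DNSP SOC/NOC": "Major", "GCNSP SOC/NOC": "Major"}

@dataclass(frozen=True)
class Alert:
    alert_id: str
    severity: str
    origin: str  # management level at which the event was first seen

def escalate(alert, chain=CHAIN, thresholds=THRESHOLDS):
    """Return the levels the alert passes through; the last one handles it."""
    if alert.severity not in SEVERITY:
        raise ValueError(f"unknown severity {alert.severity!r}")
    if alert.origin not in chain:
        raise ValueError(f"unknown management level {alert.origin!r}")
    level = SEVERITY[alert.severity]
    path = [alert.origin]
    # 'Emergency' bypasses the intermediate levels and goes straight to the PSN SOC.
    if alert.severity == "Emergency" and alert.origin != chain[-1]:
        path.append(chain[-1])
        return path
    pos = chain.index(alert.origin)
    while pos < len(chain) - 1 and level >= SEVERITY[thresholds[chain[pos]]]:
        pos += 1
        path.append(chain[pos])
    return path

# Constructed sample events (not real PSN data).
SAMPLE = [
    Alert("e1", "Informational", "Consumer SOC/NOC"),
    Alert("e2", "Warning", "Consumer SOC/NOC"),
    Alert("e3", "Major", "Service Provider SOC/NOC"),
    Alert("e4", "Emergency", "Consumer SOC/NOC"),
]

def route_all(alerts=SAMPLE):
    """Map alert id -> the level that ends up handling it."""
    return {a.alert_id: escalate(a)[-1] for a in alerts}

if __name__ == "__main__":
    for a in SAMPLE:
        print(a.alert_id, a.severity, " -> ".join(escalate(a)))
```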
31. Employee Authentication
[Diagram: Identity Providers (IDP 1, IDP 2), each a Security Domain with Identity Registration, Provisioning IDs, Management and Employee Authentication issuing a Security Token (IDA Model) after Employee Enrolment; Service Providers (SP 1, SP 2, SP 3), each a Security Domain with Resources, Applications and Access Control Services (PEP, PDP, Policy, Authorization, Enrolment); Authentication Trust between IDPs and SPs, and Business Trust between SPs via Point-to-Point links or a Directory & Orchestration provider]
Possible Number of Authentication Trust Paths for n Providers → O(n²)
32. Resilience
Possible Option Based on Using Separate Network
• Currently all Government network traffic relies, at least in part, on a high resilience network from a single supplier
• HMG does have investment in separate networks, but these don’t currently provide full UK coverage
• Investigating option to use some of this redundant available and physically separate capacity
33. Resilience
Possible Option Based on Using Separate Network
Exploring as part of the option analysis:
• Security
• Regulatory
• Commercial
• Financial and
• Operating model