PSNGB Sunderland complete slide set 04 10 2012

The full set of slides used at the PSNGB event at Sunderland Software Centre on 4th October 2012

2.
09.30 Tea, coffee and registration
10.00 Welcome and Introduction - PSN – The Inside Story
10.40 Workshops Session 1: Framework Procurement – Lead: Martin Farncombe; Compliance – Lead: Simon Foster; Security – Lead: Andy Smith
11.20 Coffee break, networking
11.40 Workshops Session 2
12.20 Lunch, networking
13.00 Workshops Session 3
13.40 Innovation
14.40 The way forward, final Q and As - Cabinet Office and PSNGB
15.15 Close
© British Telecommunications plc UNCLASSIFIED
3. Tom Baker, Head of ICT at Sunderland City Council
4. Martin Farncombe, Commercial Manager PSN
PSN – Delivering on the Promise
PSNGB Seminar, 4 October 2012
PSNGB: the industry association for PSN suppliers
5. Now – Why Change?
• 2000+ networks
• 5.5 million people
• Thousands of sites
• Inflexible
• High cost
• Difficult to share
• Barriers to flexibility
• Limited collaboration
• Duplication
• No optimisation
• Complex
• Legacy interconnections
6. Common Standards
(Diagram: Local authorities, Government departments, Blue light services, Other public services and Accredited private sector, all using common infrastructure services)
• Technical standards improve interoperability over the same underlying infrastructure
• Information Assurance standards enable us to trust one another to handle our data
• Service Management standards enable services to operate effectively within a multi-supplier environment
• Commercial standards enable us to operate within an open and transparent market place, adopt common portfolio products and services and aggregate demand
By aligning to these common standards we can:
• Create a more unified market aligned to wider market investments
• Harness our corporate buying power
• Reduce procurement costs
• Share services and reduce duplication of infrastructure services and business systems
• Generate greater competition and innovation
• Save money
7. How it works (diagram)
8.
• Core standards set
• Successful pilot
• PSN Authority established
• Focus on benefit realisation - £30m 11/12 target significantly exceeded – actual £64.2m
• PSN Connectivity Framework operational and first competitions completed
• PSN Services Framework operational – competitions underway
• Central government mandate being enforced
• Substantial take up by Non Central Government
• Transition plans published
• Major customers contracting now for PSN services
• 2012 standards now published
• Cyber work in progress
• Users and suppliers becoming PSN Certified
9.
• The PSN marketplace is open for business
• Delivery of PSN has begun, with wide scale adoption across all parts of the Public Sector continuing throughout 2012/13
• There has been great progress by both Government and the supplier community: but there’s lots more to do
• The big prize is ahead of us: we need to accept the challenge to exploit PSN, aim high, collaborate and drive business transformation
10.
• PSN Website
• PSN Collaboration zone on Huddle
Contact us:
• General Communications with the PSN Programme and PSN Authority
• PSNA Compliance Team, for compliance requests and questions regarding compliance
• PSNA Service Bridge, for major incidents and security incidents
11. Neil Mellor, PSNGB
12. Ask the Panel – PSNGB & Cabinet Office
13. The PSN Compliance process – Simon Foster
14.
• PSN Compliance: what it is, who has to do it and what has to be done
• Frequently asked questions
15. PSN Compliance is the process by which we assure that all PSN connected organisations meet the minimum requirements for connection.
• Based on commercial best practice for Information Assurance (IA) and networks
• Takes place at on-boarding and then annually
• Must be completed by all PSN customers and suppliers
16.
Dialogue
• Initial contact from supplier
• Discussion of Compliance process and general advice
• Programme Transition support (subject to resource availability)
Application
• Submission of application and supporting documentation
Initial Assessment (1 week)
• PSNA conduct initial assessment of the application
• May require additional information or clarification
PSNA Application approval
• PSNA confirms acceptability of the application
• Application passed to PGA for formal accreditation
Independent Verification – non-IA
• PSNA require the applicants to provide independent verification of the code template responses
PGA Accreditation (up to 16 weeks)
• 3-stage process: Scoping, Assurance (eg CAS(T)), then Review
• PGA accredit the service and recommend accreditation to PSAB
PSAB Review (up to 2 weeks)
• PSAB review the recommendation and approve
PSNA Review (1 week)
• PSNA review the complete application
• Recommend to Ops Director
Ops Director Approval
• PSNA Ops. Director approves service for connection
PSNA Certification (1 week)
• PSNA issue PSN certificate for the service
17.
Dialogue
• Initial contact from customer
• Discussion of Compliance process and general advice (not consultancy)
• Programme Transition support (subject to resource availability)
Application
• Submission of application and supporting documentation (network diagram, IT health check report, remedial action plan)
Initial Assessment (1 week)
• PSNA conduct initial validation and assessment of the application
• PSNA may require additional information or clarification
• PSNA may confirm acceptability of application, perhaps subject to Paper Assessment or On Site Assessment (OSA)
Paper Assessment – as required (up to 4 weeks)
• Detailed review of applicant’s responses, including dialogue with applicant for clarifications
• PSNA may confirm acceptability of application, perhaps subject to OSA
On Site Assessment – as required (up to 16 weeks)
• CESG On Site Assessment
• On Site Assessment Report
Agree RAP
• Customer agrees any necessary Remedial Action Plan, and begins working to it
PSNA Review (1 week)
• PSNA review the application, and make recommendation to Ops Director
• PSNA track any remedial actions, and escalate where necessary
Ops Director Approval
• PSNA Ops. Director approves Customer Environment for connection
PSNA Certification (1 week)
• PSNA issue PSN certificate for the Customer Environment
18.
What I can answer: anything compliance related
• Process
• Documentation requirements
• Completing the CoCo
• CoCo control queries
• Connectivity
What I can’t answer: specific technical solution issues
• “If I use this product is that ok?”
• “Is this technical solution ok?” etc.
19.
• PSN Website
Contact us:
• PSNA Compliance Team, for compliance requests and questions regarding compliance
20. The PSN Authority is evolving into The Public Sector Technical Services Authority (PSTSA)
Latest news
(Diagram: Government IT Strategy and Policy; Standards setting, risk appetite; Management and Governance)
Scope:
• PSN
• G-Cloud
• G-Hosting
• End User Devices ... and Security
• Day-to-day Maintenance
• Evolving from PSNA to support wider IT reform
Front Office:
• Compliance
• Service Bridge
• Information Management
• ICT operational decisions
Back Office:
• Finance
• Communications
• Standards
• Core Technical Services
21. PSN – Infrastructure Security & Cyber Defence
John Stubley, PSN Operations Director and Cyber Lead
July 2012
22. The Challenge
The Public Sector must deliver more for less: better, more reactive and joined-up services at less cost. This means allowing information to flow freely, and allowing wider access to data which organisations are legally obliged to protect.
Most citizens in the UK are now comfortable living part of their lives on-line; shopping, social networking and business can all be conducted anywhere and anytime from laptops, tablets and mobile phones.
The public sector needs to adapt, and has an ICT Strategy which will enable it to do so. But a change to the security model is required to enable the flow of information and agility in delivery of services whilst maintaining appropriate guards on the information.
Historically, security has been seen as a blocker or delay to progress in the public sector, adding time and cost to projects and limiting availability of current technology. It must become a business enabler.
23. Drivers - Strategic
The Government ICT Strategy – March 2011, Action 25: “The Government will develop an appropriate and effective risk management regime for information and cyber-security risks for all major ICT projects and common infrastructure components and services”
The UK Cyber Security Strategy – November 2011, Objective 2, Action 5: “Through the Government ICT strategy, ensure that we build and maintain appropriately secure government ICT networks”
Civil Service Reform – June 2012, Action 4: “… plans to share a wide range of other services and expertise. … Sharing services should become the norm”
Also mentioned: Common Identity approaches and the need to streamline security processes
24. Current Environment
• Each public sector organisation creates its own stronghold
• Some common standards – but differently applied
• Some common suppliers – but different solutions
• Some bilateral arrangements for information/service sharing – but complex and cumbersome
• Trusted Networks (eg GSi) connecting customer sites – but poor policing of compliance at customer locations
• We have the ability to “turn off the taps” – but seldom exercised
• No clear resilience plan across the public sector
There is no Common Security Model enforced and therefore no Common Trust. Sharing of information requires a variety of solutions, making it expensive and inefficient.
25. New Security Model - Principles
• Simplify Risk Management Process
• Do it Once, Do it Well, and Re-Use
• Not ‘One Size Fits All’, rather common building blocks based on legislation
• Pragmatic approach to IA encouraged through greater situational awareness and assurance and accountability of users – managed risk, not avoidance
• Clarity on compliance with standards – and policing of compliance
• Open standards where possible – avoid bespoke for HMG
26. Security Model
To achieve Common Trust the Security Model indicates that we need to create:
• Governance to manage risk
• Monitoring to ensure that any operational anomalies are addressed
• Trust in systems through common anti-malware and patching standards
• Trust in the users asserted through common standards and federated authentication
• Resilience, to ensure that key capabilities continue, no matter what
(Diagram: Common Trust resting on Federated Identity Assertion, Monitoring and Awareness, Anti-Malware & Patching, Governance and Resilience)
27. Security Model (diagram: Cloud Services; Cloud & Shared IL0/2 Services; DC; SOC; Authentication Broker; Consolidated DC; Resilient Core; Internet; Public Services Network; End User Devices; RAS)
28. Governance (diagram: Government Ministers / SIRO; Government SCaRAB; Sets RA; RFA; ICT Business; SIROs; Cyber Delivery Risk; Futures; ICT; Gov IA view; Provisions; Gov CTO view; Strategy; Risk; Government Orgs, e.g. HO, DWP; Research; Gov Dep’t Board; CIO Council; Customer Relationship; SIRO; IAOs)
29. SOC – Relationships (diagram)
• Cyber Hub / CSOC; other situational awareness sources; other open source alerts; vendors etc; black/whitelists; signatures
• PSNA; GovCertUK; management, escalation and control
• Other CSIRTs; other SOCs, e.g. GOSCC; WARPs; other situational awareness info and knowledge sharing
• PSN SOC: incoming alerts / blacklists / whitelists / signatures
• Other PSN Central Services events and alerts: Service Bridge, PKI, Identification, Authentication, DNS
• Consumer incidents (through other reporting channels); CERT / WARP alerts
• National Fraud Intelligence Bureau (NFIB): fraud reports
• PSN probes; Network / consumer SOCs/NOCs; Consumer App / Cloud SOCs/NOCs; Service Provider SOCs/NOCs; Customer SOCs/NOCs; PSN NOCs
30. Security Events
(Diagram: PSN Security Operations Centre receiving PSN probe events/alerts and Other PSN Central Services events/alerts, filtered by Consumer SOC/NOC, Service Provider SOC/NOC, DNSP SOC/NOC and GCNSP SOC/NOC)
The PSN SOC would receive events/alerts from PSN Central Services and its own probes.
Only those external events/alerts which pass defined PSN thresholds / conditions at each management level will be escalated to the next level of SOC or directly to the PSN SOC. This includes those incidents classified as ‘Warning’, ‘Major’ or ‘Emergency’.
31. Employee Authentication (diagram)
• Security Domains, each with Identity Registration, Provisioning, IDs Management, Authentication and a Security Token (IDA Model); Identity Provider 1 and Identity Provider 2 (IDP)
• Service Providers 1, 2 and 3 (SP), each with Resources, Applications and Access Control Services (PEP, PDP, Policy, Authorization, Enrolment); Directory & Orchestration Services
• Point-to-Point Authentication; Employee Enrolment; Authentication Trust; Business Trust
• Possible Authentication Trust Paths: the number of trust paths for n providers is O(n²)
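The slide's point is that point-to-point trust between every IdP and SP grows quadratically, while trust through a common broker grows linearly, and that a service provider's PEP should only accept assertions from issuers it trusts before the PDP applies business policy. The Python below is an added illustration of that model, not PSN or IDA code: the HMAC-signed JSON token, the shared-key trust store, the policy table and every name in it are assumptions chosen for the example.

```python
"""Federated authentication toy model: bilateral vs. brokered trust paths,
plus a minimal PEP/PDP check on an IdP-issued security token.

Added illustration only; not PSN/IDA code. Token format (HMAC-SHA256 over
a JSON claim set), trust store, policy table and all names are assumptions.
"""
import hashlib
import hmac
import json
import time


def bilateral_trust_paths(n):
    """Every provider trusts every other provider directly: n(n-1)/2 pairwise
    trust relationships (keys to exchange, renew and revoke), i.e. O(n^2)."""
    return n * (n - 1) // 2


def brokered_trust_paths(n):
    """Every provider trusts only the central authentication broker: n paths."""
    return n


def sign_token(issuer_key, claims):
    """IdP side: serialise claims canonically and sign them with a shared key."""
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(issuer_key, body, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


class PolicyDecisionPoint:
    """PDP: business trust. Decides whether the asserted roles may act."""

    def __init__(self, policy):
        self.policy = policy  # (resource, action) -> set of permitted roles

    def decide(self, claims, resource, action):
        allowed = self.policy.get((resource, action), set())
        return bool(allowed & set(claims.get("roles", [])))


class PolicyEnforcementPoint:
    """PEP: authentication trust. Verifies the token came from a trusted IdP,
    is addressed to this SP and is still valid, then defers to the PDP."""

    def __init__(self, audience, trusted_issuers, pdp, now=time.time):
        self.audience = audience
        self.trusted_issuers = trusted_issuers  # issuer name -> shared key
        self.pdp = pdp
        self.now = now

    def authenticate(self, token):
        claims = json.loads(token["body"])
        key = self.trusted_issuers.get(claims.get("iss"))
        if key is None:
            return None, "untrusted issuer"
        expected = hmac.new(key, token["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            return None, "bad signature"
        if claims.get("aud") != self.audience:
            return None, "wrong audience"
        if claims.get("exp", 0) <= self.now():
            return None, "expired"
        return claims, "ok"

    def access(self, token, resource, action):
        claims, reason = self.authenticate(token)
        if claims is None:
            return False, reason
        if not self.pdp.decide(claims, resource, action):
            return False, "denied by policy"
        return True, "ok"


def demo():
    """Constructed sample: two IdPs and one SP that trusts only idp-a."""
    idp_a_key = b"idp-a-shared-secret"  # constructed
    idp_b_key = b"idp-b-shared-secret"  # constructed

    def fixed_now():
        return 1_000_000  # fixed clock so results are reproducible

    pdp = PolicyDecisionPoint({("/caseload", "read"): {"caseworker"}})
    pep = PolicyEnforcementPoint("sp-1", {"idp-a": idp_a_key}, pdp, now=fixed_now)

    base = {"aud": "sp-1", "sub": "alice", "roles": ["caseworker"]}
    good = sign_token(idp_a_key, {**base, "iss": "idp-a", "exp": fixed_now() + 300})
    untrusted = sign_token(idp_b_key, {**base, "iss": "idp-b", "exp": fixed_now() + 300})
    expired = sign_token(idp_a_key, {**base, "iss": "idp-a", "exp": fixed_now() - 1})
    tampered = dict(good)  # privilege escalation attempt breaks the signature
    tampered["body"] = good["body"].replace(b'"caseworker"', b'"admin"')

    return {
        "good": pep.access(good, "/caseload", "read"),
        "untrusted": pep.access(untrusted, "/caseload", "read"),
        "expired": pep.access(expired, "/caseload", "read"),
        "tampered": pep.access(tampered, "/caseload", "read"),
        "wrong_action": pep.access(good, "/caseload", "write"),
    }


if __name__ == "__main__":
    print("bilateral trust paths for 10 providers:", bilateral_trust_paths(10))
    print("brokered trust paths for 10 providers:", brokered_trust_paths(10))
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With ten providers the bilateral model needs 45 trust relationships and the brokered model ten; the demo shows the PEP rejecting an assertion from an issuer outside the SP's trust store, an expired assertion and a tampered one before any business policy is consulted, and the PDP refusing an action the asserted role is not permitted.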
32. Resilience – Possible Option Based on Using Separate Network
• Currently all Government network traffic relies, at least in part, on a high resilience network from a single supplier
• But HMG does have investment in separate networks, which don’t currently provide full UK coverage
• Investigating option to use some of this redundant, available and physically separate capacity
33. Resilience – Possible Option Based on Using Separate Network
Exploring as part of the option analysis:
• Security
• Regulatory
• Commercial
• Financial
• Operating model