Monthly Archives: December 2013

How to do BYOD, Mobility, Remote Working AND Maintain PSN Compliance

My Local Authority has recently achieved PSN accreditation (measured against the latest version of the CoCo).

We allow BYOD for anyone who wants it and we have access to Council systems from smartphones and tablets (these can be Council owned or employee owned – it doesn’t really matter).

Around half of our 4500 computer users have the ability to work from home/remotely – should they want/need to – and many of them do.

We take data security very, very seriously so we were delighted when the PSN/CESG people vetted our approach and confirmed that we’re complying with the rules.

We are all aware that the PSN regime is causing much pain for some Councils. Some have had to (temporarily) withdraw mobile working altogether. Others have been threatened with disconnection if they don’t change their architecture.

I’m not privy to the details of the solutions that these Councils have in place – but I feel their pain. My organisation now has a desk to person ratio of about 0.6 to 1 – so for every 1000 office-based employees we have around 600 desks. This way of working is largely enabled by technology – i.e. we have lots of people working somewhere other than the office. If we were told that we had to shut down our remote working solutions, well, it doesn’t bear thinking about.

So I thought it would be useful if I shared our 3-point plan to achieve PSN compliance whilst still enabling BYOD and remote working for all staff:

            1. Control the end points.

            2. Secure the connection.

            3. That’s it really.

‘Controlling the end points’ means different things for different devices, but for the purpose of this discussion there are really only 2 categories of end point:

  1. Laptops
  2. Smartphones and Tablets

For ‘proper’ computing – which covers most day to day tasks – your users need a Council issued laptop. Around 80% of our 4500 office-based staff have laptops as their main computing device. They can’t use their own laptop: a personally owned machine can’t be brought under the Council’s control (encryption, patching, configuration), which makes it too hard – in practice impossible – to secure. You need to give them a Council owned laptop. This is a simple move, but it unlocks a whole world of agility and efficiency:

  1. Laptops make it easy to work from any desk – this enables you to shrink your property estate (you also need softphones and ‘follow me’ VOIP numbering).
  2. Laptops can be taken to meetings and thereby remove the need for printing hard-copy agendas and reports. Most people in most of our meetings have a laptop with them – our printing costs have plummeted.
  3. Laptops make it easy to work from the train – the commute becomes productive.
  4. Finally, and most importantly, laptops make it easy to work from home.

Needless to say you have to encrypt the device – but you knew that already. You also have to secure the connection – as per ‘point 2’ of our plan. This is relatively easy to do – we use Cisco’s AnyConnect product to deliver a VPN with 2-factor authentication. When you put these 2 things together (a Council owned, encrypted laptop and a secure connection) you have, in essence, turned the employee’s home (or wherever they are working) into a Council office. Whatever they do in the office they can do at home – with no exceptions. Work, after all, is a thing you do – not a place you go.

The other category of ‘end point’ is smartphones and tablets. I’m talking about iOS and Android tablets here – not Windows 8 tablets such as the MS Surface, as these are basically just laptops which can easily be connected to the Council’s network.

You don’t need to get hung up about whether these devices are Council owned or employee owned – the means of controlling them is the same regardless of ownership. You need to deploy technology which ‘containerises’ the Council’s data. We use Good for Enterprise for this – but there are several solutions to choose from. Good allows our employees to access lots of useful data from a smartphone or tablet, such as:

  • Their email
  • Their calendar
  • Their contacts
  • Their task lists
  • The Council’s Intranet (and, therefore, a wealth of self-service resources).
  • The Internet (filtered and logged)

If someone loses their phone/tablet they let us know and we can remove Good and any Council data in a flash. What’s more, data can’t be transferred out of Good and deposited elsewhere on the device.

This technology is available to all staff (with line manager’s approval/business case). If employees elect to have Good installed on their own, personal, smartphones or tablets (BYOD) then that’s great – it saves the Council some money. But if they prefer to have a Council owned smartphone with Good on board then that’s fine too (we are phasing out Blackberries entirely and replacing them with smartphones + Good).

In addition to Good, many of our Members and senior officers use the Mod.gov app to give them access to Committee papers. This is a wonderful app – it’s secure and allows documents to be annotated in a really intuitive way.

Now, to be super clear – we don’t allow access from phones and tablets to GCSx email accounts or any PSN data or systems.

At this point I’ll quote Steve Halliday who has blogged eloquently on Solihull’s BYOD solution, (which is very similar to ours):

“For the avoidance of doubt BYOD access to PSN is not compliant. But it is possible to have PSN compliance and allow users BYOD access for most systems and information – so long as the BYOD devices can’t access PSN data.”

Like Steve, I believe that PSN data will one day be allowed via BYOD but, honestly, I’m not sure we’d ever be interested in enabling this. I don’t see the need to access sensitive data from mobile devices – that’s not what mobility is about. Smartphones and tablets (BYOD or Council owned) are great at allowing you to stay connected when away from your laptop – but I don’t think there’s a real business need (now or in the future) to deliver our most sensitive data through an iPhone. By implementing a ‘walled garden’ architecture you can allow BYOD to get into the ‘day to day’ stuff whilst keeping PSN data/systems/accounts safely walled off. Everybody is happy.
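The ‘walled garden’ only holds if the network policy actually enforces it, and an over-broad ‘permit’ rule can quietly bridge the wall. The following is an added example, not code from the original post and not the Council’s configuration: a small Python audit of a zone-based firewall policy that flags any permit rule letting the BYOD/mobile zone reach the PSN-facing segment, and a first-match simulator to confirm what a given flow would actually hit. Every zone name, address range and rule here is a constructed assumption for illustration.

```python
# Added example (not from the original post): audit a zone-based firewall
# policy for walled-garden violations. Zones, prefixes and rules below are
# constructed, hypothetical assumptions, not the Council's real address plan.
import ipaddress

# Assumed address plan (hypothetical).
ZONES = {
    "byod_mobile": ["10.50.0.0/16"],             # Good containers / BYOD devices
    "corp_laptops": ["10.20.0.0/16"],            # Council-owned, encrypted, VPN-only
    "services": ["10.100.0.0/16"],               # Exchange, intranet, filtered web proxy
    "psn": ["10.200.0.0/24", "10.200.1.0/24"],   # GCSx mail relay, PSN-facing systems
}

# Zones that must never be able to initiate traffic to PSN-facing systems.
FORBIDDEN_TO_PSN = {"byod_mobile"}

# Constructed sample policy (first-match, evaluated top to bottom).
# r3 is deliberately over-broad: 10.0.0.0/8 silently includes the BYOD zone.
RULES = [
    {"id": "r1", "action": "permit", "src": ["10.50.0.0/16"], "dst": ["10.100.0.0/16"]},
    {"id": "r2", "action": "permit", "src": ["10.20.0.0/16"], "dst": ["10.200.0.0/23"]},
    {"id": "r3", "action": "permit", "src": ["10.0.0.0/8"],   "dst": ["10.200.1.0/24"]},
    {"id": "r4", "action": "deny",   "src": ["0.0.0.0/0"],    "dst": ["0.0.0.0/0"]},
]


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def _overlaps(cidrs_a, cidrs_b):
    """True if any prefix in cidrs_a overlaps any prefix in cidrs_b."""
    return any(a.overlaps(b) for a in _nets(cidrs_a) for b in _nets(cidrs_b))


def _contains(cidrs, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in _nets(cidrs))


def first_match(rules, src_ip, dst_ip):
    """Simulate first-match evaluation for one flow; default deny if nothing matches."""
    for r in rules:
        if _contains(r["src"], src_ip) and _contains(r["dst"], dst_ip):
            return r["action"], r["id"]
    return "deny", None


def audit_rules(rules, zones=ZONES, forbidden=FORBIDDEN_TO_PSN):
    """Return ids of permit rules whose source overlaps a forbidden zone and whose
    destination overlaps the PSN zone. Rules are checked independently of ordering
    on purpose: the audit should surface anything that could bridge the wall, even
    if a deny happens to sit above it today."""
    violations = []
    for r in rules:
        if r["action"] != "permit":
            continue
        src_hits_forbidden = any(_overlaps(r["src"], zones[z]) for z in forbidden)
        if src_hits_forbidden and _overlaps(r["dst"], zones["psn"]):
            violations.append(r["id"])
    return violations


if __name__ == "__main__":
    print("violating rules:", audit_rules(RULES))
    # A BYOD device reaching a PSN-facing host via the over-broad rule r3:
    print(first_match(RULES, "10.50.1.2", "10.200.1.10"))
    # The same device to the other PSN prefix falls through to the final deny:
    print(first_match(RULES, "10.50.1.2", "10.200.0.10"))
```

The overlap check is deliberately pessimistic: it flags a rule even when a deny above it would win today, because the point of the audit is to catch rules that are one reordering away from breaching the wall. Running it against an export of the real policy (after mapping the real zones into ZONES) is the kind of evidence an assessor asks for when you claim mobile devices cannot reach PSN data.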


Tension

It is undeniable that some Councils have ‘kicked the can down the road’ under previous compliance regimes. “Oh yes, of course I will fix X, Y and Z – just leave it with us” – 3 years go by and X, Y and Z are still extant. It’s this kind of behaviour that the zero tolerance approach is designed to tackle. Having said that, I would agree with John Jackson (CIO at Camden) when he warns that draconian PSN rules are a real threat to efficiency, innovation and transformation. In my opinion, the biggest challenge does not come from the controls in the PSN CoCo, rather it comes from the language/body-language being used. It’s all a bit ‘us and them’ at the moment. I would ask that the Cabinet Office makes 2 simple changes which should reduce tension for all concerned:

1) Please try to remember that Local Government is different to the MOD, MI5 etc. Sure we store some important data – but the vast majority of what we hold is low level stuff.

2) Please do more to help Councils towards the right answers. As well as telling us “This is not allowed” we also need you to follow up with “but you might want to consider doing it like this”. Or, to put it another way – we need the Cabinet Office to work with us on solutions. It’s in everybody’s interest to find a way to allow mobile access to data – if I were a MI5 spook, for example, I’d be nervously eyeing BlackBerry’s predicament and wondering how I’m going to be able to get at my email if/when BlackBerry has gone.

Of course it’s not always Central Government who are saying ‘no’ to BYOD. Many IT Departments are scared of BYOD – they just don’t like it because it feels wrong and it threatens their hegemony. Sometimes they will hide behind the CoCo when telling senior management that they can’t use their iPhone for work – this is folly. Much better to sweeten the bitter pill that is Outlook Web Access removal with the wonderful alternative of iPhone access to Council email.

BYOD is not a tide that the IT Department should be attempting to hold back – it’s futile. If you don’t enable access to Council data from smartphones and tablets then you are putting your data at risk. If you don’t find a secure way to give your users the convenience of access from the devices that they know and love then they will find a way to go around the IT Department:

Fine, I’ll just send the document to my Gmail account!

Aaaarghhhh! The data has left the network and is now in the wild – this is not the kind of behaviour that you want to encourage – but that’s just what you’re doing if you don’t give your users an alternative. BYOD is here to stay and your users will do it – either with you or despite you – make sure it’s the former.