Anyone who works in technology in the United Kingdom (UK) is familiar with the Public Services Network (PSN). This organization was established back in 2008 to help public service organizations to work together to share resources and reduce duplication. Over time, the Internet has become suitable for most of the work that was previously managed by the PSN, and the PSN is now considered a legacy network.
The UK government has adopted a “Cloud First” policy, and all public service organizations that were previously subject to PSN rules must now transition away from the PSN. However, this is not just a simple “rip and replace” operation. The entire structure of our work environments have changed, especially over the last year, adding more complexity to our already complex security challenges. How can we securely migrate from the PSN?
The PSN was a centrally managed network, so its elimination presents the possibility of many directions that an organization can take when migrating to one of the many types and providers of cloud services. In a way, we are looking at the same old problems but with a new approach. It all comes back to the idea of reducing complexity and adhering to security basics. Access control and access management will factor heavily into these practices.
Plan Early, Test Early
We don't know exactly when the PSN is going to leave us, but it is estimated that it will occur around 2023. The good news is that there is ample time to plan a safe migration. However, if we use history as a barometer, we need only look at the preparation that took place prior to the 2018 implementation of GDPR. Organizations had at least two years to prepare for GDPR, and yet, when the deadline approached, many organizations were unprepared.
Unlike GDPR, the absence of the PSN can have operational consequences if not addressed when the deadline arrives. It is critically important to plan a strategy whilst the PSN is there now and look at what services are relied upon through the PSN. Then, begin to build a strategy around that removing those critical areas. Perhaps you can move the less critical functions first so that becomes a test bed. Act slowly and deliberately so there is keen insight into the impact upon the organization.
Guidance in the Absence of the PSN
In the absence of the PSN, it is important to use industry-recognized procedures to build a working security solution. As with cryptography, it would be unwise for an organization to replace the PSN by cobbling together and building their own solutions internally. Companies should be looking for ways to use the systems that they are using currently and build on the processes they already have in place to replace the PSN before rushing out and buying something else.
One way that an organization can safely migrate is by looking to the guidance offered in many of the available standards such as those offered by the International Standards Organization (ISO), the National Institute of Standards and Technology (NIST), and the Center for Internet Security (CIS). In terms of all of these standards, when we're talking about control of your suppliers, what we need to recognize is it's about doing your due diligence, making sure that you have those audits, those regular reviews, and that onboarding process in place. An organization needs a cohesive strategy to onboard new suppliers and new services. This is an important way to avoid supply-chain fraud. It is all about making sure that the services that you're implementing haven't been rushed through. This approach has to be part of your larger strategy, as well.
Avoiding the Perfect Storm
One important aspect that should not be overlooked is that this is not just about technology. When we consider that the complexity of our systems includes data that exists on servers that have been decommissioned or are set to be decommissioned and you also have a very overworked and possibly underappreciated workforce, this increases the risk. If your staff is fatigued, it can create the perfect storm for cyber criminals.
Cyber criminals have also recognized that as people are increasingly working remotely, they are disjointed and separated from their organizations and from their colleagues. These are windows of opportunity in which the criminals can climb through. This is why security's such a fundamentally important part of everything that we think about now when it comes to digital transformation or changes in the way that we operate.
The Importance of Audits
To many IT professionals, audits can be one of the most painful experiences. However, this doesn’t have to be the case. Rarely is an audit a surprise. Usually, the audit schedule is decided early in the year, so planning for an audit can be very easy. The security team should recognize that every aspect of what they do is an auditable action, so they should always be in evidence-gathering mode. For example, was a change made to the password policy in the organization? Gather that evidence at the time of the change instead of scrambling for it at audit time.
Why is an audit discussion important in the context of the migration away from the PSN? There are two reasons. Initially, an information security audit can reveal gaps that can lead to an unintended discovery of a system that was previously excluded from the PSN migration plan. More recently, the immediate shift to a remote workforce has created an entirely uncatalogued asset collection that may be surreptitiously increasing the risks to an organization. A self-initiated audit can prevent many disastrous surprises.
Life After PSN
The best way to proceed towards a smooth migration away from the PSN is all about strategy.
Use an approach that is going beyond mere compliance. Build scalability and continue to keep availability at the front of mind. A clear strategy must include all of the key players in the organization that rely upon PSN. This inclusion will help to prevent any important items from being overlooked. Take everyone on the journey to a successful migration.
Interested in learning more? Watch my presentation on the topic below.
About the Author: Gary Hibberd is the ‘The Professor of Communicating Cyber’ at Cyberfort and is a Cybersecurity and Data Protection specialist with 35 years in IT. He is a published author, regular blogger, and international speaker on everything from the Dark Web to Cybercrime and Cyber Psychology.
You can follow Gary on Twitter here: @AgenciGary
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
