Setting the standard in public sector cyber security
CyberArk shows that as more public services become digital, the government’s ability to retain the trust of the public will depend on being able to offer assurances that our personal information is safe
In June 2018, the UK Government issued its first departmental ‘Minimum Cyber Security Standards’ (MCSS).
The Standards, as the name suggests, outline the minimum cyber security measures with which departments and their suppliers are obliged to comply. The hope was that whilst they were primarily public sector focused, they would gradually permeate the private sector as well.
The Standards were welcomed; the Government was taking steps to set a level below which cyber security could not drop. Considering that many public sector organisations had struggled to create a coherent structure for their cyber security needs, these were a welcome addition to existing guidelines.
Evolving to maintain public trust
Crucially, the introduction to the MCSS stated that “Over time, the measures will be incremented to continually ‘raise the bar’, address new threats or classes of vulnerabilities.”
This is an important commitment.
Since 2018, we have continued to see rapid digitisation of public services, greater movement of government infrastructure to the cloud, and more third-party suppliers being given access to critical IT infrastructure. All of these developments have increased the attack surface available to criminals.
In this context, and as Government transforms and asks citizens to not only embrace new digital public services but also trust that their personal data is being handled securely online, getting the public sector’s approach to cyber security right is critical. At a time of national crisis, when we are being asked more than ever before to trust government with our data, for example to facilitate the rollout of a nationwide contact tracing app, ensuring security is more critical than ever.
In addition, Coronavirus has accelerated timelines and forced many departments to roll out new services more quickly than normal – in this situation there is always a risk that security can be overlooked in the process. Moreover, with millions of civil service employees now working from home, departments face even more potential routes for criminals to exploit weaknesses in their cyber security protocols.
The importance of 'identity' to security
In light of these developments, it is right that guidance such as the MCSS is regularly reviewed and augmented. An answer to a recent Parliamentary question revealed that a review into the Standards is now underway, which is to be welcomed.
But regardless of the Review, the most forward-thinking government departments and IT specialists have already supplemented the advice in the Standards with guidance from other sources, such as the Center for Internet Security and the National Cyber Security Centre’s 10 Steps to Cyber Security.
In particular, this will have included a focus on steps to ensure that securing ‘identity’ is a core component of an organisation’s cyber security approach, recognising that this is central to the success of digital services.
Securing ‘identity’ goes beyond trust-based models as it requires every access request to be approved and users’ access to be constantly audited. This means that government departments can proactively audit and manage users’ identities, and verify requests automatically based on the current access afforded to that user.
As customers, most of us are familiar with the ways in which banking apps, for example, secure the identity of a user with multi-factor verification, through a username and password, combined with a code from a smartphone and/or a fingerprint.
These types of verification processes now need to be as commonplace in the public sector as they are in the private. Some citizen-facing services do employ this robust form of securing ‘identity’ already, but it is important that internally within departments, access to critical servers and data is suitably secured in a similar way. As government departments move IT resources to the cloud, accelerate automation and digital transformation initiatives, the number of privileged credentials associated with human users, applications and machines grows exponentially; and with them, the risk.
What is more, there will be instances when some data is particularly privileged, and must require additional verification steps for a user to reach it. This is when the role of Privileged Access Management (PAM) becomes crucial.
PAM is underpinned by two principles: firstly, zero trust, meaning that a system never grants access on trust, but rather always demands verification; and secondly, least privilege, the concept that each user is only granted access to what they absolutely need to do their job.
Today’s software applications and network components rely on seamless authentication and access to interact with one another, making privilege management fundamental to the security of systems and applications. Proactively managing privileged accounts is therefore a vital component of public sector cyber security.
PAM tools can be applied to control the access privileges and permissions of human users, computers and automated systems, and manage endpoint devices. This ensures that only those who really need access to sensitive data or system controls to fulfil the requirements of their role can do so. If a breach does occur, infected areas of the network can be identified and isolated so that other areas, and the information they contain, can remain safe and accessible.
The benefits include enhanced protection against accidental breaches and attacks by hackers, better compliance as a result of increased visibility and transparency of access across systems, and stronger security throughout complex supply chains.
Awaiting the review
The review into the Minimum Cyber Security Standards should help to improve and update the existing guidance, and build that trust. While forward-thinking public-sector organisations will already be using other sources of information to determine their approaches to cyber security, it is important that the updated Standards include a robust approach to Identity and Access Management.