Government Connect – Get CoCo while it’s hot!

CoCo is the set of standards on which the future of communications between local and central government organisations is built. Whatever form the infrastructure ultimately takes, the deadline for councils to comply with CoCo is looming fast. Kim Thomas finds out how Microsoft can help local authorities meet their obligations.

Time is running out for local authorities to comply with the Government’s Code of Connection (CoCo). Once they have achieved compliance, they will be given access to GCSx – the secure infrastructure that will become the preferred default way local and central government systems can communicate.

The first government department to switch off paper-based processes will be the Department for Work and Pensions (DWP): unless there is an agreed exemption in place, from April 1, GCSx will become councils’ only means of accessing and delivering housing benefit services for their citizens.

To achieve compliance, local authorities have to put in place rigorous security processes and ICT controls. This isn’t an easy challenge to meet, and for many, it will involve an overhaul of existing practices. To comply with CoCo, local authorities must provide secure access to data through multi-factor authentication, tailor their local mail services to be compatible with the secure Government Connect Mail solution and meet stringent information governance standards.

Challenges for the UK’s councils

Not surprisingly, not everyone is there yet. Although 410 local authorities and partnerships have signed up to the code, only 300 are expected to achieve compliance by the April 2009 deadline, while one hundred have requested a six-month extension to the deadline. Another 50 authorities have yet to initiate the Government Connect process.

Microsoft has identified five key areas that provide particular challenges for councils:

  • Securing remote devices. To achieve CoCo compliance, all remote devices need to be secure, encrypted and accessed through two-factor authentication. As Nigel Tilley, industry strategy consultant for Microsoft, points out, this is difficult when so many staff use mobile devices such as Blackberries, mobile phones and laptops or work from home: “It’s a real problem because more and more councils are allowing people to access email from their home PCs, which have now been deemed not secure.”
  • Developing secure processes and auditing those processes. This includes administering employees, authenticating users and providing secure access to buildings and systems. “It’s not just an IT process – by definition it involves other parts of the business and they might be using different systems and have different policies, but you need to interact in a consistent way,” says Tilley.
  • Managing software centrally, so that employees are working with a set of standard applications and data, security can be assured, and an audit trail maintained.
  • Managing a cultural change: training employees to understand the importance of security and to use secure processes. “Just asking people to work in a different way is not a simple task,” Tilley points out.
  • Maintaining ongoing compliance. That means developing secure processes and making sure that employees adhere to them. Regular checks and audits will need to be carried out.

Double Trouble…

Many risk analyses also make the mistake of failing to take into account the probability of more than one adverse event striking at the same time, says Titterington: “Most of the things [in a risk analysis] are relatively unlikely. You think of all these unlikely things and think, ‘We’ve put in place some sort of plan to deal with them when they happen, so we’re OK.’ We assume that because they’re unlikely, the chance of two of the things happening is minuscule, but sometimes two unlikely events might be triggered by a common cause. The chances of the second one happening once the first has happened are quite high. And if your fallback procedure relies on the second one, that’s not a very good policy.”

As an example, Titterington cites the incident in 2002 when a JCB digging up the road in central Manchester cut through a broadband cable. Not only did many organisations find themselves offline for a fortnight, but mobile phones no longer worked because the mobile transmitters had been cut off, too.

You can guard against this by taking into account the possible knock-on effects of an interruption to service, such as an increase in demand elsewhere. “When something goes down, the demand for alternative service drastically increases, and sometimes services are configured in such a way that excess demand can cause total failure,” says Titterington. This happened during the North America power cut in 2003: the reserve routes on the grid were knocked out by the repercussions of the first failing.

Think long term

Despite the tight deadline, councils should not be looking at short-term tactical measures to meet CoCo compliance. Central government will continue to develop more stringent security requirements, including the Employee Authentication Service (EAS) – a shared service across government that enables council employees to authenticate themselves using a smartcard in order to gain access to services in other departments.

Focusing on quick fixes will “cost more in the long run,” says Tilley. “You’re going to have to roll out more and more employees over time.” Taking a more strategic approach will enable councils to address the broader government requirements on efficiency and improving citizen services.

Introducing the Compliance Accelerator

So how can Microsoft help? To begin with, we’ve developed the Compliance Accelerator, a short engagement that will help you identify outstanding compliance issues and advise you on how to resolve them. This is based on our experience of working with councils in achieving compliance, as well as experience gathered from a variety of consulting and custom support engagements about how best to deploy and integrate Microsoft’s products to enable business priorities in local government.

Basingstoke and Deane Borough Council, for example, are addressing a number of related issues, such as providing secure home worker access to council systems, integrating secure mail services into existing business processes and implementing end point security on a variety of different devices. By using the Compliance Accelerator, the council is creating a clear set of goals for meeting the March 31 deadline and using existing Microsoft software to help meet those goals. In doing so, Basingstoke and Deane will create a flexible infrastructure that will provide a consistent way to enhance security across the whole network.

Optimise infrastructure to achieve compliance

Microsoft also offers custom consulting engagements, which involve designing and deploying a solution based on infrastructure optimisation. This serves both to achieve compliance and to deliver a leaner infrastructure – by using the Microsoft Infrastructure Optimisation Model to consolidate its IT systems, Edinburgh Council has saved £5m in direct IT costs. A solution based on optimisation addresses the key issues of access control, desktop and server management, mobile working, monitoring and Microsoft Exchange email configuration.

No-one pretends that achieving CoCo compliance is going to be easy. However, you can meet about half of the compliance metrics relating to ICT by configuring existing Microsoft products. You can use the Security Configuration Manager tool in Windows Server, for example, to secure mobile devices. Vista comes with Hyper-V and Virtual Machine Manager, virtualisation tools that make it possible to deploy security solutions more quickly as well as slashing running costs.

Where there are gaps, Microsoft is working with customers to build solutions by changing the configuration of existing infrastructure or adopting the relevant security products, such as Intelligent Application Gateway (IAG), which offers a virtual private network (VPN), a web application firewall, and endpoint security management, to help fulfil the requirement to provide secure network access for mobile workers.

Authentication and credentials

Microsoft’s Identity Lifecycle Manager enables councils to manage the lifecycle of user identities and their credentials. Strong authentication tools, such as smart cards and digital certificates, can be incorporated easily, making it possible for administrators to have a single, centralised method for managing user access and user credentials. This means that if you adopt smartcards, the user will be able to use a single card to access multiple applications. Uniquely, Microsoft is able to provide a smartcard (or token) solution for strong authentication that meets the immediate needs for secure mobile working but also integrates access to the EAS service. The first service identified to use the EAS service is ContactPoint. One smartcard thus provides both corporate services to employees, such as the increasingly popular “follow me” printing, and shared services across government.

In conjunction with our partners, we are working to provide even more sophisticated security solutions. Led by the London Borough of Newham, the 10 councils in Microsoft’s Shared Learning Group have been piloting the use of information cards to share internal documents. The solution is based on Eduserv’s OpenAthens technology integrated with Windows CardSpace, and uses federated identities, enabling users to be authenticated once across many systems. One of the benefits it offers is scalability, says Geoff Connell, CIO at Newham: “We can easily increase the rate of sharing the site with different partners and the number of users can reach into the thousands.”

By contacting Microsoft now, councils have the opportunity to put in place a robust plan that will help them both to meet the compliance deadline and lay the foundations for a secure, flexible infrastructure to provide long-term efficiency gains and improvements to citizen services.

About the author

Kim Thomas is a freelance journalist, who specialises in writing about technology, business and education. Her clients include the Financial Times, the Economist Intelligence Unit and The Guardian as well as a number of B2B publications.