Increasingly, government at central and local levels is coming to realise the benefits to itself and its citizens by moving services on-line. Housing, health, benefits—you name it, the public want to be able to interact via the web, rather than having to travel to some poorly lit and low-spirited office somewhere to sit and wait for someone to go through some basic advice.
However, opening up to the citizen has its risks—and this has made many government departments shy away from going as far as they could. The risk of someone being able to get hold of the wrong information sends shivers down the spine of the average public sector manager, and sends ministers and mandarins into paroxysms as the thought of being forced to resign crosses their minds. The number of embarrassing press reports about public sector data leaks in recent years do not help.
Yet there is no reason why this should be the case. The problem seems to be that the government has been wrongly advised in the past when it comes to information security. The focus has been on database security—which misses the point completely. The focus has to be on information security—which needs a different approach.
Database security is predicated on making a given database secure. If the security is compromised, then the whole database is then available to the person who has compromised the system, unless complex rules have been put in place to try and lock down individual fields within the database—yet this then puts barriers in the way for normal working.
Information security turns the problem around—instead of trying to stop people from getting hold of data for which they do not have access rights, how do we give them access to what they should be entitled to? This then means that you start from a total locked down position—the starting point is that the person should have no access at all.
The first task then is to identify them uniquely and authenticate them—they have a name and other details that should be able to provide an outline to narrow this down to just the one person: things such as address, postcode, national insurance number and so on. However, these details are easily obtained by outsiders, and so do not provide the necessary overall security. Token based systems are theoretically OK, but with 60+ million citizens, the loss rate of tokens and the need to provide replacements and deal with exceptions while these are being provided would be prohibitively expensive.
However, biometrics should be more cost effective—and have reached a level of functionality where the risk of false positives and negatives is now negligible. Yes, there is a high initial cost involved with this, each household would require a biometric reader. However, by associating the reader with the house, the house with the inhabitants and the inhabitants with their own unique identifiers, it becomes very difficult for any security breaches to be initiated.
First contact between the individual and the public sector network should then be via a simple starting master database. Here, the credentials of the individual are checked, and rather than then giving them direct access to data held in the same database, the individual is assigned a one-time token or set of tokens. These tokens are then used to gain access to the other databases where the individual is seeking information from. Such an approach is already used for single sign on (SSO) solutions as available from the likes of Symantec 03, Ping Identity or AEP Networks’ Ultra Protect.
This is important, as what it allows is for the subservient databases to be anonymised; rather than having a health database that has fields of name, address, contact phone number and then all the fields to do with the individual’s health, all anyone would see that has not come in through the master database would be a hash key (which is aligned with the individual’s details) and the health records.
Without being able to recreate the hash key and match this with the master database, no-one can see any personal information in any database—and as the master database requires biometric information, compromising this is difficult.
So far, so good. But how about the public sector workers who need to access broader swathes of information? The approach still works for them. They still come in through the master database with a mix of credentials based on user identification and biometrics. They then pick up their own tokens—tokens which dictate what their levels of access are to the various different databases. Therefore, a housing benefits person would gain tokens that allow them access to the housing database, but nothing else. A nurse would gain access to complete patient records, whereas a paramedic on the road may only gain access to partial records.
Combined with data leak prevention (DLP) applied to information flows from public sector employees to citizens, ensuring that personal information cannot be accidently published and digital rights management (DRM) to ensure that off-line data is secured, has limits applied on what can be done with it and has time limits on its storage, a rounded approach to information storage can be put in place.
With the governments renewed commitment to cloud computing through the G-Cloud and a drive for greater citizen engagement, information security is critical. Taking old-style approaches just does not meet the needs of the government or the citizen—new thinking is required.