Delivering digital services: SC Roundtable report
Experts discuss digital service security at the SC Roundtable
At the London SC Magazine public sector roundtable, held in association with Akamai Technologies, Rik Turner, senior analyst in Ovum's IT security team, opened with a presentation describing how the public sector is playing catch-up as digital platforms give citizens access to more information and services.
“The move [to digital services] is well underway, that's not going to change. ...(But) it has been traditionally much easier to keep that information guarded – but once it's open to the online world there is always going to be a challenge.”
Issues to tackle included phishing emails and DDoS attacks.
Cloud security was also raised: whilst businesses use services like Amazon's AWS for development testing and to reduce costs, there is a need to retain a level of control.
Yet arguably the biggest remaining problem is developers rushing products and services out to market.
Steve Jones, senior information security officer at the Environment Agency, described how the old days of software being ‘frozen’ for penetration testing (a two-week grace period) are gone in today's Agile environment. “We're having to come to arrangements with our developers, programme managers and scrum masters to say right, when we're about to go Alpha, we'll do the application pen test and I am relying on you to keep good records of what developments you continue to make.”
“I think we're having to re-establish a trust with developers and educate them into developing applications in accordance with OWASP or SANS 25.”
A senior member of the Metropolitan Police added: “We've always had issue where project managers ignore information assurance. [It's] because it's not in their interests, their mind-set is focused on delivery of project.” He added: “As information assurance professionals our job is to get in amongst them, to get involved early in the process, in what business needs from them in protecting the data.”
John Colley, Chair of the (ISC)² EMEA Advisory Council, agreed, adding: “Ask anyone what's the most important thing, it's availability, integrity comes second, and then confidentiality. You produce something and get it right later.”
Education, education, education
It was noted that those on the edges of a digital society – the 18 percent who have never been online – might suffer from a lack of availability.
Brian Shorten, chairman of the Charities Security Forum, says “it's hard enough to have someone look after their own information when fully capable of doing so,” let alone the elderly. Referring to the Gov.uk Verify scheme as an authentication model, Big Brother Watch director Emma Carr adds: “How Big Brother Watch gets involved is educating people about how services work, the idea behind them, what data is gathered and what happens with that. They like to feel involved, things happening with them rather than to them.”
There are also increasing concerns over data privacy, especially in the public sector, and over who owns data given developments like care.data and even ‘smart’ cities.
Malcolm Days, head of infrastructure services at Warwick University, warned of the loss of privacy entirely, while Terry Willis, CTO at Age UK, warned that companies like Experian would be making profits from selling information on. “When you've got a digital profile in the world, you have to manage that,” he said.