editor’s question
PAUL PARKER, CHIEF TECHNOLOGIST, FEDERAL AND NATIONAL GOVERNMENT AT SOLARWINDS
We live and work
in the digital age,
yet many of us still
tend to approach
our work and
personal lives with
the assumption
that our high-value data is safe with
just a password, even in public-sector
organisations. Unfortunately, assuming
that ‘it won’t happen to me’ can be naïve
– and perhaps even irresponsible – in an
era that sees digital crime grow each day.
Awareness through education
Google has done much to elevate online
security awareness. Most account
users will be familiar with its two-step
verification process, introduced in 2011
and designed to add an extra layer of
protection that’s unique to each individual,
making it much harder for hackers to gain
access to files and information.
Known generally as two-factor
authentication (2FA), this additional
layer of security requires not just a user
name and password, but also something
that is completely unique to that user,
whether it be a piece of information or a
physical token. It’s based on the concept
that users gain access only by presenting
something they know (knowledge) and
something they have (possession).
Such a system makes
it much harder for cybercriminals to
access and steal information or identity.
The local 2FA landscape
From a UK public-sector perspective, a
growing number of government agencies
are deploying encryption to help
secure critical information properties.
For example, the Code of Connection
(CoCo) and public services network
(PSN) frameworks recommend that
any remote or mobile device should
authenticate to the PSN via 2FA.
While it is not a legal requirement, the
uptake in two-factor authentication
processes in public-sector organisations
is rising, with some vendors delivering
authentication-as-a-service that can be
used to authenticate cloud applications,
infrastructure and information.
The practical way forward
Using 2FA in the public sector makes
absolute sense but logistically it’s
understandable that it takes time and
work to implement. Organisations
wanting to use biometric or
smartphone-based authentication processes, for
example, will need to ensure that the
back-end solutions are designed and
in place to support the technology and
work properly for system users.
Thought also needs to be given to
education and awareness when
introducing new authentication systems. It
could become overwhelming, particularly
when considering that many
public-sector organisations may have only
recently started to develop a Digital
Transformation strategy. In the NHS
space for example, just 24% of trusts and
Clinical Commissioning Groups (CCGs)
have begun to develop strategies.
The good news, however, is that
processes such as cloud adoption and
2FA are all part of the same Digital
Transformation journey. Having the
appropriate tools to manage each
of these components will go a long
way towards helping public-sector
organisations understand the processes
and be able to do what is needed to best
support them and the public.
Striving for more secure authentication
systems that provide far more confidence
in the identity of both end users and
systems administrators is a great example
of this and is why it matters.
Issue 08 | www.intelligentciso.com