Embedding Network Security Rules and Controls to Protect Public Sector Network Architecture
HIGHLIGHTS: Government Keynote: Securing a Large Scale Network: Ensuring Your Network is Robust and Resilient
Steve Woodhouse
Chief Information Security Officer
Department of Education (QLD)
Keeping the Network Safe
In our connected world, when all industries are using technology and the internet for work as much as for communication and entertainment, it is important to ensure that the networks are safe and secure, and that the policy settings are appropriate.
Steve Woodhouse , the Chief Information Security Officer at the Queensland Department of Education, says that in their agency, security is now more important than ever, especially given their size. “We have over 1,320 sites across the state, with the furthest being over 2,280 kilometres from Brisbane, in the Torres Strait.” Sites include schools, child care centres and universities, whilst Brisbane is of course where the department and most of the IT personnel are based. Across all the sites, there are “over 713,000 active users made up of over 600,000 students and a little over 100,000 staff.” And across all the sites there are “434,000 endpoints,” which includes things like servers, routers, laptops, desktops and other devices. The IT team is responsible not just for maintaining and looking after all the users and endpoints, but for keeping everyone safe.
““Securing our networks is about people, processes and technology. Our job is to protect the organisation from the world, but also to protect the world from our organisation. Last year we blocked over 190,000 viruses, and we also had to stop inquisitive students trying to penetrate our systems.””
Steve Woodhouse, Chief Information Security Officer, Department of Education (QLD)
The focus for the IT team is on people and processes. The technology component is somewhat out of their control as it changes so regularly. To mitigate security risk, “you need to apply a risk management and governance system to your environment.” That worked reasonably well before, but the past 18 months have “turned the typical enterprise inside out. COVID-19 has rapidly accelerated the modernisation of our information technology. We have probably done more digital transformation in the past year than some organisations have done in the past 10 years.” Particularly for a department like Education, the pandemic forced them into “new ways of working, forcing the fast and swift implementation of new systems and policies to facilitate remote work.” In mid-March 2020 , the Department “deployed Microsoft Teams for remote learning and working to over 700,000 users in under two weeks.”
However, as much as that was a great accomplishment, “many long simmering cybersecurity risks have come to the forefront.” In fact, it is not an exaggeration to assert that “home offices or remote working locations will now be the new criminal heart.” Most home networks are unpatched (ie: not regularly maintained for cyber risks) and “we have no control over home office internet connections, mobile phones or things like that.” This means that they are much more vulnerable and open to hacking. For teachers or students using the internet at home, this may therefore result in “home networks becoming the launch point for cyber criminals to gain a foothold into the Department’s network.”
Creating a Robust and Resilient Network
To overcome the challenges that the pandemic in particular has brought to the surface, with a limited budget, the IT team has come up with “six important things that need to be applied to ensure network robustness and resilience:”
Information Security Management System (ISMS) – The ISMS “provides a systematic approach for managing your organisation’s information security. It identifies the risks and the vulnerabilities, as well as the actions and solutions required to ensure that the Department is adequately protected.” It is about constantly monitoring and reviewing the processes in order to continuously improve them.
Remediate technical debt – Though the IT team set up the processes that people use at home, many staff and students are still using hardware or software “that are not supported by the vendors, and are unpatched. Vulnerabilities therefore exist. This is technical debt.” To be secure and not exposed to threats, this debt needs to be “remediated” and that means having “a technology roadmap or a clear plan to bring new controls into place so that there aren’t any legacy systems creating risk.”
Managing identities – Having secure identities is not a new thing. Ever since cyber threats were detected, protecting identities became important. However, since the start of the pandemic, and particularly since the beginning of 2021, “the email spam and phishing attempts have twisted to include social engineering lures related to vaccine issues and other health response efforts.” Identity management is therefore about ensuring that “only authenticated users are granted access to specific applications, systems or IT environments.” This way, as a system, “we know who the people are, what they’re doing, and what they have access to.”
Strong passwords – Some argue that passwords simply put an “unjustified onus on users.” Whether that is true or not, as part of the management of identities, “passwords definitely do provide the first line of defence against unauthorised access.” And to ensure that they remain effective, staff need to have different characters within them and are “required to change them regularly.” Students “don’t change their passwords often enough, but equally have limited privileges on our network.”
Multi-Factor authentication (MFA) – With an ever-increasing number of applications and programs available online, “MFA has become an incredibly important part of our protective arsenal.” Even if or when a password becomes compromised, “MFA makes it harder for the attacker to access our network or access a particular application.” MFA used to be difficult to implement, but is now relatively cheap and easy to install, and “is easy for the users to use, either through a token or an app on a phone.”
Understand Edge computing – In some ways, Edge computing is the future. It is about the Internet of Things (IoT) and using the internet in different ways. Put simply, Edge computing allows raw data to be processed closer to the point of collection. In an educational sense, this means using IoT “in our schools, in robotics, weather stations, solar panels, etc. The Edge is everywhere, and understanding what that Edge is and how it is changing is critical to understanding how you apply risk management to ensure the robustness and reliability of your environment.” Worldwide, 40% of large enterprises are already integrating Edge computing, “up from less than 1% in 2017.” Edge is also part of cloud computing, and having interoperability is important, so understanding the Edge and how it operates allows for the application “of risk management to that changing Edge.”
