
Meaningful compliance - learning from PSN

Published 21 January 2015

Des Ward the compliance lead at PSNGB, the industry association for PSN suppliers, gives his views on proposed changes to the PSN compliance process


It's inappropriate to comment on the compliance changes to the PSN at present; they are in alpha and may be subject to change. PSNGB does, however, welcome any evolution from the current rigid technical control implementation approach towards accountability and ownership at a local level. This is a good thing.

That said, from recent published articles, there appears to be a misunderstanding by GDS about what the key benefit that the compliance regime for suppliers provides for end users within the PSN. In 2010, Government asked suppliers to set aside their commercial differences and deliver a services and network environment, based on commercial good security practice, that allowed entry to new suppliers of any size and a service management regime that contractually required suppliers to work together to resolve service issues. And, that is exactly what we delivered with PSN.

The compliance regime for suppliers essentially means that customers can buy compliant components knowing they will work with each other, that service issues will be resolved quickly through collaboration, and that they have the right to know when issues may affect their ability to deliver services to the citizen. This delivery, using open standards held within the PSN Operating Model, is a significant achievement and has already resolved outages more quickly than is possible with other commercial approaches.

I can state, from my own experience, that any security requirements were proportionate and entirely in keeping with practices experienced within the private sector; certainly, the approaches were no more onerous than experienced within the financial/energy sectors.

There is nothing, in terms of supplier compliance requirements within the current PSN compliance process, which has been beyond the goal of commercial good practice with regards to the delivery of a service regime of benefit to end users.

What we can comment on at this stage are published details about plans for service management and the PSN in general, and the impact this approach will have on supplier compliance requirements.

Specifically, the approach of using the internet appropriately to share and access information is laudable (a view that PSNGB expressed, in part, last year here), as it uses exactly the same links and datacentres as PSN (and a multitude of other government networks). This is significant, as most of these connections are already assured to government security standards. PSNGB has already agreed that the PSN is arguably too complex in its design, so there is merit in this proposition.

However, the recently published terms for service management move away from a multi-supplier regime to an approach that requires suppliers to do little more than confirm that the root cause of an incident is not their fault and report back. In essence, the compliance approach appears to be a move away from the open standards for interoperability and service management, delivered by consensus within the supply community, that have already allowed new SME entrants into the marketplace.

Why should anyone care if this significant change to supplier compliance obligations does occur? In short, the public sector has a legal obligation under the Civil Contingencies Act 2004 to ensure their services are robust. With the move towards a Cloud first policy, we therefore must allow end users to understand if their suppliers are robust. With the current PSN operating model, it's easy as suppliers have to work together. With Cloud it's less clear, as Cloud Service Providers are likely to be hosted on one of three main vendor environments (Microsoft, Amazon and Google).

There have been many arguments made regarding how much more secure Cloud is than existing government systems, with even the Cabinet Office using services such as Google Apps in a widespread manner.

The question of security is misplaced in this case though; the issue is one of ensuring that services meet the requirements of the end users (of which security is a part). Recent reports highlight the widespread disruption caused to customers by the outage of the Microsoft Azure cloud, for example. So, how do end users understand whether they have an exposure to overreliance on one vendor environment without the right to transparency and the multi-supplier service management provided by the current PSN Operating Model?

It may well be argued that G-Cloud, and the CESG Cloud Security Principles, are mature as G-Cloud enters its sixth iteration. However, with Mark Craddock (a founding G-Cloud architect) estimating that 16,000 service definitions require review, maybe we need to reuse more existing open standards to ensure that compliance for suppliers delivers value to the end user in delivering the digital government we all hope for. PSNGB certainly hopes that compliance for suppliers retains value for end users beyond mere security, as we agree that the delivery of safe and robust services for end users to share information must be a priority.