Enabling secure connection to e-government

12 May 2003

At its heart, citizen-focused government demands fluid information exchange between departments. To achieve this goal, a stable and unified platform is necessary that permits data exchange and collaboration across departmental boundaries; enables remote access by staff and partners in the field; and facilitates secure payments to and from citizens.

The government virtual private network (GVPN) is such a platform, and joining it will be crucial to making fully functional, transaction-enabled e-government a reality.

When Eircom and Vodafone Ireland won the contract for a national GVPN last year, they set about the task of building a platform for fluid information exchange between departments, with the ultimate focus being on the e-citizen. A VPN is one or more wide area networks (WANs) linked over a shared public network, typically over the internet or an internet protocol backbone from a network service provider (in this case Eircom). This network uses security mechanisms to ensure that only authorised users can access the network and that the data cannot be intercepted.

Recently, a breakfast seminar organised by Entropy highlighted the benefits of the GVPN and also looked at various security issues. In attendance were IT representatives and officials from various government departments and state bodies.

According to Conall Lavery, managing director of Entropy, there are major benefits for government agencies and departments in connecting to the GVPN, including cost effectiveness and the removal of various IT complexities. “The GVPN is a ready-made interagency intranet and it removes the need to go through tender. The tendering process itself is time-consuming and can create problems in terms of getting things done … It is an excellent service with many benefits,” he says.

“The GVPN offers a very cost-effective connectivity solution for departments and agencies,” says Conor Flynn, technical director of Rits. “There are a number of security benefits once connected to the GVPN, such as basic spam email filtering at the GVPN hosting centres in Citywest and Crown Alley, which has positive implications for bandwidth at the agency; basic firewalling services at the internet connection before presentation to the hosting section of the GVPN for each agency; and routing of email messaging within the GVPN for interagency email.

“However, there are a number of security issues that are still left to the agencies themselves,” he warns.

IT security has to be carefully managed by departments and state agencies to ensure that sensitive data is not exposed and, according to Flynn, if there was a security breach at one agency connected to the GVPN, all services being offered on the network may be unavailable.

“Risk analysis of the connections and services being subscribed to must be performed by each individual agency. Each agency must still implement a firewall. Based on the risk analysis, a multi-tiered architecture may be necessary. GVPN services must be firewalled from each other by each agency. Appropriate email content monitoring and anti-virus screening solutions must be implemented. Appropriate website filtering and content solutions must be implemented. Encryption requirements for data in transit across the GVPN must be determined by each agency.”

Chief information officer of Entropy, David Bolger, offered some security advice for departments and agencies connecting to the GVPN. His advice covered access control and IT perimeter security, dealing with router access control lists, proxy servers and firewalls, and IT authentication, dealing with PINs, two-factor authentication, encryption and biometrics. “You need to control what users can bring into the system. Just like we have customs officials who use x-ray machines, sniffer dogs and physical searches, in IT there needs to be content management measures such as email content analysis, web content analysis and anti-virus scanners,” he says. Other security measures discussed include intrusion detection systems, authorisation and auditing such as systems logs and application logs.

It is believed that each agency and department will be responsible for its own IT security systems whilst connecting to the GVPN. Not surprisingly, Lavery suggests that a central IT security system is the best way forward. “Types of central IT security measures that could be implemented centrally for all government agencies and departments include central content screening, central authentication and central spam controls. The main benefits would be cost effectiveness and a better guarantee that security for the GVPN would be done right,” he says.

Flynn concludes: “The use of email for the communication of sensitive information must still be considered as untrusted as though the GVPN was not in place. The fact that email routing between agencies happens at the GVPN and not the internet is an improvement, but all the traditional email security risks still exist.”

By Lisa Deeney