Mole Valley Case Study

Author: Cecily Todd
Introduction

Mole Valley District Council is located in central Surrey and covers the main towns of Leatherhead, Dorking and surrounding areas, providing local government services for a local population of approximately 80,000 people.

The first government department to switch off paper-based processes was the Department for Work and Pensions (DWP): from 1 April 2009, GCSx became the only channel through which councils could access and deliver housing benefit services for their citizens.

With more and more sensitive information held on local systems linked into Central Government, Mole Valley recently took the decision to enhance security controls for managing data at the Council as part of two main objectives: supporting the Code of Connection (CoCo) in order to join the Government Connect Secure Extranet (GCSx), and providing a secure environment for staff working from home.

Mole Valley have a long-established home working policy in place. As part of their commitment to provide good value services and flexible working conditions, those able and willing to undertake their work from home, subject to complying with health and safety requirements, are permitted to do so.

Background

To ensure that classified information could be exchanged securely with local authorities, the UK government has created the GCSx Code of Connection (CoCo). CoCo is a list of approximately 90 security controls with which all local authorities must comply in order to connect directly with the central government intranet. This applies to Local Authorities (LAs) that take a direct connection and to those that connect via an aggregated gateway. This secure infrastructure will become the preferred medium for communication between local and central government systems. To achieve compliance, local authorities must provide secure access to data through multi-factor authentication, tailor their local mail services to be compatible with the secure Government Connect Mail solution and meet stringent information governance standards.

So the challenge for Bob Thomas, Head of IT at Mole Valley, and his team was how to comply and yet still provide council staff with the same flexible working arrangements - finding a way to continue providing a full range of services to citizens, all within a limited budget! Bob explained “It would be a huge task to change employment terms and conditions for staff, and we couldn’t afford to buy new council owned equipment for them to work with. So we had to find a way to make our existing system more secure to meet the Code of Connection requirements and allow staff to continue using their own equipment.”

Finding the right partner for the job...

Meeting the brief

Xpertex were chosen by Mole Valley to provide a flexible, cost-effective secure solution for allowing CoCo and non-CoCo users access to core Council services and applications. As a long term partner of Mole Valley, their knowledge of the Council, Local and Central Government was seen as invaluable to the team.

With a client brief to simplify ongoing support and reduce overall solution complexity, Xpertex aimed to select products for Mole Valley that could address more than one solution requirement where possible. Joel Sweeney, MD at Xpertex, explains why this proved to be somewhat of a challenge: “We found that each of the three main requirements were almost exact opposites. We needed to find a way to provide secure INTERNAL, user-based application access and secure, remote EXTERNAL application access with end user device verification.” The right solution, along with secure third-party supplier access, was clearly a challenge!

With aggressive timescales for implementation it would be important to get the right solution in place first-time, and Mole Valley showed confidence in Xpertex to deliver this for them, with the project in place for the April 1st 2009 deadline.

The Solution

Working with the Mole Valley team, Xpertex were able to identify three distinct use-cases for the solution.

1. Internal Access: Mole Valley employee access to the Council network offered within the confines of Council buildings, including walk-up PCs for controlled data export.

2. External Access: Secure remote access to services and applications which conforms to GCSx CoCo requirements and meets the Mole Valley home working strategy.

3. Support Access: Secure third-party supplier access to Council systems for suppliers working on subcontracted support contracts for the Mole Valley IT team.

Xpertex began by evaluating the key market players in each technical field. Across remote access, 2-factor authentication, disk encryption and trusted environments, three manufacturers’ products were consistently on the considered list: AEP Netilla Application Access, Swivel PINsafe Turing-image and SMS 2-factor authentication, and Becrypt DISK Protect disk encryption and Trusted Client™ products.

Application Access with AEP

AEP Netilla SSL VPN is a secure application access gateway that enables secure, web-browser access to a broad range of business applications. Xpertex found that Netilla offered Mole Valley secure application access through authentication realms, with the flexibility to offer a choice of authentication methods on the same appliance for the range of security and application requirements. Joel summarised how Xpertex viewed the solution: “AEP really met our requirement for users to operate internally and externally. With a single management interface and the Netilla local authentication store, Mole Valley could also manage support organisations where a user and password access was required without having an AD account. Making it ideal for us and Mole Valley”.

Access Authentication with SWIVEL

The Swivel PINsafe solution provides authentication for access to VPNs, websites and corporate web applications through mobile devices and web browsers. PINsafe is designed to combat threats ranging from skimming, phishing and spyware to shoulder-surfing and key-logging. The user registers a PIN; at each login the server delivers a randomly generated security string (as an on-screen Turing image or by SMS) and the user types back only the digits at the positions given by their PIN, so the PIN itself is never entered and each code is valid once. Swivel position this combination as a safe, easy, reliable and cost-effective authentication solution. For Xpertex this solution met two main requirements at Mole Valley. Firstly, it allowed them to offer 2-factor authentication for internal users without the need for tokens. Joel Sweeney explained further: “PINsafe's single channel web-based solutions and Mobile Based Authentication made it simple for us to seamlessly integrate a web and SMS process at Mole Valley and offered an effective alternative to vulnerable username and password authentication”.

Disk Encryption and Trusted Clients

Xpertex understood that all internal machines at Mole Valley required full disk encryption from a CESG-approved manufacturer for CoCo compliance. Becrypt DISK Protect met the requirement for laptop encryption, and Xpertex used Becrypt Media Client to protect data in transit on removable media such as CDs. Joel Sweeney explained: “Becrypt Media Client offers us a simple and easy way of protecting data in transit with file and media encryption. Media Client resides on any removable device and has a zero footprint, allowing a recipient to access protected data without needing to install software”. In addition, by using Becrypt Trusted Client™, Xpertex could enable staff to continue to use home PCs whilst meeting the Code of Connection requirements to access GCSx. Trusted Client™ is a bootable operating system on a USB stick: the home PC boots from it rather than from its own hard disk, so malware on the host’s native installation is never running while the Council network is in use, and ‘corporate’ data cannot leak onto the host. The impact for Mole Valley was a significant cost saving as they no longer needed to provide laptops for all those working outside of Council buildings.

Technical Briefing: Developing a Solution for CoCo Compliance

Xpertex were able to develop a working solution for Mole Valley by focusing on secure access by employees in different scenarios and ensuring that these met the overall objective for compliance. Here we explore the solution for internal, external and support access in more detail.

Internal Access: Employee Access to Council Network

The overall objective for Internal Access at Mole Valley was to deliver a thin client, virtualised environment to all users, compliant with GCSx CoCo requirements. This was seen as one way to also dramatically reduce the costs associated with managing the existing desktop estate. The solution, as shown in Figure 1 below, included:

• Active Directory login
• Internal AEP Netilla connection for secure access to Windows Terminal Services 2008
• 2-factor authentication via Swivel using an obfuscated Turing image
• Windows Terminal Services 2008 application delivery
• iGel
• All I/O ports (USB etc.) locked down by Becrypt Connect Protect

At stage (1) the internal thin client PC (or walk-up PC) boots up, logs on and presents the user with the Netilla login page for the INTERNAL realm. The user then enters their Active Directory logon and password. As this realm requires a second stage of authentication (2), the Netilla queries the SWIVEL server to generate the user’s Turing image.

[Figure 1: Internal Access at Mole Valley. Diagram showing the Thin Client on the Council LAN behind the Firewall, the Netilla SSL VPN Gateway, the SWIVEL Server and the Windows Terminal Servers, with the Internet outside the firewall; steps (1) to (4) are numbered as in the text.]

In order to complete the logon process (3) the SWIVEL Server presents the Turing image on the Netilla login page and prompts the user to enter the digits corresponding to their own personal PIN. After successful authentication, the user accesses Internal resources according to their role (e.g. CoCo or non-CoCo user) via Windows Terminal Services (4).

Controlled Data Export with Becrypt

This model proved to be successful but prohibited any data export whatsoever. In some cases, controlled data export was required by Mole Valley, so a small number of “walk-up” PCs were deployed to enable this. To maintain security the process is controlled, audited and reported on by Becrypt Connect Protect, and all forms of media used for data download are encrypted and managed by Becrypt Media Client. In addition, Xpertex extended this level of protection to the hard drives of all walk-up PCs and the remaining Council-owned laptops, with full disk encryption using Becrypt DISK Protect Standard.

External Remote Access to Council Network: To meet the objective for providing remote access, Mole Valley needed to ensure that they delivered controlled, secure remote access to services and applications located within the Council network which still conformed to the GCSx CoCo requirements. The challenge for Mole Valley was to offer secure access whilst, at the same time, reducing the overall number of Council-owned laptops being managed. Achieving this would enable Bob to deliver considerable savings back to the business and reduce the projected timeline for a return on their investment.

[Figure 2: An example of SWIVEL PINsafe technology]

Delivered by:
• Becrypt Trusted Client™ (bootable OS)
• External AEP Netilla VPN for secure access to Windows TS 2008
• Active Directory login
• 2-factor authentication using AEP client integrity checking to verify the presence of the Trusted Client™ client-side certificate
• Windows Terminal Services 2008 application delivery
• iGel

At stage (1) the home or remote user inserts the Trusted Client™ USB stick and turns on the PC. The PC boots and loads Trusted Client™, which is configured to automatically load the browser and present the user with the Netilla login page for the EXTERNAL realm (2). After the user enters their Active Directory logon and password, the Netilla checks for the presence of a specific client certificate in the booted environment (3). Because that certificate is held on the Trusted Client™ image, its presence is taken as evidence that the user has booted from Trusted Client™ and not from their native PC; the check is therefore only as strong as the protection of that certificate and its key on the stick. Once the certificate is verified, the user accesses internal resources according to their role (e.g. CoCo or non-CoCo user) via Windows Terminal Services 2008 (4) and iGel, the identical environment they would access from within the office walls.

[Figure 3: External Access at Mole Valley. Diagram showing the USB Trusted Client on the Internet side of the Firewall, the Council LAN and the Windows Terminal Servers; steps (1) to (4) are numbered as in the text.]

Remaining laptops not being replaced by Trusted Client™ are all encrypted with Becrypt DISK Protect, and the Council security policy dictates that only presentation materials are held on the hard drive. All remote/home users are permitted to use their own equipment, as they boot from the Trusted Client OS onto the AEP Netilla SSL VPN, which uses client integrity checking to verify the presence of the Trusted Client™ client-side certificate. The user then gains access to the Council’s network and services via TS2008 and iGel, the identical environment they would access from within the office walls.

External Access – Connections for IT Support

With a number of external suppliers to the Mole Valley IT team requiring access to Council systems, Xpertex needed to integrate a solution which enabled support requirements to be conducted in a managed and secure way.

Delivered by:
• External AEP Netilla VPN for secure access to Windows TS 2008
• Swivel 2-factor authentication using Swivel PINsafe token-less access via mobile telephone
• AEP local database login – NO Active Directory login required
• Windows Terminal Services 2008 access for troubleshooting

[Figure 4: SWIVEL Server for Support Management at Mole Valley. Diagram showing the Support Phone and Support PC on the Internet side of the Firewall, the Swivel PINsafe SMS Gateway, and the SWIVEL Server and Windows Terminal Servers on the Council LAN; steps (1) to (5) are numbered as in the text.]

Mole Valley Council have placed all permitted third-party organisations on the Swivel database and set temporary, strong Netilla VPN passwords. When the Council logs a support call with a third-party helpdesk that requires access to a system to enable a fix, a process is initiated which enables access without compromising on security. At stage (1) the third party must assign a technician and detail their name, role, organisation and mobile telephone number in an email to the Council. Once the technician is verified through the SWIVEL server (2), the Council opens domain access to the third-party account for an agreed time frame (3). The technician then receives a security string via SMS (4) and enters the one-time code formed from their registered PIN and that string, together with the VPN password, to access the system (5). A captured VPN password alone is not sufficient, and a captured one-time code is useless once it has been used or once the window has closed. This has clearly improved third-party support for applications at Mole Valley. Previously, each supplier was offered a locked account which they had to request to open by email. The secure solution also helps to streamline tasks, as the IT team no longer need to get involved in individual requirements, with the result that the process is now managed and tracked by a single person.
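The PINsafe one-time-code mechanism described under Access Authentication with SWIVEL above, and the five-step support workflow just described, as an added Python model. This is illustration code written for this page, not Swivel, AEP or Xpertex software: the `PinsafeAccount` and `SupportRealm` classes, the `derive_otc` and `pin_candidates` functions, the technician account name and the constructed clock `T0` are all assumptions, and `send_sms` returns the security string in place of a real SMS gateway.

```python
"""Swivel PINsafe-style one-time codes and a time-boxed third-party support
realm.  Added illustration, not Swivel, AEP or Xpertex code; names are assumed."""
from __future__ import annotations

import secrets
from datetime import datetime, timedelta, timezone
from itertools import product

STRING_LEN = 10  # a security string is ten digits at positions 1..9 then 0
T0 = datetime(2009, 4, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock


def later(minutes: int, base: datetime = T0) -> datetime:
    return base + timedelta(minutes=minutes)


def new_security_string() -> str:
    """Random ten-digit string, shown as a Turing image or sent by SMS."""
    return "".join(str(secrets.randbelow(10)) for _ in range(STRING_LEN))


def derive_otc(pin: str, security_string: str) -> str:
    """One-time code = the string digit at each PIN position (1 = first, 0 = tenth)."""
    if not pin.isdigit() or len(security_string) != STRING_LEN:
        raise ValueError("bad PIN or security string")
    return "".join(security_string[(int(d) - 1) % STRING_LEN] for d in pin)


def pin_candidates(security_string: str, otc: str) -> list[str]:
    """Every PIN consistent with one observed (string, code) pair: all a shoulder-surfer learns."""
    per_digit = [[str((i + 1) % STRING_LEN) for i, c in enumerate(security_string) if c == d]
                 for d in otc]
    return ["".join(p) for p in product(*per_digit)]


class PinsafeAccount:
    """Server-side state: registered PIN plus the outstanding string, consumed on first use."""

    def __init__(self, pin: str) -> None:
        self.pin, self.pending = pin, None

    def issue(self, security_string: str | None = None) -> str:
        self.pending = security_string or new_security_string()
        return self.pending

    def verify(self, otc: str) -> bool:
        if self.pending is None:
            return False  # nothing issued, or the last string was already used
        expected, self.pending = derive_otc(self.pin, self.pending), None
        return secrets.compare_digest(expected, otc)


class SupportRealm:
    """Netilla-style local realm for technicians: no AD account, a temporary VPN
    password, an SMS second factor, and access only inside the agreed window."""

    def __init__(self) -> None:
        self.accounts: dict[str, tuple[str, PinsafeAccount]] = {}
        self.windows: dict[str, tuple[datetime, datetime]] = {}
        self.audit: list[str] = []

    def register(self, tech: str, vpn_password: str, pin: str) -> None:
        self.accounts[tech] = (vpn_password, PinsafeAccount(pin))

    def open_window(self, tech: str, start: datetime, hours: int) -> None:
        """Step (3): the Council opens domain access for an agreed time frame."""
        self.windows[tech] = (start, start + timedelta(hours=hours))
        self.audit.append(f"{start.isoformat()} window opened for {tech}, {hours}h")

    def in_window(self, tech: str, now: datetime) -> bool:
        w = self.windows.get(tech)
        return w is not None and w[0] <= now < w[1]

    def send_sms(self, tech: str, now: datetime, security_string: str | None = None) -> str | None:
        """Step (4): security string to the registered phone, only while the window is open."""
        if tech not in self.accounts or not self.in_window(tech, now):
            self.audit.append(f"{now.isoformat()} SMS refused for {tech}")
            return None
        return self.accounts[tech][1].issue(security_string)

    def login(self, tech: str, vpn_password: str, otc: str, now: datetime) -> bool:
        """Step (5): VPN password plus one-time code, inside the window."""
        entry = self.accounts.get(tech)
        ok = bool(entry) and self.in_window(tech, now) \
            and secrets.compare_digest(entry[0], vpn_password) and entry[1].verify(otc)
        self.audit.append(f"{now.isoformat()} login {'ok' if ok else 'denied'} for {tech}")
        return ok


if __name__ == "__main__":
    realm = SupportRealm()
    realm.register("tech@supplier.example", "T3mp-Str0ng!", "3714")
    realm.open_window("tech@supplier.example", T0, hours=4)
    sms = realm.send_sms("tech@supplier.example", later(5))
    code = derive_otc("3714", sms)  # what the technician reads off their phone
    print(realm.login("tech@supplier.example", "T3mp-Str0ng!", code, later(6)))  # True
    print(realm.login("tech@supplier.example", "T3mp-Str0ng!", code, later(7)))  # False: replay
    print(len(pin_candidates(sms, code)), "PINs fit the observed code")
```

`pin_candidates` makes the shoulder-surfing claim concrete: when the security string repeats digits, several PINs produce the same code, so one observed login does not pin down the PIN, and the consumed string means the observed code cannot be replayed anyway. The same property does not defeat a live relay: a proxy that forwards the security string to the technician and the code back to the gateway in real time succeeds, as with any one-time code, which is why the agreed access window and the temporary VPN password matter as much as the second factor.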

Future Use-Cases

Bob Thomas from Mole Valley highlighted that the solution offers a number of future use-cases that have now been identified, such as Disaster Recovery and Business Continuity including pandemic response. Bob explained: “The Council envisage individuals being unable to attend the office when they are either looking after ill dependents or are recovering but quarantined for a period of time before returning to work. In these cases we expect to be able to deliver Trusted Client™ to enable the user to connect to the Council’s network and resume work”.

Should the delivery of the Trusted Client™ not be possible due to the invocation of a DR scenario (whereby physical access to the office is prevented), there is a special DR method of access available that will allow access to the Netilla VPN without the Trusted Client™ stick being attached. This path necessarily bypasses the device check that the EXTERNAL realm otherwise relies on, so it is an exception to be enabled only for the duration of the DR invocation.

Recommendations from Mole Valley

Having experienced the solution and worked with Xpertex to implement it, Bob Thomas had some recommendations for those looking to implement a similar solution in the future. “I’d strongly recommend that you don’t re-invent the wheel with these solutions. Overall costs can be greatly reduced if you focus on the mechanism to connect rather than trying to buy new equipment and services to meet the CoCo requirement.” Bob also added his support to finding the right reseller for your solution: “Choose a partner with experience in Local and Central Government communications. Xpertex provided us with some good insight to the controls required and their knowledge of the solutions available on the market gave us a good fit for our needs and budget.”

[Figure 5: PINsafe 2-Factor Authentication for External Support Partners]

To understand more about how Xpertex helped Mole Valley, or to discuss your own requirements for a CoCo-compliant solution, please contact us now: telephone 08450341412, email [email protected] or visit our website at www.xpertex.co.uk