Preparing for a world without the Public Services Network (PSN)

Anyone who works in technology in the United Kingdom (UK) is familiar with the Public Services Network (PSN). This organization was created in 2008 to help utility organizations work together to share resources and reduce duplication. Over time, the Internet has become suitable for most jobs that were previously handled by PSN, and PSN is now considered a legacy network.

The UK government has adopted a “Cloud First” policy, and all public service organizations that were previously subject to PSN rules must now move away from PSN. However, it is not just a simple “tear and replace” operation. The entire structure of our work environments has changed, particularly over the past year, adding more complexity to our already complex security challenges. How can we safely migrate from PSN?

The PSN was a centrally managed network, so its elimination presents the possibility of many directions an organization can take when migrating to one of the many cloud service types and providers. In a way, we are looking at the same old issues but with a new approach. It all comes back to the idea of reducing complexity and respecting the basics of security. Access control and access management will be widely considered in these practices.

Plan early, test early

We don’t know exactly when PSN will leave us, but it’s estimated to be around 2023. The good news is that there’s plenty of time to plan for a safe migration. However, if we use history as a barometer, we only have to look at the preparation that took place before GDPR was implemented in 2018. Organizations had at least two years to prepare for GDPR, and yet, when the deadline approached, many organizations were unprepared.

Unlike the GDPR, the absence of the PSN can have operational consequences if it is not addressed by the deadline. It is extremely important to plan a strategy now, while the PSN is still there, and to look at which services you rely on through the PSN. Then start strategizing around removing those critical areas. Maybe you can move the less critical functions first so that they become a test bed. Act slowly and deliberately so that you fully understand the impact on the organization.

Advice in the absence of the PSN

In the absence of the PSN, it is important to use industry-recognized procedures to create a functional security solution. As with crypto, it would be unwise for an organization to replace PSN by tinkering and building its own solutions in-house. Companies should look for ways to use the systems they currently use and build on the processes they already have in place to replace PSN before rushing out and buying something else.

One way for an organization to migrate safely is to consult the guidance offered in many available standards, such as those offered by the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), and the Center for Internet Security (CIS). With respect to all of these standards, when we talk about monitoring your suppliers, what we have to recognize is that it’s about doing due diligence: making sure that you have those audits and reviews regularly and that this integration process is in place. An organization needs a coherent strategy to integrate new suppliers and new services. This is an important way to avoid fraud in the supply chain, and it ensures that the services you implement have not been rushed. This approach should also be part of your overall strategy.

Avoid the Perfect Storm

An important aspect that should not be overlooked is that it is not just about technology. When the complexity of our systems includes data that exists on servers that have been decommissioned or are about to be decommissioned, and you also have a very overworked and perhaps underestimated workforce, the risk increases. If your staff are tired, this can create the perfect storm for cybercriminals.

Cybercriminals have also recognized that as people increasingly work remotely, they are disjointed and separated from their organizations and colleagues. These are windows of opportunity that criminals can squeeze through. This is why security is such a fundamental part of everything we think about today when it comes to digital transformation or changes in the way we operate.

The importance of audits

For many IT professionals, audits can be one of the most painful experiences. However, this need not be the case. An audit is rarely a surprise. Usually, the audit schedule is decided at the beginning of the year, so planning an audit can be very simple. The security team must recognize that every aspect of what they do is an auditable action, so they must always be in evidence-gathering mode. For example, has a change been made to the organization’s password policy? Gather this evidence at the time of the change instead of looking for it at the time of the audit.

Why is an audit discussion important in the context of migrating out of PSN? There are two reasons. First, an information security audit can reveal gaps that can lead to the unintended discovery of a system that was previously excluded from the PSN migration plan. More recently, the immediate shift to a remote workforce has created an entirely uncatalogued collection of assets that can surreptitiously increase risk to an organization. A self-initiated audit can avoid many disastrous surprises.

Life after PSN

The best way to go about a smooth migration out of PSN is a matter of strategy.

Use an approach that goes beyond simple compliance. Strengthen scalability and continue to keep availability in mind. A clear strategy must include all the key players in the organization who depend on the PSN. This inclusion will help prevent important elements from being overlooked. Take everyone on the path to a successful migration.

About the Author: Gary Hiberd is the “Cybercommunications Professor” at Cyberfort and is a specialist in cybersecurity and data protection with 35 years of experience in IT. He is a published author, regular blogger, and international speaker on everything from the Dark Web to cybercrime and cyberpsychology.

You can follow Gary on Twitter here: @AgenceGary

Editor’s note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.