The gateway to internet security

From Stuxnet to the 'Flame' virus, government networks are under constant fire, and as agencies move to consolidate their internet gateways they will need to answer some tough questions.

As government agencies move towards a consolidated internet gateway system, they face a number of choices around who should maintain and bear responsibility for these gateways. Lead Agencies will have to decide on whether to outsource their gateways or maintain them in-house, as well as what services and protocols best balance cyber security and flexibility as core priorities. These Lead Agency Gateways (LAG) must provide platforms for internet access which can sustain the combined requirements of dependent agencies in a secure and scalable manner for the long term.

The key goal of the federal government’s Internet Gateway Reduction program is to drastically improve security. In its 2009 cyber security strategy, the government found that its computer networks were increasingly under threat from malicious cyber attacks, prompting the move to reduce its internet gateways from 124 to only eight – all of which must be located within Australia. This consolidation process would allow cyber security efforts to focus on protecting a far smaller number of gateways, which government agencies will share to access the internet, in a consistent territorial space.

Each of the eight gateways is administered by a “Lead Agency”, a selected government agency which then has responsibility to establish and maintain shared access for a larger group of dependent agencies. The overall gateway system is also closely aligned with other AGIMO procurement programs including the Data Centre Facilities Panel (DCFP), Internet-Based Network Connection Services (IBNC Services) and the soon-to-be-established Datacentre-as-a-Service Multi-Use List panels.

All of these currently provide, or will soon provide, strong guidance for agencies in choosing the most secure and able data service providers. The ultimate goal of the LAGs is to boost security through consistency, dramatically reducing the number of processes and protocols open to attack.

Secure and protected gateway choices

As the eight lead agencies begin going to market for their respective gateways, the broader government agency environment must consider how best to achieve this goal. The gateways will dictate not only security policy, but also any future government convergence policy, meaning decisions now will have significant flow-on effects in the next decades.

Some lead agencies are pursuing entirely in-house technical solutions, while others are aiming to outsource the consolidated gateways to private-sector providers. In all cases, however, lead agencies need to consider three main issues which will have significant implications for government usage of the internet, and the broader security and productivity of governmental functions which this usage will influence.

As made explicit in the goals of the Lead Agency Gateways, improved and future-proof security is the highest priority. In today’s “always on” world, this requires the capability to provide 24-hour proactive security management, analysis and response – particularly as we move from a perimeter-edge style of security model to protection (and detection) at the data-element level.

Lead agencies, however, also need to be thinking not just of the technical security of access and data, but of legal and privacy issues as well – especially with the growing uptake of cloud computing technologies. The Defence Signals Directorate, which is responsible for Commonwealth information security, has issued a policy statement on the security implications of cloud adoption. DSD explicitly recommends that any vendors be entirely Australian-based and preferably Australian-owned. This requirement ensures that government agency data is only ever subject to Australian law and cannot be acted upon by foreign legislation, particularly laws like the Patriot Act which have deep implications for data privacy and security.

The physical location of gateway hardware is also relevant to issues around technical security and performance. Macquarie Telecom, for example, maintains ASIO T4, DSD “Protected” and DSD “Government Systems Information” certifications. While lead agencies can adhere to these standards through in-house architecture, doing so can incur significant capital costs to both establish systems which meet these standards, and maintain compliance as security protocols and requirements evolve. Lead agencies must evaluate the relative cost-effectiveness between in-house and outsourcing (including the ability to attract and retain top talent) to make sure their gateway can sustain top-level security in the long term.

Maintaining total reliability

Lead agencies must also consider uptime and redundancy as a corollary to gateway security. Gateway reliability is even more essential given that multiple (often 20 to 30) agencies will rely on a single gateway, meaning that any performance issues or outages will have a multiplied effect. Even a minor outage can potentially disrupt agencies’ services over a broad range of areas and levels of criticality. Lead Agency Gateways should not only have systems in place to insure against power outages or system crashes, but also the redundancy to fail over to secondary systems which can fully support the combined requirements of all dependent agencies.

As with all data management, risk mitigation remains the top priority for gateway strategy. Lead agencies will be able to mitigate potential risks much more effectively if they opt for providers who can offer, deliver and manage completely end-to-end gateway solutions. In the LAG context this includes integrating the data network, the internet access and the data centre layer with the physical secure internet gateway environment. This meshes with other coordinated procurement frameworks managed by the Australian Government Information Management Office (AGIMO). Not only does this bolster security – only one provider ever deals with any data – it also means far higher internal compatibility and ease of maintenance compared to dealing with multiple providers at every stage. Macquarie Telecom’s $5 million investment in building MacquarieHub, a completely onshore and highly accredited service centre for its clients, is an example of the level of infrastructure needed to provide this sort of integrated, holistic approach to data and connectivity.

The best gateway providers will also deliver secure data centre services and uptime guarantees that can fully support agency function in any event up to a catastrophic network failure. Even if lead agencies choose to adopt an in-house model, they should consider approaching a third party to provide co-located failover systems: maintaining a physical and operational distance between primary and secondary systems may require more management, but further reduces the number of factors which might take a gateway offline.

Future-ready infrastructure

Finally, scalability for future operations should weigh into how the agencies structure their gateways in the present. LAGs should be easily scalable to cope with projected increases in agency internet traffic and bandwidth requirements; they should also be compatible with expected changes in technology, such as the rollout of the NBN and the gradual deployment of IPv6 as the standard protocol. Most of all, scalability and upgrades should take place within a cyber security framework which readily adapts both to new demands and emerging threats as and when they occur.

The LAG program will underpin the performance of all government agencies and, as a result, have myriad implications for the society they serve. Lead agencies will need to ensure that gateway consolidation brings with it improvements in security, reliability and technical performance, not only as a one-off gain but as a process of continual future advancement. Outsourcing to Australia-located providers with superior data management and uptime will be a critical part of this equation.

The agencies aligned to a particular lead agency will need to contribute to the assessment of the above criteria, and also assess the ability of the proposed solution (in-house or outsourced) to meet their own individual needs and priorities now and into the future.

Derek Fittler is the National Manager of Government Hosting at Macquarie Telecom