New guidance highlights importance of encryption, verification and assurance based on Whitehall feedback
Government organisations have been urged to follow new guidance on keeping email secure, with an emphasis on specific approaches for encryption, verification and assurance.
Nick Woodcraft, applications product manager for the Common Technology Services team of the Government Digital Service (GDS), has highlighted the measures in a blogpost, saying they come in response to one of the biggest issues for government technical teams and follow work with large data owners including HM Revenue & Customs (HMRC) and the Department for Work and Pensions.
The team has also published a guidance document for sending and receiving email securely over the internet.
Woodcraft emphasises that using the Public Services Network (PSN) for exchanging data removes many of the worries about security, but acknowledges that every organisation also uses email over the internet, encouraged by the low cost of cloud-based services.
The Government Security Classifications are also cited as important, but the blog says that security is still a concern and that the team's research emphasised the need for a three-pronged approach: encryption, verification and assurance.
For encryption, it urges the use of transport layer security (TLS), which protects email in transit between email services (not on the endpoints or at rest), has the highest adoption of the available options and places a low burden on the user. CESG, the national technical authority for information assurance, has published guidance on using TLS and maintains a list of preferred cryptographic profiles.
Follow banking lead
In the case of verification, it recommends the use of domain-based message authentication, reporting and conformance (DMARC), which combines the open standards SPF and DKIM with a reporting channel to help an organisation understand how its email domains are being used and misused, and to tell receiving mail services what to do with messages that fail the checks. DMARC has been widely implemented in banking and online services, and is supported by HMRC, which has led much of government's work in the area.
GDS is aiming to improve assurance by building a tool to monitor TLS and DMARC use across government and provide a check on whether a service is secure. The aim is for it to provide a dashboard of the domains in an organisation, a way to check whether an email sent between two domains should be secure, and a 'white list' of domains that meet the standard.
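The two DMARC checks the assurance tool is described as making (is a domain's policy published and enforced, and what do the receivers' reports say about who is sending as that domain) can be illustrated in a few dozen lines. The following Python is an added example written for this page; it is not GDS's tool or any code from the blog. The domains, DMARC records and the aggregate report are constructed for illustration, and the record is read from an embedded dictionary rather than DNS so that the example runs offline.

```python
"""Parse DMARC policy records and summarise a DMARC aggregate report.

Added example for this page, not GDS's assurance tool. All domains, records
and the report XML below are constructed sample data.
"""
import xml.etree.ElementTree as ET

# Constructed TXT records as they would appear at _dmarc.<domain>.
# A real checker would fetch these with a DNS TXT query.
SAMPLE_DMARC_RECORDS = {
    "example.gov.uk": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.gov.uk; pct=100",
    "weak.example.gov.uk": "v=DMARC1; p=none; rua=mailto:reports@weak.example.gov.uk",
    "legacy.example.gov.uk": "v=spf1 include:_spf.example.net -all",  # SPF, not DMARC
}


def parse_dmarc(record):
    """Split a DMARC TXT record into tag/value pairs; None if it is not DMARC.

    Tags are ';'-separated 'tag=value' pairs and the version tag must be
    v=DMARC1 (RFC 7489). Unknown tags are kept so callers can inspect them.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Classify a record as 'missing', 'monitor', 'quarantine' or 'reject'.

    'monitor' is p=none: receivers report but do not act on failures. 'pct'
    below 100 means the policy is only applied to a sample of failing mail,
    which is reported separately so a dashboard can flag partial enforcement.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return {"status": "missing", "reporting": False, "pct": 0}
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    status = "monitor" if policy == "none" else policy
    return {"status": status, "reporting": "rua" in tags, "pct": pct}


# Constructed aggregate (rua) report in the RFC 7489 Appendix C layout.
SAMPLE_AGGREGATE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.gov.uk</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.gov.uk</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.gov.uk</header_from></identifiers>
  </record>
</feedback>
"""


def summarise_report(xml_text):
    """Count messages that passed DMARC alignment and list sources that failed.

    A row passes when either aligned DKIM or aligned SPF passed; rows where
    both failed are the ones a domain owner should investigate, because they
    are either misconfigured legitimate senders or someone spoofing the domain.
    """
    root = ET.fromstring(xml_text)
    passed = failed = 0
    failing_sources = []
    for rec in root.findall("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        aligned = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        if aligned:
            passed += count
        else:
            failed += count
            failing_sources.append(row.findtext("source_ip"))
    return {"domain": root.findtext("policy_published/domain"),
            "passed": passed, "failed": failed, "failing_sources": failing_sources}


if __name__ == "__main__":
    for domain, record in SAMPLE_DMARC_RECORDS.items():
        print(domain, assess_dmarc(record))
    print(summarise_report(SAMPLE_AGGREGATE_REPORT))
```

Run stand-alone it prints one line per sample domain and a summary of the constructed report; the legacy domain shows up as 'missing' because an SPF record at _dmarc is not a DMARC record, and the 35 rejected messages from 198.51.100.7 are what the 'misuse' side of DMARC reporting surfaces. To turn this into a live check, replace the dictionary lookup with a DNS TXT query for `_dmarc.<domain>` and feed it the reports delivered to the rua address.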
The tool is now being tested by users in its alpha phase, and GDS is sending it to a number of people this week to surface and deal with any problems.
Other measures under way include updating email gateways and filtering on the PSN.
“Making the changes needed will vary by organisation - common cloud based email services have all the options available out of the box - but where organisations need help we’ll work out the best way to provide it, through documentation and advice,” Woodcraft says.
“The goal is for all government organisations to meet this standard and implement it as soon as is practical. We’ll use the assurance tool to monitor implementation and see what other activity we might need to support this change.”