eGov monitor and Insite
This article appears in eGov monitor Weekly

3 November 2003

Meeting the Demand for Constant Vigilance
Luton Borough Council demonstrates how good policy and best practice deliver a more secure computing environment

Luton Borough Council is regarded as a leading advocate of best practice in change management and information security and has been working with Microsoft Windows™ solutions since the earliest days of Windows NT™. With its local government offices and departments dispersed between one hundred different buildings around the Borough, meeting the highest standards of information security and reliability of service remain two vital pillars of the council's IT strategy.

Relying on its Microsoft Windows 2000™ infrastructure to provide the flexibility and resilience it requires, Luton's IT department has found that a properly configured computing environment, in conjunction with both a strong security policy and a consistent patch-management process, can significantly reduce risk and offer an effective solution to its information security needs.

Luton Borough Council

Since its re-organisation in 1997 Luton Borough Council (LBC) has pursued the objective of engaging with citizens in a secure and controlled environment to facilitate the progress of eGovernment. With a diverse community of over 185,000 people and the challenges of changing economic needs, it is essential to engage the population in as many ways as possible. Building a trusted network and technology base is a key part of this foundation. Becoming the first UK Authority to achieve ISO/BS7799 was a step-change in the way staff and internal units used LBC services. Since 2000 the organisation has been developing the platforms required for successful engagement with the citizen.

Situation

Luton's Head of ICT, Chris Kadwill, has over two decades of local government experience in the management of complex, heterogeneous, IT environments, and firmly believes that "Putting good solid processes and good solid people in place minimise risk". Kadwill has watched the security challenge to his operational resource increase as Luton has continued to expand the scope and reach of its eGovernment services, increasing the number of 'touch points' between local authority systems and the Internet.

 
Chris Kadwill, Luton's Head of ICT: "As risks increase, a just-in-time approach to security management isn't good enough."

Where the management of Luton's IT infrastructure is involved, Kadwill is a strong advocate of a 'Back to Basics' approach to security. "It's a question of planning", he remarks. "You need to draw up the strengths and weaknesses of a product and then try and ensure that you are left with no single point of failure.

"We run regular and independent penetration exercises to give us a true picture of our limits and to remind us that no organisation is one hundred percent secure. Our experience with the Blaster worm taught us that when a moment's complacency opens the door to a threat, having the appropriate contingency plan available to deal with the threat is enough to turn a potential disaster into a manageable problem".

Flexible Working

Like many local government organisations in the United Kingdom, Luton recognises the needs of its employees and is in favour of promoting flexible working practices. It takes the view that a "one size fits all" approach will not be a solution to delivering a basket of applications to council officers, which in turn need to be 'married' against different styles and work preferences. "Everything needs to be Web-based", says Kadwill. "We have to deliver a mix of services to over a hundred different buildings and much of this information, such as Social Services case management records, is highly sensitive and has to be handled as such."

In order to achieve its flexible working environment, Luton has settled on a Microsoft Terminal Services solution, involving Citrix clients for strong authentication and secure remote access, encrypted through its Cisco firewall. "Local government employees", says Kadwill, "are cautious about the introduction of new technology, so using Windows Terminal Services™ fits a good 90 percent of our security needs, leaving a remaining 10 percent who need to keep their files locally and which leaves us with an encryption challenge. RAS is however standard on any connection provided by the council and using Windows Terminal Server drives down our total cost of ownership and offers us the level of fine control over who is using what and from where on our network".

Change Control Management

In addition to its ISO/BS17799 information security certification, Luton is adopting the (BS) 15000 standard for change control and service management. The IT department receives its regular Microsoft updates from the company over SMS and will normally "Store-up" patches for regular installation, based on their importance, on the basis that "If it ain't broke, don't fix it", says Kadwill. "Rebooting a system", he continues, "is a potential risk to our production environment and applying a constant stream of patches across our Solaris and Windows environments as they arrive, presents us with an obvious change control problem."

"Normally", remarks Kadwill, "critical security patches are applied within hours of receiving them and we rely very much on our processes to deal with the unexpected. The Blaster worm caught us by surprise, simply because we found ourselves caught between the August vacations, a change of anti-virus suppliers in the same week". "What happened next", says Kadwill "is that an infected laptop was brought in for repair and connected inside our firewall and from that moment on, we had to move swiftly to take the crisis element out of the picture with a controlled response".

A Robust Strategy

With the Blaster worm now starting to infect other machines on the Luton network, Kadwill's incident team put their contingency plan into action. They immediately placed a 'box of tricks', a laptop configured with intrusion detection software, onto the network to act as a decoy device for the Blaster worm and start capturing the IP address broadcasts of other Luton systems as the infection spread. Servers that were not infected were immediately shut down to prevent the worm from finding more potential hosts. As the locations of infected systems were identified, one by one, by cross-referencing with Luton's asset management system, the incident team had them shut down, disconnected from the network and patched to prevent the worm spreading further.
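
The cross-referencing step described above, sketched as an added example (it is not code from Luton Borough Council or from the original article). The sensor log format, IP addresses, asset tags and building names are all constructed for illustration; TCP port 135 is the RPC port the Blaster worm probed.

```python
import re
from collections import Counter

# Constructed decoy-sensor log; the line format is an assumption for this example.
DECOY_LOG = """\
2003-08-12T09:01:03 TCP src=10.20.1.15 dst=10.20.9.250 dport=135 flags=S
2003-08-12T09:01:04 UDP src=10.20.3.7 dst=10.20.9.255 dport=137
2003-08-12T09:01:09 TCP src=10.20.4.88 dst=10.20.9.250 dport=135 flags=S
2003-08-12T09:01:11 TCP src=10.20.1.15 dst=10.20.9.250 dport=135 flags=S
2003-08-12T09:02:30 TCP src=10.20.7.201 dst=10.20.9.250 dport=135 flags=S
truncated line without fields
2003-08-12T09:02:41 TCP src=10.20.3.7 dst=10.20.9.250 dport=80 flags=S
"""

# Constructed asset register: IP -> (asset tag, building).
ASSETS = {
    "10.20.1.15": ("ASSET-0412", "Building 12"),
    "10.20.3.7": ("ASSET-0977", "Building 07"),
    "10.20.4.88": ("ASSET-0031", "Building 03"),
}

LINE = re.compile(r"^(?P<ts>\S+) (?P<proto>TCP|UDP) src=(?P<src>[\d.]+) "
                  r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

def probing_hosts(log, decoy_ip, worm_port=135):
    """Count TCP probes each source sent to the decoy on the worm's port."""
    hits = Counter()
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed sensor output
        if (m["proto"], m["dst"], int(m["dport"])) == ("TCP", decoy_ip, worm_port):
            hits[m["src"]] += 1
    return hits

def containment_worklist(log, assets, decoy_ip="10.20.9.250"):
    """Join probing sources with the asset register; unknown devices come first."""
    rows = []
    for ip, count in probing_hosts(log, decoy_ip).items():
        tag, building = assets.get(ip, ("UNREGISTERED", "trace via switch port"))
        rows.append({"ip": ip, "probes": count, "asset": tag, "where": building})
    return sorted(rows, key=lambda r: (r["asset"] != "UNREGISTERED", r["where"], r["ip"]))

if __name__ == "__main__":
    for row in containment_worklist(DECOY_LOG, ASSETS):
        print(row)
```

A source that probes the decoy but is missing from the register, like the laptop brought in for repair, is listed first because it cannot be located from inventory alone.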

"It took us six hours to bring the Blaster outbreak under control", says Kadwill. "And 10 percent of our systems were infected. This was the first time in five years and since my responsibility for the council's IT that we have had a problem and there were real lessons to be learned from our mistake. First among these, was that there was a level of complacency in our organisation and staff and it was good to have a wake-up call".

Confident Computing with Windows

Luton's experience with the Blaster worm has not caused it to change its opinion of Microsoft Windows as the best operating platform solution to its varied business requirements. "This wasn't a Microsoft problem", says Chris Kadwill. "It was a temporary loss of attention and our mistake. We are committed to Microsoft as part of our enterprise strategy and replacing our Solaris environment with Windows has given us a five-fold performance improvement, as well as offering us significant cost savings into the future".

Luton now has 110 Windows 2000 servers, "And", says Kadwill, "we recognise that internet security is an industry problem that demands a response on both sides of the firewall.

"We have resisted the community software argument and will continue to do so, because you cannot run global organisations on a spindle of credibility, you need a strong, robust strategy and a reliable and consistent point of contact".

"We demonstrated", says Kadwill, "that even an event as potentially damaging to our organisation as Blaster can be managed if both the right contingency plan is in place and the team involved has a practiced drill to fall back upon if the unforeseen occurs. Five years without significant business interruption is a good record but as the risks increase, keeping up with security patches becomes more important and a just-in-time approach to security management isn't good enough".

Microsoft's Director of Trustworthy Computing (EMEA), Detlef Eckert, is strongly supportive of Kadwill's strategy. "Good information security", says Eckert, "is a constant process and Luton Borough Council is an excellent example of how the presence of good procedures can make a quick recovery possible when the unforeseen occurs".

Kadwill believes that, properly configured, the Microsoft Windows environment is a highly resistant and resilient platform, and Luton's IT department will be migrating all its systems to Windows Server 2003™ to better maintain its commitment to superior security and a more cost-effective Windows Terminal Service environment.

Final Words

Summing up his experience of the Blaster worm, Kadwill remarks: "To survive in today's modern Internet environment, an organisation of our size needs good people, good systems and good planning. Luton has all three and with them, the confidence of knowing that when we do make a mistake, that these three elements are the key to solving any problem, however large, with confidence".

For further information, contact Detlef Eckert at Microsoft on: detlefeckert@microsoft.com
