Australian cloud computing chauvinists are prepping the “#GovDoesn’tGetIt” hashtag after the Australian National Audit Office (ANAO), with a bit of help from the spooks in the Defence Signals Directorate, identified services like Hotmail and Gmail as key vulnerabilities in government information security. As noted many years ago …
One of our politicians (I think it was one of ours)...
...several years back, admitted he couldn't watch Yes Minister because it was too disturbingly close to reality.
Back in the day PM&C were convinced their network was "highly protected" when it was only "protected". "We need access to the HP room." "Why? Your boxes are here." "No, they're in there." "Hmm, let's go in the HP room and SSH into your boxes from there."
Yes Minister script writers could have turned that into pure green.
Paris - 'cause she knows where her box is
Britain is as bad
The NHS in the UK has done better than that. They have set up their own webmail system!
It has been officially labelled as secure. Staff are being told to use it to send confidential data from one location to another. They are told that as long as they send to another address on this system, it is secure. Presumably, they have ignored the possibility of anyone reading it from an insecure computer. Yes, it can be seen on non-NHS computers - public libraries, your own virus-ridden one or apparently ones abroad if you ask them.
Let's have a competition to see who can have the biggest official security hole.
To be fair, it's more secure than using just about any desktop mail client, assuming you allow it to be used on anything other than heavily locked-down, IT-controlled desktops.
In reality it needs to be accessed from many more locations and devices than IT could ever provide support and assure security for, so yeah, webmail is okay. I'd add 2-factor security for unknown / new login locations but that's all (needn't be too onerous, SMS would do).
The NHS Trust my husband works at has provided an MS Exchange/Outlook webmail service in recent years. This does require interaction with his phone to get a session-specific code by text message - which was better than the previous system.
Unfortunately they allow him to set up forwarding rules from his system to ANY external address. This means that he can and does receive all sorts of confidential material when he switches on his out of office reply and forwarding.
Inept staff in the NHS, generally female managers above him, seem to delight at copying as many people as possible on trivial matters - without ever trimming material.
Posting anonymously this week as he is being made redundant from the end of next week.
Are you sure about that?
I lost access to NHS.net on my home PC, 2 years ago. Could only get to it over an N3 connection, last time I tried (admittedly, this was a while ago).
There is a difference...
State handles "confidential information" - It SHOULD leak. Sometimes it MUST leak.
State also handles "privacy-sensitive information" data - It SHALL NOT leak.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.