Ewan Davis wrote
> Subject: RE: Locality Communications
> I find John's comments rather strange. Are we not already being asked
> to pay through the nose for security on NHS (the belt braces and
>spare pair of trousers approach to authentication to name but on
>
I don't know what you are being asked to pay for security. But if it
is anything more than the cost of running a CERT activity, to alert
you to hazards, then it is too much.
> The security model applied to NHSNet is inappropriate seeking as
> it does to provide security at the perimeter and assume all
> authorised user can be trusted.
This does seem to be what is proposed, and it is a complete nonsense.
It won't keep out the hackers, it may induce a false sense of
security, and it will almost certainly make life harder for those
users who have a good and proper reason for crossing the boundary
between the NHSNet and the rest of the world. As I have pointed oput
before, the real threats to security come from within the NHS, which
probably employs about 10,000 folk with criminal tendencies. Add to
this the fact that there are also large numbers of folk in Central
Governement and the like who would love to get access to patient
records, sometimes for good reasons, but not always, and the use of a
firewall to coral off the rest of the world begins to look decidedly
shakey.
>
> Adequate security requires simple firewall protection between the
> network and end systems and message content needs to be protected
> via encryption. This can probably be provided at lower cost than the
Absolutely right. Encryption, and the other associated services,
(authentication, signatures, non-revocation) can all be provided at
low cost, by distributed methods. The only one that I know cannot be
provided in this way is time stamping, which does need a universally
accepted clock operated by a Trusted Third Party; but that will
surely be offered on a commercial basis.
>
> We can forget white paper targets until NHSnet is repositioned to
> recognise the impact that the Internet has had on wide area
> networking. A review of the security model is an important part of
> this.
>
Agreed.
Mike Wells
***************************************************
* M. Wells *
* 9 Hall Close *
* Bramhope *
* Leeds LS16 9JQ *
***************************************************
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|