Bournemouth Borough Council: Securing confidential information in email

Summary

Bournemouth Borough Council is the town’s elected local government service provider and sets policies for the town of Bournemouth in Dorset, England. Much of the information held by the Council is private, including personal information, data about schools and students, and Council tax records. U.K. legislation requires that the Council ensure the security of communications, and the Council’s own security policy states that confidential information in electronic communications must be encrypted. The Council needed an encryption solution that could meet a variety of regulatory, merchant, and citizen requirements; simplify IT management; and be transparent to end users.

PGP Solution

• PGP Universal™ Gateway Email

Customer Profile

• Largest provider of services for the 164,000 residents of Bournemouth
• Responsible for delivering a wide range of social services & ensuring ongoing economic development
• Maintains local roads/highways, protects the environment, & supports the town’s schools as well as sports, leisure, & entertainment facilities

Key Issues

• To help comply with relevant legislation regarding the electronic transmission of confidential information
• To meet citizen & local business requirements for protecting personal & private information
• To respond to government agency mandates for secure email communications

PGP Advantages

• An email encryption solution that could be deployed at the network gateway & that featured centralized deployment & management, including two-way policy control
• An easy-to-use product that required no user interaction, desktop software, or training
• Industry-accepted encryption based on standard algorithms from a recognized encryption leader

Background

When Fred Baert first joined the Bournemouth Borough Council 2 years ago as its Information Communication Technology (ICT) Security Officer, one priority was selecting an encryption solution to protect personal and confidential information. U.K. regulations such as the Data Protection and Freedom of Information Acts both required the Council to ensure the security of its communications. “Local government has to abide by those directives; however, it’s up to individual departments or bodies such as the Borough Council to implement them by choosing the right security solution,” Baert explains.

Another driver was the National Health Service (NHS), the organization that deals with social services and health care within the U.K. According to Baert, “The NHS was also a driving force for the use of secure email to exchange personal and health information with other agencies.”

In the past, Councillors and staff had several secure-messaging options from which to choose: virtual private networks (VPNs) for site-to-site communications, password-protected files, and traditional postal mail for exchanging sensitive information. “Although they were better than nothing, none of these solutions provided the level of protection I felt we needed,” says Baert.

Solutions Considered

The ICT Security Officer was familiar with encryption because he’d previously worked at Network Associates Inc. (now McAfee Inc.) and had used PGP® Desktop Email products. “Although desktop encryption has some benefits, the main problem for us is that most people typically don’t know how to use it,” he says. “End users often will forget to encrypt or lose their passphrases, which creates a lot of issues IT must address.”

Baert wanted a gateway solution that would streamline IT management and improve effectiveness by being user-transparent. “We don’t ask our users to scan emails for viruses or suspicious content because our AV and spam solutions are handled by IT at the network level. It just made sense to have a network-based encryption solution as well.”

He considered and tested other gateway solutions, but decided they didn’t offer the flexibility, centralized management, and two-way policy control options the IT group needed. “I was lucky PGP Universal was introduced right when I was looking for a network-based encryption solution,” he says. “The timing couldn’t have been better.”

Why PGP Universal?

The Council’s Information Communication Technology (ICT) Security Officer’s key secure-messaging requirements were automatic encryption, decryption, and digital signatures plus two-way policy control. “To my knowledge, none of the Council’s partners are using an encryption product, so I want to make the transition as easy for them as possible,” Baert says.

Although the Council’s email environment is predominantly Windows NT/Microsoft Exchange, some users are on Lotus Notes. PGP Universal Satellite’s support for Lotus Notes email clients means Baert can deploy the solution across the organization without worrying about compatibility issues.

According to Baert, the PGP Universal Web Messenger service was another definite advantage. “One section within the Council, called the Youth Offending Team, has special privacy requirements and was already using a separate secure webmail solution to transmit records via email across the Internet,” he explains. Selecting a product such as PGP Universal that includes a webmail-like option will allow Baert to offer the same flexibility to other end users as well.

PGP Competitive Advantages

The Council’s IT strategy is built around ease of use, scalability, and cost-effectiveness. “Installing software on individual computers, ensuring interoperability with existing applications, and training and supporting users are all time-consuming tasks that require considerable IT resources,” says Baert. “By moving functionality such as encryption from the desktop to the network, we can eliminate most of those costs and the end result probably will be less expensive on a per-user basis in the long run.”

As a former PGP Desktop Email user, Baert knew PGP encryption set the standard for good crypto techniques. “PGP is the market leader in encryption, so choosing a PGP solution seemed like the right thing to do,” he says.

Deployment Plans

The Borough Council’s ICT Security Officer will begin by running PGP Universal in Learn Mode so he can monitor the message logs and understand the organization’s communications patterns. Baert will then work with the IT heads of all departments to identify the domains to which they wish to send encrypted email and set policy accordingly.

Baert will also focus on providing education for end users and has begun exploring what questions they may have about email encryption. He says that other Borough Councils have already expressed interest in PGP Universal and is happy to serve as a technical reference for them. As he points out, “If other Councils end up adopting PGP Universal, communication will be much easier because a lot of email is exchanged between those domains.”