Secure government IT

Government shared communication solution
VY network provides users with secure access to services
Lasse Melkko
The Treasury,
Government IT Shared Service Centre
VY network
• Background
• Services
• Service points
• How to join the network?
• VY network as a VIP communication service
• Pricing principles
Lasse Melkko / VIP
23.3.2012
VY network
Background
• What is the VY network?
• Government complete network solution
• Benefits for the agency
• Security and reliability
VY network
Government shared secure communication solution
• The VY network provides government agencies with quick, reliable and secure access to government shared services, other agencies, and external services, such as the Internet. The VY network forms an intranet service between the government agencies that have joined it.
• Offices are connected to each other and the shared services via a common, secure and verified Connection Hub.
• Centralised data security services include firewalls, antivirus programmes, the prevention of denial-of-service (DoS) attacks, and intrusion detection and prevention systems (IDS/IPS).
• VIP Expert Service Point combines the problem solving of government shared services and data communications in one location.
• Office-specific access networks are acquired through a Hansel framework agreement.
VY network
Government complete network solution
VY network
General architecture
VY network
Benefits for the agencies
• Reduction of total costs of communication services
  • Removal of overlapping solutions, specifically those related to Internet and server farm connections and data security services, generates cost savings at government level.
  • Centralisation of management and control functions frees up person-years for other tasks, especially among administrative-system and problem-solving staff.
• Flexibility for network changes
  • Introduction of shared services is simplified and greater flexibility is introduced to network changes arising from organisational restructuring.
VY network
Benefits for the agencies
• Data security management becomes easier
  • The network utilises a Connection Hub, along with office interfaces designated according to its architecture, and provides an internal communication environment for government agencies that is compliant with security level III for mail transfers.
  • A complete network solution with proper data security management facilitates achievement of the required level of data security set for government agencies.
• Improved level of service for most users
  • By exploiting the economies of scale concept, the service level of data communications can be improved for most users.
VY network
Security and reliability
• Always available without disruptions
  • The connections of the Connection Hub and the related services have been geographically dispersed and secured.
• Contingency planning factors have been given strong consideration
  • VY network operations are carried out at an increased level of data security and contingency planning.
  • Access to the network is also secured during disruptions to normal conditions.
  • Data communications are contained inside Finland's borders and the related services are provided by Finnish staff.
  • A smooth changeover between service providers has been taken into consideration.
  • Annual data security audits are performed on the VY network.
VY network
Security and reliability
• Technical data security
  • Each client's data communications run within the client's own virtual networks
  • Firewalls and prevention of malicious traffic for all interfaces
  • Intrusion detection and prevention system (IDPS) protects against problems arising from malware
  • Internet connections are dispersed amongst various service providers
  • Prevention of DoS attacks is carried out in the ISP's network
  • Connection Hub's internal domain name system, time server and email transfers are not dependent on an Internet connection
  • Malware and spam filtering included in SMTP (email) and HTTP (browser) communications
VY network
Services
• Basic services
• Network access services
• Internet services
• Service points
  • VIP Expert Service Point VIPPA
  • Data Communication Management and Service Point HAPPI
  • SMTP and HTTP Communication Service Point SÄPPI
VY network
Basic services
• Connection Hub – geographically dispersed, quick and secure nodal point for communication services
  • Multiple access via fast VPN/VLAN interfaces at L2 or L3 levels
  • Network partitioning or reconfiguration into virtual networks is conducted in the Connection Hub perimeter
  • Firewalls, filtering and intrusion prevention systems between all interfaces
  • Transfers go unmodified via the Connection Hub
  • Service Level Agreement (SLA) meets, for example, the requirements of VoIP services
  • Available for use: quality classification, address modification, IPv6, multicast
• Infrastructure services
  • Internal and public domain name system, time server, email transfer service
VY network
Network access services
• Client networks
  • Client agencies usually access via client networks using MPLS/VPN interfaces of a specified ISP's main network
  • Connection Hub houses the nodal points of major ISPs
  • Physical access is also possible
  • Communication transfers are filtered and restricted at the perimeter of the Connection Hub
• Server farms
  • Similarly, server farms gain access via ISP connections, but physical access is also possible
  • The Connection Hub interface always includes a firewall and IDPS
VY network
Internet services
• Verified and secure Internet connection
  • Two operators provide back-up services for each other
  • Filtering, IDPS, prevention of DoS attacks
• Transfer of SMTP and HTTP communication (IRHS)
  • SMTP communication is also possible when the VY network's external connections have failed
  • Secure; complies with the government data security and contingency planning requirements
  • Can be tailored to meet client-specific needs
  • Government internal data communications are centralised within the VY network; TLS encryption method can be adopted for external connections
  • Envelope encryption can be adopted per mail
VY network
Internet services
• SMTP/HTTP malware filtering and SMTP spam filtering (IRHS)
  • Can be tailored to meet a wide range of needs or client-specific needs
  • Reputation-based filtering evolves and adapts according to new types of threats
• Government shared communication solution 'VYVI' uses IRHS to transfer and filter Internet mail
VY network
Connection Hub: architecture
VY network
Service points
• Centralised communication-related problem solving, provided according to a standardised level of service
• The VIP Service Point is a contact point for the client's main users
• Troubleshooting and requests for changes are forwarded to the ITIL-based service processes of service providers
• Government IT Shared Service Centre is responsible for the inspection of requests for changes and data security authorisations
• Troubleshooting tasks are delegated to third parties, if necessary
• HAPPI = Data Communication Management and Service Point (TeliaSonera), SÄPPI = SMTP and HTTP Communication Service Point (Elisa)
VY network
How to join the network?
• Whole government to join the VY network by 2014
• Deployment
• Present stage of deployment
VY network
Deployment schedule
VY network
Deployment
• Requirements for launching the deployment
  • At a minimum, the basic level data security audits have commenced
  • Service Agreement
  • Client card filled with basic information
• Deployment project schedule
  • Launched in an initial meeting that clarifies the action plan for the project and sets the objectives and eligibility criteria
  • Review of the client card information and agreement on future steps
  • Project Manager, assigned by TeliaSonera, is responsible for the project's progress and management of resources
  • Data communications service subscriptions are often ready for deployment after the initial meeting
VY network
Deployment update
[Figure: VY network, status matrix of joining projects by agency, dated 7.3.2012 / JTP. Each agency is shown with its user count and deployment progress in per cent. Legend: deployment complete; deployment project started; contract negotiations in progress; transition to full service; planned for 2012; not progressing as planned; (T) full-service client; (R) limited-service client; (P) service provider. The slide also carries a summary table of planned deployments (actual / planned) with clients and users per year (2010-2011, 2012, 2013-, total) for full-service and limited-service clients.]
VY network
VIP as a communication service
• Productised service
• Pricing
VY network
VIP as a communication service: pricing principles
• Absorption principle
  • Pricing remains the same regardless of the time of service deployment
  • Simple and transparent
  • Reviewed separately with each client
• Operating costs of the VY network do not cover
  • Linking the offices' networks to the operator's network (Hansel)
  • Arranging the client's own network systems' deployment of operation via the service provider's VY network connection
  • Service fees of other VIP services
VY network
Contact persons
Area of responsibility: name, tel.
Client Representatives
• Ministry of Finance, Prime Minister's Office, Office of the Chancellor of Justice: Pekka Nykänen, +358 40 849 2154
• Ministry for Foreign Affairs, Ministry of Employment and the Economy, Ministry of Social Affairs and Health: Mika Sormunen, +358 50 410 2281
• Ministry of Education and Culture, Ministry of the Interior, Confederation of Finnish Industries, President of the Republic of Finland: Heli Parkkonen, +358 50 375 2249
• Ministry of Agriculture and Forestry, Ministry of the Environment: Laura Salmi, +358 50 597 0776
• Ministry of Transport and Communications, Ministry of Justice, Ministry of Defence: Risto-Matti Helminen, +358 50 566 2952
Other contacts
• VY network: Kari Likovuori, +358 50 396 0060
• Data Security Services: Kimmo Rousku, +358 50 566 2986
• Erja Kinnunen, +358 50 437 2417
Email: [email protected]
Government IT Shared Services Centre
Expert in IT service integration.
Fluent high-quality service provision.
We facilitate the client's everyday life.
Questions...
Comments...
Thank you!
<http://www.valtiokonttori.fi/vip/vy-verkko>
<[email protected]>