The IT landscape of municipalities has expanded and become complex in a short period of time. Eindhoven, for example, has some 500 servers. But large, medium or small, no municipal organization can do without IT. How do you keep such a complex IT environment manageable and, above all, secure?

As part of the Samen Organiseren (Organizing Together) movement, VNG Realisatie is working to increase collectivity in ICT facilities by developing the Municipal Common Infrastructure (GGI). Data networks are under constant threat from hackers and other security risks. It is therefore important to make the infrastructure more secure and increase the digital resilience of municipalities. Municipalities want to do this together with GGI-Veilig. With GGI-Veilig, a portfolio of products and services is put together and tendered for the design, implementation and assurance of the information security process. The count now stands at more than 220 participating municipalities.
More clout
For Youri Lammerts van Bueren, CISO at the BUCH municipalities (Bergen, Uitgeest, Castricum and Heiloo) and member of the GGI-Veilig expert group, joining GGI-Veilig is no more than logical: "The Information Security Service (IBD, the sectoral CERT/CSIRT for all Dutch municipalities) has given information security a considerable boost. At the same time, cyber threats are increasing. And as our IT environment becomes more complex, so does our vulnerability. What is happening on your network, how do you detect malware? What do you need to monitor? What requirements do you place on suppliers? Many municipalities do not have this expertise in-house and, moreover, setting up a Security Operations Center (SOC), for example, is very expensive. Therefore, in my opinion, the obvious thing to do is to participate in GGI-Veilig. You can then hitch a ride as an individual municipality on one tender. Without being obliged to buy everything. It also provides benefits in terms of supplier management. We have experience with this ourselves: we wanted to tender for a SIEM/SOC, but some parties did not submit a bid. They thought we were not interesting, too small. As a collective, preferably of all municipalities, and together with VNG Realisatie, we have much more clout and are interesting to suppliers."
Quality improvement
Lammerts van Bueren knows the hesitations of many municipalities. What about existing contracts, and our own functional requirements? 'Within GGI-Veilig these are framework agreements; customization remains possible and current contracts are respected. For example, we are developing a whole new IT environment here because of the official merger of the BUCH municipalities. These are long processes and some things we may not need for another three years. But by joining the framework agreement now, we can think along and succeed quickly later. I advise every municipality to think about that longer term. Perhaps you already have a firewall, but not all kinds of other preventive measures. You can then acquire these via tender from GGI-Veilig when you need them. Incidentally, it's more than just buying the equipment; committing to GGI-Veilig also forces you to think about policy and process design. In fact, it's one big quality step.'
Base
Eindhoven is known as a community of techies. Expert group member and security manager Geert Bax and his team started logging the systems at the security level a few years ago. "But we have about 500 servers here and two security people; that's not doable. So we started looking into security information and event management (SIEM). A SIEM logs and monitors and turns the information into relevant reports. That turned out to be far too expensive for an individual municipality, so we ended up going to the market to purchase a kind of stripped-down custom SIEM. That worked out, and we think the knowledge we gained from that can be very useful to other municipalities. Incidents that we encounter here naturally happen elsewhere. Exactly that, that sharing and solving together, is the basis of GGI-Veilig. I dream of a kind of super-SIEM and super-SOC, from IBD, which can 'see' all municipalities and make threat analyses for all municipalities."
Everyone benefits
Bax realizes that participating in GGI-Veilig takes time; after all, it forces you to think carefully about the organization of security. That's a sour apple that we all have to bite through, but once you've done that it delivers so much. I can now use SIEM to look into those 500 servers at once and see if there have been any attacks or threats. And the apple becomes less sour for each subsequent municipality because the route has already been taken once. Once you have figured out in one municipality what a particular notification means, the other 379 just have to adopt that. That's going to make a huge difference in processing times. So if all municipalities use a collective offering of products and services for operational information security, we all benefit. The gain is not only in lower costs, it's also about the capacity you have available. By municipal standards, we have a decent IT team of sixteen people, but we really can't manage it all ourselves. With all these municipalities together, we have so much expertise, one municipality at the network level, the other at the application level. We have to take advantage of each other's strengths: for example, we are typical techies, in the BUCH municipalities they are stronger in the processes. Ultimately, all that technology has to be tuned into those processes. That is also a huge advantage of GGI-Veilig: it gives municipalities the opportunity to exchange use cases. Working together makes it easier to incrementally increase one's own digital resilience and that of the entire common infrastructure.
Municipalities can still sign up for GGI-Veilig by sending the signed application form to VNG.
