How to ensure robust DNS services for the public sector
Reliable IT services are at the heart of modern society. Sweden ranks as one of the most digitalized and digitally competitive countries in the world [1], which makes it even more important for the public sector to have a clear strategy for IT services especially when it comes to ensuring security against cyberattack. The European Union Agency for Cybersecurity (ENISA) noted in their Threat Landscape Report 2022 that the public administration sector experienced the most high impact security incidents, incurred the worst economic losses and suffered the most reputational damage as a result of cyberattacks [2]. The report also noted that Distributed Denial of Service (DDoS) attacks with a geopolitical cause were on the rise and that DDoS was now a clear part of cyberwarfare strategies [3].
So, what do public sector organisations need to know to ensure they are protected and that their DNS services as secure and robust as possible? Netnod and Excedo have put together a checklist of 10 questions that every public sector organisation should ask their providers here.
To take a closer look at the challenges facing the public sector, we spoke with Joel Söderman from Excedo, who has extensive experience working with public sector networks in Sweden with a focus on ensuring robust and reliable DNS services.
1. Why is it so important for the public sector to have reliable IT services?
Given that the services provided by public sector organisations are essential for society, these organisations need to ensure their IT strategies are up to date and focused on security, resilience, and redundancy. In addition, these organisations need to make sure that they follow all relevant regulations (such as the NIS2 Directive) for providers of critical infrastructure.
It is vital for the public sector to have a clear strategy for IT services especially when it comes to ensuring uptime and mitigation against attacks. We’ve seen some recent examples of key public services suffering major outage. More troubling is the dramatic increase in recent months of high-profile cyberattacks aimed at Swedish public sector organisations.
2. What are the main issues affecting how public sector organisations select IT service providers?
You often find a certain amount of inertia and uncertainty in the public sector. This is evident when these organisations make public tenders, and you see that they are not sure of the overall requirements they should fulfil or the level of compliance they should ensure. This often comes from an outdated view of both technology and the regulatory structure for providing critical services.
3. How do these issues affect the DNS services used by the Swedish public sector?
A lot of public sector organisations haven’t changed their DNS services for many years which means they are a long way from fulfilling today’s requirements and meeting the challenges posed, for example, by a rise in attacks targeting the public sector.
Most often, we see organisations using third-party providers who are not supporting them with the correct level of service, support, and regulatory compliance. These providers tend to be used more for legacy reasons than anything else. They are not usually focused on serving public sector needs and are more suited for private individuals or small enterprises. But because this is the established provider and no one internally wants to change the status quo, the situation continues.
This also connects to the second common theme: a lot of in-house DNS knowledge is usually concentrated in one individual within an organisation. What happens when that person leaves?
4. What should public sector organisations expect from their IT providers?
You need experts who are proactive in ensuring you are up to date with all relevant regulations. For example: do you know your local regulations when it comes to DNSSEC? If not, why hasn’t your provider ensured you are running services compliant with these regulations? I think the best providers are the ones you build a continued relationship with over time and who you can trust to give you the right advice.
Your provider should be able to guarantee redundancy. One red flag is if all the name servers for your DNS services are in the same Autonomous System (AS). It just takes one BGP misconfiguration for you to fall off the Internet!
You also want a provider that ensures redundancy not just in terms of your IT services but also your in-house personnel. If a key person leaves the organisation, you need to ensure that their successor can continue to work effectively, and that no essential knowledge is lost.
5. How does Excedo support public sector organisations?
In our work, which has a focus on municipalities in Sweden, we know how specific their needs are and the depth of technical knowledge and hands-on support required to meet these needs. DNSSEC is a good example again here as it can be complex to implement, and we often see problems when this hasn’t been done properly.
We have a legal department who keep track of requirements and proactively see if municipalities are following these requirements. We do everything we can to make sure customers are 100% compliant.
Our other focus is to guarantee 100% uptime backed up by an SLA. If we think you won’t benefit from our services, we are honest about this. But for organisations providing critical infrastructure, we are focused on offering the most secure, redundant, and compliant service available.
Download our checklist of 10 questions that every public sector organisation should ask their DNS providers here.
About Excedo Networks AB
Excedo Networks AB is a leading Swedish digital security and intellectual property management company. With over 20 years of experience, Excedo Networks AB provides premium products and services to governmental and large enterprise clients with a global presence. For more information, visit www.excedo.se
Endnotes
[1] https://www.imd.org/centers/world-competitiveness-center/rankings/world-digital-competitiveness/
[2] https://www.enisa.europa.eu/publications/enisa-threat-landscape-2022,pp.15-17.
[3] https://www.enisa.europa.eu/publications/enisa-threat-landscape-2022, p.73.