Government shared communication solution
VY network provides users with secure access to services
Lasse Melkko
The Treasury,
VY network
• Background
• Services
• Service points
• How to join the network?
• VY network as a VIP communication service
• Pricing principles
23.3.2012
Background
• What is the VY network?
• Government complete network solution
• Benefits for the agency
• Security and reliability
Government shared secure communication solution
• The VY network provides government agencies with quick, reliable and secure access to government shared services, other agencies, and external services, such as the Internet. The VY network forms an intranet service between the government agencies that have joined it.
  • Offices are connected to each other and the shared services via a common, secure and verified Connection Hub.
  • Centralised data security services include firewalls, antivirus programmes, the prevention of denial-of-service (DoS) attacks, and intrusion detection and prevention systems (IDS/IPS).
  • VIP Expert Service Point combines the problem solving of government shared services and data communications in one location.
  • Office-specific access networks are acquired through a Hansel framework agreement.
Benefits for the agencies
• Reduction of total costs of communication services
  • Removal of overlapping solutions, specifically those related to Internet and server farm connections and data security services, generates cost savings at government level.
  • Centralisation of management and control functions frees up person-years for other tasks, especially among administrative-system and problem-solving staff.
• Flexibility for network changes
  • Introduction of shared services is simplified and greater flexibility is introduced to network changes arising from organisational restructuring.
Benefits for the agencies
• Data security management becomes easier
  • The network utilises a Connection Hub, along with office interfaces designated according to its architecture, and provides an internal communication environment for government agencies that is compliant with security level III for mail transfers.
  • A complete network solution with proper data security management facilitates achievement of the required level of data security set for government agencies.
• Improved level of service for most users
  • By exploiting the economies of scale concept, the service level of data communications can be improved for most users.
Security and reliability
• Always available without disruptions
  • The connections of the Connection Hub and the related services have been geographically dispersed and secured.
• Contingency planning factors have been given strong consideration
  • VY network operations are carried out at an increased level of data security and contingency planning.
  • Access to the network is also secured during disruptions to normal conditions.
  • Data communications are contained inside Finland's borders and the related services are provided by Finnish staff.
  • A smooth changeover between service providers has been taken into consideration.
  • Annual data security audits are performed on the VY network.
Security and reliability
• Technical data security
  • Each client's data communications run within its own virtual networks
  • Firewalls and prevention of malicious traffic for all interfaces
  • Intrusion detection and prevention system (IDPS) protects against problems arising from malware
  • Internet connections are dispersed amongst various service providers
  • Prevention of DoS attacks is carried out in the ISP's network
  • Connection Hub's internal domain name system, time server and email transfers are not dependent on an Internet connection
  • Malware and spam filtering included in SMTP (email) and HTTP (browser) communications
Services
• Basic services
• Network access services
• Internet services
• Service points
  • VIP Expert Service Point VIPPA
  • Data Communication Management and Service Point HAPPI
  • SMTP and HTTP Communication Service Point SÄPPI
Basic services
• Connection Hub – geographically dispersed, quick and secure nodal point for communication services
  • Multiple access via fast VPN/VLAN interfaces at L2 or L3 levels
  • Network partitioning or reconfiguration into virtual networks is conducted in the Connection Hub perimeter
  • Firewalls, filtering and intrusion prevention systems between all interfaces
  • Transfers go unmodified via the Connection Hub
  • Service Level Agreement (SLA) meets, for example, the requirements of VoIP services
  • Available for use: quality classification, address modification, IPv6, multicast
• Infrastructure services
  • Internal and public domain name system, time server, email transfer service
Network access services
• Client networks
  • Client agencies usually access via client networks using MPLS/VPN interfaces of a specified ISP's main network
  • Connection Hub houses the nodal points of major ISPs
  • Physical access is also possible
  • Communication transfers are filtered and restricted at the perimeter of the Connection Hub
• Server farms
  • Similarly, server farms gain access via ISP connections, but physical access is also possible
  • The Connection Hub interface always includes a firewall and IDPS
Internet services
• Verified and secure Internet connection
  • Two operators provide back-up services for each other
  • Filtering, IDPS, prevention of DoS attacks
• Transfer of SMTP and HTTP communication (IRHS)
  • SMTP communication is also possible when the VY network's external connections have failed
  • Secure; complies with the government data security and contingency planning requirements
  • Can be tailored to meet client-specific needs
  • Government internal data communications are centralised within the VY network; TLS encryption can be adopted for external connections
  • Envelope encryption can be adopted per mail
Internet services
• SMTP/HTTP malware filtering and SMTP spam filtering (IRHS)
  • Can be tailored to meet a wide range of needs or client-specific needs
  • Reputation-based filtering evolves and adapts according to new types of threats
• Government shared communication solution 'VYVI' uses IRHS to transfer and filter Internet mail
Connection Hub: architecture
Service points
• Centralised communication-related problem solving, provided according to a standardised level of service
• The VIP Service Point is a contact point for the client's main users
• Troubleshooting and requests for changes are forwarded to the ITIL-based service processes of service providers
• Government IT Shared Service Centre is responsible for the inspection of requests for changes and data security authorisations
• Troubleshooting tasks are delegated to third parties, if necessary
• HAPPI = Data Communication Management and Service Point (TeliaSonera), SÄPPI = SMTP and HTTP Communication Service Point (Elisa)
How to join the network?
• Whole government to join the VY network by 2014
• Deployment
• Present stage of deployment
Deployment schedule
Deployment
• Requirements for launching the deployment
  • At a minimum, the basic level data security audits have commenced
  • Service Agreement
  • Client card filled with basic information
• Deployment project schedule
  • Launched in an initial meeting that clarifies the action plan for the project and sets the objectives and eligibility criteria
  • Review of the client card information and agreement on future steps
  • Project Manager, assigned by TeliaSonera, is responsible for the project's progress and management of resources
  • Data communications service subscriptions are often ready for deployment after the initial meeting
Deployment update
[Figure: VY network, status matrix of joining projects, 7.3.2012 / JTP. Agencies are grouped by ministry, each shown with its number of users and deployment progress in per cent. Status legend: deployment complete; deployment project started; contract negotiations under way; transition to full service; planned for 2012; not progressing as planned. Client type: T = full-service client, R = limited-service client, P = service provider. A summary panel lists planned deployments (actual / planned) by year for full-service and limited-service clients and users; final number of users: 86108.]
VIP as a communication service
• Productised service
• Pricing
VIP as a communication service: pricing principles
• Absorption principle
  • Pricing remains the same regardless of the time of service deployment
  • Simple and transparent
  • Reviewed separately with each client
• Operating costs of the VY network do not cover
  • Linking the offices' networks to the operator's network (Hansel)
  • Arranging for the client's own network systems to operate via the service provider's VY network connection
  • Service fees of other VIP services
Contact persons
Area of responsibility | Name | Tel.
Client Representatives
Ministry of Finance, Prime Minister's Office, Office of the Chancellor of Justice | Pekka Nykänen | +358 40 849 2154
Ministry for Foreign Affairs, Ministry of Employment and the Economy, Ministry of Social Affairs and Health | Mika Sormunen | +358 50 410 2281
Ministry of Education and Culture, Ministry of the Interior, Confederation of Finnish Industries, President of the Republic of Finland | Heli Parkkonen | +358 50 375 2249
Ministry of Agriculture and Forestry, Ministry of the Environment | Laura Salmi | +358 50 597 0776
Ministry of Transport and Communications, Ministry of Justice, Ministry of Defence | Risto-Matti Helminen | +358 50 566 2952
VY network | Kari Likovuori | +358 50 396 0060
Data Security Services | Kimmo Rousku | +358 50 566 2986
| Erja Kinnunen | +358 50 437 2417
Email [email protected]
Questions...
Comments...
Thank you!
<http://www.valtiokonttori.fi/vip/vy-verkko> <[email protected]>
Government IT Shared Services Centre
Expert in IT service integration.
Fluent high-quality service provision. We facilitate the client's everyday life.