Seamless Wi-Fi across public services could transform everything from disaster response to health and social care. As 'eduroam for the public sector' is rolled out across the country, we explore how it is working.
On Boxing Day 2015, Leeds city centre lay under water. Unprecedented rainfall swelled the River Aire to record levels, before bursting its banks and wiping out roads, bridges, buildings and power networks. It was just one of a series of floods that devastated the north-west of England and Wales.
The city’s emergency response teams – fire and rescue, police and the Highways Agency – couldn’t use their normal buildings, which were waterlogged, to coordinate the response. One year later and the city would have had govroam in place as part of the Yorkshire and Humberside Public Services Network (YHPSN), which would have meant they could all access their networks from elsewhere. With govroam, the city’s integrated response plan shouldn’t flounder.
Disaster recovery is an extreme example, but the potential of federated roaming technology in public services should not be underestimated.
“It’s massive,” confirms Jon Browne, YHPSN programme lead. “The free movement of people between organisations is going to be critical and govroam is one of those fundamental building blocks. By itself it doesn’t do anything, it attaches you to a network and authenticates you to use a connection back to your organisation. But it’s what that then enables you to do…”
“Seamless” is the word that comes up again and again when talking about user experience: and as Leeds’ flooding response proves, that one simple capability unleashes a tidal wave of possibility.
govroam is eduroam for public services: the same technology and philosophy, for a different community. It allows public services staff visiting another connected institution to log on to Wi-Fi using the same credentials they use at their home institution. Once the profile is installed, the connection happens automatically, without the need to register individually or reconfigure the device when you arrive at each new site.
There are many ways of doing this, but eduroam was the obvious model of choice: it has reliable, tested technology, open source RADIUS server options and simple, non-proprietary architecture. It can scale to support any number of sites and isn’t limited to specific Wi-Fi technologies – and everything can be installed, supported and managed by a single point of contact.
Individual councils and public service networks (PSNs) have been working on regional roaming capabilities for years. Yorkshire and Humberside have well over 60 partners wanting to use theirs – “they’re queueing up!” says Browne – including all county and unitary councils, three-quarters of police forces, two transport organisations and most health trusts.
“And that’s just in the region,” Browne continues. “You’ve then got border areas such as Bradford, who want to go over into Lancashire, but can’t at the moment – as soon as you’ve got govroam, you can go anywhere.” It became clear that public services were facing a stark choice: fragment into multiple, incompatible islands, or standardise. The national infrastructure went live in September 2016.
The challenge of going national, says David Hayling, head of IT infrastructure at the University of Kent, was “establishing trust in terms of understanding each other’s requirements”. eduroam provides a simple internet access mechanism for students, staff and researchers.
Public services handle sensitive data on deliberately siloed corporate networks. Setting up shared PSNs – a link between organisations – is one thing, but authorities were struggling to cooperate further because of differing security requirements. “Each legal entity – county council, borough councils etc – had to individually sign to say they complied, and provide documentation to demonstrate that,” explains Hayling.
It meant multiple, duplicating, inefficient systems. To share wireless access, you need to provide public Wi-Fi or temporary guest permits. If people are working remotely, they need 3G/4G dongles.
“The higher education people were in these meetings,” recalls Hayling, “sitting there aghast: we cracked this years ago! We’ve got the answer and 20 years’ experience. eduroam works.”
There are certainly challenges applying it to public services, he concedes, but nothing govroam can’t accommodate: “it’s flexible enough to separate out layers of what people are trying to achieve.”
govroam uses end-to-end encryption (AES as part of 802.1X tunnelling) to ensure private user credentials are only available to a user’s home organisation for authentication; they are never exposed over the air or accessible by the visited site’s infrastructure, so spoof networks set up with the aim of harvesting credentials have very little opportunity to access them. It’s easy to use, but also removes the opportunity for user error. Fundamental to the trust model of govroam is the assurance that all users are bona fide government workers or their representatives.
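An added example, not part of the original article or of Jisc's own tooling: the protection described above depends on the device profile checking the home organisation's server before it opens the tunnel, and this Python audit flags a wpa_supplicant network block that omits those checks. The PEAP method, the council.example realm, the certificate path and both sample profiles are constructed assumptions.

```python
import re

# Constructed sample profiles in wpa_supplicant network-block syntax (not from the article).
HARDENED = '''
network={
    ssid="govroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@council.example"
    anonymous_identity="anonymous@council.example"
    ca_cert="/etc/ssl/certs/home-org-ca.pem"
    domain_suffix_match="radius.council.example"
    phase2="auth=MSCHAPV2"
}
'''
WEAK = '''
network={
    ssid="govroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@council.example"
    phase2="auth=MSCHAPV2"
}
'''

def parse_network(block):
    """Return key/value pairs from one network={...} block, quotes stripped."""
    pairs = re.findall(r'^\s*(\w+)=(.+?)\s*$', block, flags=re.M)
    return {k: v.strip('"') for k, v in pairs if k != "network"}

def audit(block):
    """List missing settings that would let a spoofed access point see identity or credentials."""
    cfg, findings = parse_network(block), []
    if cfg.get("key_mgmt") != "WPA-EAP":
        findings.append("not using 802.1X (key_mgmt is not WPA-EAP)")
    if "ca_cert" not in cfg:
        findings.append("no ca_cert: any server certificate is accepted")
    if not any(k in cfg for k in ("domain_suffix_match", "domain_match", "altsubject_match")):
        findings.append("no server name match: any certificate from the CA is accepted")
    # Assumption: the federation routes requests by the realm of the outer identity.
    outer = cfg.get("anonymous_identity", cfg.get("identity", ""))
    realm = outer.partition("@")[2]
    if not realm:
        findings.append("outer identity has no realm: request cannot be routed home")
    elif "anonymous_identity" not in cfg:
        findings.append("no anonymous_identity: real username is sent outside the tunnel")
    return findings
```
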
However, while the authentication and access security checks are protected, the communication is still Wi-Fi, so the answer for Hayling was as simple as reminding people to separate out two ideas: the network they’re connecting to, and the level of security assurance they need. govroam allows participating organisations to still deploy their own encryption or VPN.
“That’s what the National Cyber Security Centre does with its stuff,” Hayling says, “VPN back after connecting through govroam”. What govroam offers is the assurance that “you are connecting to a genuine network you can trust, but to keep a higher level of assurance you take your own steps. If a school provides students with mobile devices, for example, the school configures the device to provide internet filtering necessary to the user of that device.”
So what’s the potential of this for public services? The first is simply efficiency. Imagine a child is going to be spending a long time in hospital and needs education on the ward. The schools network can deliver that, so teachers come in and use govroam to connect. But say the child also needs social care support; their care worker can also come in and complete their notes. The NHS has plans to introduce Wi-Fi into all hospitals, but only with a roaming network would doctors be able to access patient records quickly and securely during rounds. Simply being in a different location need no longer be a barrier to working in a familiar way.
But govroam could also be transformational. Take integrating health and social care. What if Wi-Fi providers support govroam on a backchannel, suggests Browne; when care workers do home visits, they could automatically connect and access client records. He tells of an elderly woman who fell down in her bathroom. She couldn’t move so an alarm system was useless, but sensors installed in her house noticed she’d gone in but hadn’t come out, and called an intervention.
“Now if the care person going in had govroam,” Browne posits, “they could straight away look up the integrated care record and know ‘don’t give this person paracetamol, she’s allergic’, even if it’s not her regular care worker”. Together, it means you can enable people to continue to live in their own homes for longer and save money on care visits. “You’re saving lives through new technology backed off into govroam. Now we have a national solution, we can start thinking about these things. Suddenly we’re building a picture very different to the current situation.”
govroam will also be critical in helping local authorities cope with budget cuts. Site sharing with govroam would enable multiple organisations to share a physical location and connect over a single network connection. “So many public sector buildings are inherited from the Victorians,” says Browne. “It’s expensive, inefficient and in the wrong place. We’re shutting police stations, so police now have to drive to their beat, which adds expense and delay because that becomes part of their shift”.
Why not repurpose parts of local libraries, he asks. “govroam can give police access to their resources. Now you’ve got a reason for keeping the library open and a bobby starts his beat in the right place. These sorts of technologies free you up from being restricted to certain buildings and certain places. It can have a massive impact on the way we deliver services.”
Leeds is developing multi-tenanted sites, explains Browne, “in which you have people in one building working with police, health and parole services”. Using a single connection with multiple corporate LANs delivered over it, each organisation specifies the data layers it wishes to use, and these are delivered over one connection and then broken out for use by each organisation.
“That used to require segregation within offices: police desks here, social care there. With govroam, any worker can use any desk: your govroam authentication is captured by the building itself. Once it’s authenticated you, it works out the appropriate conditional access and reconfigures the network to extend, say, the police corporate network to your device. For that session, while you’re there, that desk becomes a police desk. If the next person to use it is in health, it then extends the health network”. This doesn’t just save money on desks and floor space: “it’s a way of encouraging interaction, freeing people up, promoting collaborative working. Anyone can operate anywhere. That’s massive.”
This kind of thinking is just the beginning, for Browne. Once it’s fully integrated into the public sector’s ways of working, he believes “they will use it in ways I can’t even imagine. govroam’s potential is limited only by our imagination.”
For now, there is a formal agreement that govroam and eduroam don’t connect, but it’s fundamental in many spaces that both are in place. NHS hospitals, providing care and training simultaneously, are a case in point. All they need to do, says Hayling, “is deploy a two-broadcast service – govroam, eduroam – with appropriate configuration behind the scenes, and they could deliver all the services they need to all their students and staff.”
People using it would only need to configure one device to use these two services: it would connect you automatically to the appropriate network. And, he says, “if organisations do it at the same time, the extra cost and configuration effort is small.”
“In Kent,” says Jeff Wallbank, former head of Kent Public Service Network, “every local authority has rolled out govroam: all public sector organisations work in any buildings, and are setting it up in parallel with eduroam. The question now is, can universities and colleges roll out govroam in their buildings?”
Kent PSN has more than 370,000 users across nearly 1,200 sites including health, schools, universities, fire and rescue, FE colleges and business parks, district and county councils, libraries, hospices and leisure centres. govroam itself is currently available at 250 sites and growing.
“Kent helped really drive this forward,” says Matt Ashman, founder and director of Khipu Networks, the company which helped deliver the pilot and now offers a govroam “one-stop-shop service” for organisations who don’t have the skills or time to configure their own in-house systems (Jisc runs govroam; Khipu offers the option of a fully managed commercial service which enables public sector organisations to offer eduroam and govroam fully supported and maintained). Kent, continues Ashman, “is the flagship project which has delivered govroam across the entire county”.
“The challenge,” he reflects, “is we have to get a community together – there is no point deploying govroam into one hospital as a standalone, we need lots of hospitals where staff are working together”.
Wallbank also wants to see a common standard rolled out across the country. govroam was recently deployed for the first time in London, and the next step is convincing central government, whose sites are more widely dispersed: job centres, HMRC centres, prisons, courts and more. All these services tend to share buildings with other public sector organisations, but operate on separate networks. Wallbank wants “a set of standards; govroam or some form of national roaming needs to be standard. Then theoretically anybody delivering services can occupy anywhere with ease, temporary or permanent.”
Wales already has an aggregated public sector broadband service. “A simple SSID change, link to Jisc’s central national server and it’s rolled out in Wales… We’re having the same conversation in East Sussex,” Wallbank continues. “Connect their regional RADIUS server to Jisc’s RADIUS server, we’ve got govroam.” Then, who knows.
It won’t be long before a trickle becomes a deluge. “Senior officers in local authorities come up to me,” says Wallbank, “and say, ‘govroam isn’t half good, why haven’t we done this before?’”
Find out more at Networkshop
Mobility is one of the topics we'll be covering at this year's Networkshop, which is taking place in Nottingham from 11-13 April 2017.
Join us on the first day of the event for the parallel session on this topic, including a talk on govroam. Full details for all this year's sessions can be found in the Networkshop45 programme.
You can join the conversation on Twitter using #nws45.