There is little doubt that the use of cloud computing technologies is increasing significantly. The flexibility and utility nature of cloud resources versus using traditional dedicated infrastructure is a compelling consideration for the UK Public Sector, who are being challenged to deliver ever-more effective citizen facing applications and functionality against a backdrop of budget reductions and austerity initiatives. However, potential cloud customers need to undertake appropriate due diligence to ensure that their use of cloud service supports these objectives, rather than adding new challenges.
Following the introduction of the recent “Government Security Classification Policy”, about 90% of UKPS data is now classified as “OFFICIAL”. However, OFFICIAL covers a diverse range of data – from public facing websites and consumer literature through to personal, sensitive information that should not be accessible from the internet – so understanding the sensitivity of data is essential if a suitable cloud service is to be sourced to help manage, process, store or transmit it in some way.
For customers to make an informed decision, cloud service suppliers should willingly be sharing accurate information about the capabilities and characteristics of their services. The Government now uses “14 Cloud Security Principles” to identify and benchmark such features, and these are the basis of the 50+ questions in the Digital Marketplace, from where customers can match the risk appetite of their organisation to the services offered by different suppliers.
As the sensitivity of data increases, so should the maturity and complexity of the security controls which protect the cloud service. Proper consideration should be given, for example, to the security clearance of personnel, the physical security of the data centre housing the cloud infrastructure, how the data might be protected by encryption tools and the data deletion technology that erases sensitive data before resources are reallocated to the next cloud customer.
In many of these examples, the availability of credible, independent evidence will make a significant contribution to the customer’s assessment. The existence of recognised certifications such as PSN, ISO27001 and Cyber Essentials helps, as does satisfactory security test results such as those provided by the CREST, CHECK or Tiger schemes. Comfort can also be drawn from other available security evidence, for example if the supplier’s cloud services were previously accredited for G-Cloud by a CESG Pan Government Accreditor.
The flexible nature of cloud services may raise concerns as to the actual location of the customer’s data, and hence the data protection legislation that may be in place. This is a consideration that becomes increasingly important as the sensitivity of the data increases: a landscape of changing European data protection regulations (GDPR) and issues surrounding the invalid nature of the US-EU Safe Harbor Agreement further complicates this issue. Citizens will expect that their sensitive data will be located within their own nation under recognised legislation, and cloud service customers need to give this appropriate consideration when assessing their options.
Whilst this appears to be a complex framework of requirements which needs to be properly evaluated, a combination of using Government-published guidance and information willingly sourced from credible and trusted cloud service providers will make a significant contribution to realising the benefits of using cloud services. As citizens, that means we will benefit from having improved access to more efficient on-line services, delivered by more cost effective projects, and providing us with confidence that our data will be kept safe.