Opinion

Improving public sector cloud’s security framework

Seeding the public sector cloud: data classification, security frameworks and international standards

Cloud has become a standard tool for the private sector over the past few years. Some of the top cloud service providers are seeing revenues double each year, and this is predicted to be the start of a sustained period of growth for cloud services.

Government and the public sector are lagging behind the private sector, with only five percent of a country's IT budget spent on cloud technology. Numerous blockers have prevented the take-up of cloud in the public sector, and uptake is likely to increase quickly once these issues are addressed.

The benefits of the Cloud are clear, particularly for public rather than private cloud: the economies of scale, demand diversification and multi-tenancy of public cloud are estimated to drive costs down by up to ninety percent compared with an equivalent private cloud.

The classic NIST definition of the Cloud specifies Software (SaaS), Platform (PaaS) and Infrastructure (IaaS) as the main Cloud services (see figure 1 below), where each is supplied via network access on a self-service, on-demand, one-to-many, scalable and metered basis, from a private (dedicated), community (group), public (multi-tenant) or hybrid (load balancing) Cloud data centre.

Figure 1: Software as a Licence to Software as a Service: the Cloud Service Model Continuum

Studies consistently show that management of security risk is at the centre of practical, front-line worries about cloud take-up, and that removing those worries will be indispensable to unlocking growth. Demonstrating effective cloud security management is central to cloud adoption by the public sector and a key driver of government cloud policy.

A number of governments have been at the forefront of developing an effective approach to cloud security management, especially the UK which has published a full suite of documentation covering the essentials. 

The key elements for effective cloud security management have emerged as:

  • a transparent and published cloud security framework based on the data classification;
  • a structured and transparent approach to data classification; and
  • the use of international standards as an effective way to demonstrate compliance with the cloud security framework.

Data classification enables a cloud security framework to be developed and mapped to the different kinds of data. Here, the UK government has published a full set of cloud security principles, guidance and implementation advice dealing with the range of relevant issues, from protection of data in transit through to security of the supply chain, personnel, service operations and consumer management. These cloud security principles have been taken up by the supplier community, and tier one providers like Amazon and Microsoft have published documentation based on them in order to help UK public sector customers make cloud service buying decisions consistent with the mandated requirements.

Data classification is the real key to unlocking the cloud. It allows organisations to categorise the data they possess by sensitivity and business impact in order to assess risk. The UK has recently moved to a three-tier classification model (OFFICIAL → SECRET → TOP SECRET) and has indicated that the OFFICIAL category ‘covers up to ninety percent of public sector business’, such as most policy development, service delivery, legal advice, personal data, contracts, statistics, case files and administrative data. OFFICIAL data in the UK ‘must be secured against a threat model that is broadly similar to that faced by a large UK private company’, with levels of security controls that ‘are based on good, commercially available products in the same way that the best-run businesses manage their sensitive information’.

Compliance with the published security framework, itself based on the data classification, can then be evidenced through procedures designed to assess and certify achievement of the cloud security standards. The UK’s cloud security guidance on standards references ISO 27001 as a standard against which implementation of its cloud security principles can be assessed. ISO 27001 sets out control objectives for managing information security, together with the controls themselves, against which an organisation can be certified, audited and benchmarked. Organisations can request third-party certification assurance, and this certification can then be provided to the organisation’s customers. ISO 27001 certification is generally expected of approved providers of UK G-Cloud services.

Only a combination of effective cloud security, data classification and recognition of international standards can remove the blockers of public cloud and enable the benefits to be seen.


Richard Kemp is founder of Kemp IT Law. He is author of the white papers ‘Seeding the Global Public Sector Cloud, Part I - A Role for International Standards’ and ‘Part II – The UK’s Approach as Pathfinder for Other Countries’.

