Cloud has become a standard tool for the private sector over the past few years. Some of the top cloud service provides are finding revenues doubling each year, and this is predicted to be the start of a sustained period of growth for cloud services.
Government and the public sector are lagging behind the private sector as only five percent of a countries IT budget is spent on cloud technology. There have been numerous blockers that have prevented the take up of cloud in the public sector and uptake is likely to increase quickly once these issues are addressed.
The benefits of the Cloud are clear, especially between the private and public cloud where public cloud economies of scale, demand diversification and multi-tenancy are estimated to drive down the costs of an equivalent private cloud by up to ninety percent.
The classic NIST definition of the Cloud specifies Software (SaaS), Platform (PaaS) and Infrastructure (IaaS) as the main Cloud services (see figure 1 below), where each is supplied via network access on a self-service, on-demand, one-to-many, scalable and metered basis, from a private (dedicated), community (group), public (multi-tenant) or hybrid (load balancing) Cloud data centre.
Figure 1: Software as a Licence to Software as a Service: the Cloud Service Model Continuum
Studies consistently show that management of security risk is at the centre of practical, front-line worries about cloud take-up, and that removing them will be indispensable to unlocking growth. Demonstrating effective cloud security management is central to cloud adoption by the public sector and a key driver of government cloud policy.
A number of governments have been at the forefront of developing an effective approach to cloud security management, especially the UK which has published a full suite of documentation covering the essentials.
The key elements for effective cloud security management have emerged as:
- a transparent and published cloud security framework based on the data classification;
- a structured and transparent approach to data classification; and
- the use of international standards as an effective way to demonstrate compliance with the cloud security framework.
Data classification enables a cloud security framework to be developed and mapped to the different kinds of data. Here, the UK government has published a full set of cloud security principles, guidance and implementation dealing with the range of relevant issues from data in transit protection through to security of supply chain, personnel, service operations and consumer management. These cloud security principles have been taken up by the supplier community, and tier one providers like Amazon and Microsoft have published documentation based on them in order to assist UK public sector customers in making cloud service buying decisions consistently with the mandated requirements.
Data classification is the real key to unlocking the cloud. This allows organisations to categorise the data they possess by sensitivity and business impact in order to assess risk. The UK has recently moved to a three tier classification model (OFFICIAL → SECRET → TOP SECRET) and has indicated that the OFFICIAL category ‘covers up to ninety percent of public sector business’ like most policy development, service delivery, legal advice, personal data, contracts, statistics, case files, and administrative data. OFFICIAL data in the UK ‘must be secured against a threat model that is broadly similar to that faced by a large UK private company’ with levels of security controls that ‘are based on good, commercially available products in the same way that the best-run businesses manage their sensitive information’.
Compliance with the published security framework, in turn based on the data classification, can then be evidenced through procedures designed to assess and certify achievement of the cloud security standards. The UK’s cloud security guidance on standards references ISO 27001 as a standard to assess implementation of its cloud security principles. ISO 27001 sets out for managing information security certain control objectives and the controls themselves against which an organisation can be certified, audited and benchmarked. Organisations can request third party certification assurance and this certification can then be provided to the organisation’s customers. ISO 27001 certification is generally expected for approved providers of UK G-Cloud services.
Only a combination of effective cloud security, data classification and recognition of international standards can remove the blockers of public cloud and enable the benefits to be seen.
Such a combination of effective cloud security, data classification and adoption of international standards can remove the blockers of public cloud and enable the benefits to be obtained.
Richard Kemp is founder of Kemp IT Law. He is author of the white papers ‘Seeding the Global Public Sector Cloud, Part I - A Role for International Standards’ and ‘Part II – The UK’s Approach as Pathfinder for Other Countries’.
Footnotes
[1] Microsoft Corporation, The Economics of the Cloud (November 2010), page 16 available at https://www.microsoft.com/en-gb/search/result.aspx?q=economics+of+the+cloud&form=apps
[2] See for example, KPMG International, Exploring the Cloud: A Global Study of Governments’ Adoption of Cloud (March 2012) available at http://www.forbes.com/forbesinsights/government_cloud_2012/index.html; J. Mechling in Governing, Government’s Slow Takeoff into the Cloud (5 March 2015) at http://www.governing.com/columns/smart-mgmt/col-government-slow-adoption-cloud-computing-collaboration.html; C. Burt in Web Hosting Industry Review (WHIR) Despite UK’s Cloud First Policy, 36% of Government Workers Haven’t Used Cloud Services (7 July 2015) at http://www.thewhir.com/web-hosting-news/despite-uks-cloud-first-policy-36-of-government-workers-havent-used-cloud-services;
