Cloud technology is rapidly becoming the new normal, replacing traditional IT solutions. The revenues of top cloud service providers are doubling each year, at the start of a predicted period of sustained growth in cloud services. The private sector is leading this growth in workloads migrating to the cloud. Governments, however, are bringing up the rear, with under 5 percent of a given country’s public sector IT budget being dedicated to cloud spending. Once the public sector tackle the blockers that are preventing uptake, spending looks likely to rapidly increase.
The classic NIST definition of the Cloud specifies Software (SaaS), Platform (PaaS) and Infrastructure (IaaS) as the main Cloud services (see figure 1 below), where each is supplied via network access on a self-service, on-demand, one-to-many, scalable and metered basis, from a private (dedicated), community (group), public (multi-tenant) or hybrid (load balancing) Cloud data centre.
Figure 1: Customer Managed to Cloud Service Provider Managed: The Continuum of Cloud Services
The benefits of the Cloud are real and evidenced, especially between the private and public cloud where public cloud economies of scale, demand diversification and multi-tenancy are estimated to drive down the costs of an equivalent private cloud by up to ninety percent.
Also equally real are the blockers to public sector cloud adoption, where studies consistently show that management of security risk is at the centre of practical, front-line worries about cloud take-up, and that removing them will be indispensable to unlocking the potential for growth. Demonstrating effective management of cloud security to and for all stakeholders is therefore central to cloud adoption by the public sector and a key driver of government cloud policy.
A number of governments have been at the forefront of developing an effective approach to cloud security management, especially the UK which has published a full suite of documentation covering the essentials. (A list of the UK government documentation – which serves as an accessible ‘how to’ for countries who do not want to reinvent this particular wheel – is set out in the Annex to our white paper, Seeding the Public Cloud: Part II – the UK’s approach as a pathfinder for other countries). The key elements for effective cloud security management have emerged as:
- a transparent and published cloud security framework based on the data classification;
- a structured and transparent approach to data classification; and
- the use of international standards as an effective way to demonstrate compliance with the cloud security framework.
Data classification enables a cloud security framework to be developed and mapped to the different kinds of data. Here, the UK government has published a full set of cloud security principles, guidance and implementation dealing with the range of relevant issues from data in transit protection through to security of supply chain, personnel, service operations and consumer management. These cloud security principles have been taken up by the supplier community, and tier one providers like Amazon and Microsoft have published documentation based on them in order to assist UK public sector customers in making cloud service buying decisions consistently with the mandated requirements.
Data classification is the real key to unlocking the cloud. This allows organisations to categorise the data they possess by sensitivity and business impact in order to assess risk. The UK has recently moved to a three tier classification model (OFFICIAL → SECRET → TOP SECRET) and has indicated that the OFFICIAL category ‘covers up to ninety percent of public sector business’ like most policy development, service delivery, legal advice, personal data, contracts, statistics, case files, and administrative data. OFFICIAL data in the UK ‘must be secured against a threat model that is broadly similar to that faced by a large UK private company’ with levels of security controls that ‘are based on good, commercially available products in the same way that the best-run businesses manage their sensitive information’.
Compliance with the published security framework, in turn based on the data classification, can then be evidenced through procedures designed to assess and certify achievement of the cloud security standards. The UK’s cloud security guidance on standards references ISO 27001 as a standard to assess implementation of its cloud security principles. ISO 27001 sets out for managing information security certain control objectives and the controls themselves against which an organisation can be certified, audited and benchmarked. Organisations can request third party certification assurance and this certification can then be provided to the organisation’s customers. ISO 27001 certification is generally expected for approved providers of UK G-Cloud services.
Allowing the public sector cloud to achieve its potential will take a combination of comprehensive data classification, effective cloud security frameworks, and the pragmatic assurance provided by evidenced adherence to generally accepted international standards. These will remove the blockers on the public sector cloud, unlocking the clear benefits.
Written by Richard Kemp, Founder of Kemp IT Law