Category Archives: Government

Bulgarian gov writes open source into law

The Bulgarian government has launched a number of amendments to the Electronic Governance Act which require all code written for the government to be open source.

The announcement was made public through the blog of Bozhidar Bozhanov, who is currently acting as an advisor to the Deputy Prime Minister responsible for e-governance systems and policies. The new policy doesn’t mean the entire country will be moving to Linux, though it is one of the first examples of a government writing the concept of open source into legislation. Article 58.a of the act states:

“When the subject of the contract includes the development of computer programs: (a) computer programs must meet the criteria for open source software. (b) All copyright and related rights on the relevant computer programs, their source code, the design of interfaces and databases which are subject to the order should arise for the principal in full, without limitations in the use, modification and distribution. (c) Development should be done in the repository maintained by the Agency in accordance with Art.7cpt.18.”

The amendment will not affect current contracts, nor insist that major vendors give away the source of their products; it focuses only on custom-written code. When the government procures IT services or software that involves custom code written specifically for the project, the act ensures this code will be open-sourced for the rest of the country to use.

“After all, it’s paid by tax-payers money and they should both be able to see it and benefit from it,” said Bozhanov on the blog. “A new government agency is tasked with enforcing the law and with setting up the public repository (which will likely be mirrored to GitHub).

“The fact that something is in the law doesn’t mean it’s a fact, though. The programming community should insist on it being enforced. At the same time some companies will surely try to circumvent it.”

Government report highlights that only 29% of UK businesses have cyber security policies

Chart: Overview

The Department for Culture, Media and Sport has released findings from its annual Cyber Security Breaches Survey, in which 69% of organizations say security is a top priority for the business, though only 29% have a formal written policy.

Among large organizations (those with 250 or more employees), 90% considered security a ‘very high’ or ‘fairly high’ priority; across the UK as a whole, the figure was 69%.

“The UK is a world-leading digital economy and this Government has made cyber security a top priority,” said Minister for the Digital Economy Ed Vaizey. “Too many firms are losing money, data and consumer confidence with the vast number of cyber-attacks. It’s absolutely crucial businesses are secure and can protect data. As a minimum, companies should take action by adopting the Cyber Essentials scheme which will help them protect themselves.”

Of the companies that participated in the survey, 24% said they had experienced a breach within the last twelve months; the figure is higher for medium and large businesses, at 51% and 65% respectively. Large organizations would appear to be the more attractive target for cyber criminals, with 25% of them experiencing at least one attack per month over the last year. In financial terms, the average breach costs organizations £3,480, rising to £36,500 for organizations in the large category.

Although a healthy proportion of organizations claim security is a top priority, only 29% have written cyber security policies, and only 10% have formal incident management processes. The survey also highlighted that only 17% have had their staff undergo some form of cyber security training in the last 12 months.

“One of the most shocking revelations in the Government’s research is the fact that just 10 per cent of UK businesses have an incident management plan in place,” said Jens Puhle, UK Managing Director of 8MAN. “Given that two thirds of large businesses were breached this year alone, organisations need to think in terms of “when”, not an “if” they are attacked, and it is vital they have a solid response plan in place.

Chart: How much of a priority is cloud security (security priority)

“Businesses that are equipped with the ability to identify how the breach occurred and which systems were affected will be able to mitigate the damage the impact and resume normal operations much sooner. They will also be able to take control of the aftermath, disclosing the incident on their terms and working with the authorities to catch the perpetrator. Being unable to perform these basic tasks will make it much more likely that a business is seen as inviting disaster on itself and its customers through negligence, rather than as a blameless victim of crime.”

From an employee perspective, only 34% of organizations currently employ staff whose job role specifically includes information security or governance, which could be perceived as relatively low considering 67% believe security is a top priority. These jobs were most common within finance (60%) and education, health or social care (52%), sectors which could be viewed as having more stringent regulation surrounding data protection.

While hiring people with the right skills is an important step in becoming more secure, Lee Meyrick, Director of Information Management at Nuix, believes these individuals also need a firm grasp of how and where a company’s data resides, a task which might not be as simple as first imagined.

“The first step towards responding efficiently to breaches and closing information security gaps quickly is understanding where important data is stored. This is easier said than done, as about 80% of organisational data is unstructured, meaning it’s in complex formats – such as emails, databases, photos, and presentations – that are difficult to search and understand.

Chart: Spend on security (security spend)

“The key principle is making sure the only people who can access high-risk data are those who need to for day-to-day work. In order to achieve this, information security, information governance and records management specialists need to become “good shepherds” of their data.

“They should know where all their sheep are, segregate them into separate fields, make sure the fences between fields are sound and regularly check to ensure the sheep are healthy. In this way, even if a wolf manages to get into one of the fields, most of the flock will be safe.”

While the survey does demonstrate good intentions from organizations throughout the UK with respect to attitudes towards security, it would appear that the practical implications of these intentions have largely remained unfulfilled to date. Large organizations would appear to have a more solid grip on security within their own environments, though this does not seem to extend to their supply chains: only 13% of UK businesses set minimum cyber security standards for their suppliers.

The report states that attitudes towards security within medium and large organizations are positive, though more could be done to implement data encryption rules, offer staff training and establish formal incident management processes. It also states that more could be done to raise standards within their own supply chains, which could have a ripple effect on smaller organizations throughout the UK.

Parallels RAS Wins Prestigious Govies Security Award

2016 Govies Government Security Awards honor Parallels Remote Application Server as winner of its Platinum Network Security Award

The 2016 Government Security Awards (Govies) honored Parallels Remote Application Server as the winner of its Platinum Award for Network Security at the ISC West Expo, the largest security tradeshow in the United States, which is held […]

The post Parallels RAS Wins Prestigious Govies Security Award appeared first on Parallels Blog.

US FedRAMP has turned into a slow lane for government cloud says protest group

A cloud industry protest group has called on the US government to fix its FedRAMP process for certifying government cloud service providers. The inefficiencies of the system are neutralising any benefits the cloud can bring to the US taxpayer, it claims.

A collective of disgruntled parties, ranging from top-tier cloud operators such as AWS, IBM and HPE to support agencies and corporate lawyers, has appealed for a review of the Federal Risk and Authorization Management Program, a certification process known as FedRAMP.

Though FedRAMP was designed to simplify the use of cloud services by government agencies, the system has been described by a cloud industry advocate group as ‘fundamentally broken’. An aggrieved group of cloud players calling itself FedRAMP Fast Forward claims that what should be a simple system for helping US civil servants select between FedRAMP-certified providers has become too complicated and unwieldy. The pressure group has proposed a six-point plan to address the system’s lack of clarity, high costs and lack of accountability.

The promised ‘certify once, use many times’ framework has not been delivered, claims the pressure group. Instead, the system has become expensive and time-consuming to use. As a result, the planned government savings from using cloud services are unlikely to materialise, says the group.

One of the reported problems is that the system does not provide the level of monitoring and management that cloud service providers would expect from any service. Potential suppliers to a government tender cannot gauge their status in the approval process or get feedback on how to improve things or move the process to its next stage, according to a group statement. Agencies have also complained that they can’t see where the listed authorised cloud services might operate.

The Cloud Computing Caucus, a cross-party group of US Congress Members, claims that the certification process now takes nearly three times as long as it first did. Worse, it can be 20 times more expensive. The group’s latest annual report says certification time has gone from nine months to two years, on average, while the typical cost has grown from $250,000 to as much as $5 million.

The pressure group has now posted a six-point reform plan calling for a single route to authorisation, more transparency over the approval process, harmonised security standards, cheaper monitoring, the option to upgrade without dropping out, and a simpler road map for compliance.

FedRAMP Fast Forward members include AWS, HPE, IBM, CGI, General Dynamics and CenturyLink.

New players sign up to G-Cloud 7 amid accusations of anti-cloud behaviour

A number of new service providers have announced their participation in the latest iteration of the UK’s government computing services framework, G-Cloud 7. Among the new suppliers pledging to meet the conditions of the latest framework were Fordway, Acuity, Company 85, RedCentric and Komodo Digital.

However, critics have argued that the Crown Commercial Service (CCS) has introduced uncloud-like behaviour, as newly introduced limits could hinder buyers from expanding their use of cloud services.

Under the new rules in G-Cloud 7, users will be forced to re-tender via G-Cloud if they intend to buy additional capacity or services that will cost more than 20% of their original contract’s value. This, according to industry body EuroCloud UK, goes against scalability, the defining principle of cloud computing.

“It deters buyers from using the G-Cloud framework, because it actively discourages the pay per use principle,” said Neil Bacon, MD of Global Introductions and a member of EuroCloud’s G-Cloud working group. Worse still, he said, it will prevent buyers from getting the economies of scale that are the original motivation for their buying decision.

Several G-Cloud providers, including EduServ and Skyscape, outlined their concerns about the move in writing to the Cabinet Office. However, Surrey-based service provider Fordway has committed to the new system, launching its Cloud Intermediation Service (CIS) on G-Cloud 7.

The new service helps clients assess, plan, transform and migrate their infrastructure partly or completely to public cloud. It promises agile project management, bundling together the resources that clients will need to support their in-house team at each stage of the transition.

Fordway claims its relationships with public cloud providers such as Amazon Web Services, Microsoft and Google allow it to create a pivotal single point of contact to manage a transition irrespective of the target platforms.

In Fordway’s case, clients may not be subject to unexpected fluctuations in capacity demand, according to MD Richard Blanford.

“Most IT teams will only migrate their systems to cloud once, and it’s a big step. For the sake of their organisation and their own careers it needs to be planned and delivered successfully, on time and within budget, without any surprises,” said Blanford.

Carrenza claims it’s now top cloud host for UK government digital service

UK cloud service provider Carrenza has announced it is now providing the majority of hosting for the Government Digital Service (GDS), having made the production and staging environments for the Gov.uk site live on its cloud infrastructure.

Gov.uk has now rationalised hundreds of individual websites for government departments and public bodies, concentrating the traffic for 24 ministerial departments and 28 other organisations, according to Carrenza.

Infrastructure as a service (IaaS) provider Carrenza was initially asked to provide the infrastructure for Gov.UK’s preview operation in 2013 but, it claims, once it opened a second UK data centre its role was expanded. Carrenza rents capacity in Slough and London from data centre operators Equinix and Level 3.

Carrenza runs its IaaS and platform as a service (PaaS) offerings on a VMware-based cloud built on HP servers and HP 3PAR SAN storage which, it says, supports a range of operating systems, application and database technologies that includes “pretty much anything that runs on x86 architecture”. After Carrenza achieved official security accreditation, the GDS moved the majority of Gov.uk’s staging and production systems to the Carrenza Cloud, which has now received 2 billion visits, it says.

GDS originally found Carrenza through the G-Cloud III framework and a competitive tendering process. A major consideration for any cloud service provider, when pitching for contracts with the GDS, is a commitment to open source technology, according to Carrenza CEO Dan Sutherland.

Carrenza was chosen for Gov.uk because the site’s custom software was developed in-house at GDS, which then needed to source cloud hosting and support for its flagship website.

“The launch of Gov.uk was a significant milestone,” said Sutherland. Open source has underpinned open dialogue and is helping to change and improve the way government communicates with its citizens, according to Sutherland.

Any cloud service provider wanting to win government contracts needs to concentrate on communicating with government, according to Andrew Mellish, Carrenza’s Head of Public Sector Services. “Our team understands what GDS is trying to achieve and how best to deliver the technologies they are using,” said Mellish. “When someone from GDS calls one of our engineers, they know they are speaking to someone who gets it and will work with them as efficiently as possible.”

PowerDMS Expanding in Orlando Aided by City Incentives

PowerDMS, Inc., a cloud-based document management software company, will expand its presence in downtown Orlando, Florida, adding 65 new jobs over the next three years and investing $400,000 into the region. In addition to being awarded a financial incentive from the City of Orlando, PowerDMS recently secured growth equity funding from Ballast Point Ventures and plans to use the investment to augment its sales and marketing team and enhance its technology platform by offering new features to its customer base, which includes law enforcement, public safety, healthcare and retail.

Founded in 2001, the company’s software platform provides “practical tools necessary to organize and manage crucial documents and industry standards, thereby helping organizations maintain compliance with constantly evolving industry accreditation protocols.”

Structured as a software-as-a-service (SaaS) model, PowerDMS combines attributes of Governance and Risk Compliance (GRC) and Enterprise Content Management (ECM) into its software platform, allowing customers to manage risk through living compliance documentation and content.

The application provides tools to organize and manage crucial documents and industry standards, train and test employees, and uphold proof of compliance, thereby helping organizations reduce risk and liability.

“Downtown Orlando is a great location for dynamic tech companies like PowerDMS,” said Orlando Mayor Buddy Dyer, “with a talented labor force, business friendly environment and high quality of life, Orlando has become an ideal site for corporate headquarters looking to expand.”

 

AWS Files Complaint Over CIA $600 Million Procurement Bid Complaint by IBM

Amazon Web Services has filed a complaint in the U.S. Court of Federal Claims over the Central Intelligence Agency’s decision to follow recommendations made by the Government Accountability Office. Those recommendations followed a protest filed in February by IBM after the CIA awarded AWS a contract worth up to $600 million over four years to build a private cloud for the entire intelligence community.

FCW has the details.

PRISM Scandal Generates Renewed Interest in Non-US Cloud Providers

Guest Post by Mateo Meier, founder of Swiss hosting provider Artmotion

Businesses vote with their feet, in light of the recent PRISM scandal. Up until recently, the US had been considered the leading destination for cloud services with its vast infrastructures and innovative service offerings, but recent leaks have sparked panic amongst many business owners and are driving demand for non-US cloud providers.

The most concerning aspect for many is the wide ranging implications of using US-controlled cloud services, such as AWS, Azure and Dropbox. As a result, businesses are now turning to Switzerland and other secure locations for their data hosting needs.

Swiss ‘private’ hosting companies are seeing huge growth because privacy in Switzerland is enshrined in law. As the country is outside of the EU, it is not bound by pan-European agreements to share data with other member states, or worse, the US. Artmotion, for example, has witnessed 45 per cent growth in revenue amid this new demand for heightened privacy.

Until now, the PRISM scandal has focused on the privacy of the individual, but the surveillance undertaken by the NSA and Britain’s own GCHQ has spurred corporate concern about the risks associated with using American-based cloud providers to host data. It is especially troubling for businesses with data privacy issues, such as banks or large defence and healthcare organisations with ‘secret’ research and development needs.

Before PRISM, the US was at the forefront of the cloud computing industry and companies worldwide flocked to take advantage of the scalable benefits of cloud hosting, as well as the potential cost savings it offered.

However, the scandal has unearthed significant risks to data for businesses, as well as for their customers. With US cloud service providers, the government can request business information under the Foreign Intelligence Surveillance Act (FISA) without the company in question ever knowing its data has been accessed.

For businesses large and small, data vulnerabilities and the threat of industrial espionage from US hosting sites can present real security risks or privacy implications, and it’s causing a real fear. Business owners are worried that by using US based systems, private information could potentially be seen by prying eyes.

The desire for data privacy has therefore seen a surge in large corporations turning to ‘Silicon’ Switzerland to take advantage of the country’s renowned privacy culture. Here they can host data without fear of it being accessed by foreign governments.


Mateo Meier, founder of Artmotion, spent the early stages of his career in the US before returning home to Switzerland to start Artmotion. Artmotion was started in early 2000 and provides highly bespoke server solutions to an international set of clients.

Breaking: US Cloud Companies To Lose Billions In EU Due To PRISM

The European Commission’s vice president Neelie Kroes said in a statement that reports of the US government spying on servers held by US cloud providers are creating an “atmosphere of distrust” around cloud services.

“Why would you pay someone else to hold your commercial or other secrets, if you suspect or know they are being shared against your wishes?” Kroes said. “Front or back door – it doesn’t matter – any smart person doesn’t want the information shared at all.”

“If European cloud customers cannot trust the United States government or their assurances, then maybe they won’t trust US cloud providers either. That is my guess. And if I am right then there are multi-billion euro consequences for American companies.”