What security level is appropriate in the cloud?
The adoption of cloud computing continues to grow across the board, and we are beginning to see more and more services moving over to digital. However, with data breach incidents continuing to be all too common, it's perhaps unsurprising that most organisations' primary concern when moving to a cloud environment is how secure their data will be.
In the case of the UK public sector, which has traditionally been more reliant on legacy IT, significant progress has been made in encouraging a wide variety of organisations to realise the many potential benefits of the cloud. Take, for instance, the Government's G-Cloud programme, which has undoubtedly changed the way that the 30,000 public sector organisations in the UK approach the use and procurement of their IT services. However, there is still much work to be done to tackle the understandable, but excessively risk-averse culture that is embedded in this sector.
The fact is that not all data is the same, and as a result, different data sets may require different levels of security assurance to be securely placed in the cloud. Cloud providers should therefore be offering different environments with appropriate controls, which align with actual risks rather than purely perceived ones. In the case of the public sector, there are several measures in place that assess the level of risk on behalf of public sector organisations, and which aim to make the process of selecting an appropriate solution simple and transparent for the buying community.
An example of this is the Pan Government Accreditation (PGA) service run by CESG (the UK Government's National Technical Authority for Information Assurance), which effectively manages the combined risks associated with the cloud; its grading system is set out in an Impact Level (IL) table ranging from IL0 up to IL6. The established Government Protective Marking Scheme (GPMS) also sets out to ensure that transparency and consistency in the classification and protection of data can be achieved. Furthermore, the Public Services Network (PSN) provides an assured network over which Government can safely share services and collaborate in new ways, more effectively and efficiently.
However, the situation is entirely different in the private sector. There is no single mandate to follow for the assessment and classification of data, and a diverse range of risk appetites exists within similar organisations in the same sectors, resulting in little collaboration or consistency from business to business. I would argue that this leads to the assessment of risk becoming dangerously subjective and inevitably influenced by an organisation's financial budgets, the often limited knowledge of executives and different business cultures, which can lead to an inappropriate classification – and therefore protection – of a company's data. Worryingly, this often leads to valuable or confidential information being exposed to unacceptable levels of risk, which is something that should be urgently addressed within the private sector.
The first question any cloud buyer should be asking when considering a supplier is: what is its accreditation status and, crucially, is it appropriate to our needs? By way of example, a public sector organisation looking to place highly sensitive data in the cloud must be certain that its chosen provider has achieved a PGA status of at least IL3. On the other hand, relatively low-risk data can be adequately served by an IL0-2 level cloud service offering. Currently, there are relatively few providers that offer services at the higher impact levels – IL3 and above – but Government initiatives such as G-Cloud are steadily succeeding in increasing competition, and we hope to see this end of the market become more vibrant throughout the course of 2014.
With the right solutions in place, organisations can be sure they will realise the benefits of a move to the cloud, without compromising on performance or crucially, security.
Contributed by John Godwin, Head of Compliance, IA & Operations at Skyscape Cloud Services