JUser: :_load: Unable to load user with ID: 124442

So where, exactly, is my data?

  • techUK techUK
    Wednesday09Jul 2014

    John Godwin from Skyscape Cloud Services writes a guest blog about the changing landscape of cloud, and the issues that need to be addressed.

John Godwin, Head of Compliance and Information Assurance at Skyscape Cloud Services, writes a guest blog for us on the changing policies around cloud and what it means for suppliers. Skyscape Cloud Services have been members of techUK since December 2012.

Many of the current approaches to protecting personal data pre-date the global adoption of the Internet and cloud computing. With each country having its own legal framework for data protection within its own national boundaries, this was a relatively straightforward concept to embrace.

"I think my data is on a server based in London, so the UK Data Protection Act applies, doesn't it?" With traditional fixed infrastructure hosting, this is reasonably sound. However, the growing demand for the flexibility and lower costs associated of cloud services challenges this: geographical boundaries fade as data in the cloud can be moved around in the background – often over great distances.

Microsoft was recently ordered by a US judge to disclose customer email data stored in a data centre in Dublin: this ruling challenges international laws, the data sovereignty of other countries, and places US domestic law well beyond its own national boundaries. Such decisions also heighten growing public concern over data privacy regulations.

In April 2014 the UK Government introduced a new Government Security Classifications Policy, with an estimated 90% of all public sector data now being labelled as Official. This "once in a generation" change has been introduced to simplify the previous classification scheme, and places responsibility on data owners to identify, assess and select suppliers who have implemented security controls in a manner which provides full and appropriate protection for their data.

CESG and the Cabinet Office have released the "14 Cloud Security Principles", which explains to customers the assurance evidence they need to seek from their suppliers. In a supplementary document "Implementing the 14 Cloud Security Principles", the cloud service providers are provided with a framework which illustrates the statements they need to make and the evidence that they need to provide to demonstrate their levels of competence in these fourteen areas. As an example, Principle 2.1 requires service providers to disclose the geographic locations where customer data is to be managed, processed or stored, and the legal jurisdictions which apply.

Public sector users of the G-Cloud Framework of cloud services need to be aware of what these changes mean. Previously they were able to draw comfort from the robust accreditation work undertaken by the Pan Government Accreditors (PGA) from CESG. Now the task of obtaining and verifying service provide assurance information becomes their sole responsibility, so they will need to draw on their own organisational capabilities whilst making important procurement decisions.

G-Cloud is now in a period of transition towards using the 14 Cloud Security Principles, with many existing PGA accreditations relating to the previous protective marking scheme still valid, and more recent PGA accreditations relating solely to services capable of processing official data. Despite the two schemes being separate for now, there has been some creativity in the language being used by some suppliers with "Official" being wrongly described as IL3, and so on. Whilst we all want G-Cloud to continue to flourish, because it's making a real difference to the public sector ICT market, it has the potential to do so much more as uptake increases. All G-Cloud suppliers need to play their part in helping public sector buyers through this transition, providing support and guidance when needed, but also by being clear and factual about how their services have been accredited.

Skyscape Cloud Services has authored a useful white paper which explains the new Government Security Classifications Policy, and has supplemented this with a framework of evidence of how we meet the highest standards of evidence for all of the 14 Cloud Security Principles. We hope that all G-Cloud suppliers will embrace this new approach and provide similar clear evidence to support their capabilities. Because, as we all know, not all clouds are created equal.

Share this


"Technology is a key enabling tool for collaboration within organisations and across the public services ecosystem"… https://t.co/h6SDuy2nQH
Emily Jenkins, Girlguiding Advocate and A-Level student, spoke at #CogX19 during #LTW about why we need to get more… https://t.co/bTSk6v46eE
First tranche of speakers confirmed for our 'going plastic free' conference on 10 July - @OakdeneHollinshttps://t.co/ZtWSnqGyn1
3 Months to go until our fantastic #techUKSmarterState 2019 focusing on how emerging tech will transform public ser… https://t.co/D7ZzGY1XFr
Join us at @Public_SectorUK (25 – 26 June, ExCeL London) & learn how to implement the latest digital solutions and… https://t.co/dhVcra3OWP
ICYMI: During #LondonTechWeek, @PwC_UK published its report into AI in Healthcare, assessing the practicalities of… https://t.co/wDuZyZWlvB
Nominations for the World Class Policing awards close in 2 weeks. You can nominate here - https://t.co/6LpU1bfz5J @WCPAwards
Become a Member

Become a techUK Member

By becoming a techUK member we will help you grow through:

Click here to learn more...