John Godwin, Head of Compliance and Information Assurance at Skyscape Cloud Services, writes a guest blog for us on the changing policies around cloud and what it means for suppliers. Skyscape Cloud Services have been members of techUK since December 2012.
Many of the current approaches to protecting personal data pre-date the global adoption of the Internet and cloud computing. With each country having its own legal framework for data protection within its own national boundaries, this was a relatively straightforward concept to embrace.
"I think my data is on a server based in London, so the UK Data Protection Act applies, doesn't it?" With traditional fixed infrastructure hosting, this is reasonably sound. However, the growing demand for the flexibility and lower costs associated with cloud services challenges this: geographical boundaries fade as data in the cloud can be moved around in the background, often over great distances.
Microsoft was recently ordered by a US judge to disclose customer email data stored in a data centre in Dublin. This ruling challenges international law and the data sovereignty of other countries, and extends US domestic law well beyond its own national boundaries. Such decisions also heighten growing public concern over data privacy.
In April 2014 the UK Government introduced a new Government Security Classifications Policy, with an estimated 90% of all public sector data now being labelled as Official. This "once in a generation" change has been introduced to simplify the previous classification scheme, and places responsibility on data owners to identify, assess and select suppliers who have implemented security controls in a manner which provides full and appropriate protection for their data.
CESG and the Cabinet Office have released the "14 Cloud Security Principles", which explain to customers the assurance evidence they need to seek from their suppliers. A supplementary document, "Implementing the 14 Cloud Security Principles", gives cloud service providers a framework illustrating the statements they need to make and the evidence they need to provide to demonstrate their levels of competence in each of the fourteen areas. As an example, Principle 2.1 requires service providers to disclose the geographic locations where customer data is to be managed, processed or stored, and the legal jurisdictions which apply.
Public sector users of the G-Cloud Framework of cloud services need to be aware of what these changes mean. Previously they were able to draw comfort from the robust accreditation work undertaken by the Pan Government Accreditors (PGA) from CESG. Now the task of obtaining and verifying service provider assurance information becomes their sole responsibility, so they will need to draw on their own organisational capabilities whilst making important procurement decisions.
G-Cloud is now in a period of transition towards using the 14 Cloud Security Principles, with many existing PGA accreditations relating to the previous protective marking scheme still valid, and more recent PGA accreditations relating solely to services capable of processing Official data. Despite the two schemes being separate for now, there has been some creativity in the language used by some suppliers, with "Official" being wrongly described as IL3, and so on. We all want G-Cloud to continue to flourish, because it is making a real difference to the public sector ICT market, and it has the potential to do so much more as uptake increases. All G-Cloud suppliers need to play their part in helping public sector buyers through this transition, providing support and guidance when needed, but also by being clear and factual about how their services have been accredited.
Skyscape Cloud Services has authored a white paper which explains the new Government Security Classifications Policy, and has supplemented this with a framework of evidence showing how we meet the highest standards for all of the 14 Cloud Security Principles. We hope that all G-Cloud suppliers will embrace this new approach and provide similar clear evidence to support their capabilities. Because, as we all know, not all clouds are created equal.