JUser: :_load: Unable to load user with ID: 124442

So where, exactly, is my data?

  • techUK techUK
    Wednesday09Jul 2014

    John Godwin from Skyscape Cloud Services writes a guest blog about the changing landscape of cloud, and the issues that need to be addressed.

John Godwin, Head of Compliance and Information Assurance at Skyscape Cloud Services, writes a guest blog for us on the changing policies around cloud and what it means for suppliers. Skyscape Cloud Services have been members of techUK since December 2012.

Many of the current approaches to protecting personal data pre-date the global adoption of the Internet and cloud computing. With each country having its own legal framework for data protection within its own national boundaries, this was a relatively straightforward concept to embrace.

"I think my data is on a server based in London, so the UK Data Protection Act applies, doesn't it?" With traditional fixed infrastructure hosting, this is reasonably sound. However, the growing demand for the flexibility and lower costs associated of cloud services challenges this: geographical boundaries fade as data in the cloud can be moved around in the background – often over great distances.

Microsoft was recently ordered by a US judge to disclose customer email data stored in a data centre in Dublin: this ruling challenges international laws, the data sovereignty of other countries, and places US domestic law well beyond its own national boundaries. Such decisions also heighten growing public concern over data privacy regulations.

In April 2014 the UK Government introduced a new Government Security Classifications Policy, with an estimated 90% of all public sector data now being labelled as Official. This "once in a generation" change has been introduced to simplify the previous classification scheme, and places responsibility on data owners to identify, assess and select suppliers who have implemented security controls in a manner which provides full and appropriate protection for their data.

CESG and the Cabinet Office have released the "14 Cloud Security Principles", which explains to customers the assurance evidence they need to seek from their suppliers. In a supplementary document "Implementing the 14 Cloud Security Principles", the cloud service providers are provided with a framework which illustrates the statements they need to make and the evidence that they need to provide to demonstrate their levels of competence in these fourteen areas. As an example, Principle 2.1 requires service providers to disclose the geographic locations where customer data is to be managed, processed or stored, and the legal jurisdictions which apply.

Public sector users of the G-Cloud Framework of cloud services need to be aware of what these changes mean. Previously they were able to draw comfort from the robust accreditation work undertaken by the Pan Government Accreditors (PGA) from CESG. Now the task of obtaining and verifying service provide assurance information becomes their sole responsibility, so they will need to draw on their own organisational capabilities whilst making important procurement decisions.

G-Cloud is now in a period of transition towards using the 14 Cloud Security Principles, with many existing PGA accreditations relating to the previous protective marking scheme still valid, and more recent PGA accreditations relating solely to services capable of processing official data. Despite the two schemes being separate for now, there has been some creativity in the language being used by some suppliers with "Official" being wrongly described as IL3, and so on. Whilst we all want G-Cloud to continue to flourish, because it's making a real difference to the public sector ICT market, it has the potential to do so much more as uptake increases. All G-Cloud suppliers need to play their part in helping public sector buyers through this transition, providing support and guidance when needed, but also by being clear and factual about how their services have been accredited.

Skyscape Cloud Services has authored a useful white paper which explains the new Government Security Classifications Policy, and has supplemented this with a framework of evidence of how we meet the highest standards of evidence for all of the 14 Cloud Security Principles. We hope that all G-Cloud suppliers will embrace this new approach and provide similar clear evidence to support their capabilities. Because, as we all know, not all clouds are created equal.

Share this


Hear from the ICO, Home Office and DCMS Committee at this year’s Chatham House Cyber conference on 20-21 June:… https://t.co/AVU76jQgSo
Our @SannaBaker presenting at #edielive2019 on how digital tech can deliver a flexible grid, saves money for custom… https://t.co/N5hWTcqvvO
Great #edielive2019 presentations from @HPE & @HPUK on tech & modern slavery and how tech manufacturers can close t… https://t.co/HUM0ElXIOl
"as data becomes important perhaps Ofgem, Ofcom & Ofwat may change their focus" - Sarah Hayes from @natinfracom set… https://t.co/Xq1jSYYztM
Digital Learning, Knowledge and Analytics for Policing. Register to attend this workshop with both the National Pol… https://t.co/DZgfCOr5dz
We're at #UWL19 & #Edielive2019 today - great sessions so for on SDG action, future consumer regulation of energy m… https://t.co/0FvUHyarKc
As Tech companies see a shift towards non-technical buyers, storytelling is increasingly a core skill for engaging… https://t.co/uMOyq5qAjW
On 11 June at #STYT London @PayPal President & CEO Dan Schulman opens the program with Formula E Holdings Alejandro… https://t.co/aOIMpyX2BM
Become a Member

Become a techUK Member

By becoming a techUK member we will help you grow through:

Click here to learn more...