Seeding the Global Public Sector Cloud: Data Classification, Security Frameworks and International Standards

November 25, 2015

All of a sudden, everywhere you look, the cloud is the new normal. The top service providers’ cloud revenues are doubling year on year, at the start of what is predicted to be a sustained period of growth in cloud services. As IT workloads have migrated to the cloud, the private sector has led the charge. Governments have been towards the rear, with cloud spend to date generally accounting for less than 5% of a given country’s public sector IT budget. This looks likely to increase quickly as the public sector starts to overcome the blockers to cloud uptake.

The classic NIST definition of the Cloud specifies Software (SaaS), Platform (PaaS) and Infrastructure (IaaS) as the three main Cloud service models (see Figure 1 below), each supplied with the five essential characteristics of on-demand self-service, broad network access, resource pooling (multi-tenancy), rapid elasticity and measured (metered) service, from a private (dedicated), community (shared by a group with common concerns), public (multi-tenant, open to the general public) or hybrid (two or more of these bound together so that workloads and data can move between them, for example for load balancing or ‘cloud bursting’) deployment model.

The benefits of the public Cloud are real and evidenced, especially as regards the comparison between the private and public cloud: public cloud economies of scale, demand diversification and multi-tenancy are estimated[i] to make a public cloud up to 90% cheaper than an equivalent private cloud.

Equally real are the blockers to public sector cloud adoption, where studies[ii] consistently show that management of security risk is at the centre of practical, front-line worries about cloud take-up, and that removing those worries will be indispensable to unlocking the potential for growth. Demonstrating effective management of cloud security to and for all stakeholders is therefore central to cloud adoption by the public sector and a key driver of government cloud policy.

Figure 1: Software as a Licence to Software as a Service: the Cloud Service Model Continuum


A number of governments have been at the forefront of developing an effective approach to cloud security management, especially the UK, which has published a full suite of documentation covering the essentials. (A list of the UK government documentation – which serves as an accessible ‘how to’ for countries that do not want to reinvent this particular wheel – is set out in the Annex to our white paper, Seeding the Public Cloud: Part II – the UK’s approach as a pathfinder for other countries.) The key elements for effective cloud security management have emerged as:

·      a structured and transparent approach to data classification;

·      a transparent and published cloud security framework based on the data classification; and

·      the use of international standards as an effective way to demonstrate compliance with the cloud security framework.

Data classification is the real key to unlocking the cloud. It allows organisations to categorise the data they hold by sensitivity and business impact in order to assess risk, and so to decide which data can go to which kind of cloud service under which controls. The UK has recently moved to a three-tier classification model (OFFICIAL, SECRET and TOP SECRET) and has indicated that the OFFICIAL category ‘covers up to ninety percent of public sector business’,[iii] such as most policy development, service delivery, legal advice, personal data, contracts, statistics, case files and administrative data. OFFICIAL data in the UK ‘must be secured against a threat model that is broadly similar to that faced by a large UK private company’[iv] with levels of security controls that ‘are based on good, commercially available products in the same way that the best-run businesses manage their sensitive information’.[v] The practical consequence is that the bulk of government data is, by classification, suitable for the same commercial public cloud services that large enterprises already use, provided the published security framework is met.

Data classification enables a cloud security framework to be developed and mapped to the different kinds of data. Here, the UK government (through CESG) has published a full set of fourteen cloud security principles, with guidance and implementation notes,[vi] dealing with the range of relevant issues from data-in-transit protection through to asset protection and resilience, separation between consumers, security of the supply chain, personnel and service operations, identity and authentication, and secure consumer management. These cloud security principles have been taken up by the supplier community, and tier one providers such as Amazon and Microsoft have published documentation[vii] mapping their services to the principles in order to help UK public sector customers make cloud service buying decisions consistent with the mandated requirements.

Compliance with the published security framework, in turn based on the data classification, can then be evidenced through procedures designed to assess and certify achievement of the cloud security standards. The UK’s cloud security guidance on standards references ISO 27001 as a standard against which implementation of its cloud security principles can be assessed. ISO 27001 sets out the requirements for an information security management system (ISMS), together with an Annex A catalogue of control objectives and controls, against which an organisation can be certified, audited and benchmarked. Organisations can obtain certification from an accredited third-party certification body and provide the certificate to their customers. One practical caveat: an ISO 27001 certificate attests to the ISMS within a defined scope, so a buyer should check that the certificate’s scope and the provider’s Statement of Applicability actually cover the cloud service, locations and controls being procured, rather than some other part of the provider’s business. ISO 27001 certification is generally expected for approved providers of UK G-Cloud services.

This pragmatic but comprehensive combination of data classification and cloud security framework comes with the assurance provided by evidence of compliance with generally accepted international standards. It would go a long way towards unlocking the benefits, removing the blockers and enabling the public sector cloud around the world to achieve its potential.

Richard Kemp is founder of Kemp IT Law: richard.kemp@kempitlaw.com. For further information on this topic, see the Kemp IT Law October 2015 white papers on Seeding the Global Public Sector Cloud, Part I – A Role for International Standards and Part II – The UK’s Approach as Pathfinder for Other Countries.


Footnotes

[i] Microsoft Corporation, The Economics of the Cloud (November 2010), page 16 available at https://www.microsoft.com/en-gb/search/result.aspx?q=economics+of+the+cloud&form=apps

[ii] See for example, KPMG International, Exploring the Cloud: A Global Study of Governments’ Adoption of Cloud (March 2012) available at http://www.forbes.com/forbesinsights/government_cloud_2012/index.html; J. Mechling in Governing, Government’s Slow Takeoff into the Cloud (5 March 2015) at http://www.governing.com/columns/smart-mgmt/col-government-slow-adoption-cloud-computing-collaboration.html; C. Burt in Web Hosting Industry Review (WHIR), Despite UK’s Cloud First Policy, 36% of Government Workers Haven’t Used Cloud Services (7 July 2015) at http://www.thewhir.com/web-hosting-news/despite-uks-cloud-first-policy-36-of-government-workers-havent-used-cloud-services.

[iii] Government Security Classifications Supplier Briefing (October 2013) at Annex, point 3.2 – available at https://www.gov.uk/government/publications/government-security-classifications

[iv] Government Security Classifications (April 2014) at Annex, point 3.1, page 17 – available at https://www.gov.uk/government/publications/government-security-classifications

[v] Government Security Classifications Supplier Briefing (October 2013), as above.

[vi] See the table at the Annex to our White Paper at http://www.kempitlaw.com/seeding-the-global-public-sector-cloud-part-ii-the-uks-approach-as-a-pathfinder-for-other-countries/

[vii] For Amazon see: https://blogs.aws.amazon.com/security/post/Tx31CWNXWOP2J09/Using-AWS-in-the-Context-of-CESG-UK-s-Cloud-Security-Principles. For Microsoft see: http://www.microsoft.com/en-gb/enterprise/it-trends/cloud-computing/articles/14-points.aspx#fbid=MyGgwF29ZRe