With the Cloud First strategy gathering pace, how secure is the government’s data when stored online? Tim Gibson reports on a round table that weighed the risks, and considered how to mitigate them
Rogue American intelligence contractor Edward Snowden’s recent revelations have caused consternation and concern, especially over the ability of foreign governments to hoover up vast amounts of personal information stored online. His leaks have both called into question the security of online data storage and heightened the public’s concern about the amount of data that governments hold on them.
As the British government moves to store much of its data online in the cloud, this could – at worst – provide a target for both foreign governments and other malicious actors to hack. This is especially true because citizen data, some of it highly sensitive, is increasingly stored off-site, often with third-party suppliers – many of which are SMEs. The reputational and financial cost of losing that data doesn’t bear thinking about.
To confront this reality, CSW and IT security firm Sophos brought a group of senior civil servants together to debate data security in the cloud. As well as helping to identify the risks, the round table was an opportunity to find ways of mitigating them.
Where’s the data – and is it safe?
The government’s Cloud First strategy means that civil servants are now mandated to use cloud computing wherever possible. The overarching concern prompted by this policy was given succinct expression by John Stubley, director of operations for the Public Services Network in the Cabinet Office: “We need to know where [our] data is stored, and who can have access to it.”
As Ken Green, security manager in the Department for Work and Pensions (DWP), revealed, his department has been provided with a list of 11 countries in which its cloud services provider says data will be either stored or handled. But Green argued this is not specific enough, concluding: “Our biggest problem with the cloud is knowing [precisely] where processes are taking place.”
This is of concern in part because of the varying legal frameworks that operate in different nations. For example, Anoja Fernando, library manager at DWP, pointed out that – thanks to the cloud – sensitive citizen data could be handled outside the UK in ways that don’t satisfy our domestic data protection laws. This, she said, would compromise the security of data about UK citizens.
As it happens, even when there are assurances from a supplier concerning the location of their data centres and facilities, the risks may not be entirely obviated. Andy Deacon, one of Sophos’s IT security specialists, explained the problem: “The other risk around cloud providers…is that they can suddenly switch your service to being provided somewhere else, and you find out after the fact. Equally, they could [open] a new office, and put everything through [that], not really realising…how that would impact you as a customer.”
While there is no doubting the positives to emerge from such a strategy, it does mean that a potential weakness has been built into the supply chain. Girija Ramgoolam, commercial manager in the Ministry of Justice, put her finger on it when she expressed reservations about whether small enterprises have the wherewithal to secure government data, particularly when a crisis breaks out.
Enhanced risk always comes with the promise of enhanced reward, of course. In this situation, it’s the fleetness of foot and openness to innovation that characterises many small technology companies. As Sophos’s Deacon intimated, this brings greater vibrancy to the government’s IT supply chain, making it more able to flex in light of changing needs.
Making a mark
It’s crucial that government can have confidence in the security accreditation of suppliers who make it onto the G-Cloud framework, as well as openness from those suppliers about their level of assurance. However, while “the G-Cloud is quite transparent about costs,” DWP’s Green said the challenge is “understanding the service that’s provided on the G-Cloud: how do we know what security we’ve got? Who checks these people who are advertising on the G-Cloud?”
One easy way to bring peace of mind to departments procuring from the G-Cloud, Green said, would be to share insights about suppliers between departments. Green’s fellow DWP security manager Stuart Frost asked if there were any plans to do this, arguing that it would also help to keep suppliers on their toes. In fact, John Stubley informed the group, there are plans for such feedback sharing to happen more generally in the public sector, but not specifically for the G-Cloud framework.
The perceived lack of quality assurance on the G-Cloud, one participant suggested, partly explains the reluctance of some in the public sector to procure from it. To address this in more detail, Ollie Hart, UK and Ireland sales director for Sophos, asked whether these concerns stemmed principally from “fear of the unknown” or worries over security.
By way of a response, Frost gave voice to one of the security concerns hovering around the cloud. He opined that cloud solutions seem more open to security breaches than traditional public sector IT models where data is stored offline. For example, he said, “[the cloud] provides an opportunity for insider criminals to steal data more easily.”
If Frost’s comments illustrate the concerns that some in the public sector feel about the security of cloud-based IT, Sophos’s Deacon was quick to offer reassurance. “I don’t think the cloud, from a security point of view, has to be viewed as…outside the norm of anything else you do in your security policies,” he said. “It’s just another avenue of data flow, and therefore you treat it [in the same way].”
It was suggested, therefore, that civil servants should adhere to strict IT security protocols in every area of their work, whether or not they are using cloud computing. So they should maintain the highest standards of data hygiene – for example, making passwords sufficiently complex, and using different passwords for different applications.
This can be a challenge in its own right, as Yasmin Robinson, assistant officer in the London Central Recovery Team at HM Revenue and Customs, highlighted. “I’ve had complaints about the number of different passwords and frequency [with which they should be changed],” she said. “It’s quite a thorny issue for some people.” Thorny or not, Ian Beecroft, from the DWP’s departmental secure delivery and design team, asserted that it must be addressed. “Whether our data is stored in the cloud or in our own data service … we are still responsible for that data.”
The responsibility for maintaining data security rests squarely with the government’s personnel, therefore, making it imperative to provide appropriate training and education in how to use the cloud safely. This theme was picked up by Christina Hamilton, a technology in business fast-streamer in the Home Office, who said: “I think the cloud would work much better and [people] would be more willing to use it if they were trained and understood [it].”
Part of the educational process would involve demystifying the cloud, so that users are not put off by its technical nomenclature. After all, as Deacon from Sophos said, “The cloud is basically the internet”, and people have interacted with that for a number of years.
By making this clearer to both public sector workers and citizens, the cloud would come to be considered more normal, and less of a threat. In addition, Deacon said training would provide an opportunity to alert people to the security risks associated with cloud computing, and help them develop good practices that minimise the threat of a data breach.
Clever commissioning
Deepening knowledge of the cloud would have a further benefit, by enabling the government’s commercial teams to make sound judgments at the commissioning stage. This point was made by Frost from the DWP, who said: “It’s [about] asking the right questions. I would say there’s a cross-government piece of work there to share some of the questions that are asked.”
The DWP’s Ian Beecroft echoed this point, adding, “It’s very important to monitor [contracts]. We’ve made [the mistake in government] before of signing contracts and almost forgetting that we’ve got to carry on doing those checks and balances.”
A benefit of monitoring suppliers on an ongoing basis is that it enables departments to keep up with, and benefit from, technological progress. As Deacon from Sophos explained, technology moves at such a pace that a risk that was signed off as acceptable when a contract was awarded may become avoidable within its lifetime. In other words, the risk profile of an organisation can shift in light of the developing capabilities of its suppliers.
In such a rapidly changing context, it is perhaps unsurprising that many in the public sector struggle to keep up with the latest IT best practice. But the skills of the government workforce are crucial to the security of cloud-based computing, meaning they must learn how to work safely online, and how to follow procurement and governance processes that are right for the G-Cloud.
That’s no mean feat. But, as Frost from DWP reminded everybody, cloud-based IT represents much better value for the taxpayer than what has gone before, so the effort is almost certainly worthwhile.
To ensure the security of the cloud, close attention needs to be paid to the skills of the public sector workforce, and to the credentials of suppliers on the G-Cloud framework. In this way, the vision of a money-saving, efficiency-driving revolution in public sector IT really can come to life. The risks are high, but so are the potential gains.