An upheaval in data security classification is set to sow seeds of confusion within public sector IT departments, as a planed process of simplification has ended up confusing matters.
To go back to basics, the UK government has, for the longest time, stuck with a system of data classification known as the Government Protective Marking Scheme which applied six levels of protective marking to identify data sensitivity ranging from 'not-protectively marked' up to 'top secret'. From 2 April, this will be replaced by the Government Security Classifications (GSC) policy document which has just three levels: official, secret and top secret. Each of these attracts a baseline set of security controls providing appropriate protection against a spread of typical threats. The broader scope of these categories place most data into the official section where compromise would be of limited potential damage; whereas both secret and top secret are national security classifications where compromise could lead to anything from an international relations embarrassment through to loss of life.
From the cloud perspective, it's important to know how the change will alter the handling of data when compared to the old IL classifications every public sector handler has been used to and whether ultimately this move will help or hinder public sector cloud adoption.
One important question to start with is: were the old IL classifications a barrier to public cloud adoption?
There's certainly an argument to be made that the IL 'language' was a familiar one for customers that enabled three tiers of cloud service to be established so that if data labelled 'protect' was to be handled then an IL2 service was required and IL3 for 'restricted' data etc.
Some would argue that this crude three-tier system wasn't broad enough in scope, yet replacing a well-understood system with a three-tier classification that is far from clear-cut seems at odds with the system being pushed forward on the grounds of introducing better clarity.
It is, many would say, far from obvious what level of cloud service is required when each data classification covers such a wide range of sensitivity. David Slater, an executive consultant with a technology services company with plenty of public sector experience, Atos, reckons that while the old classification scheme wasn't in itself a barrier to cloud adoption, over-classification did raise the cost of cloud, while, at the same time, reducing choice. "The market place produced cloud services at IL2 and IL3" Slater explains "the cultural change associated with the new classification scheme will potentially increase the number of players entering the market due the security regime being more outcome based rather than prescriptive security."
The prescriptive security point is also made by Marty Legg, head of cloud services at SecureData, who thinks the old regime "limited the adoption of some services as they didn’t provide the assumed level of accreditation required" which in turn often required cloud providers to invest considerably to gain pan Government accreditation or other assurances. "The focus on risk management based decisions will enable a more commercial, commodity consumption approach" Legg insists.
The changing shape of the public sector cloudscape So will the public sector cloud security landscape be altered, in the light of this new policy document? That's another interesting question, because there appears to be no clarity at the moment as to whether the new system will assimilate the old impact levels for CSPs. Some observers think that Cabinet Office advice suggests it will, with IL3 becoming 'Accredited Public Cloud Services', IL2 'Assured Public Cloud Services' and IL0 'Unassured Cloud Services' which would, effectively, change nothing but the name.
Yet without some implementation of service assurance levels within that ridiculously broad 'official' classification it's hard to see how the public sector cloud market could be anything but more labour-intensive, and thus costly, than it is today.
Driving up costs, as anyone with experience of G-Cloud will tell you, is not the way to get a fast migration. Then there's the security challenge for many parts of the public sector that comes in the form of whether they adopt a separate cloud solution for publicly available content (educational materials, for example) to those that share and manage sensitive content. "Given that classification is down the author of a document or email" Jes Breslaw warns "if a hybrid system or dual solution is selected and the file is incorrectly categorised, there will always be a risk of leaking sensitive content into the public cloud."
Where the cloudscape dynamics will likely change as a result of the new GSC policy, is the new players that will be encouraged to come play in the market. Players, according to David Slater, that were traditionally providing government ICT services. "This is also being driven by the government being SME friendly" Slater says, adding "this will introduce new innovative solutions that can help government radically change the way that they deliver public services and engage with citizens."
So let's cut straight to the chase: will the new Government Security Classifications help or hinder cloud adoption in the public sector? Robin Pape, public sector advisor at Memset, is pretty sure that in the short-to-medium term at least they will hinder take-up as customers try to understand the new system which encourages them to look for solutions specific to their situation.
"This does not preclude the use of standardised cloud services as part of their solution" Pape explains "but is sending a different message from G-Cloud, which has been promoting standardisation."
And there lies the rub. For the 'official' classification, customers will be expected to consider how each cloud service measures up against 14 cloud service security principles which are not quantified, which will require more time, effort and expertise than the old three-level IL system.
This confusion will be compounded by the fact that only central government is adopting the new classifications this April, with police forces following later in the year and no timeframe for any other part of the public sector yet announced. With old and new systems, by necessity, therefore running in parallel on G-Cloud for some time to come yet it's hard to see how this is going to pan out well...
