What do the changes to CESG’s new Cloud Security Principles mean? (Guest Post)

Our latest guest post is by Robin Pape who supports Memset’s public sector business by advising on public sector IT and procurement strategy, policy and security. Memset provides UK based managed hosting and dedicated servers. 

With the change in security classification to the new term OFFICIAL, replacing RESTRICTED, PROTECT and UNCLASSIFIED and the IL3, IL2 and IL0 terminology, it looks like there will be a major change in how the security of G-Cloud services is handled. 

Until now, the CESG Pan Government Accreditor has been responsible for accrediting cloud services to IL2 and IL3 levels.  This was a time- and resource-consuming exercise for both suppliers and CESG, and led to long lead times for accreditation.  However, it did provide two standard levels of assurance for customers wanting services to handle sensitive data, removing the need for each customer to accredit the services themselves.

The new approach will be based on the “Cloud Service Security Principles” published by Cabinet Office late last year and the recently-published guidance “Implementing the Cloud Security Principles” which is currently an Alpha (ie a first public draft for consultation).  The intention is that, for future GCloud framework contracts, the principles and guidance will be the basis on which suppliers describe how they address security in their service offerings.

Customers will use this information to decide which services are suitable to handle their data, depending on their assessment of its sensitivity.  This should avoid the log-jam of formal accreditation and puts the responsibility onto the customer to buy suitable services.

The concept sounds fine but a number of practical issues need to be resolved before this goes live, which may well be G-Cloud 6 in a few month’s time so there is not much time to flesh out the detail and make sure customers and suppliers understand the changes.

Key questions include:

·        Will all public sector customers have the capability to be able to choose the right services for their data based just on the supplier statements?  If not, they could either waste money on unnecessarily-secure services or risk security breaches through insecure services.

·        How much effort and skill will suppliers need to demonstrate the security of their services?  In the old system, suppliers did not need to prove anything for IL0 services but IL2 and especially IL3 accreditations were very costly.  The guidance is extensive and any supplier wanting to demonstrate a level of security will require resources and capabilities.

·        How will customers and suppliers be able to transact business easily without the old standard levels of assurance?  G-Cloud must make it quick and easy to buy commodity services, but a long security-checking process for each purchase would make G-Cloud less attractive and slow down take-up even more.

Whether you are a G-Cloud customer or a supplier, you should make sure you understand these changes which will alter the way the G-Cloud market works in future, and engage by providing feedback to the Cabinet Office on the Alpha version of the guidance.

Related reading