The Government yesterday (July 21) warned IT suppliers seeking to join G-Cloud that this is the last month they can apply for Pan Government Accreditation (PGA) as security classifications change.
PGA certifies IT suppliers to handle data of various grades of sensitivity under the impact level (IL) classification scheme, which was replaced in April by the Government Security Classification Policy.
The new grading system replaces the IL system, which measured data security on a scale of one to six, with just three categories – Official, Secret and Top Secret.
But G-Cloud 5, the latest version, still runs the IL system.
This is all set to change in the autumn, when G-Cloud 6 is released – and the biggest changes will affect both buyers and suppliers of cloud IT services.
Here are five ways it will.
Buyers will be more responsible for picking the right supplier
Under the new policy, public sector IT procurers will have to judge for themselves whether or not a particular supplier is suited to the sensitivity of data the procurer needs it to store.
Cloud security firm Skyscape’s head of compliance, John Godwin, says: "There’s certainly potential for confusion but we’re embracing the new framework and trying to work out how to help the buyers make the best decisions.
"The changes make a lot of sense. Making the organisation that owns the data more responsible for how it selects its hosting provider seems a very sensible step."
The worry is how IT-savvy a buyer needs to be to assess a supplier accurately.
Luckily, there is some advice out there for buyers. Firstly, the Cloud Security Principles provide a list of 14 considerations to have in mind when evaluating a supplier.
Suppliers will undergo a questionnaire
The Cabinet Office will distribute questionnaires to G-Cloud suppliers asking them to self-assess and provide an accurate description of their own security measures.
These will demonstrate how they meet the Cloud Security Principles, making it easier for both supplier and buyer to decide whether they match up.
These "self-assertion statements", as the Cabinet Office describes them, will form part of the suppliers’ entries on the Digital Marketplace – where G-Cloud services are procured – and suppliers will be able to update these statements continuously, so buyers have the latest information.
This should be a bit easier for suppliers than the PGA process has been.
Officially an effort
One problem, though, is that IL had six ranks of data sensitivity. The new classifications fold roughly what would have been IL1 to IL3 data into a single category, Official.
The Government defines this information as "The majority of information that is created or processed by the public sector. This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile."
It adds that although attackers might gain access to such data, stronger controls would not be appropriate for it.
The Government says this "anticipates the need to defend UK Government data or services against compromise by attackers with bounded capabilities and resources. This may include (but is not limited to) hacktivists, single-issue pressure groups, investigative journalists, competent individual hackers and the majority of criminal individuals and groups."
This, then, is potentially embarrassing but ultimately fairly humdrum data. To have to undergo a rigmarole to follow best practice in procuring a supplier who will effectively just handle your underwear is surely an unwelcome additional layer of bureaucracy for Government departments.
Official Sensitive is just confusing
But wait – Official also includes ‘Official Sensitive’, an extra data definition many argue constitutes a fourth tier.
This sub-category states that the data itself remains Official, but the impact of its loss is greater and so it needs greater care when being handled. However, seeing as it would need to be encrypted over the internet – which Official data doesn’t have to be – some say it should constitute a fourth tier.
BYOD is the work of the devil!
Another upshot of the new security classification requirements is that BYOD is all but banned.
For Official data – which as we’ve noted is pretty much all day-to-day Government information – the Cabinet Office guidance says: "A BYOD model is possible at OFFICIAL but not recommended for a number of technical and non-technical reasons.
"The risks, complexities and costs involved with introducing BYOD could potentially negate any perceived benefits."
Specifically, that’s because:
– a personally-owned device would have to be under department control while it accessed Official information
– personal and business information can’t be separated on such devices to the Government’s satisfaction
– it creates too great a risk of the data being leaked
– untrusted devices would be connecting to a department’s network
– a security breach is hard to manage without control of the device
Or they can be summed up as the Government just not trusting tablets and being a bit behind the times.