View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cloud
March 14, 2019updated 05 Jul 2022 9:31am

Are You Being Sold an “OFFICIAL-SENSITIVE” Load of Hot Air?

"Don’t look for assurance that a system is ‘good for OFFICIAL-SENSITIVE'"

By CBR Staff Writer

Computer Business Review sees more and more technology vendors announcing products suitable for “OFFICIAL-SENSITIVE” classified workloads.

Amid the government’s “cloud first” policy and with a wide range of public sector buyers looking to shift compute or storage workloads to the public cloud, it’s a seller’s market; dubious claims of security accreditation proliferate as a result.

Sometimes the providers say their services are “OFFICIAL-SENSITIVE-accredited”.

This, also, means nothing whatsoever.

As Cabinet Office guidance makes crystal clear: “‘OFFICIAL-SENSITIVE’ is not, strictly, a classification.” (And there is no accreditation scheme in place for this made up category, nor indeed for the real category of “OFFICIAL”).

It adds: “Don’t look for assurance that a system is ‘good for OFFICIAL-SENSITIVE’. A system that can handle OFFICIAL data may be appropriate to handle sensitive information.”

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

What is “SENSITIVE” information then? (It’s another popular term in marketing packs).

The term, again, is not a security classification.

Rather, it is a “handling caveat for a small subset of information marked OFFICIAL that require special handling by staff.”

So What Are the UK’s Security Classifications? (And What is a System that can Handle OFFICIAL Data)?

Happily, for simplicity’s sake, there are just three security classificiations: OFFICIAL, SECRET and TOP SECRET.

When it comes to “OFFICIAL”, there simply isn’t any official accreditation scheme to handle such data or workloads.

UK security classifications

The typical threat profile for the OFFICIAL classification is broadly similar to that faced
by a large UK private company with valuable information and services, government guidance notes.

“It anticipates the need to defend UK Government data or services against compromise by attackers with bounded capabilities and resources.”

See also: The Police Are Not in the Cloud: FoI Shows Officers Remain on Premises

Technical controls at this level will be based on “assured, commercially available products and services, without need for any bespoke development.”

In short, IT designed to be appropriate for OFFICIAL is expected to make use of good, well configured and managed commercial technologies… Like, well, the technologies everyone should be using.

Hold On, But… OFFICIAL-SENSITIVE!

The government’s own use of OFFICIAL-SENSITIVE as a descriptor is where the waters get a little muddy.

It notes: “There is no requirement to explicitly mark routine OFFICIAL information. Baseline security measures should be enforced through local business processes.”

“[But] In such cases where there is a clear and justifiable requirement to reinforce the ‘need to know’, assets should be conspicuously marked: ‘OFFICIAL–SENSITIVE’” (even though, as noted above, this is not security classification).

Regardless: if you are a public sector buyer and being told a solution is accredited for SENSITIVE, OFFICIAL-SENSITIVE or just plain and old fashioned OFFICIAL workloads, it is nonsense and to be disregarded. There is no such accreditation.

Buyers can refer istead to the NCSC’s Cloud Security Principles for security guidance. There are also minimum cybersecurity standards applied to public sector customers; these essentially define normal good security practices.

As one official told us: “HMG customers moving to the cloud need to make a judgement about what is right for them, manage any particular/specific risks they face and importantly maintain any technology they procure (or have confidence it will be done for them in a shared responsibility model typical of cloud).”

Meanwhile, be wary of made up accreditations…

See also: New “100% UK Sovereign” UKCloud Service Takes Pot Shot at US CLOUD Act

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU