Cloud First: the public sector secure software revolution

Posted by John Glover

12-Apr-2013 11:12:00

It’s a no-brainer for any government wanting to save money to move services and public sector software to the Cloud. 

The cost-efficiencies can be quite simply startling. In this video, US Chief Information Officer Vivek Kundra cites the examples of two agencies that moved their email systems to the Cloud, saving $45 million, and explains how his department has identified 800 data centres that will become surplus to requirements and shut down by 2015, saving billions of dollars.

Here in the UK, Government use of the Cloud is also gathering serious momentum. Denise McDonagh, Programme Director of the Government’s G-Cloud procurement initiative, has recently introduced a ‘Cloud First’ policy that mandates all central government departments to consider a Public Cloud solution before embarking on any other approach.

The only fly in the ointment, however, is the issue of security. Many government departments may resist moving sensitive data to the Cloud because their IT decision makers feel it’s not secure enough. It’s certainly an issue that Kundra faced in the US:

“The challenges come down to how the old guard perceives technology. They always tended to bring up the issue of security so we took that head on and opened up an intellectually honest debate about security.”

In fact, Kundra asserts that Cloud software is more secure, not less, than traditional solutions.

“My view is that the Cloud is far more secure than a traditional environment because what you don’t have is a fragmentation of digital assets…[or] talent.”

But attitudes are hard to change, as McDonagh is the first to admit. That’s why she’s taking the Cloud message direct to departments.

“The G-Cloud team needs to embed the concept of champions and the understanding of the G-Cloud ethos in other departments. We are working with other departments on that to develop a network of champions.”

It’s an important step in the current climate. Whether officially sanctioned or not, the fact remains that public sector employees are reaching for the Cloud. 47% use the Cloud to share critical documents, and their use of solutions like Dropbox, Google Drive, Microsoft Sky Drive and others is raising major security concerns.

Furthermore, with 73% of employees in local government, healthcare and education allowed to use their personal devices at work, it’s imperative that public sector organisations are able to offer alternative Cloud software solutions that are not only functional and easy to use, but have near-bulletproof security.

McDonagh’s solution is for public sector organisations to source top-quality software via the G-Cloud’s approved online catalogue of solutions and then offer them to employees, for use on official and personal devices. Luckily her team certainly have a head start in tackling security concerns, thanks to the G-Cloud security vetting process.

Before any software gains security accreditation for sale to the public sector via the G-Cloud CloudStore, it has to undergo some of the most rigorous security checks available.

To give just one example, in order to gain IL2 accreditation for our Kahootz secure collaboration solution, we first had to confirm that the organisation had been awarded ISO 27001 certification. This international standard ensures that Kahootz has a management-led commitment to information security and a robust system to manage and protect information.  It also confirmed that Kahootz conducted regular internal audits on security risks, threats, vulnerabilities and impacts — and these are all verified by an independent third-party audit every year.

Next we had to commission an independent IT Health Check - which is similar to a penetration test, but far more in-depth - based on an agreed scoping with our pan-government accreditor at CESG (GCHQ). This test is repeated annually and includes:

  • Defence against a wide range of attacks 
  • Separation of data
  • Escalation of user privileges 
  • Session management and log-on security

Finally, we needed to provide a Risk Management and Accreditation Documents Set (RMADS) using independent CLAS consultants.  Only when all this work was done were we able to offer Kahootz via the CloudStore.

In this way, the G-Cloud ensures that every single item of software offered to the public sector via its CloudStore meets and exceeds a gold standard of security, confidentiality, integrity and availability.

Is this a model that appeals to you? With 58% of organisations wanting more support and advice from IT vendors on how to handle employees who bring their own devices into the workplace, does the G-Cloud initiative offer you a viable solution? And do the G-Cloud security checks compare favourably with the way you currently assess applications to make sure they meet security requirements?

Or perhaps you think the ‘Cloud First’ policy is a heavy-handed attempt to force the public sector into using the Cloud? We’d be interested to hear your thoughts – please contribute to the discussion by commenting below.

Tweetables:

  • 73% of local government, healthcare and education organisations allow their employees to BYOD
  • 58% of organisations wanting more support and advice from their IT vendors, as they are struggling to cope with managing BYOD
  • 47% of employees in the #publicsector are using the #cloud to share critical #documents - #security concerns
  • #CloudStorage - a #security time bomb for the #publicsector ?
  • Use of Google Drive, Microsoft Sky Drive, Box and DropBox raises #security #concerns in the #publicsector


Topics: public sector, business file sharing, g-cloud