When it comes to IT, the public sector is so often accused of trailing in the wake of commercial enterprise that it’s refreshing to discover instances where it’s truly leading the way.
But as the Government’s G-Cloud team prepares to launch a new version of its CloudStore and release the third iteration of its G-Cloud framework agreement (Giii) in early May, it’s clear that it can teach the private sector a thing or two about sourcing Cloud software.
I’ll return to the new CloudStore shortly, but first it’s worth casting an eye on how businesses are sourcing and implementing software, and the risks that many of them are running with confidential and sensitive data.
According to the recent Gartner report, Enterprise App Stores Can Increase the ROI of the App Portfolio, 25% of enterprises will have their own app store by 2017. Businesses are going down this route not only to get greater control over software expenditure and improve their negotiating position with app vendors, but crucially to also get full control over the software downloaded and used by their employees.
Employees drive enterprise to the cloud
It’s an essential step. A study by CDW of 1,242 IT professionals found that 73% of organisations that had made an official move to cloud computing had done so because they were ‘significantly influenced’ by employees’ personal use of cloud apps and mobile devices.
When employees use Cloud solutions like Dropbox, Google Drive and Microsoft SkyDrive, it raises major security concerns. Dropbox has a long history of security breaches that have seen users’ accounts hacked and private files made publicly accessible. Microsoft has been accused of accessing users’ files, and similar security-related questions hover over many of the most popular Cloud applications.
In an attempt to reconcile convenience and productivity with security, increasing numbers of businesses are implementing a Cloud First Policy, and even going down the route of creating their own app stores, populated by software sourced from approved suppliers.
In this way, employees can adopt software that meets their needs, but which has also been vetted.
But there’s a flaw. It can be very difficult for businesses to get independent verification of suppliers’ security claims. And in the absence of a recognised private sector accreditation scheme that validates suppliers and the security of their software, businesses have to ask themselves whether marketing claims or even contractual terms are enough to guarantee their corporate data is stored securely and kept safe from attack.
CloudStore sets the gold standard
Returning to the CloudStore, it’s clear that when it comes to the procurement of pre-accredited Cloud services the public sector is leading the way.
The CloudStore is a catalogue of services, many of which are going through pan-government security accreditation for public sector use. This not only makes procurement quick and simple, but also reduces the risk of ICT deployment since many of the services available offer try-before-you-buy options and easy-in, easy-out contract terms.
Before any software gains security accreditation it has to undergo some of the most rigorous security checks available. In order to gain IL2 accreditation for our Kahootz collaboration solution, we first had to confirm that the organisation had been awarded ISO 27001 certification. This international standard ensures that Kahootz has a management-led commitment to information security and a robust system to manage and protect information. It also confirmed that Kahootz conducted regular internal audits on security risks, threats, vulnerabilities and impacts - and these are all verified by an independent third-party audit every year.
Next we had to commission an independent IT Health Check - which is similar to a penetration test but far more in-depth - based on an agreed scope with our pan-government accreditor at CESG (GCHQ). This test, which is repeated annually, covers:
- Defence against a wide range of attacks
- Separation of data
- Escalation of user privileges
- Session management and log-on security
Finally, we needed to provide a Risk Management and Accreditation Documents Set (RMADS) using independent CLAS consultants. Only when all this work was done were we able to gain security accreditation for Kahootz within the CloudStore.
In this way, the G-Cloud ensures that every single item of accredited software offered to the public sector via its CloudStore meets and exceeds a gold standard of security, confidentiality, integrity and availability.
Can the private sector learn from the G-Cloud?
As increasing numbers of enterprises create their own app stores, they could do much worse than take a leaf out of the UK Government’s CloudStore book. There’s certainly room for an accreditation scheme that could harmonise security testing and standards across the private sector - or perhaps public sector standards will simply become the default?
Buying accredited software could help businesses cut costs by reducing the need to conduct their own supplier checks, and as the accreditation scheme gained trust it could help high-quality independent suppliers pick up market share.
In fact, why not simply adopt the UK Government’s IL accreditation standard? If it meets Government security requirements and standards, it should surely meet the requirements of SMEs and large enterprises.