Cloud computing security affecting G-Cloud adoption

The managing director of service provider Pentura discusses the security issues associated with cloud computing in the public sector and how they are affecting adoption of the Government Cloud.

Steve Smith, Contributor

The adoption of cloud computing is causing significant concerns around privacy and security in the public sector.

The benefits for cloud computing are very compelling, especially as the government looks to the private sector for proven techniques to drive down back office costs, make the most of new technology and use new management practices to encourage efficiency. With plans to cut public sector expenditure by up to £60 billion a year, the benefits of cloud computing are ever more persuasive.

The benefits of cloud computing
Cloud computing has many advantages for the public sector, such as the potential to reduce information and communications technology (ICT) costs, scalable data storage capacity and flexibility for users to access information wherever they are. Government departments can also focus on delivering high-quality performance to taxpayers rather than worry about server and software updates.

Some international public sector departments have already made the move into cloud computing, such as the Ministry of Internal Affairs and Communications in Japan. The department has announced plans to migrate all government agencies into a private cloud environment by 2015. This is in line with Gartner's predictions that by 2012, 80% of Fortune 1000 enterprises will pay for some cloud computing service, while 30% of them will pay for cloud-computing infrastructures.

With plans to cut public sector expenditure by up to £60 billion a year, the benefits of cloud computing are ever more persuasive.

Steve Smith, managing director, Pentura,

The UK is following this trend with its plans for G-Cloud, especially as Lord Carter, the communications minister, has said that "substantial savings" can be made in public spending by building a government-wide cloud computing platform. In the government's Digital Britain report, Carter stated that the G-Cloud should be created within the next three years to allow local and central government departments to share centrally hosted applications.

The Communications & Electronic Security Group (CSG) is the information security arm of the Government Communications Head Quarters (GCHQ), one of the three U.K. Intelligence Agencies and a part of the U.K.'s National Intelligence Machinery. GCHQ works in partnership with the Security Service (MI5) and the Secret Intelligence Service (MI6) to protect the U.K.'s national security interests; however, with so many different departments managing security for the government, it becomes very difficult for potential users to gain authorised access to government networks. The G-Cloud will integrate and take the responsibility away from these isolated security departments, allowing the government to handle all servers and infrastructures centrally, which will substantially reduce internal resource costs.

The global recession has reinforced the financial benefits of cloud computing, as tighter budgets and cost cutting exercises force organisations to look closely at technologies that achieve cost-cutting. Countries such as Iceland are now investing heavily in data centres for organisations like Google to run cloud computing systems, due to their unique ability to cool data centres far easier than the U.K., and with access to cheaper electricity, it can offer facilities at drastically reduced prices.

The problems of cloud computing
Security has played a large part in the U.K. private sector's delay in moving to the cloud. Many organisations are waiting for the first significant company to take the initial step to spearhead the move to the cloud. Research released in December 2009 by a leading business and government data voice and managed services provider has shown that 74% of U.K. CIOs stated security fears prevented them from adopting cloud computing services. As Richard Thomas, the Information Commissioner, stated, all organisations, especially those storing individuals' data, must ensure it is effectively protected from compromise.

The public sector is still very nervous about allowing data to be managed outside its environment, and this is difficult for most organisations; however, Pentura believes the government's move to the cloud will pave the way for the private sector. It has very strict security measures and a Code of Connection (CoCo) that must be followed before anyone can gain access to Government networks, including requirements for firewalls, IDS and other security technologies.

The security and integrity of data is taken very seriously by the government and public sector, neither of which is willing to underwrite its overall security model. They also face difficulties in specifying a generic security model in order to secure cloud computing activities and services. Technology blurs the line between who is in control and who is responsible for protecting data, and one of the main issues is the fact it allows access to many different users from multiple locations. With the government utilising this cloud technology, it proves that security issues can be addressed successfully and should instil confidence in both the public and private sectors.

Where are we now?
There have been several high-profile incidents of data loss in the public and private sectors, which has raised awareness of how lost or stolen data can be used for crimes such as identity theft. Getting data protection wrong can bring considerable reputational, regulatory and legal penalties. Getting it right can offer considerable rewards in terms of customer trust, loyalty and confidence.

As the threat landscape changes, security professionals must adapt.

Steve Smith, managing director, Pentura,

There is no real evidence that placing sensitive public information into a cloud environment will risk breaches of privacy. Security and business continuity remain a concern for organisations considering cloud technology, despite the fact that many cloud vendors are likely to use a more robust and better-maintained computing platform that is less likely to fail. Private clouds can also tackle some of the concerns around security by keeping the benefits of cloud computing under the control of the organisation.

Many government departments are still recoiling from the public's response to past data loss incidents, such as the loss of a USB memory stick containing 750 unencrypted entries on vehicles "of interest" to police along with other intelligence in Edinburgh last year. Although the police said its loss did not compromise anyone involved in any ongoing or previous police investigations, recent research has shown that the U.K. public lacks confidence that organisations can keep their personal data secure.

The benefits of cloud computing are heavily regulated by requirements that stipulate certain information cannot go outside a country's boundary and in many cases information stored by the public sector will be susceptible to these guidelines. The government has invested enormous effort into tackling the challenge of information sharing over the past decade by developing coordination mechanisms such as enterprise architectures and interoperability frameworks. Despite all this effort and cost the move to cloud computing has still been far slower than expected due to lack of appropriate incentives and difficulty in synchronising the ICT requirements of multiple organisations conducting disparate operations.

As the threat landscape changes, security professionals must adapt. It is unrealistic to expect one security professional to manage all security in a public sector organisation and it is equally unrealistic to expect public sector departments to hire numerous teams of security professionals to achieve this.

In light of the government's new IT strategy that will focus on cloud computing, open source technology, rationalisation of data centres and plans for a government t equivalent of Apple's App Store, the G-Cloud seems imminent and necessary for sharing important information between departments. There does, however, still seem to be a lot of concern about placing potentially sensitive information outside the traditional safe havens of an organisation's physical boundaries. To tackle this issue, G-Cloud will only offer limited access to particular users, and they can draw on the experience from NHSnet to ensure the G-Cloud is a reliable and dependable source for government departments.

Data is recognised as a currency in the world; everyone is very aware of how valuable it is, and despite an increase in data loss incidents in 2008, this has almost halved in 2009. Organisations need to take a step back and a holistic view of what they are trying to protect and identify where the high risk areas are, such as cloud services, server rooms and individual servers and then work outwards in order to protect their data.

Pentura has found that many organisations are still very early in the adoption of Data Leakage Protection (DLP). The problem is that many do not know where to start. Companies need to gain visibility of how big their data security problem may be and define a data security strategy that maps out what type of DLP solution is appropriate to their organisation and how to go about implementing this solution.

There have been enough breaches in the past few years to prove that organisations need to be more aware of data and how to secure it, and the government is no exception.

Steve Smith is the managing director of vendor independent service provider Pentura and a contributor to

Read more on Cloud computing services