Government moves to ease security restrictions stifling cloud and open source

The government's IT security arm, CESG, has begun relaxing security restrictions on the software it approves for public sector use to accommodate Cabinet Office plans for cloud computing and wider use of open source.

The government's IT security arm, CESG, has begun relaxing security restrictions on the software it approves for public sector use to accommodate Cabinet Office plans for cloud computing and wider use of open source.

The electronics and computing arm of GCHQ has begun reforming its accreditations of IT suppliers to prevent CESG becoming an obstacle to the G-Cloud, through which the Cabinet Office intends to introduce a more liberal procurement regime.

The organisation has also agreed to meet open source experts and industry representatives to discuss how to stop its security precautions preventing government pursuing its policy to use more open source software in government.

Bill McCluggage, Cabinet Office director of ICT policy, told Computer Weekly: "CESG is changing its processes. We are working with it. CESG recognises there needs to be a way for new companies to offer services in the G-Cloud. CESG has been working hard on a set of new accreditation policies for the cloud."

He said the reforms aimed to avoid putting SME suppliers through a "relentless", "long-winded" and "burdensome" process "where you need to jump through x-many hoops".

"We have to make sure things are proportionate and appropriate," he said.

Accredited open source software for government

Basil Cousins, secretary of the Cabinet Office Public Sector Group (PSG), said it had invited CESG to discuss ways to ease its restrictions on the use of open source software in government systems.

"We want to agree how to ease a path for open source software being accredited by CESG. That's what we need," he said.

Open source advocate Liam Maxwell met with the head of CESG shortly after he took up his post as an advisor on IT at the Cabinet Office on 5 September, according to the uncorrected minutes of the last meeting of the PSG, a joint government-industry committee charged with helping implement open source policy.

Maxwell raised CESG's failure to accredit open source software for use in government, he told the PSG.

"CESG had already stated its position that open source and proprietary solutions were equally vulnerable," said the minutes.

CESG said in a written statement: "The vast majority of software does not require any type of CESG 'approval' before it can be used in UK government applications."

It deferred to the Cabinet Office for any further comment, with which it said it was coordinating its response.

Overcoming obstacles to open source adoption

Councillor Mark Wright, architect of open source policy at Bristol City Council, said Maxwell and McCluggage had agreed to meet with him next week to discuss ways to remove the obstacle CESG's software certification process had put in the way of the local authority's attempts to build an open source computing infrastructure.

Wright said a potential solution had already been suggested: the Cabinet Office would authorise Bristol City Council to conduct a pilot of an open source e-mail system, after he said last week that current rules left Bristol no choice but to buy Microsoft Exchange.

The councillor presumed there would be a new GCHQ certification, through which Bristol's pilot would act as sponsor for the desired open source system. The pilot would prevent the estimated 18-month duration of CESG's gruelling certification, discouraging public bodies from acquiring open source systems as it had at Bristol.

The Cabinet Office and CESG were applying a similar workaround to the G-Cloud, which the department is close to unveiling formally. The Cabinet Office is also working on reforms of procurement rules that would forbid a public sector cloud operating as it has envisaged.

Simplifying the accreditation process

Kate Craig-Wood, managing director of Memset, an SME cloud provider, said the Cabinet Office had lined up her company to test a new form of CESG accreditation after appointing Memset as a foundation delivery partner for the G-Cloud at short notice last week.

Suppliers currently have to go through due-diligence with CESG every time they want to supply to a different public body, said Craig-Wood, who co-led the technical work-stream in phase 2 of the G-Cloud. "They are trying to make it that we only have to get the accreditation once."

Suppliers can only be sponsored for a CESG accreditation if they already have a contract and could only get access to classified information they need to make the application if they were already certified to see classified information, she said.

The Cabinet Office might sponsor SMEs to get CESG certifications for the supply of IT services up to security impact level 2 on their own cloud infrastructure. The government was planning a private cloud to host suppliers of services up to impact level 3.

Read more on IT for small and medium-sized enterprises (SME)