How parliament's IT secures MPs' data access

G-Cloud is part of the accreditation process for selecting public cloud providers. But parliamentary ICT director Joan Miller had deep discussions with Microsoft on Office 365

G-Cloud is part of the accreditation process for selecting public cloud providers, which means software and services have been cleared for government use.

But parliamentary ICT director Joan Miller took extra precautions and had deep discussions with Microsoft for providing MPs with email via Office 365.

Microsoft Office 365 has attained Impact Level 2 accreditation on the Government G-Cloud CloudStore, which means the cost of an Office 365 security incident to the public sector is under £1 million.

As Computer Weekly has previously reported, the online email and office collaboration suite is on G-Cloud and has been selected as the cloud-email provider for Parliament, to provide secure, cloud-based email for MPs.

Speaking at the Cloud Expo 2014 conference in London, Miller admitted the parliamentary ICT team had deep discussions with Microsoft on the level of security the supplier could offer.

Securing Parliament

As Computer Weekly has previously reported, parliamentary ICT provides MPs with secure iPads. Miller has issued tablet devices to the 23 committees who have gone paperless. They receive papers for committee meetings electronically and use the tablet device to read the papers.

A guide to keeping MPs' IT secure

  • Don't link personal and work life
  • Don't use personal email for work contact
  • Don't email between work and personal email
  • Don't use personal accounts at work
  • Don't phish
  • Don't use free wifi
  • Use antivirus
  • Consider running a safe operating system

Source: Joan Miller, Parliamentary ICT director

Her talk at Cloud Expo focused on the security of data, and where that data could be hosted safely. She said: "We engage with the public and they engage with us. Sometimes we have information in the public zone, but some data needs to be secured."

From a security perspective she said parliament has needed to accept that it no longer controls data. "As the internet grows, we are not in control and the way people use it is not IT's choice."

Data is increasingly being accessed from mobile devices but she accepts locking down devices is not always possible and such a policy can impact usability. She said: "We have to advise users on the safe way to use equipment. We have to be secure and we have to balance cost. The real fight is balancing usability with security."

She said: "We don't lock down the environment in parliament because we only provide a subset of the data members use." The UK Data Protection Act identifies data that is most secure and the rules to govern the use of personal data.

In her presentation, Miller showed a table from the Information Commissioner, illustrating that user error was the most common reason for data breaches. She said: "Our emphasis has to be on users’ safe practices."

Only 2-3% of parliamentary data is protected by the DPA. Miller said most datasets have time-based security, and can be disclosed via a FOI (freedom of information) request.

Read more on Cloud computing services