Cloud suppliers call for clearer guidelines over revised security classifications

A group of cloud suppliers have raised concerns over the lack of guidance surrounding the government’s latest security classifications.

At a roundtable meeting organised by cloud SME Skyscape, various G-Cloud suppliers warned that the new categories could be confusing for the market.

The roundtable attendees called for education for both suppliers and buyers to help them understand the security classifications introduced by government in April, which are expected to be rolled out with the new iteration of G-Cloud 6 when it is released.

“Previously, life was very clear,” said Simon Hansford, CTO of Skyscape. “It wasn’t necessarily correct, but it was clear.”

Information used to be classified into six categories: Unclassified, Protected, Restricted, Confidential, Secret and Top Secret, or Impact Level (IL) 1-6.

In its first overhaul since World War Two, the government replaced the former classifications with three new categories: Official, Secret and Top Secret.

But some suppliers at the roundtable said the previous categories were much clearer than the three new classifications.

The new classifications also encourage buyers of cloud services from G-Cloud to research and ask suppliers questions about their security offerings.

A blog post from March stated: “When the new classifications go live, buyers will be looking for services that can be used with 'official' data and not for IL 2 or 3. We will be advising Government buyers to really think about their security requirements and use the Classification Policy Controls Framework and Cloud Security Principles as the basis for their decision-making.”

But the suppliers attending the roundtable expressed concerns that customers may become confused and not know if a service is suitable.

“Our customers are expected to go out into the official space and make informed decisions and ask the right questions,” said John Godwin, head of compliance, IA and operations at Skyscape. “How are they going to do that? It’s a big ask.”

Tim Hanley, partner at Rainmaker Solutions, noted that the changes were a “generational change” and would take time to implement.

But during this phase of change, customers who interpret the classifications and suppliers incorrectly could risk security data breaches.

“A customer which doesn’t understand the question they’ve been asking or how to interpret the answers they’re getting is potentially going to be putting public sector data at risk,” said Godwin.

The cloud suppliers also said that without the correct education, buyers could push their data into the wrong categories, either making the data safer than it needs to be or, in trying to save costs, not protecting it enough.

But Nick Ewer, product manager at Thales, said it is important to promote good behaviours. “It’s too easy to tick the IL3 box,” he said. “They have to think about their information.”

Tony Singleton, G-Cloud and digital commercial programme director, was also in attendance to listen to the concerns of the suppliers. He said when suppliers enter bids for G-Cloud 6, they will need to answer a questionnaire to detail what security levels they have in place, as well as providing documentation.

During the roundtable, Singleton also confirmed that the new Government Digital Marketplace would begin alpha testing in the coming days, ahead of a live public testing release in September.
