
Government cloud security classification confusion dogs Digital Marketplace listings

Misinterpretation of the Government Security Classifications could result in the overprovisioning of public sector IT systems

Public sector IT buyers could be duped into paying more than they need for cloud systems because of confusion over the levels of protection required for data they create and process.

The Government Security Classifications (GSC), published in April 2014, state public sector data can be marked up as official, secret or top secret based on how important it is to matters of national security.

Data considered to be of utmost importance to safeguarding national security interests is termed secret or top secret, while the majority of the routine information the public sector generates is classified as official.

“About 90% of government information is in the official tier because – to be quite honest – no-one really cares about that in the wider world,” Tony Richards, CTO at cybersecurity consultancy SecureStorm and former head of security for G-Cloud, told Computer Weekly.

In instances where the sharing and distribution of official data may need to be restricted to a certain group of individuals on a need-to-know basis, it is described as being “official-sensitive” to acknowledge the need to keep access tightly controlled.

“If you print something off that is only for the eyes of a select few people, there would be the words ‘official-sensitive’ at the top and the bottom of the page to remind you not to leave it on your desk or put it in a waste paper basket in the middle of Parliament Square,” he said.

“It is just to remind people not to leave this type of material lying about, because it is only supposed to be shown to the select few people.”

The label is not recognised, under the GSC policy, as a standalone data classification in the same way as official, secret and top secret are, but that has not stopped some G-Cloud providers from acting as if it is.


Around 4% of G-Cloud service providers are understood to use the “official-sensitive” term in either their product titles or service descriptions, and there are 564 listings featuring the descriptor included in the Digital Marketplace.

Some have even gone so far as to create separate product entries within the Marketplace for official-sensitive versions of their products, suggesting they are accredited for use with official-sensitive data.

After trawling through these services, Computer Weekly uncovered a number of instances in which suppliers were quoting higher prices for official-sensitive products, despite the fact that official-sensitive is not recognised by the government as a data classification.

Overpaid and overprovisioned?

In the opinion of Richards – and others Computer Weekly has spoken to – public sector IT buyers could be spending more than they need to on protecting their data because of the confusion surrounding how official-sensitive information needs to be stored and protected.

For example, the ability to circulate and share data described as official-sensitive can be restricted with access controls, but buying a standalone system to manage it is unlikely to be necessary.

“Electronically, [official-sensitive] means access should only be granted to a small group of known people that have a need to know. That is it. It is not a separate marking that requires vast reams of encryption or separate systems to protect it,” said Richards.

Speaking to Computer Weekly, John Glover, sales and marketing director at G-Cloud-listed collaboration software provider Kahootz, echoed these sentiments, saying suppliers should work to ensure their products natively support the data protection requirements of all public sector organisations.

“We regularly talk to the Ministry of Defence and our other clients about what extra security controls they would like, so we can build that in,” he said. “I don’t want them thinking they need another system for official-sensitive.”

Government guidance

The Government Digital Service (GDS), in partnership with the Cabinet Office, published a piece of online guidance along these lines on 3 February, targeted at public sector IT buyers.

The guidance warns public sector IT buyers not to seek out systems described as “good for official-sensitive”, because doing so could leave them unnecessarily over-provisioned.

“Don’t look for assurance that a system is ‘good for official-sensitive’. A system that can handle official data may be appropriate to handle sensitive information,” said the guidance.

“Most digital systems will also support technical controls, such as access control and audit logging. If your system doesn’t have technical controls, you need to make a risk-based decision on where to store their information.”
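The guidance’s point that an official-tier system with access control and audit logging is usually enough for official-sensitive material can be made concrete in code. The following is an added illustration, not code from the guidance, GDS or any supplier: a single system holds records that are all at the official tier, and the official-sensitive caveat is enforced as a need-to-know group check on the same system rather than by a separate product. The user names, record identifiers and in-memory audit log are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Record:
    """A record held at the OFFICIAL tier. `sensitive` is a handling
    caveat on the record, not a second classification."""
    record_id: str
    sensitive: bool                              # OFFICIAL-SENSITIVE caveat applied?
    need_to_know: FrozenSet[str] = frozenset()   # user ids with a need to know


# Constructed sample data: users cleared to handle OFFICIAL material on this system.
OFFICIAL_USERS: FrozenSet[str] = frozenset({"alice", "bob", "carol"})

# Constructed sample records on the same system; only one carries the caveat.
RECORDS: Dict[str, Record] = {
    "minutes-2015-02": Record("minutes-2015-02", sensitive=False),
    "hr-case-0042": Record("hr-case-0042", sensitive=True,
                           need_to_know=frozenset({"alice"})),
}

# In-memory audit trail for the example; a real system would write to
# append-only storage that the users being audited cannot modify.
AUDIT_LOG: List[dict] = []


def authorise_read(user: str, record_id: str) -> bool:
    """Decide whether `user` may read `record_id`, and log the decision.

    Two checks, both on the same system:
      1. the user must be cleared for OFFICIAL material at all;
      2. if the record carries the OFFICIAL-SENSITIVE caveat, the user must
         also be in that record's need-to-know group.
    Every decision, allowed or refused, is written to the audit log.
    """
    record = RECORDS.get(record_id)
    if record is None:
        reason, allowed = "no such record", False
    elif user not in OFFICIAL_USERS:
        reason, allowed = "user not cleared for OFFICIAL", False
    elif record.sensitive and user not in record.need_to_know:
        reason, allowed = "not in need-to-know group", False
    else:
        reason, allowed = "granted", True

    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "record": record_id,
        "allowed": allowed,
        "reason": reason,
    })
    return allowed


def denied_reads(user: str) -> List[str]:
    """Records that `user` was refused, read back from the audit trail.
    This is the kind of query a reviewer runs when checking that the
    need-to-know restriction is actually being enforced."""
    return [e["record"] for e in AUDIT_LOG
            if e["user"] == user and not e["allowed"]]


if __name__ == "__main__":
    for user, record_id in [("bob", "minutes-2015-02"),
                            ("bob", "hr-case-0042"),
                            ("alice", "hr-case-0042"),
                            ("dave", "minutes-2015-02")]:
        print(f"{user:6} {record_id:16} allowed={authorise_read(user, record_id)}")
    for entry in AUDIT_LOG:
        print(entry)
```

Bob can read the ordinary official record but is refused the official-sensitive one because he is not in its need-to-know group; Alice, who is, gets through; Dave, who is not cleared for official material at all, is refused everything. None of this needs encryption beyond what the official tier already has, or a second system.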

The Cabinet Office’s guidance has been welcomed by former G-Cloud lead, Mark Craddock, who told Computer Weekly the confusion over what official-sensitive means may have led to the creation of overly complex IT systems in the public sector.

“Now the Cabinet Office has clarified the situation, government departments and suppliers can now start to remove the complexity in their infrastructure services,” he said.

Suppliers can describe their services how they like

In a follow-up statement to Computer Weekly, a Cabinet Office spokesperson said that, while it does not recognise official-sensitive as a data classification, suppliers can describe their services how they like.

“Suppliers can choose how to describe their services to reflect what they offer to buyers. We review any inaccurate service descriptions which are brought to our attention and if necessary, we work with the supplier to update the description.”

Even so, Kahootz’s Glover said suppliers should exercise caution when describing the security credentials of their products, and avoid getting too carried away.

“It would be unwise to label yourself as official-sensitive. You might say a department has approved a service’s use up to official-sensitive, which is fair enough because they have to give that guidance [to the users],” he said.

“The Ministry of Defence told their staff it can be used up to and including official-sensitive information if they need to give some level of guidance to people.”
