The government is moving fast to make better use of cloud computing – but concerns remain over security, particularly when Whitehall shares a virtual space with other organisations. Mark Rowe examines the issues.
Few topics are more likely to make civil servants wince with trepidation than data security. But while newspaper headline-writers roll up their sleeves with dark relish whenever a government CD or laptop is misplaced, the onerous demands of data – how to store it and, just as important, how to keep hold of it – are inescapable. Now an emerging technology offers opportunities and challenges for civil servants, presenting the prospect of both cheaper data storage and more efficient, joined-up public services – plus, on the negative side, new potential avenues for data theft.
From dust-covered files in padlocked storage cupboards to encrypted CDs, data storage has been on quite a journey through the decades. Now, it’s going upwards to the ‘cloud’: vast reserves of storage space and computing power, held on distant servers and accessed online. Just as Google, Dropbox and the like allow us to keep documents and photographs, and to share them as we choose, the government’s ‘G-Cloud’ is designed to offer secure, flexible storage space and access to software. It is also the portal to the Government ‘App’ Store (see box, p18), an online catalogue through which public bodies can buy information and communications products and services.
While moving to cloud computing has many potential benefits, human errors or criminality could still lead to security breaches. Some civil servants are also concerned about the prospect of sharing cloud space with other organisations, the security defences surrounding each cloud, and the risk of breaching laws about where government data can be stored.
The key security benefits of cloud computing, according to the Foreign Office’s trading fund FCO Services, lie in its economies of scale. By combining the data storage budgets of a large number of buyers, cloud managers can put much more investment into security systems than is possible on the smaller, bespoke systems currently used by many departments.
David Williams, FCO Services’ operations director, argues that this aspect of cloud computing enables relatively small buyers to enjoy security systems that would otherwise be out of their reach. “Even the smallest service benefits from the highest level of protection,” he says. Cloud systems often offer greater ‘situational awareness’ than traditional data centres, with live threats being monitored in real time by dedicated teams of IT security specialists.
But we’re not quite there yet. On Monday, the Institute for Government (IfG) published its review of the government’s ICT strategy: System Upgrade? (See news.) This found evidence that some IT programmes are racing ahead when, in the words of IfG programme director Tom Gash, “there should probably have been more consideration of security issues upfront.”
The IfG also concluded that the government’s ICT strategy has not been sufficiently co-ordinated when it comes to implementing essential elements such as security. “There’s a growing awareness that certain things have gone ahead of others,” says Gash. “People within government have told us that different strands need to be fitted together, and they are now starting to make sure this happens. If security issues aren’t thought through in a timely way, this can slow down progress – whether government is implementing G-Cloud or promoting remote working.”
Who might storm a cloud?
Like a flame attracts moths, government data has long drawn in hackers – so it’s hard for anyone to pledge universally watertight security. But the consensus is that the cloud should enhance the protection of data.
Ian Osborne, project director at IT trade association Intellect, believes that the major data centres operated by the likes of Amazon and Google are robust, and that putting data on an equally robust public sector cloud will satisfy many security needs. “Central government had 40,000 or so servers the last time we looked,” he says – guarding it is a relatively small job for big private sector players. And Williams argues that, compared to holding data in a network of servers, the cloud structure increases security because “you are reducing the amount of traffic moving through different routes; reducing the paths by which information can move around.” In addition, the physical barriers can be formidable: the FCO’s cloud centre near Milton Keynes comes complete with high walls and air locks.
Of course, any data storage operation is only as secure as the people who can access it. But the government already has a well-established system of security clearances for its staff, contractors and suppliers: staff are security vetted, and data’s sensitivity graded by impact level (IL) on a scale of one to six (where six is the highest clearance). The government’s secure intranet (GSI) network can only be accessed by those cleared to access data graded at IL3, providing an initial hurdle; and within the GSI system, data storage areas can be created that have no direct connection to the public internet or access from it. This enables FCO Services, for example, to operate what is in effect a private cloud, accessible to most Whitehall civil servants but well guarded from attack or unauthorised access.
Departments can also go a step further in vetting staff. For example, all FCO staff who use or develop cloud computing or access data are checked to either Security Check (SC) level – which involves criminal record, credit reference and security service checks – or the higher Developed Vetting (DV) level, which requires additional reviews of personal finances, an interview, and further enquiries including interviews with character referees and current and previous supervisors. FCO Services says that its secure cloud system offers the public sector the security benefits that the private sector has enjoyed for some years.
Cock-ups, not conspiracies
Even if these systems guard against criminality or espionage, however, there’s still the danger of accidental data breaches. Will Harvey, HMRC’s information risk manager, notes that the tradition of lost log-ins and long-unchanged passwords will not be automatically solved by cloud storage. “You can’t fall into the trap of thinking everything is on a cloud so you don’t need to do anything any more,” he warns.
Given the “issue of human frailty”, says Intellect’s Osborne, one potentially vulnerable area is the practice of accessing the cloud from home PCs. “It’s secure if everyone follows procedures, but people need to be aware,” he says. “For example, if their computer goes to sleep, have they logged out?”
Nonetheless Osborne, who has advised the government on the G-cloud’s development for the past two years, argues that the cloud is less open to human error than other systems. “Information on a laptop or a memory stick is not secure, so if the data is stored in a cloud, you would have to conclude that the security is at least the same if not better,” he says. “The thing is to train staff. Senior people in IT do not leave their laptops anywhere. They are surgically attached to them!”
Lesley Sewell, head of IT for the Post Office, is more sanguine. “I’m of the mind that mistakes will happen,” she says. “It comes down to clear policies and governance. You can only go so far if someone loses their Blackberry and it’s got the password on the back. It’s more to do with processes and procedure, rather than how data is managed and stored.”
Given the right procedures, systems and training, it seems likely that private clouds – which are built for the sole use of a single buyer, and ensure that systems are never shared with other organisations – will be more secure than the existing situation, in which data is sometimes stored on laptops or in hard copies that can be stolen or lost. “Some of the security concerns around the technology are a little unfair,” says Tom Gash. “We’re not really comparing like with like. You need to compare the new risks to the risks associated with the old paperwork way. I don’t get a sense of people working remotely worrying excessively in terms of security, and I think that’s quite positive.”
While the IfG’s research suggests that some departmental chief information officers aren’t confident that their departments have the necessary skills to implement ITC strategies effectively, Gash seems confident that as long as such dangers are acknowledged and addressed, they can be solved.
Seclusion without exclusion
While private clouds offer their users greater control and confidence, public clouds can provide better prices, greater opportunities for data-sharing, and more potential to offer service users access to their data. As to whether public clouds are as secure – well, “the debate around the public cloud versus keeping everything in-house is quite alive within the security industry,” says Harvey. “And it’s not particularly been settled.”
Public clouds hold the data of a range of organisations, and such ‘multi-tenancy’ arrangements raise concerns in some civil service quarters. Osborne, however, believes that the dangers are small. “This is talked about as a theoretical risk: you could have a rogue programme searching through, finding out what’s there,” he says. “But you don’t hear of that happening. Multi-tenancy is a common way of doing things.”
Harvey agrees. “There are assurances about separation of access. Data centres have racks of servers handling multiple accounts, and they deploy ‘hypervisors’ [virtual managers that allow multiple operating systems to run concurrently on a host computer] to ensure they remain segregated. In practice, that means if I access the server for HMRC reasons, I can’t look at Defra data that may be sitting on the same server. We just have to keep up good practice around access.”
If data is to be stored abroad rather than in the UK, however, then the Data Protection Act must first be scrutinised. “Keeping data within the UK is probably the easiest [approach], says Harvey. “The main issue is going outside the EU – the act says you can only do this with good reason; it can’t be the default option.”
With that concern satisfied, government data can be held in public clouds – given the right guarantees. The Post Office’s Sewell, for example, says she’s done a lot of work to guard her organisation’s data within a public cloud. “There are a lot of challenges over ensuring the right level of compliance,” she says. “It’s largely down to governance and the auditing process. We ask our service provider that the data is secure within the boundaries we have set.” Depending on the need, this can be ISO or Payment Card Industry compliant – the standards used by credit card agencies to protect personal information and ensure security. The Post Office has systems in place to check and test the controls that it has stipulated.
However, when it comes to highly sensitive government data, Sewell acknowledges that she’d “feel uncomfortable [storing on public servers]. There’s always going to be a mix of solutions for organisations, from having locked-down, in-house data centres to putting it out on a cloud. At one end of this spectrum the data doesn’t need to be highly secured; but at the other, you absolutely need to understand the issues around security. It’s a question of being proportionate.”
Such concerns will have to be addressed before public clouds can be used to, for example, meet the Department of Health’s ambitions to hold medical records online – and to give patients access to them. An independent panel, chaired by Dame Fiona Caldicott, is conducting a review of information governance for the health secretary, and will report back towards the end of the year with recommendations on how to structure security around these goals.
The review, according to David Knight of the Department of Health’s Informatics Directorate, “will ensure an appropriate balance between the protection of confidential and identifiable information within our health and care records, and the use and sharing of information”. This will, he says, “improve the quality and safety of our own care and benefit wider society.”
What goes where?
The Communications-Electronics Security Group (CESG), based in Cheltenham, helps decide how data should be protected; and it has drawn a clear line between IL3 and IL4 data. IL3 material may be stored off-site on public clouds, as long as staff handling the data undergo the right training and vetting. Data classified at IL4 – what Osborne describes as “the crown jewels” – can’t be stored in external public clouds. “That will remain private, within government for at least the short and medium term,” says Osborne.
As such key decisions are made, the cloud is set to become ever more important in the development of government IT – and so will the attendant headaches and potential headlines. For government data is of perennial interest to both fraudsters – who can find endless ways to turn digital information into hard public cash – and politically-motivated hackers, who often simply wish to embarrass public bodies.
FCO Services, which for all its 21st century technical poise still has responsibility for the traditional transporting of diplomatic bags around the world, acknowledges this reality. “This is not a world in which you can stand still,” says Williams.
Osborne agrees. “We’re always going to be in an arms race with hackers,” he says. “We’ve got another billion people coming online in the next 10 years: if one per cent of them decide they can make money by hacking, you’ve got another 10 million people having a pop at you. You have to assume that everything is potentially insecure, and make secure the things you really need. Anyone who claims they can make everything secure all the time probably doesn’t understand the issue.”
The G-Cloud Apps Store
The Apps store was launched in February this year – a second version was launched in May – as an online platform through which public bodies can purchase software. The store had sold about £500,000 worth of services by April, but before its launch the government needed almost two months to approve the listed suppliers: 270 companies expressed an interest in offering services. This presented the challenge of how to check them all before giving them access to the store, and officials have since acknowledged that they had not anticipated the level of interest. With the checking system now streamlined, the store will in future save departments the work of carrying out their own checks on suppliers. “It will be useful having the assurance and security accreditation carried out for us,” says HMRC’s Will Harvey. “In the past you could have six or seven departments performing exactly the same checks. Now that doesn’t need to happen.”