How government security upheaval could spread confusion

An upheaval in data security classification is set to sow seeds of confusion within public sector IT departments, as a planned process of simplification has ended up confusing matters.

To go back to basics, the UK government has, for the longest time, stuck with a system of data classification known as the Government Protective Marking Scheme, which applied six levels of protective marking to identify data sensitivity, ranging from 'not protectively marked' up to 'top secret'. From 2 April, this will be replaced by the Government Security Classifications (GSC) policy document, which has just three levels: official, secret and top secret. Each of these attracts a baseline set of security controls providing appropriate protection against a spread of typical threats. The broader scope of these categories places most data into the official tier, where compromise would cause limited potential damage; both secret and top secret, by contrast, are national security classifications where compromise could lead to anything from an international relations embarrassment through to loss of life.

From the cloud perspective, it's important to know how the change will alter the handling of data when compared to the old Impact Level (IL) classifications that every public sector data handler has been used to, and whether ultimately this move will help or hinder public sector cloud adoption.

One important question to start with is: were the old IL classifications a barrier to public cloud adoption?

There's certainly an argument to be made that the IL 'language' was a familiar one for customers, and that it enabled three tiers of cloud service to be established: if data labelled 'protect' was to be handled then an IL2 service was required, IL3 for 'restricted' data, and so on.

Some would argue that this crude three-tier system wasn't broad enough in scope, yet replacing a well-understood system with a three-tier classification that is far from clear-cut seems at odds with the system being pushed forward on the grounds of introducing better clarity.

It is, many would say, far from obvious what level of cloud service is required when each data classification covers such a wide range of sensitivity. David Slater, an executive consultant at Atos, a technology services company with plenty of public sector experience, reckons that while the old classification scheme wasn't in itself a barrier to cloud adoption, over-classification did raise the cost of cloud while, at the same time, reducing choice. "The market place produced cloud services at IL2 and IL3," Slater explains. "The cultural change associated with the new classification scheme will potentially increase the number of players entering the market due to the security regime being more outcome based rather than prescriptive security."

The prescriptive security point is also made by Marty Legg, head of cloud services at SecureData, who thinks the old regime "limited the adoption of some services as they didn't provide the assumed level of accreditation required", which in turn often required cloud providers to invest considerably to gain pan-government accreditation or other assurances. "The focus on risk management based decisions will enable a more commercial, commodity consumption approach," Legg insists.

The changing shape of the public sector cloudscape

So will the public sector cloud security landscape be altered in the light of this new policy document? That's another interesting question, because there appears to be no clarity at the moment as to whether the new system will assimilate the old impact levels for CSPs. Some observers think that Cabinet Office advice suggests it will, with IL3 becoming 'Accredited Public Cloud Services', IL2 'Assured Public Cloud Services' and IL0 'Unassured Cloud Services', which would, effectively, change nothing but the name.

Yet without some implementation of service assurance levels within that ridiculously broad 'official' classification, it's hard to see how the public sector cloud market could be anything but more labour-intensive, and thus more costly, than it is today.

Driving up costs, as anyone with experience of G-Cloud will tell you, is not the way to get a fast migration. Then there's the security challenge for many parts of the public sector, which comes in the form of whether to adopt a separate cloud solution for publicly available content (educational materials, for example) from the one used to share and manage sensitive content. "Given that classification is down to the author of a document or email," Jes Breslaw warns, "if a hybrid system or dual solution is selected and the file is incorrectly categorised, there will always be a risk of leaking sensitive content into the public cloud."

Where the cloudscape dynamics will likely change as a result of the new GSC policy is in the new players that will be encouraged to come and play in the market: players, according to David Slater, that were traditionally providing government ICT services. "This is also being driven by the government being SME friendly," Slater says, adding, "this will introduce new innovative solutions that can help government radically change the way that they deliver public services and engage with citizens."

So let's cut straight to the chase: will the new Government Security Classifications help or hinder cloud adoption in the public sector? Robin Pape, public sector advisor at Memset, is pretty sure that in the short-to-medium term at least they will hinder take-up, as customers try to understand a new system that encourages them to look for solutions specific to their situation.

"This does not preclude the use of standardised cloud services as part of their solution," Pape explains, "but is sending a different message from G-Cloud, which has been promoting standardisation."

And there lies the rub. For the 'official' classification, customers will be expected to consider how each cloud service measures up against 14 cloud service security principles. Those principles are not quantified, so the assessment will require more time, effort and expertise than the old three-level IL system did.

This confusion will be compounded by the fact that only central government is adopting the new classifications this April, with police forces following later in the year and no timeframe yet announced for any other part of the public sector. With old and new systems therefore running, by necessity, in parallel on G-Cloud for some time to come, it's hard to see how this is going to pan out well...

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious 'Cyber Writer of the Year' title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010), Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called 'Threats to the Internet.' In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn't end his ongoing contributions, or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.