Seeding The Global Public Sector Cloud: Part II – The UK's Approach As Pathfinder For Other Countries

Abstract: This is the second of a two-part paper that assesses current trends in the adoption of public sector cloud computing by governments around the world. Part I briefly overviewed the potential for and inhibitors to government cloud growth, focusing on security and risk management concerns and suggesting a role for ISO standards, especially ISO 27001 and ISO 27018, in effectively addressing these inhibitors. Part II focuses on the structured approaches to cloud adoption taken by a number of countries including the UK, and suggests that countries looking to develop their public sector clouds but not wishing to reinvent this particular wheel could validly start from the UK's approach as a pathfinder.

The progress of public sector cloud computing has faced headwinds around the world arising from concerns principally about security and about how to manage risk practically and effectively. Addressing these concerns will enable the potential of the global public sector cloud to start to be fulfilled, a step-change that has been widely forecast to take place over the next few years: Part I of this paper referenced forecasts that the public sector cloud is set to account for more than half of global software and storage spending growth by 2018 and that US federal cloud spending is predicted to grow from $3bn today to $6.5bn by 2019.[1]

Part I suggested that international standards, particularly ISO 27001[2] on information security management systems and ISO 27018[3] on the protection of personally identifiable information (PII) in the cloud, provide particularly useful tools to unlock growth in global public sector cloud uptake through demonstrable and demonstrated procedures designed to assess, certify, benchmark and audit achievement of cloud security standards.

Accreditation to these standards is a key output for demonstrating risk management outcomes, and this in turn depends and is built on substantive elements of a model public sector cloud computing security framework as inputs. This part of the paper proposes that an effective cloud security framework model encompasses the following substantive inputs:

an approach led from the centre and applied consistently across government;
built on a foundation of robust data classification;
which is transposed effectively to the cloud; and
which enables baseline cloud security requirements to be mapped to the classification.

We suggest that combining substantive cloud security framework inputs constructed this way with effective use of international security management standards at the procedural level as outputs can provide government ICT (information and communications technology) functions with a route map to effective public sector cloud adoption. Following a brief review of government cloud adoption to date in a number of geographies, we suggest that the UK's approach to these issues can validly serve as a pathfinder for countries looking to develop their public sector clouds that do not necessarily want to reinvent this particular wheel.

A Sampling of Approaches: The US, ENISA and Germany

In the USA, the US Chief Information Officer in December 2010 published a 25-Point Implementation Plan to Reform Federal IT Management,[4] one element of which was to adopt a Cloud First policy, articulated in the February 2011 Federal Cloud Computing Strategy (FCCS).[5] The FCCS is supported and complemented by a number of other US government initiatives and programs,[6] including the Federal Risk and Authorization Management Program (FedRAMP).[7] FedRAMP was established in December 2011 to provide a standardised, centralised approach to assessing and authorising cloud computing services and products. As at June 2015,[8] there were reported to be around forty providers, products and services certified under FedRAMP.

Figure 1: ENISA Security Framework based on 'Plan → Do → Check → Act' Lifecycle

Phase    | Security Activity                                | Security Step
A. Plan  | a) Risk profiling                                | 1. Identify services to cloudify
A. Plan  | a) Risk profiling                                | 2. Select security dimensions[9]
A. Plan  | a) Risk profiling                                | 3. Evaluate individual impact to these dimensions
A. Plan  | a) Risk profiling                                | 4. Determine global risk profile
A. Plan  | b) Architectural model                           | 5. Decide on deployment/service model[10]
A. Plan  | c) Security & privacy requirements               | 6. Establish security requirements
B. Do    | d) Security controls                             | 7. Selection of security controls
B. Do    | e) Implementation, deployment and accreditation  | 8. Formalisation and implementation of selected security controls
B. Do    | e) Implementation, deployment and accreditation  | 9. Cloud service suitability ex ante verification to provide sufficient assurance
B. Do    | e) Implementation, deployment and accreditation  | 10. Start service execution
C. Check | f) Log/monitoring                                | 11. Periodically check that security controls are in place and being followed
C. Check | g) Audit                                         | 12. Verification that the defined/contracted levels of security are fulfilled
D. Act   | h) Change management                             | 13. Implementation of remedies & improvement to security framework/approach
D. Act   | i) Exit management                               | 14. Contract termination, return of data to customer and data deletion

At EU level, ENISA (the EU Agency for Network and Information Security) in February 2015 published its report Security Framework for Governmental Clouds,[11] which examined four selected public sector cloud use cases in:

Estonia: planned public/private cloud IaaS/PaaS/SaaS in public administration services;
Greece: deployed public cloud IaaS in the educational and academic community;
Spain: deployed private cloud SaaS in general and regional administration services; and
UK: deployed public cloud IaaS/PaaS/SaaS in services of the public sector.

Based on these use cases, the ENISA paper proposed a security framework modelled on four lifecycle phases, nine security activities and fourteen security steps, as set out in Figure 1 above.

Germany's Federal Ministry of Economics and Technology in November 2010 published its ICT Strategy of the German Federal Government: Digital Germany 2015[12] and has since launched a Trusted Cloud Technology Programme[13] 'to support the development of innovative, secure and legally compliant cloud solutions'. Germany's Cloud Computing Action Programme was aimed particularly at the public sector with a view to researching the cloud, developing an innovative security framework around security, legal and standards certification considerations, and influencing international developments.

The UK Approach: Driving Public Sector Entities to the Cloud

As mentioned above, the UK Government (which, as with most states, is the biggest buyer and user of ICT in the country[14]) has examined and assessed each element of its cloud security framework and published its work in a comprehensive and comprehensible articulation of the substantive organising input elements which an effective cloud security framework model is shown to encompass. The guidance and other related documentation published by the UK Government is summarised in...
