Post 7 - Security in Public Sector Cloud

Understandably, the majority of Public Sector data owners have expressed concerns over security in the cloud. Given the increased scrutiny of the public sector’s performance in handling and protecting sensitive data, security is a big factor in an organisation’s credibility, and if data is compromised it could seriously disrupt its business. Moving to the cloud involves passing the day-to-day oversight and responsibility for the provision of security mechanisms to a third party, and this requires a certain leap of faith.

But in reality it often provides a higher level of security than can be developed in-house. Cloud providers bring expertise in the field as part of the service, and in catering for numerous customers they can do so more cost-efficiently and effectively. This can provide a safe environment for data up to a high security classification, and make an important contribution to an organisation’s information security strategy.

The crucial factor is to ensure that the necessary security accreditations are in place. For most public sector business this means that the cloud provider has to show it can handle information labelled OFFICIAL (equivalent to the previous IL2 and IL3 classifications), for which there could be damaging consequences if it is lost, stolen or published.

But most organisations also need to store and handle some information labelled OFFICIAL-SENSITIVE, for which the consequences of being compromised would be more far reaching, and which requires procedural and personnel measures to reinforce access on a ‘need to know’ basis.

There are a number of steps to take, outlined in the Government’s Summary of Cloud Security Principles, in providing the appropriate levels of security. These include, among others:

  • providing network protection and encryption to protect personal data in transit across networks;
  • having a security governance framework in place;
  • making staff subject to security screening and education for their roles;
  • designing services to identify and mitigate threats against their security;
  • protecting interfaces from attacks;
  • providing users with audit records.

These can be supported by measures such as: ensuring that any changes to a system are tested and authorised, so that there are no unexpected alterations in security properties, protective monitoring of any potential attacks and unauthorised activity, and plans to respond to any incidents and recover a secure service.

It is also important to ensure that a cloud provider has the accreditations for specific services, such as Infrastructure as a Service (IaaS) and Software as a Service (SaaS).

This means that when using services such as storage, back-up, messaging or desktop hosting, all of the relevant measures are in place to provide the appropriate levels of security.

Providers with accreditation for groups of these services, rather than focusing on a speciality, can provide the scope to combine them within a package and make it easier to align different IT processes on a cloud platform while maintaining the necessary security. 

Solution

In August 2012 Sentinel by SCC became the first multi-tenant Pan Government Accredited Cloud for what was at the time IL0, IL2 & IL3. This accreditation has been successfully renewed every year since and the platform is now aligned to the Government Security Classification Scheme and accredited to OFFICIAL (with SENSITIVE caveat) under PSNA. The Sentinel platform also has ISO27001:2013 certification and is IG-SOC compliant for the NHS.

Why build it when you can buy it ready to roll out?

Like most other cloud providers, SCC originally concentrated on secure IaaS but, unlike others, has since concentrated on developing the complementary secure SaaS offerings that you would associate with being able to function as an organisation or department. Sentinel SaaS offerings now comprise:

  • Hosted Exchange – with self-service control panel.
  • Hosted Desktop as a Service (VDI) – with self-service control panel.
  • Managed Desktops – with self-service provision.
  • iOS MDM for mobile device management.
  • File & Collaboration – secure file sharing.
  • Multi-Tenant Remote Access Service.
  • Sentinel Connect – secure compute HDMI based stick.
  • Database as a Service.

All SCC SaaS offerings are independently accredited and all have their own PSNA certificate for OFFICIAL. The company constantly strives for innovation in product development – for example development of a multi-tenant hosted Skype for Business offering for G-Cloud8 has just been completed.

As a UK company with UK-based data centres and skilled people, SCC aims to help you transform the way your organisation operates by planning, supplying, integrating and managing your technology.

We make technology work for the end user through partnership, knowledge and passion.

SCC Heritage

  • UK company with top tier data centres in the UK, guaranteeing up to 99.995% availability.
  • Over 500 vendor-trained professional services consultants and engineers.
  • Over 5,000 employees.
  • Dedicated service desk supporting more than five million users.
  • Leading strategic partner to all key vendors.
  • The technology division of Rigby Group PLC.
  • Profitable track record since 1975.

For more information, click here to download the FREE whitepaper ‘Procuring and Delivering OFFICIAL in the Cloud’

Next week: Geographical Constraints to Consider When Adopting Public Sector Cloud
