What’s In An Impact Level

Just over a year ago I wondered whether the new government’s approach to transparency would mean that government security classifications would be revisited and some processes done away with. To truly allow a move to public cloud services (which, in theory, provide the lowest cost provision of commodity services), such a review is necessary – though some local authorities and even a small slice of a central department are already adopting public cloud email, not quite by ignoring the relevant classifications but by taking a more pragmatic approach than has been taken in the past. The word classification can be loosely exchanged with Impact Level – where “restricted” is IL3 and “protect” is IL2.

The reason for needing a more pragmatic approach is twofold – firstly because received wisdom has historically dictated that nearly all that passes between and within government departments is classified as IL3 and, secondly, because, it seems to me, no one can describe on a single sheet of paper the difference between IL3 and any other classification level. Without clarity on what each of those means from an infrastructure and service perspective, along with realism from government about what the true classification of its data is (in this open and transparent world), the move to the cloud gets much harder.

Government is, of course, big enough to adopt a private cloud and make substantial savings – if, that is, large swathes of government are convinced (whether that be commercially, financially, through central mandation, for service improvements or some other reason). That private cloud could be, if we were able to define it simply, either IL2 or IL3. It wouldn’t matter particularly – although estimates carried out by many suggest that the price difference between IL2 and IL3 is as much as 25% (how these figures are arrived at in the absence of a tight definition I’m not sure about).

Public cloud should, in theory, be cheaper. Of course, if all of UK government moved to Gmail or Office 365 tomorrow, the needle would barely move on their servers – and I’m not even sure that government would qualify for a volume discount, which would make for some entertainment for the procurement and commercial teams (just wait until they want to negotiate terms and conditions of course).

What’s important here though is that a government wanting to make the move to the cloud needs to be clear with potential cloud providers what it is that they need to have in place. Security is a good place to start as, for too many, it is more dark art than science; but right after that would be commercial provisions, legal terms and conditions and then standards and operating procedures. At the same time, that government would need to think about what it, too, actually needed, to avoid over-complicating the provision of service, increasing cost and reducing the number of players able to match their requirement.
