It turns out that the new security classifications, introduced at the start of April 2014, have collapsed into a single new tier – Officially Uncertain. I worried that this might happen earlier in the year.
Last week, for instance, it was clearly explained to me that “OFFICIAL is not a protective marking, it does not convey any associated controls on how the information is to be handled.”
What that means, of course, is that because there are no particular controls that one might agree were the baseline necessary for protecting the information that is marked OFFICIAL that isn’t actually marked by a protective marking, each department or government entity is able to decide, alone, what it should do to protect that information. Adios commodity cloud.
In a different meeting with different people, it was explained to me, just as clearly, that because no one was going to go back and revisit their historical data and check what label should be applied to it (on an individual file by file basis). The only conclusion, therefore, was that all historical data should be marked OFFICIAL SENSITIVE (notwithstanding that, if OFFICIAL isn’t a protective marking, then neither is this one nor that the guidance suggests that use of “sensitive” is by exception only – this is one big exception). And given it’s all a bit sensitive, that historical data should be treated as if it were IL3 and kept in a secure facility in the UK. Adieu commodity cloud.
All is not yet lost I hope. Folks I speak to in CESG – sane, rational people that they are – recognise that this is a “generational change” and it will take some time before the implications are understood. The trouble is that whilst time is on the side of government, it’s not on the side of the smaller/newer players who want to provide services for government and for whom UNCERTAINTY is anathema.
In these early days, some guidance (not rules) would help people navigate through this uncertainty and support the development of products that met the needs of the bulk of government entities (be they local, central, arms length or otherwise). The existing loose words – I can’t stretch to guidance for these – known as the “Cloud Security Principles” get to the precipice of new controls, look over and leap sharply backwards, all a tremble.
Indeed, the summary of the approach recommended by those who best understand security is:
1. Think about the assets you have and what you’re trying to do with them
2. Think about the attackers who’ll be trying to interfere with those assets as you deliver your business function
3. Implement some mitigations (physical, procedural, personnel, technical) to address those identified risks
4. Get assurance as required in those mitigations
5. Thinking about the updated solution design, go back to step 1 to see if you’ve introduced any new risks.
6. Repeat until you’ve hit a level of confidence you are happy with
My guess is that 6, alone, could lead to an awful lot of iterations that culminate in “guards with machine guns, patrolling with dogs around a perimeter protected by an electric fence”. Of course, the number of guards, the type of guns, the eagerness of the dogs, the height of the fence and the shock provided by the fence will vary from entity to entity.
There is sunshine through some of the clouds though … some departments are rolling out PCs using native BitLocker rather than add-on encryption, others are trialling Windows 8.1 on tablets, whilst managed iPads have been around for some months.
But a move of central government departments to public cloud services (remember – 50% of new spend to be in the public cloud by 2015) looks to be a long way from here. I don’t think I can even soften it an say that a significant move to even a private, public sector only, cloud is that close.
Of course if the commodity cloud vendors stated the controls they offer by default…and those they can offer as priced optional extras…Then should present to the Accreditor community at large and introduce some trust in cloud services.There's a lot more that can be done in kick-starting that generational change amongst those at the cutting edge of it.
Commodity plus optional extras doesn't seem a viable way forward – Marks and Spencers, to use Chris Chant's analogy, sells you white shirts; they don't charge you extra for custom variations such as wide collar, double cuffed, leather trim, pockets etcBut I do agree that clarity over what controls are offered would be helpful – even though the presence of guidance and the absence of direction means that \”controls\” are highly variable. And there is still, only the vaguest of guidance about what OFFICIAL means – and, for instance, how it compares to IL3 (using the customary shorthand and with all the caveats about what is and isn't a protective marking). In theory it should be easier to achieve official than it was to achieve IL3 … and so be cheaper (and more commodity).Lots to do … and the onus on many, I agree, to kickstart the change.