The security issues associated with cloud computing in the public sector

09 July 2010

The adoption of cloud computing is causing significant concerns around privacy and security in the public sector. The benefits for cloud computing are very compelling, especially as the Government looks to the private sector for proven techniques to drive down back office costs, make the most of new technology and use new management practices to encourage efficiency. With plans to cut public sector expenditure by up to £60 billion a year the benefits of cloud computing are ever more persuasive.

Cloud computing has many advantages for the public sector, such as the potential to reduce information and communications technology (ICT) costs, scalable data storage capacity and flexibility for users to access information wherever they are. Government departments can also focus on delivering high quality performance to taxpayers rather than worry about server and software updates.

Some international public sector departments have already made the move into cloud computing such as The Ministry of Internal Affairs and Communications in Japan. The department has announced plans to migrate all government agencies into a private cloud environment by 2015. This is in line with Gartner’s predictions that by 2012, 80% of Fortune 1000 enterprises will pay for some cloud-computing service, while 30% of them will pay for cloud-computing infrastructures.

The UK is following this trend with its plans for G-Cloud. In the government's Digital Britain report Carter stated that the G-Cloud should be created within the next three years, to allow local and central government departments to share centrally hosted applications.

The Communications & Electronic Security Group (CSG) is the information security arm of the Government Communications Head Quarters (GCHQ). GCHQ works in partnership with the Security Service (MI5) and the Secret Intelligence Service (MI6) to protect the UK's national security interests, however with so many different departments managing security for the Government it becomes very difficult for potential users to gain authorised access to Government networks. The G-Cloud will integrate and take the responsibility away from these isolated security departments allowing the government to handle all servers and infrastructures centrally, which will substantially reduce internal resource costs.

The global recession has reinforced the financial benefits of cloud computing as tighter budgets and cost cutting exercises force organisations to look closely at technologies that achieve cost cutting. Countries such as Iceland are now investing heavily in data centres for organisations like Google to run cloud computing systems, due to their unique ability to cool data centres far easier than the UK, and with access to cheaper electricity, it can offer facilities at drastically reduced prices.

Security has played a large part in the UK private sector’s delay in moving to the Cloud. Many organisations are waiting for the first significant company to take the initial step to spearhead the move to the cloud. Recent research has shown that 74% of UK CIOs stated security fears prevented them from adopting cloud computing services. As Richard Thomas, the Information Commissioner, stated, all organisations, especially those storing individuals’ data, must ensure it is effectively protected from compromise.

The public sector is still very nervous about allowing data to be managed outside its environment and this is difficult for most organisations; however Pentura believes the Government’s move to the cloud will pave the way for the private sector. It has very strict security measures and a Code of Connection (CoCo) that must be followed before anyone can gain access to Government networks, including requirements for Firewalls, IDS and other security technologies.

Security and integrity of data is taken very seriously by the Government and public sector. They also face difficulties in specifying a generic security model in order to secure cloud computing activities and services. Technology blurs the line between who is in control and who is responsible for protecting data and one of the main issues is the fact it allows access to many different users from multiple locations. With the Government utilising this cloud technology it proves that security issues can be addressed successfully and should instil confidence in both the public and private sectors.

There have been several high profile incidents of data loss in the public and private sectors, which has raised awareness of how lost or stolen data can be used for crimes such as identity theft. Getting data protection wrong can bring considerable reputational, regulatory and legal penalties. Getting it right can offer considerable rewards in terms of customer trust, loyalty and confidence.

There is no real evidence that placing sensitive public information into a cloud environment will risk breaches of privacy. Security and business continuity remain a concern for organisations considering cloud technology despite the fact that many cloud vendors are likely to use a more robust and better-maintained computing platform that is less likely to fail. Private clouds can also tackle some of the concerns around security by keeping the benefits of cloud computing under the control of the organisation.

Many Government departments are still recoiling from the public’s response to past data loss incidents. Recent research has shown that the UK public lacks confidence that organisations can keep their personal data secure.

The benefits of cloud computing are heavily regulated by requirements that stipulate certain information cannot go outside a country’s boundary and in many cases information stored by the public sector will be susceptible to these guidelines. The government has invested enormous effort into tackling the challenge of information sharing over the past decade by developing coordination mechanisms such as enterprise architectures and interoperability frameworks. Despite all this effort and cost the move to cloud computing has still been far slower than expected due to lack of appropriate incentives and difficulty in synchronising the ICT requirements of multiple organisations conducting disparate operations.

As the threat landscape changes security professionals must adapt. It is unrealistic to expect one security professional to manage all security in a public sector organisation and it is equally unrealistic to expect public sector departments to hire numerous teams of security professionals to achieve this.

In light of the government’s new IT strategy that will focus on cloud computing, open source technology, rationalisation of datacentres, the G-Cloud seems imminent and necessary for sharing important information between departments. There does however still seem to be a lot of concern about placing potentially sensitive information outside the traditional safe havens of an organisation’s physical boundaries. To tackle this issue G-Cloud will only offer limited access to particular users and they can draw on the experience from NHSnet to ensure the G-Cloud is a reliable and dependable source for government departments.

Data is recognised as a currency in the world, everyone is very aware of how valuable it is and despite an increase in data loss incidents in 2008, this has almost halved in 2009. Organisations need to take a step back and a holistic view of what they are trying to protect and identify where the high risk areas are, such as cloud services, server rooms and individual servers and then work outwards in order to protect their data.

Print version | email this to a friend Email to a friend | View other articles