As government looks to the cloud, how do those on the ground mitigate the risks? A recent round table explored the issue, as Samera Owusu Tutu reports.
Many government organisations have begun using cloud, but few have moved the bulk of their ICT operations into it, partly because of the major challenges and risk involved in making the move. With a more significant exodus to cloud storage and software usage on the cards, a varied group of civil servants gathered to discuss the de-risking of a wholesale shift to cloud ICT, in partnership with managed cloud service provider Eduserv.
Understanding cloud computing
The discussion started with participants sharing their views on the benefits of a wholesale shift. The main benefit was the ability to scale cloud usage up or down, meaning that whether they used a little or a lot, they only took what they needed and paid for what they used. While paying for what you use is an efficient way of working, there were further cost savings in using more of the cloud, hence the case for a wholesale shift. The ability to reach the under-30 segment of the public was also mooted as a benefit.
Though cloud was seen to have many benefits, there was a clear call for better understanding of what cloud was and what it could do, and this call for clarity was articulated by Sarah Hurrell, commercial director of technology at Crown Commercial Services. “Cloud is the great enabler,” Hurrell said, “but it is not necessarily the answer to every problem or every question. Also there are different clouds – public cloud and private cloud.”
She also highlighted the differences between the services available, and the effect that the data being handled has on the level of risk associated with a service: “There are cloud services and there is cloud storage, and they are different. If you’re buying a service to, say, move to Microsoft 365, or to Google Calendars, that’s a very different service from putting HMRC data out into the cloud, which has got personal data and needs to adhere to the Data Protection Act.”
Yvonne Gallagher, director for digital and information at The National Audit Office (NAO), supported this view, adding: “It needs a bit of understanding of what it can do and then it needs very good understanding of how to implement it. And I think those skills in government and that knowledge has to be built up.”
Appetite for risk
The group felt that the appetite for risk across the civil service had shown a marked increase; according to Gallagher, data protection, cyber security and privacy now make up the new landscape for the civil service.
The newness of the landscape, however, added its own challenges to the debate on risk, explained David Walker, operational security manager for the Home Office: “It’s all new, so it’s difficult to quantify the risk. It’s [currently] a concern based on the way we used to do things, and the knowledge and experience [people] bring to something that’s similar but not quite the same.”
Walker asserted that the issue of risk no longer falls solely with IT teams, but instead should be a wider concern for departments: “Departments are now understanding very well this whole thing about risk appetite and risk assessment. As the cloud moves forward, it’s important that these things are not [just] ‘an IT thing’.” If knowledge is kept within a small group, he argued, then if “there’s a problem everybody’s shocked”.
A shift in responsibility
Risk is definitely top of the agenda, given the change in accreditation highlighted by Andrew Hawkins from Eduserv.
Previously, under the Pan Government Accreditation (PGA) system, a cloud solution would be accredited and cleared for a particular level of security within the official data spectrum, meaning that anything built on top of that accredited infrastructure inherited the accreditation and clearance. Now, without PGA, suppliers can only state that they have a specific level of security controls, and it is up to the department to obtain the evidence that supports those claims.
Hawkins believes: “It’s pushing the onus back on to the purchasers to do a risk assessment on the data and choose a provider that has the right level of controls in place.”
Hawkins highlighted the work suppliers will have to do to prove their level of security, and pointed out that this will now have to happen with each department and each project: “When you speak to a number of providers and create a shortlist you will need to present your requirements and check the supplier has suitable controls in place. The emphasis will be on the supplier to demonstrate and provide evidence that they’ve got the appropriate controls in place for any particular project.”
Rather than this being a new system, Hawkins said, it’s a return to processes of old: “It’s all going back to the way it was when you had to accredit per solution. It’s accelerated the understanding and the thinking of security for suppliers along that journey.”
Hawkins explained that IT health checks, ISO 27001 and Cyber Essentials might appear in the evidence pack from a supplier, adding that the pack might contain “anything that demonstrates that an independent third party has done a security assessment on your infrastructure and can say that you have controls in place that comply with the security classifications”.
The cloud skills gap
During the discussion, it became apparent that the shift in responsibility for risk management has exposed a skills gap within departments, a deficit that needs to be tackled in order to have realistic expectations around a wholesale shift to cloud IT.
The general feeling among the delegates was that departments do not currently have those skills. Hurrell explained that the shortage may be due to the outsourcing of IT projects, which meant that some departments may not have felt the need to develop in-house skills around risk management: “Some of the skills were outsourced from government 20 years ago and we didn’t build them back up, so I think it’s [about] spotting the IT skills [shortages] in the departments,” she said.
However the civil service decides to de-risk the wholesale shift to cloud IT, the group believed it will fall to the departments to implement any strategies that are developed around risk. Put plainly, Hurrell said: “There’s a requirement of an intelligent customer.”
Departmental staff will not only need training on risk management, but also on the best way to manage their changing relationship with IT suppliers. Hurrell believes that “the Government Digital Service is likely to drive that conversation,” and adds: “There’s real opportunity here.”