The government’s new online security approach may boost sales through the G-Cloud Framework – but it also has the potential to confuse, says John Godwin
The Government Security Classification Policy (GSCP), which came into effect on 2 April, replaces the previous Government Protective Marking Scheme (GPMS).
Today witnesses one of the more significant changes associated with this new policy as the Government Digital Service (GDS) has advised that suppliers on G-Cloud will no longer need to obtain Pan Government Accreditation (PGA) and that G-Cloud will also stop accepting new accreditation submissions.
G-Cloud suppliers will now be required to self-assert their services, and buyers will become responsible for assessing and selecting the most appropriate cloud services which meet their individual security requirements.
GDS has advised that it will release guidance on this new G-Cloud security approach in the coming weeks, according to a recent blog post.
Despite these changes, submissions for cloud services that connect to the Public Services Network (PSN) will continue to require Pan Government Accreditation (PGA), and these will need to be submitted to the PSN Authority (PSNA).
Many are assessing this change as being good news for suppliers – particularly SMEs – as the previous process of achieving PGA accreditation required specialist knowledge, was time consuming and often very expensive to complete.
So in these respects, this new security approach may help to further expand the market and encourage more suppliers to actively participate within the G-Cloud Framework.
However, there is a real possibility that the new approach has the potential to confuse: public sector buyers now have to make their own decisions as to what controls will deliver the most appropriate protection for their data, and they are likely to find this process of assessing, comparing and selecting from multiple suppliers more difficult in the absence of a single trusted, credible and rigorous assessment system.
Equally, from the point of view of reputable and security conscious suppliers, these changes present a new challenge of demonstrating how their security credentials accurately protect their services and their customers’ data in a potentially confused marketplace”.
Perhaps most concerning of all is the risk that suppliers may be able to make unsubstantiated claims (whether inadvertently or intentionally) regarding the level of assurance they are able to deliver to their customers.
This has the potential to increase the risks of security breaches occurring, which could in turn undermine customer confidence in trusting their data to the cloud.
Whilst the Government has done a fantastic job in encouraging the widespread adoption of assured cloud services within the public sector, delivering efficiencies, cost savings and creating a more open and transparent marketplace, all suppliers will need to continue to play their part in ensuring that its security track record remains intact.
It is worth remembering that current PGA accreditations remain valid for a year following the date they were issued, so it will still be possible to find suppliers utilising these well into 2015. Furthermore, as cloud services which are to be connected to the PSN continue to require PGA accreditation, this well established programme will continue to provide credible assurance for those with the highest of security needs.
CESG’s Cloud Security Principles have provided a sensible starting point for guiding suppliers and buyers through this transition phase. However, we look forward to seeing further guidance from GDS regarding the changes that are currently taking place, particularly their relevance to the launch of the G-Cloud 6 Framework expected later this year.
John Godwin is head of compliance and information assurance at Skyscape Cloud Services
