www.eduserv.org.uk

Security Radar for 2014London G-Cloud Meet-up, January 2014Ivan Harris, Business Manager – Cloud Services

Agenda

• Government Security Classifications

• PSN Connectivity

• Hybrid Clouds

• Application Development

Government Security Classifications• Comes into force on 02/04/14• Classifications: OFFICIAL, SECRET and TOP SECRET• There is no direct mapping between Security Classifications and BILs • BIL should still be used as part of the information risk assessment when selecting G-Cloud services• New G-Cloud service categories:

• Unassured Clouds: Formerly IL0

• Assured Public Cloud: Formerly IL2

• Formally Accredited Public Cloud or Private Cloud: Formerly IL3

• As a rule of thumb:• Unassured Clouds: For non-sensitive OFFICIAL information suitable for the public domain

• Assured Public Cloud: Suitable for general OFFICIAL information that is not particularly sensitive

• Formally Accredited Public Cloud or Private Cloud: Most OFFICIAL information and aggregated information that’s not particularly sensitive in isolation

• Will Assured Public Clouds require PGA? Just ISO 27001 plus additional controls?

Sources:Government Security Classifications April 2014, Version 1.0, Cabinet Office, October 2013G-Cloud Information Assurance Requirements and Guidance, HMG, May 2012

PSN Connectivity• GCF connectivity is retired on 31/03/14• GCF users must have obtained PSN connectivity, achieved compliance and transitioned

by this date• IL3 accredited PSN bearer networks will start to appear rather than using CAPS

accredited devices over IL2 bearer networks• 3 new PSN frameworks due with

• More SMEs (dozens, not hundreds)

• Three ordering mechanisms (direct award, short competition, full-fat competitions)

• 4-5 year contract length

• ‘Public Sector Telecoms’ framework (which includes cloud services) due to go live in July

• 2014-16 growth in ‘Wider Public Sector’ including local government and health services:• PSN Spend to mid-2014: Central Government £2.2Bn, Wider Public Sector: £0.8Bn

• PSN Spend 2014-2016: Central Government £0.6Bn, Wider Public Sector: £1.6Bn

Sources:Next-generation PSN Frameworks, Cabinet Office, November 2013

Hybrid Cloud• Low hanging fruit of point cloud solutions will soon be harvested• More sophisticated solutions will be needed to support:

• On premise and off premise• Legacy systems and cloud services• Public and private cloud• Multi-impact level information estates• Integrating to multi-impact level systems

• Impact level hybrid clouds are needed• Supports the business benefit prioritized cloud journey and optimises

information estates

Application Development• The ‘Public Cloud First’ policy, drives for better citizen experience/engagement

and more sophisticated solutions require digital services, Enterprise Applications Integration, SaaS and custom web, enterprise mobile applications

• Demand from third-party application developers for IaaS, PaaS, EPaaS and PSN support on IL2 and IL3 PGA’d services

• Full software lifecycle support is needed: Spin-up/tear-down of development, test, staging and production environments

• Needs to align to HMG’s Agile objectives by supporting continuous integration and continuous release

• Application developers need help with accrediting their applications on already PGA’d services

In Summary

• Government Security Classifications

• PSN Connectivity

• Hybrid Clouds

• Application Development

“In the midst of chaos,there is also opportunity”

Sun Tzu

Ivan HarrisBusiness Manager – Cloud ServicesEmail: ivan.harris@eduserv.org.ukPhone: 01225 474311Twitter: @IvanDavidHarris