What is changing?
UPDATE June 2015: Since the original publication of this article, the Government’s approach to G-Cloud security has significantly changed. Please refer to this article instead – it explains the new security assertions process introduced with G-Cloud 6. To keep in touch with future developments why not sign-up to receive our regular news .
For G-Cloud services up to and including G-Cloud 5, the security approach has been for suppliers to gain accreditation through the CESG Pan Government Accreditation (PGA) service. It basically involved a PGA Accreditor independently reviewing assertions by suppliers and checking with third parties that these assertions were actually true. For G-Cloud 6 suppliers there will no longer be a role for PGA. Instead, suppliers will provide assertions regarding how they comply with CESG’s Cloud Security Principles .It will then be up to consumers of their services to determine whether these assertions provide a sufficient level of confidence for them to use the service.
What will the process be?
The process will involve all G-Cloud 6 suppliers completing a questionnaire covering the14 Cloud Security Principles .for each service they provide on G-Cloud. Responses to questions are likely to be selected from pre-defined answers. The questionnaire has not been released as yet (July 2014) but a draft for comment is expected shortly. Ascentor will be posting a blog on the subject very soon after it is released.
Will there be different levels?
The new security approach has three different levels of confidence that a supplier can seek to provide to their customers about their service:
- Unassured . Supplier assertions but with no independent proof that the assertion is correct.
- Assured Public Cloud . The supplier assertions will have been independently validated by a third party. Examples include:
- Independent third party review (but not to a recognised standard).
- Certificate of compliance with a recognised standard.
- Scope of certification validated by qualified individuals.
- Independent testing of control implementation.
- Scope of testing validated by qualified individuals.
- Independent assurance in the design.
- Use of assured components.
- Accredited Public Cloud . The supplier assertions and validation by a third party will be subject to a government department’s accreditation process. This will provide confidence that all aspects of the supplier’s service have been considered and are working effectively together.
Will it make a difference?
The PGA process has proven costly in time and effort. Additionally, the level of assurance gained was not appropriate for some consumers who had greater or lesser risk appetite levels. The onus will now be on both the suppliers to provide assertions and the consumers to determine if those assertions, and the assurance that goes with them, are sufficient to meet the needs of their particular business requirements. What may be good for one organisation may not necessarily be good enough for another; after all good information security is all about context. The new security approach puts responsibility firmly in the hands of consumers to determine their risk appetite levels and decide whether or not the supplier assertions are good enough. This is bound to speed up the whole process – a good thing.
What’s the catch?
There is a danger that standards will decline over time. The PGA service ensured that a certain standard of assurance was maintained in order to meet the security requirements of organisations with similar levels of business impact. Now, organisations more tolerant of risk may not seek assurance and be satisfied with an ‘unassured’ service. Other organisations with less risk tolerance may be tempted to use the ‘unassured’ service because if it’s ok for them why not for us?
â€¦.. but on the plus side
Suppliers of cloud services have recognised consumer concerns regarding security and are adopting a far more robust approach. Every time they make an improvement and gain additional validation, they can upgrade their G-Cloud profile. Over time, those offering services with more assurance but within a similar price bracket as their competitors are likely to win consumer business. Assurance by default – sounds good!
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about cyber security and information assurance issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.
If you’d like to discuss how ourconsultants could advise on any aspect of cyber security, please contact Dave Jamesat Ascentor.
Email: [email protected]
Office: 01452 881712