Assertion: “a confident and forceful statement of fact or belief” OED
G-Cloud 6 Security Assertions
All suppliers wishing to include their cloud service offerings within the Governments Digital Marketplace as a G-Cloud 6 service are now mandated to complete a set of questions regarding security. The questions are based on CESG’s Cloud Security Principles and are aimed at getting consumers of services to assess whether supplier security assertions meet their own particular security needs.
A different set of questions is available depending on the type of cloud service being provided:
- Infrastructure as a Service
- Platforms as a Service
- Software as a Service
- Specialist Cloud Service
Questions are available in .csv format from github .
So, how do you gain accreditation now?
You don’t, and then again you do!
There is no longer a role for the Pan-Government Accreditor so a service will not be advertised as ‘accredited’. Instead, completion of the security assertions will allow each department that wants to make use of your cloud service to assess whether the assertions meet their own security requirements. This is accreditation in a different guise. However, there is a key difference.
The old accreditation process meant that statements about security were checked as being true and not just taken at face value. It is now up to individual departments to assess the security assertions and determine if they are good enough to meet their own requirements.
This sounds like lots of additional work for both the cloud service provider and the customer. It doesn’t have to be. The PSN adage of ‘do it once, do it right and reuse it’ still applies.
Different assurance levels
Within the security assertions, cloud service providers will be able to specify how the assertion can be assured rather than just being words on paper (or pixels on a screen). There are five different levels of assurance that can be selected:
- Service provider assertion . This is the lowest form of assurance but should still be better than marketing/sales material. Some organisations will be subject to audit by the G-Cloud Authority so they should be realistic.
- Independent validation of assertion . This is likely to be via a qualified individual or organisation. The onus will be on the supplier to authenticate the credentials of whoever is doing the validation. Examples include audits by respected audit companies and the use of a CESG Certified Professional (CCP) Accreditor.
- Independent testing of implementation . The most common form of testing is likely to be an IT Health Check or penetration test. However other forms of testing may be equally applicable.
- Assurance of service design . Gaining assurance from the design must be independent. Schemes such as CESG Tailored Assurance Service (CTAS) and CESG Assured Service (CAS) are set up for exactly this purpose.
- CESG-assured components . Gaining assurance that equipment is capable of doing what it is designed to do. CESG’s Commercial Product Assurance and TEMPEST schemes are two examples but using products that have been evaluated under the Common Criteria are also valid.
Building an evidence portfolio
Any assertion that is made needs to be backed up with evidence. The cloud service provider should maintain a portfolio of evidence to support their assertions. This evidence portfolio can then be provided to customers wanting to validate the assertions. Validation by a customer is itself evidence that can be used (with the customer’s permission).
An example :
A G-Cloud service provider has completed the Security Assertions Questionnaire and has provided supporting evidence to a customer. That customer employs a CCP qualified Senior Accreditor who reviews the security assertions and evidence and finds it appropriate for their needs. The CCP Senior Accreditor could then provide a statement to that effect which could be used by the G-Cloud service provider as additional evidence.
Over time, the evidence provided by individual customers will grow such that new customers will be assured that service is fit-for-purpose and no further action is needed on their part.
Getting it right first time
G-Cloud service providers need to think carefully about their security assertions and evidence portfolio and make sure that it reflects the service they offer. Any cloud service that is likely to hold sensitive personal information is more likely to need strong supporting evidence to provide customers with the right level of assurance that security requirements are being met. On the other hand, a G-Cloud service offering generic training material is likely to need a much lighter touch.
What we’ll be covering next – watch this spaceâ€¦
Ascentor will be delving into the Security Assertion Questionnaires to provide G-Cloud service providers with some top tips for building an evidence portfolio that will reduce customers’ demands, speed up the procurement process and make the service more attractive to new customers. Watch this space.
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about cyber security and information assurance issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.
If you’d like to discuss how ourconsultants could advise on any aspect of cyber security, please contact Dave Jamesat Ascentor.
Email: [email protected]
Office: 01452 881712
Other posts you might like: