There’s been a deafening, almost messianic, chorus of “cloud, cloud, cloud” at recent events exploring the future direction of public sector IT. Yet one question remains unanswered: what will happen when the elephant snoring loudly in the wings awakes? You know the one – it’s sporting an ill-fitting straitjacket marked Security.
Nearly half the private enterprises already using cloud providers have admitted they could struggle to pass a security compliance audit. While initiatives such as the Cloud Security Alliance are busy trying to formulate cross-industry best practices, the public sector faces a far larger obstacle if it is to adopt cloud computing: its idiosyncratic approach to information assurance.
The existing security rules established by CESG (the government’s technical authority for information assurance) are being pinpointed as a show-stopper for departments keen to adopt utility IT services.
The UK government’s highest levels of protective marking remain appropriate for sensitive government data. But such data represents a tiny fraction of the government’s overall information assets. Most public-sector requirements are the same as those of any large firm, and most of its data is no different in sensitivity to that of any other firm.
Public sector IT procurement practice is already beginning to focus on how to separate low-cost utility services from high-cost niche requirements. Likewise, an improved security framework is required that distinguishes between niche and mainstream security needs. A framework that recognises good security is not about technology alone, but people and processes too.
Hard-headed decisions have already been taken about reforming Whitehall IT programmes and contracts. A similar real-world approach is now needed to update the information assurance regime, dragging it out of its obsolescent 1980s mindset and into the digital age, and the Cabinet Office should be leading this transition. For the lower levels of classification of information this will mean adopting mainstream utility services and products that comply with commercial best practice.
Unless these changes are made soon, it’s hard to see how the public sector will be able to establish the open, competitive and effective IT marketplace it needs to help improve our public services.
Jerry Fishenden is a director of the Centre for Technology Policy Research