Guidelines for public sector adopting the cloud…

1 minute read

This post has been archived

Two thing have changed affecting this area of late. Firstly, the cloud security guidelines are changing to a more customer focused risk assessment. Secondly, as you are no doubt aware, there is a move away from a strict ‘IL’ based security classification. This has led to some confusion but last month gov.uk published some guidelines…

e2e were one of the first companies to deliver an ‘Official’ cloud solution to government (handling ‘Official Sensitive’ in places). Since then we have seen lots of other organisations getting confused over how to do it, including assuming that it’s ok to put Official in Office 365 for example, but that is not actually the case; the answer is: it may be…and whether it is or isn’t comes back to the customer focused risk assessment.

How do you determine what solution will work for your public sector requirement?

Firstly you need to get familiar with the general guidelines and Cloud Security Principles, and the guidance for cloud security risk management. You will need the right people to lead the ‘customer focused risk assessment’ and subsequent Cloud design: they should be Senior CESG IA qualified Architects and Auditors.

But most importantly of all, read principles 1 to 14 of implementing the cloud security principles. We recommend refreshing your coffee supply before this step!

Then have a think about the end to end solution you are proposing: the Cloud service, other Cloud Services, the existing on-prem, the End User Devices, the connectivity, the service providers (and how they will all connect), and have another look at the cloud security principles, its important to keep them fresh in the mind.

So in short there is now very clear guidance on how to use Cloud services.

Incidentally, e2e can help in this area as we possess one of the only Senior CESG IA Architects in the country (vital for Implementing the cloud security principles) and also have the respective CESG IA Auditor and relations with the CREST and CHECK companies needed to perform the assessments.

Updated: