Government Willing To Bend Security In Cloud Adoption
UK government and IT security experts are willing to relax governance in order to gain cloud benefits
Government departments have shown a willingness to be flexible on security governance and cloud adoption. The breakthrough disclosure was taken from a survey report by public sector supplier CSC.
Following the survey at the government’s Information Assurance conference (IA10) in September, CSC said, “While the vast majority strongly agreed that the use of a public cloud would substantially increase risk to confidentiality, a majority also agreed that a shared private cloud (or community cloud) among users with similar security cultures would likely be an acceptable risk.”
Startling Change In Governance Rules
Ron Knode, CSC’s director for Global Security Solutions and author of the report, described this as a “startling discovery”. Although government departments generally accept other forms of innovation, the cloud has been treated with a degree of wariness.
“Previously, nobody was willing to do this – departments had their rules and that was that,” Knode explained. “Now suddenly, people are indicating that ‘if you’re a lot like me’ maybe they can come together with an altered set of governance processes and decision-making criteria to gain the benefits of the cloud.”
The government has said that cloud computing will be a major route to its cost-saving agenda, but concerns have been raised about security.
Though security is of utmost concern to these departments, the report showed that the inhibitors to achieving full cost savings and efficiencies from cloud computing are the different approaches to information security across potential users and the confusion that still exists about what the cloud offers.
Enthusiasm to find the middle ground on governance was demonstrated by the majority of respondents (65 percent) who stated that they would be willing to share Security Operations Centre (SOC) services, as an interim measure to build trust between users.
Respondents also said that a reduction in the number of audit events to be monitored, along with a revision to internal governance, risk and compliance policies and processes, were the two most important compromises when migrating to cloud services.
“For progress to be made in cloud computing, departments need to focus on the paths of least resistance, such as creating a like-minded community sharing lower-risk services,” Knode wrote. “By establishing a governance test-bed, users can examine and validate potential areas of flexibility of governance.”
“Transparency also has to be included in every proposed cloud standard and advocates should resist the urge to develop too many clouds but rather explore progressive or layered clouds, which accommodate different user standards,” Knode added.
The report, titled Shared Services: A perfect storm of opportunity, was developed by CSC with support from UK government body CESG, the information assurance arm of GCHQ. Respondents included 200 senior security and IT experts working across central and local government and their associated suppliers, who attended the flagship IA10 event.