#DSCloud16: How the UK government approaches cloud security
17 June 2016
A member of the government's technical team has offered insight into how it handles information security.
Speaking at Data Security in the Cloud 2016, James Stewart, director of technical architecture at the UK Government Digital Service (GDS), said: "We have been together for about five years and in that time we have seen quite a lot of changes in the UK government."
This has seen the redesign and consolidation of many of the government's offerings, he explained, while at the same time ensuring that "nobody feels disenfranchised, nobody feels cut off from government services as we move towards digital".
As part of this, the government went cloud-first in 2013, which also meant new security considerations and other factors.
“Certainly in government, as we outsource so much technology, we lost control of how those services work, but we did not lose the obligation to deliver,” Stewart said. “Technology is changing faster, our users’ expectations of us are changing faster and preparations around security have got to keep pace with those changes.”
He explained that, as in other organisations, different parties have different aims when it comes to functionality and security, leading to issues further down the line.
“I hope that today we’ve learned how to integrate those teams a lot better so we can talk about the trade-offs in that,” he said. The GDS is also working on allowing teams to work more autonomously.
To achieve this, it has begun working with cross-disciplinary teams, bringing together programmers, architects, content specialists and others to consider the risks and the desired functionality and address both.
Stewart also spoke of the government’s new, more flexible classification system, which was needed because under the previous scheme it took a lot of effort to get information to a stage where it could be published.
“As we do that, it helps us understand what the really sensitive stuff is,” he said.
As the government diversifies its suppliers, it becomes important to be able to trial and assess them more quickly – so it works with CESG guidance based on what the concerns are with any particular service.
“That lets us start to think about how to apply those principles progressively,” Stewart said. Then they can go back after assessing the tools and consider how they could be used at a deeper level, he explained.
He said that providers generally seem to be getting better at providing access to their technical teams, rather than their salespeople, to discuss the technologies behind their cloud security.
Stewart added that training like “red team exercises”, where teams practise attacking and defending their own systems, can help to prepare organisations for what could go wrong and establish clear communication channels.