New Government Security Classifications Criticised

G-Cloud has received more stinging criticism with one accredited supplier attacking new security rules and warning that the update guidelines could result in data breaches as well as a drop off in G-Cloud’s popularity.

Skyscape, a major G-Cloud supplier, warned that changes to data classification rules will make it harder for deals to be as safe as before and a serious data breach won’t be far off as a result.

The government’s new system for data classification was introduced on 2 April and sees information labelled as either “Official”, “Secret”, or “Top Secret”, with the description dependent on how sensitive the information is deemed to be.

It replaces a system that used a sliding impact level [IL] scale that gave a score from 0-6 depending on how dangerous an organisation’s data would be if it fell into the wrong hands.

“In the old world, we have an IL-3 government accredited certificate, [and] if a customer has IL-3 data, it’s a pretty good match. They’ve got confidence that we’re doing the right things [to protect their information],” explained John Godwin, head of compliance and information assurance at Skyscape, at a roundtable event, according to CloudPro.

“In the new world, the customer is now expected to go out in this Official space and make informed decisions, ask the right questions and make sure all the risks are understood.  That’s a big ask for an organisation that has never done that type of work before,” Godwin added.

G-Cloud 5, which was only sent live last month, still uses the old system and it’s only when G-Cloud 6 is implemented that the change will take place and Godwin thinks the changes will mean a shift in G-Cloud’s flawless security record.

“As far as I’m aware there have been no significant or serious security breaches through the G-Cloud framework. The new system is potentially going to change that,” Godwin added.

Godwin’s major worry is with the data that is classed as Official and its his belief that this will be handled in a way that means it is “inadequately controlled” and “put at risk” as a result.

To prevent this stalling the adoption of G-Cloud service the other members of the same roundtable agreed that end users must be educated in plain English about the changes.

“All suppliers when supplying bids for G Cloud 6... will need to answer a questionnaire on what security they have in place, what accreditations they have done, and supply documentation on that,” confirmed Tony Singleton, director of the digital commercial programme within the Cabinet Office.