Fresh Doubts Over New Government Security Classifications Arise

G-Cloud’s new classification system has been hit with another knock back as public sector companies expressed grievances about the new method of classification just days after G-Cloud providers complained about the same changes.

A survey carried out by Skyscape Cloud Services at IA14, a government event for cyber security, found worries about the security of cloud services that are classed under the three new security levels – “official”, “secret” and “top secret”.

When questioned about the new Government Security Classification Policy [GCSP] and what worried them about the new “official” category, 75 per cent stated they are concerned about sharing a cloud with tenants from other countries and sectors. The same percentage also stated that poor security controls implemented by providers, including unvetted staff gaining access to data, is concerning.

The GCSP will replace the current Government Protective Marking Scheme [GPMS] when G-Cloud 6 is rolled out and the current impact level [IL] scale, which ranks data across six tiers, is still widely used across the government’s G-Cloud procurement framework.

79 per cent of those surveyed also admitted that firms would continue to use cloud services classed as “official” if they remained accredited by the CESG and this accreditation would save them a lot of time and effort.

John Godwin, Skyscape’s head of compliance and information assurance, is one that has already expressed worries about the new classification system and again stressed the need for all sides to be taught about the new implementation.

"It's clear that education is needed for both suppliers and buyers to help them understand the new security classifications," Godwin said, in response to the survey results, according to CloudPro. "Not all clouds are created equally. Most cloud services are very exposed to the internet whilst other cloud services benefit from the assurance and convenience of being part of a Public Services Network. It's up to us all to help public sector organisations make informed decisions when choosing cloud services.”

Godwin’s main reservations with the new system marry up with those of public sector firms and concern that the “official” classification could end up with data falling into the wrong hands and generally being less secure than before.

Education is one way that most sides seem to think the fears can be allayed and the government has a little while yet to start teaching before G-Cloud 6 gets its roll out at some point in six to 12 months time.