Wednesday, 30 January 2013

Skyscape loose ends – still loose

  • Skyscape are late submitting their first statutory accounts to Companies House
  • There are more reasons to believe that HMG will lose control of our data once it is hosted in the cloud on Skyscape's servers
  • It looks as if GOV.UK is still not being hosted by Skyscape
----------

Skyscape's non-existent track record
Source: Companies House, 30 January 2013
Skyscape Cloud Services Ltd were due to submit their first set of accounts to Companies House by 31 December 2012 and, so far, they're a month late.

How did the Government Procurement Service (GPS) and the G-Cloud team determine that it is safe to offer Skyscape's services on the Cloudstore?

What did the Government Digital Service (GDS) have to go on when they chose Skyscape to host GOV.UK, the soon-to-be-single face of government on the web?

How did HMRC decide to entrust its local office data to Skyscape?

No answers. It remains baffling that all this responsibility for public administration should be put on a one-man company.

And now it transpires that the MOD are relying on Skyscape, too.

Losing control of our data
Does the following snippet give you confidence in Skyscape?
ScienceLogic streamlines IT management for Skyscape Cloud Services
Date: 24 Jan 2013

Skyscape Cloud Services, “the easy to adopt, easy to use, and easy to leave” Assured Cloud Services Company, has selected and deployed the ScienceLogic™ Inc. IT infrastructure management platform to optimize IT operations and rapidly automate processes in their large-scale, Infrastructure as a Service (IaaS) offerings. Skyscape is a supplier to the UK government through the G-Cloud Framework initiative, helping deliver a highly-scalable, secure community cloud for the provision of public services. The innovative service provider is using the robust ScienceLogic platform to simplify the complexities of providing mission-critical cloud services to multiple government organizations including GOV.UK and the Ministry of Defence.

“We needed to take a more proactive, cost-effective approach to managing our government customer IT cloud resources,” said Peter Rossi, Head of Orchestration & Automation at Skyscape ...
It shouldn't.

ScienceLogic is a US company based in Reston, VA.

So what?

Once HMG put our data in the cloud, it passes beyond their jurisdiction. What happened to Megaupload.com could happen to us, too. The FBI impounded all the data on Megaupload's servers and no-one has been able to get their data back since.

According to Megaupload's lawyers, the prosecution's case amounts to saying that you lose your property rights if you store data in the cloud – if you'd wanted to retain those rights, so goes the argument, you wouldn't have used the cloud.

The FBI have the powers of the USA PATRIOT Act available to them and of the Foreign Intelligence and Surveillance Amendments Act (FISA).

The USA PATRIOT Act powers can be exercised wherever in the world the cloud data is stored and, as they say on the G-Cloud website, "public cloud is often non-geographically specific" – HMG often won't know where our data is. Location doesn't matter to the FBI. All that matters is that a US-registered company should be involved or any other company with a substantial business in the US.

Skyscape were already known to be involved with EMC, QinetiQ, VMware and Cisco. Then they emphasised the involvement of EMC with the release of a promotional film, Skyscape Cloud Services – Storage as a Service on EMC Atmos. EMC is a US company based in Hopkinton, MA. And now their Head of Orchestration has added ScienceLogic to the list.

FISA was recently "renewed"; please see U.S. Spy Law Authorizes Mass Surveillance of European Citizens.

The reasons why the FBI might be interested to take a look at our data are manifold. It was suspected copyright infringement in the case of Megaupload. In our case, it might be that or anything else. Now that the Foreign Account Tax Compliance Act (FATCA) has come into force, they might for example just want to see if there are any US citizens or companies or trusts in the UK evading US tax.

And that's the US, the kindred country we know and trust. HMG will have even less control over our data in other jurisdictions.

Where is GOV.UK?
Back in October 2012, GDS announced that GOV.UK would be hosted on Skyscape.

This came as news to its then current host, a cloud services company called Akamai. Has GOV.UK moved to Skyscape now? It doesn't look like it. It looks as though it's still hosted with Akamai.

What's going on? Was the GDS announcement about Skyscape nonsense? Who knows. GDS don't answer questions. Four months after Skyscape came into public view, we're none the wiser.

----------

Added 31.1.13:
US authorities can spy on the iCloud without a warrant

8 comments:

Anonymous said...

Akamai is a Content Delivery Network used by many large websites to handle heavy load - it's essentially a distributed cache, not the actual website host.

David Moss said...

Thank you for that comment, Anonymous. Akamai's servers could be anywhere in the world. So our data could be anywhere in the world. Beyond the jurisdiction of HMG.

Akamai's Simon Newton says: "Last time I checked it was Akamai hosting www.gov.uk. I should know, I managed the integration", 17 October 2012.

David Moss said...

Just noticed last night that four days after the conversation between Simon Newton and me Theodore said: "From your last few comments, I take it that this is the first time you've been on the Internet by yourself".

Guilty as charged.

Theodore goes on to say: "I believe, but don't actually care, that Skyscape is using a CDN (perhaps Akamai) to prevent their having had to buy hardware, pay for software, pay for data center space, etc, etc, etc ... Whether that is what was intended when Skyscape's bit was accepted, I don't know, but I'm sure that Akamai are happy with the situation".

Theodore may not care but Mr Newton does: "While I cannot comment on what any particular customer's IT strategy and press releases mean, I can say with 100% certainty www.gov.uk is delivered through Akamai. Do a nslookup or dig on www.gov.uk to confirm if you wish".

That's 100% certainty, note. 100%. Theodore notwithstanding, it would be useful if GDS answered the question, is GOV.UK hosted on Skyscape, yes or no.
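
The nslookup/dig check mentioned in the comment above, as an added example that is not part of the original post or its comments: it follows the CNAME chain in `dig` answer lines and reports whether a known CDN edge domain appears in it. The hostnames, addresses and sample answers are constructed for illustration, and the suffix list is a small assumed subset of Akamai edge domains.

```python
# Added example: sample dig answers below are constructed, not captured data.
# Edge domains operated by Akamai that commonly appear as CNAME targets.
CDN_SUFFIXES = {"edgekey.net": "Akamai", "edgesuite.net": "Akamai",
                "akamaiedge.net": "Akamai", "akamai.net": "Akamai"}

def parse_answers(dig_text):
    """Map each owner name to (type, rdata) from dig ANSWER-section lines."""
    records = {}
    for line in dig_text.splitlines():
        fields = line.split()
        # Expect: owner TTL IN TYPE RDATA; skip comments and other lines.
        if len(fields) < 5 or fields[0].startswith(";") or fields[2] != "IN":
            continue
        owner = fields[0].rstrip(".").lower()
        records.setdefault(owner, (fields[3], fields[4].rstrip(".").lower()))
    return records

def cname_chain(records, name):
    """Follow CNAMEs from name; stop at an address record, a gap or a loop."""
    chain, seen = [], set()
    name = name.rstrip(".").lower()
    while name in records and name not in seen:
        seen.add(name)
        rtype, rdata = records[name]
        if rtype != "CNAME":
            break
        chain.append(rdata)
        name = rdata
    return chain

def delivery_via(dig_text, name):
    """Return the CDN operator whose edge domain is in the chain, else None.
    A match shows who answers the client, not where the origin is hosted."""
    for target in cname_chain(parse_answers(dig_text), name):
        for suffix, operator in CDN_SUFFIXES.items():
            if target == suffix or target.endswith("." + suffix):
                return operator
    return None

SAMPLE_CDN = """;; ANSWER SECTION:
www.example.test.             300 IN CNAME www.example.test.edgekey.net.
www.example.test.edgekey.net. 300 IN CNAME e0000.x.akamaiedge.net.
e0000.x.akamaiedge.net.        20 IN A     192.0.2.10
"""
SAMPLE_DIRECT = "www.example.test. 300 IN A 198.51.100.7\n"

if __name__ == "__main__":
    print(delivery_via(SAMPLE_CDN, "www.example.test"),
          delivery_via(SAMPLE_DIRECT, "www.example.test"))
```

A result of `None` means only that no listed edge domain was seen in the chain; either way, DNS shows the delivery path and says nothing about which provider runs the origin servers behind it.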

Anonymous said...

CDN services typically *cache* already available static *public* content, to reduce the load on the web servers and to decrease the latency from various locations.

Since all of gov.uk is public at the moment (no registration, no sign-in, etc), and visible from everywhere, including the US, then it doesn't really matter where that data is delivered from.

If you're paranoid, once gov.uk starts asking for personal data, check to see where that content is transmitted from/to - I suspect that it won't be via Akamai.

Oh, and calling out ScienceLogic as a data security risk isn't really fair; it's a piece of software, not a cloud company. If you check their website, they specifically talk about on-site deployment (http://www.sciencelogic.com/product/services/deployment). Since the company doesn't host the data, then the PATRIOT Act doesn't come into play.

Ditto with EMC ATMOS, which is a disk storage system that (presumably) runs in one of Skyscape's datacentres. To say that this is a risk because EMC is a US company is to say that anybody running Windows (or Redhat, or Mac OSX) is in danger because the company that wrote it is US-based. This also means that pretty much all of government servers (which run Microsoft) are in trouble.

Assuming that Skyscape have taken the precaution of changing the default passwords, EMC cannot get back in to get the data, even if the US govt. told it to.

Of course, if Skyscape are using a US company to host data, then there is a theoretical risk that PATRIOT could be used... but that's taking paranoia to a whole new level.

By the way, Government Gateway IDs are currently delivered by a "black-box" (i.e. closed source) solution built on Microsoft technology (http://www.theregister.co.uk/2001/03/28/microsofts_uk_egovt_service_unveiled/), and hosted by Cable & Wireless (a US company) - which, by the way, also runs all of the government secure intranet (http://en.wikipedia.org/wiki/Government_Secure_Intranet). So presumably, the US government can already see all of our existing, non-cloud hosted services anyway... :)

David Moss said...

Thanks for all that, Anonymous. It may not look like it but I'm thinking.

David Moss said...

... and what I'm thinking is this – the appointment of Skyscape is just very odd.

Anonymous said...

Skyscape were paid £54k in December by the Cabinet Office.

http://gcloud.civilservice.gov.uk/about/sales-information/

David Moss said...

I am jealous, Anonymous. I spent ages poking around data.gov.uk trying to get information on Cabinet Office expenditure and couldn't find anything post-September, I think, possibly October.
