Saturday, 24 May 2014

GDS, G-Cloud, user needs and security


How would you make G-Cloud less attractive
and slow down take-up even more?

All change round at G-Cloud. Again.

They're full of surprises.

Especially since they came under the control of the Government Digital Service (GDS) on 1 June 2013.

So what is it this time?

Accreditation. It's on the way out.

What do the changes to CESG’s new Cloud Security Principles mean? Good question, asked by Robin Pape in Digital By Default News:
Until now, the CESG Pan Government Accreditor has been responsible for accrediting cloud services to IL2 and IL3 levels.  This was a time- and resource-consuming exercise for both suppliers and CESG, and led to long lead times for accreditation.  However, it did provide two standard levels of assurance for customers wanting services to handle sensitive data, removing the need for each customer to accredit the services themselves.
Until now there was no "need for each customer to accredit the services themselves". That's about to change, subject to consultation.

Let's just be clear what they're talking about. Take HMRC as an example, Her Majesty's Revenue and Customs. They wanted to store some data in the cloud. They needed a cloud service that was assured of adequate security. And, as Phil Pavitt told us back in October 2012, they chose Skyscape as their supplier:
... data security remains integral to HMRC and a pre-requisite of any of our data being migrated to Skyscape is for their solution, including all the constituent parts, to be formally accredited by CESG (the Communications-Electronics Security Group) to Impact Level 3 (IL3). For more information please see the link below:

http://gcloud.civilservice.gov.uk/2012/03/09/so-what-is-il3-a-short-guide-to-business-impact-levels/

This accreditation is expected imminently, at which point HMRC will be in a position to begin securely moving data over to Skyscape and decommissioning our old servers ...
That was then.

And now?

Back to Mr Pape's article:
The new approach will be based on the “Cloud Service Security Principles” published by Cabinet Office late last year and the recently-published guidance “Implementing the Cloud Security Principles” which is currently an Alpha (ie a first public draft for consultation).  The intention is that, for future GCloud framework contracts, the principles and guidance will be the basis on which suppliers describe how they address security in their service offerings.
The intention is that ... G-Cloud suppliers will accredit themselves. "This was a time- and resource-consuming exercise for both suppliers and CESG" and now all that time and cost can be saved by simply not bothering. Security? Who cares.

Understand, it's not Mr Pape recommending this change. He's just reporting what's proposed. The proposal comes from the Cabinet Office, presumably with the approval of Francis "JFDI" Maude.

Will it really save any money and time?

No. Instead of a one-pass CESG process, G-Cloud suppliers and their customers will now have to go through the security assurance process for each and every prospective procurement. And every year thereafter, when they want reassurance that the G-Cloud service still meets the required security level, they'll have to do it all over again, n times instead of once.

So much for user needs driving everything that GDS does.

All change.

We learnt back in February that a group of G-Cloud suppliers want longer maximum contracts, three years instead of two. That is the exact opposite of the principle on which G-Cloud was established. Long lock-in periods then were seen as the problem. Now they're the solution.

These suppliers also want to discontinue the facility for clients – central and local government departments – to negotiate individual contracts. They think that the clients are being too fussy about security. And they think that the clients should be forced to advertise their procurement plans and that they should be forced to explain themselves to the headmaster when they decide against a G-Cloud offering. They want to knock out any competition to G-Cloud:
We recommend that a system be put in place to enable suppliers to report variances from the G-Cloud buying guide to the G-Cloud team and CCS [the Crown Commercial Service, the Government procurement Service as was] to enable any common issues to be addressed ...
What's the point of negotiating a framework to get round the procurement problems posed by the oligopoly of big systems integrators (SIs) if you promptly reintroduce those problems into the small- and medium-sized enterprises (SME) framework?

The G-Cloud framework was in tatters then, as we said:
With apologies to George Orwell: "The customers outside looked from SME to SI, and from SI to SME, and from SME to SI again; but already it was impossible to say which was which".
Since then we have learnt that CloudStore, the G-Cloud shop-front, is for the chop.

And now the Cabinet Office want to get rid of expert security accreditation. Because it takes too long. Too long for what? And it costs too much. Too much for what? What is it in this case that is more important than security?

Putting your data and your applications in the cloud is already the fastest way known to lose control of them. The Cabinet Office/GDS seem to be intent on making the process even more efficient.

Let Mr Pape have the last word. He's a G-Cloud supplier and he knows what he's talking about:
How will customers and suppliers be able to transact business easily without the old standard levels of assurance?  G-Cloud must make it quick and easy to buy commodity services, but a long security-checking process for each purchase would make G-Cloud less attractive and slow down take-up even more.

No comments:

Post a comment