Cloud computing given cautious thumbs up by UK public sector

Specifically, says CSC, the company that published the report, there is a distinct need for the parties storing data in the cloud to share similar characteristics and have the same cultural approach to security.

The report, entitled 'Shared Services: A perfect storm of opportunity,' was developed by CSC with support from UK government body CESG, the information assurance arm of GCHQ.

Respondents included 200 senior security and IT experts working across central and local government and their associated suppliers, who attended the government's information assurance flagship event, IA10, in September this year.

According to the report, the main barrier to the adoption of cloud services are the different approaches to information security across potential users, and that confusion still exists about cloud technology.

The study notes that an enthusiasm to find the middle ground on governance was demonstrated by the majority of respondents (655) being willing to share security operations centre (SOC) services, as an interim measure to build trust between users.

Respondents also declared that a reduction in cloud service subscribers' autonomy to select platforms and protective monitoring solutions was the most important compromise when migrating to cloud services, followed by a revision to internal governance, risk and compliance policies and processes.

"Reaping the cost benefit of shared services is of paramount importance to local and central government but security policies and compliance regulation have made this a real challenge", said Ron Knode, CSC's director for global security solutions.

"The most startling discovery in the survey is that the public sector is more flexible and willing to look at alternative approaches to certain aspects of security, and develop stepping stones towards using shared services", he added.

Knode went on to say that, previously, nobody was willing to do this – departments had their rules and that was that.

"Now suddenly, people are indicating that 'if you're a lot like me,' maybe they can come together with an altered set of governance processes and decision-making criteria to gain the benefits of the cloud", he explained.

When asked what the most important aspects are when establishing shared services, the "cultural approach to information assurance (IA) and information risk management" was respondents' top answer.

Desktop applications, meanwhile, are the first choice for respondents when questioned about which service functions they were most comfortable in sharing.

In addition, says CSC, whilst the vast majority strongly agreed that the use of a public cloud would substantially increase risk to confidentiality, a majority also agreed that a shared private cloud – or community cloud – among users with similar security cultures would likely be an acceptable risk.

Knode added that, for there to be progress to be made in cloud computing, departments need to focus on the paths of least resistance, such as creating a like-minded community sharing lower-risk services.

"By establishing a governance test-bed, users can examine and validate potential areas of flexibility of governance. Transparency also has to be included in every proposed cloud standard and advocates should resist the urge to develop too many clouds but rather explore progressive or layered clouds, which accommodate different user standards", he said.

What’s Hot on Infosecurity Magazine?