The government and the IT community are now willing to show greater flexibility around security governance, in order to benefit from Cloud Computing and shared services.
Results of a survey by solutions and services provider CSC suggest that users are ‘open to sharing sensitive activities’ in the Cloud, as long as the parties involved ‘share similar characteristics and have the same cultural approach to security’.
‘Shared Services: A Perfect Storm of Opportunity’ was developed by CSC with support from UK government body CESG (Communications-Electronics Security Group), the information assurance arm of GCHQ (Government Communications Headquarters). Respondents included 200 senior security and IT experts working across central and local government and their associated suppliers, who attended the Government's Information Assurance flagship event, IA10 last September.
With security of utmost concern to UK government departments, the survey asked what the inhibitors are to achieving full cost savings and efficiencies from Cloud Computing. The research revealed that the main barrier to the adoption of cloud services are the ‘different approaches to information security across potential users’, and that ‘confusion still exists’ about the Cloud.
Enthusiasm to find the ‘middle ground on governance’ was demonstrated by the majority of respondents (65 per cent) being willing to share Security Operations Centre (SOC) services, as an interim measure to build trust between users. People also declared that a reduction in the number of audit events to be monitored – along with a revision to internal governance, risk and compliance policies and processes – were the two most important compromises when migrating to Cloud services.
“Reaping the cost benefit of shared services is of paramount importance to local and central government, but security policies and compliance regulation have made this a real challenge,” says CSC director for Global Security Solutions Ron Knode. “The public sector is more flexible and willing to look at alternative approaches to certain aspects of security, and develop stepping stones towards using shared services - previously, nobody was willing to do this. Departments had their rules, and that was that. Now suddenly, people are indicating that ‘if you’re a lot like me’, maybe they can come together with an altered set of governance processes and decision-making criteria to gain the benefits of the Cloud.”
When asked what the most important aspects are when establishing shared services, the ‘cultural approach to Information Assurance (IA) and Information Risk Management’ was respondents’ top answer. Desktop applications are the first choice for respondents when questioned about which service functions they were most comfortable in sharing. In addition, while the vast majority strongly agreed that the use of a public Cloud would ‘substantially increase risk to confidentiality’, a majority also agreed that a shared private Cloud (or community Cloud) among users with similar security cultures would likely be an acceptable risk.