
GDS declares public cloud secure enough for "vast majority" of public sector

Government Digital Service moves to allay public sector concerns about using off-premise services in a bid to speed up cloud adoption beyond Whitehall

A government-backed piece of guidance, outlining the security benefits of using public cloud, has been applauded for directly addressing one of the public sector’s biggest misconceptions about off-premise IT.

The Government Digital Service’s (GDS) newly released guidance offers public sector IT buyers some pointers on how to approach the adoption of public cloud services, before moving swiftly on to state that they are safe to use for the “vast majority of government information and services”.

The brief document starts by making the point that it is “possible for public sector organisations to safely put personal and sensitive data into the public cloud”, before talking up the ability of the major cloud providers to keep their data locked down.

“Cloud providers have a significant budget to maintain, patch and secure their cloud infrastructure,” the guidance reads. “This means public cloud services can mitigate many common risks that often pose challenges for government organisations.”

Jessica Figueras, chief analyst at public sector-focused market watcher Kable, welcomed the guidance, and applauded GDS for being so direct and clear on its opinion of public cloud.

This, in turn, should help dispel one of the public sector’s biggest misconceptions around the use of the technology – that data stored in the public cloud is inherently less secure, she told Computer Weekly.

“It’s a really good piece because it’s short and simple and gets to the point really quickly. The one thing that is holding back adoption of cloud is this perception that public cloud is less secure than private cloud,” she said.

Citing Kable’s own research, Figueras said nearly a third of public sector IT buyers cited security and concerns about data protection as barriers to using cloud.

“There hasn’t really been a very clear rebuttal of this central perception [from GDS] before, which risks holding back public cloud adoption because of security concerns,” she added.

The guidance does concede there may be a “very small number of situations” where it would be inappropriate to use cloud services, particularly in instances where data sovereignty is a major consideration.

In such circumstances, public sector IT buyers will need to give an account of the reasons why they cannot use cloud to the GDS spend controls team, the document continues.

Cloud security is shared responsibility

It also makes a point of reminding public sector organisations that moving their data to the cloud does not absolve them of responsibility for looking after it and ensuring it is securely stored.

“With cloud services, you need to take a shared approach to responsibility,” the document continues. “You should understand how responsibility for security is shared between you and the cloud provider. Where appropriate you should layer security controls on top of those built into the cloud services you are using.”

The publication is long overdue, former G-Cloud lead Mark Craddock told Computer Weekly, given central government has been following a cloud-first mandate since 2013.

“It has taken a long time for such a simple but powerful message,” he said. “For me, this shows GDS changing to [become] more focused on standards and principles.”

Figueras said the document could inspire another tranche of public sector users to start using the public cloud services offered by the likes of Amazon Web Services (AWS) and Microsoft, and home-grown firms such as UKCloud.

That is particularly the case now that so many of them are taking action to address the data sovereignty concerns of potential public sector cloud buyers by opening UK datacentres, giving those buyers access to locally hosted services.

“They all stand to benefit, but it’s also worth bearing in mind that cloud isn’t a black and white thing, as many organisations are going to opt for hybrid clouds and most of the larger public sector organisations will have complex infrastructures and there will be some incredibly old stuff in there, which they may or may not be able to move,” she added. 

A new name for outsourcing

Even with GDS’s stamp of approval for public cloud services in place, Paolo Vecchi, CEO of open source-focused IT provider Omnis Systems, said IT buyers should take their time to get to grips with what moving to the cloud will really entail for their organisation.

“GDS is promoting public cloud as the best alternative to locally managed IT services, but, in reality, it’s just a new name for outsourcing that has been proven over the years to increase costs and reduce efficiency,” he told Computer Weekly.

“Anybody who has a basic grasp of mathematics can add up the basic costs of a public cloud service and find out that over two years a modern in-house equivalent service will cost about the same.”

That is particularly true once the additional and often unexpected costs involved with moving IT off-premise and into the cloud kick in, he added.

“Adding [in] all the other relevant costs, like additional consultancy, unplanned and obscure add-on services, licensing, user directory migrations, bandwidth, backups, security and risk management, the first year [of using a] public cloud service could cost a lot more than planned,” he said.

“Especially when talking about US-based cloud providers, whose services have increased in price due to the devaluation of the pound because of Brexit, which in turn will make public cloud even less competitive than it is now.”
