UK gov introduces simpler security classifications – 90% of data now cloud friendly

As with a lot of enterprise IT, it's often not the technology itself that drives modernisation, but the governance and process changes that make the big difference. This week the Cabinet Office in the UK made an announcement about changes to its security classifications – a simplification that it says makes government 'fit for a digital age'. Essentially it has reduced six previous levels of protective marking (Unclassified, Protect, Restricted, Confidential, Secret and Top Secret) to just three: Official, Secret and Top Secret.

On the face of it the announcement is quite difficult to penetrate and the significance  not immediately obvious. The government press release states the following:

“This system dated from a time when civil servants only worked with paper. Using this system with government IT has led to unnecessary controls, complexity, and misunderstandings. Reforming the system will help save the taxpayer money, allowing government to buy standardised IT rather than expensive bespoke solutions.” 

Here's a nice Cabinet Office image explaining the new markings:

But what does this actually mean? It took some sifting through numerous policy documents and some serious Googling to find out how this could possibly make a difference to the public sector's use of IT going forward.

This could be good news for G-Cloud

As many reading this will know, the UK government has set a cloud first policy for central government, which is meant to be backed up by the availability of thousands of services on the G-Cloud framework – a pre-approved list of suppliers that offer cloud products and services via an online portal. However, one of the main complaints and sticking points to date has been the security accreditation process, where a bottleneck of suppliers keen to get assured to the all important Business Impact Levels 2 and 3 soon emerged. Impact Levels 2 and 3 are required to host government data – with 3 being the requirement for more sensitive information.

Although the new security classifications aren't yet replacing the business impact levels, there were some interesting phrases used in the government's policy document. It seems that data that will be classified as Official (approximately 90 percent of government data) will be suitable for Business Impact Level 2 and 3. The guidance document states:

“Assured Public Cloud (formerly Impact Level 2) services will be subject to a suitably scoped ISO27001 certification and other assurance activities as described in the GCloud Information Assurance Requirements and Guidance. Such services may be appropriate for the generality of OFFICIAL information, although organisations should carefully consider the scope of the IS027001 certification, the geographic location of the hosting, and any other residual risks identified as part of the G-Cloud Accreditation Statement. It is unlikely that these services will be suitable for more sensitive information. 

“ Formally accredited Public Cloud (formerly Impact Level 3) or Private Cloud services will be subject to a full HMG accreditation and will be hosted within the UK. These services are likely to be appropriate for most OFFICIAL information, although organisations should still be mindful of any risks involved in outsourcing services and data to the cloud (including those set out in the G-Cloud Accreditation Statement).”

Simply put: a big bloody chunk of government data is going to be suitable for even the lower level of security assured hosted services. Tony Richards, head of security and accreditation for G-Cloud summed it up nicely by saying:

“In general terms, information assets that were previously classified up to and including RESTRICTED should be managed at OFFICIAL and where some information was over marked at CONFIDENTIAL and this may be appropriate to manage as OFFICIAL too.”

Richards said that the latest iteration of the G-Cloud framework, which opened for submission on the 25th February this year, will still refer to the older system – Business Impact Level2 and Business Impact Level 3. However, this is going to be a transition period and a new approach is going to be developed to be better aligned to the Official data classification. This could mean a far simpler system for suppliers for many that will only be interested in targeting the 90 percent of government data that is Official, but also for buyers that are wanting to put their data in the cloud. The process is being simplified.

A few words of warning

There are, however, a couple of things that buyers and suppliers need to bear in mind when this gets into full swing – and, as always, much of the detail has been buried within the depths of many dull Whitehall documents. Firstly, offshoring data is still a sensitive subject and government buyers need to really think carefully about where the data is going to be located – even if it is within the EU. Also, the words 'personally responsible' are highlighted and underlined many a time throughout the documents – in other words, although most things are going to be classified as Official, make damn sure that they actually are.

There was one other small 'caveat' that might throw up a few problems. The document states: 

“Some particularly sensitive information will attract a Caveat (e.g. OFFICIAL-SENSITIVE) or Special Handling Instructions (e.g. CODEWORDS or National Caveats) to denote the need for further controls, particularly in respect of sharing. The impact of compromise of this information may be higher, but this does not imply that it will necessarily be subject to the threat model applicable to higher tiers.”

How broadly this Official-Sensitive classification will be used remains to be seen, but will likely impact things like health records or data with identifiable information on it – names, addresses etc. How this then impacts putting the data in in the cloud, is still unclear. Any updates we receive will be added to the story at a later date.

All in all an interesting development and something that if done properly could really simplify decision making for IT buyers and even prove a subtle but significant boost for the G-Cloud. I will close with Cabinet Office Minister Francis Maude's positive outlook:

“We have changed a security classification system that was designed decades ago and introduced a new system fit for the digital age. It will make it easier to share information and save money. There has been a tendency to over-mark documents rather than to manage risk properly. 

“The most important and sensitive materials must continue to be protected as ‘Top Secret’ or ‘Secret’ but for other information the new ‘Official’ category, with its emphasis upon personal responsibility and accountability, will be appropriate for most of what government does.”