https://digitalmarketplace.blog.gov.uk/2014/07/11/security-classifications-in-the-cloud-environment/

Security classifications in the cloud environment

As you may know, since April 2014 the classification system in Government has changed from 'Unclassified', 'Protect', 'Restricted', 'Confidential', 'Secret' and 'Top Secret' to just 'Official', 'Secret' and 'Top Secret'. A new Cloud Security Principles guide was published to support this.

The greatest impact on cloud services will be in the OFFICIAL tier. OFFICIAL cloud services can be broadly identified in two groups:

  1. OFFICIAL, connected via the internet. This includes Public Clouds, Community Clouds and Hybrid Cloud models.
  2. OFFICIAL, connected via Public Service Network (PSN), which will be Community Clouds, dedicated to services offered to the "PSN Community" or "PSN with Encrypted overlay Community". Here the PSN IA conditions will impose additional controls.

The classifications of SECRET and TOP SECRET have little impact on cloud services, as any cloud infrastructure at these tiers would either be Private Clouds or small, specific Community Clouds.

It must be noted that ‘OFFICIAL-SENSITIVE’ is not a classification. However, in some instances it provides a handling caveat where a more limited need to know must be enforced and assured.

3 comments

  1. Comment by Andy Powell posted on

    Apologies for nit-picking and I might be missing something but...

    OFFICIAL is a classification that applies to information assets, is it not? On that basis, the phrase "OFFICIAL cloud services" is presumably a short-hand way of saying "cloud services that are appropriate for managing OFFICIAL information assets"? Using the phrase "OFFICIAL cloud services" seems to me to introduce further confusion into what is already a highly confused area in terms of terminology, and is more or less as bad as using the phrase "IL2 cloud services", which is what I thought you wanted to move away from?

    Beyond that... I'm not clear what you are suggesting here? Are your two groupings ("OFFICIAL, connected via the Internet" and "OFFICIAL, connected via PSN") intended to be used in some specific way? Surely, whether "the PSN IA conditions, will impose additional controls" depends on what controls have been layered over any available Internet connection?

    Sorry, I'm confused!

    Replies to Andy Powell:

      Comment by Raphaelle Heaf posted on

      Yes, "OFFICIAL cloud services" is a short-hand way of saying "cloud services that are appropriate for managing OFFICIAL information assets". Government has stopped using the terms "impact levels" as these have been superseded by Government Policy and the Government Security Classifications.

      There is no intention to use the two OFFICIAL cloud groups differently; it is merely the fact that those services connected via the PSN are subject to the PSN IA Conditions, whereas those connected via the internet are not. The PSN IA Conditions are specific to the PSN.

      Replies to Raphaelle Heaf:

        Comment by Simon Telfer posted on

        Raphaelle,

        Although there is no intention to use two groups, surely this will be inferred, as there will be two different levels of PGA certificate issued, and each cloud can only be one of these:

        "OFFICIAL information and connect to the PSN"
        "OFFICIAL information and connect to the PSN encrypted overlay only"

        In cloud services the process of 'choosing your PSN flavour' is something you need to do at the outset, as the PSN guidance does not allow a multi-tenant private cloud to simply plug into both PSN flavours.

        I'm not a specialist in this area though and will call our CLAS team to help me understand, but if there are any simple explanations you can provide I would be very appreciative.

        regards