As you may know, since April 2014 the Government classification system has changed from 'Unclassified', 'Protect', 'Restricted', 'Confidential', 'Secret' and 'Top Secret' to just 'Official', 'Secret' and 'Top Secret'. A new Cloud Security Principles guide was published to support this.
The greatest impact on cloud services will be in the OFFICIAL tier. OFFICIAL cloud services fall broadly into two groups:
- OFFICIAL, connected via the internet. This includes Public Clouds, Community Clouds and Hybrid Cloud models.
- OFFICIAL, connected via the Public Services Network (PSN). These will be Community Clouds dedicated to services offered to the "PSN Community" or "PSN with Encrypted overlay Community". Here the PSN IA conditions will impose additional controls.
The classifications of SECRET and TOP SECRET have little impact on cloud services, as any cloud infrastructure at these tiers would either be Private Clouds or small, specific Community Clouds.
It must be noted that ‘OFFICIAL-SENSITIVE’ is not a classification. However, in some instances it provides a handling caveat where a more limited need to know must be enforced and assured.