Government advises public sector organisations on cloud services
Document intended to help organisations consider security features of IaaS, PaaS and SaaS
The UK government has released security guidance for public sector organisations that are seeking to adopt cloud services.
Whitehall has been keen to encourage public sector organisations - both at local and national level - to purchase cloud services from a wide range of service providers in the most cost-effective manner possible. This is why it established the G-Cloud framework, as part of a drive to reduce the amount government spends on IT services from large suppliers by removing some of the pre-qualifying paperwork.
The government said the guidance document is "intended to help organisations consider the security features of cloud services they wish to use". It said that this is the first of a number of guidance documents for the public sector relating to the use of cloud services to process official information.
The principles are to apply equally to Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) as defined by the National Institute of Standards and Technology.
"Consumers [of the cloud services] will need to decide how much, if any, assurance they require in the different security principles which matter to them," the government said.
The document lists 14 cloud service security principles that need to be taken into account. These are: data in transit protection; asset protection and resilience; separation between consumers; governance; operational security; personnel security; secure development; supply chain security; secure consumer management; secure on-boarding and off-boarding; service interface protection; secure service administration; audit information provision to tenants; and secure use of the service by the consumer.
Within the personnel security guidance category, the government states that service provider staff should be subjected to adequate personnel security screening for their role.
"At a minimum this should include identity, unspent criminal convictions, and right to work checks. For roles with a higher level of service access, the service provider should undertake and maintain appropriate additional personnel security checks," the document reads.
The guidance publication is in BETA and the government has asked for feedback on the content.
Last week, a report found that nine in ten local councils have made no G-Cloud procurements. But this was largely down to the councils' lack of awareness as opposed to any security fears.