Tuesday, May 13, 2014

Officially Uncertain

It turns out that the new security classifications, introduced at the start of April 2014, have collapsed into a single new tier - Officially Uncertain.  I worried that this might happen earlier in the year.

Last week, for instance, it was clearly explained to me that "OFFICIAL is not a protective marking, it does not convey any associated controls on how the information is to be handled."

What that means, of course, is that since there is no agreed baseline of controls for protecting information marked OFFICIAL (a label that is not itself a protective marking), each department or government entity is able to decide, alone, what it should do to protect that information.  Adios commodity cloud.

In a different meeting with different people, it was explained to me, just as clearly, that because no one was going to go back and revisit their historical data to check what label should be applied to it (on a file-by-file basis), the only conclusion was that all historical data should be marked OFFICIAL SENSITIVE (notwithstanding that, if OFFICIAL isn't a protective marking, then neither is this one, and that the guidance suggests use of "sensitive" is by exception only - this is one big exception).  And given it's all a bit sensitive, that historical data should be treated as if it were IL3 and kept in a secure facility in the UK.  Adieu commodity cloud.

All is not yet lost I hope.  Folks I speak to in CESG - sane, rational people that they are - recognise that this is a "generational change" and it will take some time before the implications are understood.  The trouble is that whilst time is on the side of government, it's not on the side of the smaller/newer players who want to provide services for government and for whom UNCERTAINTY is anathema.

In these early days, some guidance (not rules) would help people navigate through this uncertainty and support the development of products that met the needs of the bulk of government entities (be they local, central, arms length or otherwise).  The existing loose words - I can't stretch to guidance for these - known as the "Cloud Security Principles" get to the precipice of new controls, look over and leap sharply backwards, all a tremble.

Indeed, the summary of the approach recommended by those who best understand security is:

1. Think about the assets you have and what you're trying to do with them

2. Think about the attackers who'll be trying to interfere with those assets as you deliver your business function

3. Implement some mitigations (physical, procedural, personnel, technical) to address those identified risks

4. Get assurance as required in those mitigations

5. Thinking about the updated solution design, go back to step 1 to see if you've introduced any new risks.

6. Repeat until you've hit a level of confidence you are happy with

My guess is that 6, alone, could lead to an awful lot of iterations that culminate in "guards with machine guns, patrolling with dogs around a perimeter protected by an electric fence".  Of course, the number of guards, the type of guns, the eagerness of the dogs, the height of the fence and the shock provided by the fence will vary from entity to entity.

There is sunshine through some of the clouds though ... some departments are rolling out PCs using native BitLocker rather than add-on encryption, others are trialling Windows 8.1 on tablets, whilst managed iPads have been around for some months.

But a move of central government departments to public cloud services (remember - 50% of new spend to be in the public cloud by 2015) looks to be a long way from here.  I don't think I can even soften it and say that a significant move to even a private, public sector only, cloud is that close.