Published: 10 February 2017

The common misconception about the Cloud is that it’s not a safe data storage solution. At Automated Intelligence, we know that the reality couldn’t be more different. In our experience, Cloud investment (from Microsoft and other providers) is extensive. Security around Cloud platforms like Microsoft Office 365 and Azure now eclipses most legacy or on-premise approaches.

The Government Digital Service (GDS) has now endorsed this opinion. It recently published guidance for UK Public Sector organisations which states that it is “possible for public sector organisations to safely put highly personal and sensitive data into the public cloud.”

This means Public Sector organisations have official backing from the UK Government to begin building Cloud-based information strategies. This will come as a huge relief to many authorities who have felt resistance to adopting Cloud technology before now.

So, what does this guidance mean in reality? Let’s break it down:

Public Cloud for Public Sector

Addressing key steps that organisations should be aware of before adopting a Cloud platform, the guide includes advice on:

  • How to make a risk-based decision: “Organisations should have a plan in place for reviewing their architecture decisions as opportunities develop, such as new policy and legislation, public cloud capabilities or design approaches.”
  • Who has responsibility for data in the Public Cloud: Organisations, vendors, or Cloud platform providers?
  • Assessing risks involved in moving data to the Cloud: Organisations ‘should understand how responsibility for security is shared between you and the cloud provider. Where appropriate, you should layer security controls on top of those built into the cloud services you are using.’
  • Cloud Security Principles: The guidance provides 14 Cloud Security principles which are available below.
  • Data protection: There are some legal requirements you need to consider when adopting cloud services. For example, incoming GDPR and existing Data Protection requirements.

Risk Management, a shared responsibility

While giving the thumbs-up to Cloud, the guide also makes clear that organisations have a responsibility to ensure their data is managed appropriately. It states: “Well-executed use of public cloud services will be appropriate for the vast majority of government information and services. However, each organisation needs to make their own risk-based decision for their specific systems or data.”

The advice from GDS states that the same risk management rules apply to Cloud as to on-premise systems. This means that responsibility is shared between Cloud services vendors and the organisations. The organisation should take steps to understand how this responsibility is shared and, where appropriate, layer security controls on top of the ones already in place.

Data Protection and Security

The guide refers specifically to legal requirements such as the Data Protection Act and the EU Data Protection Directive. Both must be considered when adopting Cloud services. Organisations should also be aware that GDPR comes into force on 25th May 2018. This legislation will be in place to help govern the processing of information on EU citizens. Organisations unsure of their responsibilities under these requirements are advised to:

  • Use the 14 Cloud Security Principles to evaluate the security of Cloud services
  • Get in touch with Cloud service providers who can help with meeting these responsibilities

Automated Intelligence can help

We have a range of solutions designed to help organisations transfer data safely and cost-effectively to the Cloud, while at the same time meeting the requirement to securely manage the life-cycle of data while in the Cloud. Get in touch to better understand your responsibilities.