UK government issues guidance on public sector use of public cloud services

The Cabinet Office wants government departments to buy public cloud rather than services from the Public Services Network (PSN).

A recent guide was issued, outlining what department heads need to consider when putting services or data into the public cloud.

“It’s possible for public sector organisations to safely put highly personal and sensitive data into the public cloud. Many UK departments have made this decision based on risk management assessments once they have put appropriate safeguards in place,” the guidance says.

Public clouds are secure

The benefits of using public cloud solutions are touted in the guidelines, recognising the security budgets and expertise in the private sector.

“Cloud providers have a significant budget to maintain, patch and secure their cloud infrastructure. This means public cloud services can mitigate many common risks that often pose challenges for government organisations,” the document says.

Government users are advised that while the core principles of risk management are the same for the cloud or on-premise systems, there are considerable differences in the technical and assurance details.

“With cloud services, you need to take a shared approach to responsibility…[And] you should understand how responsibility for security is shared between you and the cloud provider. Where appropriate you should layer security controls on top of those built into the cloud services you are using.”

Government departments are also encouraged to turn to vendors for their expertise, and “apply your provider’s cloud security best practices and ask them for guidance on how to provide the best data protection for your users.”

Data protection

The official government guideline acknowledges that in general, large cloud service providers have experience with the legal requirements to consider when adopting cloud services, for example, the Data Protection Act and the EU Data Protection Directive.

Public sector departments can take advantage of “standard contractual terms that can help you meet your responsibilities.”

The internet is OK

James Stewart, Director of Technical Architecture and Head of Technology at the Government Digital Service, indicated in a blog post entitled ‘The internet is ok’ that the PSN would be discontinued. He said the government is “on a journey away from the PSN”.

“Of course, it’s not going to happen immediately,” he said. “Organisations that need to access services that are only available on the PSN will still need to connect to it for the time being.”


Edited from sources by Cecilia Rehn.