Blogs
Highlights
Categories
Tags
AI Alignment Apple application management apps Archimate Atos Themes bionic computing Business Transformation Changing Customer Cloud cloud computing Collaboration Connected World Current Affairs data downturn Education enterprise architecture Facebook generation y Google ideas information security Innovation Java Knowledge and Craftmanship Linux London2012 media Microsoft mobile New ways of working open innovation open source Oracle Practical recession Research SaaS Security semantic web social media Social networking The Future! Transformation Twitter virtualisation web Working in IT
G-Cloud maybe, One Government definitely
July 15th, 2010 Atos Blog Tags: G-cloud, Government, information security, The Future!
Posted in CIO Agenda, Firm of the Future, Markets |
With the coming together of the Conservatives and the Liberal Democrats, David Cameron and Nick Clegg did something that people thought impossible. Well that is child’s play compared to what needs to happen next if they are going to drive down the cost of Government.
The thing is that every major government department actually is a complete world in itself, with it’s own hierarchy; IT systems, support services, contracts and view of the world.
A bit like Europe each department has its leaders who meet regularly and agree to work together but the departments themselves actually don’t trust each other and certainly rarely work well together.
How many times have we read in the papers that some catastrophe or other could have been avoided if information had been shared? And usually the combined IT systems which were created to allow information sharing have failed due to “lack of stakeholder management”, that is, the departments they were for couldn’t agree on what the system had to do.
Security is often cited as a reason why information cannot be easily shared or why a department cannot use another’s database and so must produce an identical one of its own. Certainly the thought of empire building and control could not possibly be the reason but let’s get back to Information Security.
The main thing about Information Security is that you need to allow the right people access to the right information at the right time. What usually forces departments down the “build it yourself” route is that while different departments might hold similar or even identical information, how they value that information varies.
So we fail at the first hurdle because the very first step in developing an Information Security Strategy is to identify what information you wish to protect and how much do you value it, known as the “Impact Level” of the information.
Why is it called the Impact Level? This was an innovation developed by CESG, the National Technical Authority on Information Security, which said “When thinking about the value to place on information think about the Impact it would have on your business if that information was compromised”, also known as the “Red Top test” in reference to some high profile leaks that appeared in the press.
The problem we have is that each department has a different view on what the Impact would be for different types and volumes of information. As a result, we systems built to defend the information they contain to different impact levels. While there are a few exceptions, most systems are built to only defend one level of impact. And the others? Well they are complex and expensive.
This poses a problem for the proposed G-Cloud, a private cloud of computing resources which is currently in vogue. G-cloud would allow government departments to use and pay only for the computing resources they actually use and to easily scale up or down as demand changes. It is a strong model and has the ability to radically slash costs, which is why it has the commercial world in such a flurry of excitement.
But what impact level do you build your G-Cloud to? Maybe you have one G-Cloud that is capable of defending information at the highest impact level? This would be prohibitively expensive. Maybe you build a G-Cloud which can change impact levels? This would be very complex and again expensive. So maybe you build separate G-Clouds for different impact levels; this probably is the only answer, so now which information goes where?
With government departments unable to agree on the same impact level for the same information they hold then you end up with many databases and systems running at different Impact Levels and yet holding the same data. As a result the cost savings the private sector enjoys through the use of “The Cloud” do not materialize in the government version and once more we have another failed project.
However if those different government departments could all identify what information they hold, then get rid of the information they don’t need and then finally sit down together (probably with David and Nick) and agree at a Cabinet level what the business impact of that information is, then they can store it once (cost saving), not over protect it (cost saving), and enjoy the savings and flexibility that the cloud model offers.
The ability to drive down the costs of Government IT is there, the technology is available and Information Security has the techniques needed to make this a reality. However, we need to get past the first hurdle and that doesn’t need industry, it needs the Senior Information Risk Owners (SIROs) to all sit down together and agree.
Impossible? Well many thought the current coalition was impossible!
Interesting article and very topical the moment. I can not agree on the statement about Impact Levels however. The Information Owner, i.e. the person that created the information is charged with assigning the correct Protective Marking (read Impact Level). Someone else or another Department can not change this to suit their own understandings or Empire. What is most worrying about the transition to the PSN (or GCN) is the Cabinet Office strategy enabling departments to decide how they do it: either brown field, green field, don’t join etc etc and delivering solutions which are not currently on the CAPS such as dynamic tunnel solutions (CESG’s PRIME).
And that is just Central Government
We then need to re-apply the model at local government level across, Health, Emergency Services, Education etc. The savings would be enormous!