Digility Ltd

New UK Government Guidance that doesn’t do much to Guide Action

Recent government guidance encouraging departments to consider cloud solutions outside the UK is well intended. But it leaves more questions than answers in a topic that is both complex and nuanced.

Well intended guidance, but leaving more questions than answers

The UK Government Digital Services – part of the Department for Science, Innovation and Technology – has recently published guidance for how the public sector should adopt a multi-region approach to cloud technology [1]. At first sight this appeared refreshing. Any unnecessary constraints on hosting arrangements (or any other non-functional requirements) reduce the available market of providers, constrain competition, and therefore inevitably reduce value for money. If parts of Government, whether central, regional or local, have felt that everything must be hosted in the UK then it makes sense to produce guidance that clarifies this perception and helps to open their options up.

But if guidance is to be useful it should guide. It should make it easier for people to take actions that they previously would have discounted. The guidance in this case, which at 1420 words is almost as short as this article, probably leaves the reader with more questions than answers. It may convert some “unknown unknowns” into “known unknowns”, but without increasing certainty.

In a nutshell

A summary of the guidance is as follows (with a little emphasis for effect):

  1. Look wider than UK. Many cloud solutions may not offer UK hosting, particularly new innovative solutions that haven’t scaled up yet. Irrespective, their staff are likely to be distributed around the world if the service is supported 24×7. There may also be other benefits in looking wider than UK hosting, such as enabling better business continuity and disaster recovery options if the vendor only has one UK site.
  2. Get legal advice. Before you even consider a non-UK option you need to seek advice from your own legal advisors and your data protection officer (DPO).
  3. Ensure compliance with ICO guidance. Before you even consider a non-UK option you need to check and make sure that any international transfer of personal data will be compliant with the Information Commissioner’s Office (ICO) guidance, and get further guidance from your own legal advisers and DPO.
  4. Do a full review of vendor security. Before you even consider a non-UK option you need to make sure the vendor and solution are compliant with your own security policies.

So, in a nutshell, it says “you should consider options outside of the UK but only if you have checked everything is legal and secure”.  This seems to be verging on a statement of the obvious; the difficult thing about going offshore is covering all of the legal, regulatory and security compliance aspects!

Adequacy is a moment in time

On point 3, the guidance points out that data protection compliance is easier if the country in question is considered by the ICO to be adequate – having regulations for data protection equivalent to the UK’s. Sound advice. But even this is not that simple. For instance, the USA is not considered adequate unless it is under an extension of the EU-US Data Privacy Framework [2]. This framework is dependent on an Executive Order [3] that the Biden administration put in place, and it is entirely possible that it will be revoked by the current administration. If such an action were taken, or if for any other reason the EU decides that adequacy is no longer met (also not unlikely given Herr Schrems has achieved this twice already and has stated he plans to challenge the DPF), then the vendor will no longer be considered compliant.

Consideration is far wider than Residency

Security is far wider than data residency, though. This is where point 4 both states the obvious and understates the complexity. Managing risk in the supply chain is inherently difficult. Cloud providers, and particularly SaaS solutions, aggravate this challenge by an order of magnitude. By their nature they are solutions designed for a broad and varied range of customers. This means they will always involve compromise. If they tried to meet the most demanding requirements, they would price themselves out of the scale marketplace. If they went for the lowest common denominator, they would be unable to meet the requirements of the majority. An individual customer can rarely dictate a specific security requirement for themselves.

They are also highly opaque. The vendor presents their service as a black box. The features delivered to the customer are defined, but much of the underlying design and the means the vendor uses to manage it in operation are hidden. This makes assessing the risk far more of a judgement call than when the design and delivery are conducted under your control. Depending on the supplier, and the leverage that the customer has over them, it may be possible to get some information and assurances; but the right questions need to be asked, and the answers need to be interpreted correctly. Third-party certifications and audits, such as the ISO27k series of standards or the SOC1, SOC2 and SOC3 reports, can also provide some additional assurance. But only the customer will be able to decide the extent to which they can mitigate the risk, and the confidence they have in the supplier to manage their own. This is a business decision informed by the specifics and nuances of the risks being considered.

Summary

It is important to minimise the non-functional requirements and keep an open mind about potential solutions and vendors. This includes looking wider than just the UK when national security requirements are not paramount. But this is not something that can be distilled onto a single sheet of A4 in any meaningful way. Yes, there are legal and regulatory issues that need to be reviewed. And geopolitical risk needs to be factored in, considering how you would respond to future external changes that are outside of the UK’s control.

But from experience, the greatest challenge is getting comfortable that the vendor’s organisation and their solution have adequate security – and this applies equally whether the solution is hosted in the UK or overseas. The SaaS world is opaque, and balances priorities across a broad and varied customer base. The public sector needs to increase its adoption of cloud and SaaS solutions to remain efficient and relevant, in the same way that the private sector has had to. But the route to responsible adoption is more nuanced, requiring candid conversations with suppliers, and ultimately an informed but subjective judgement by the customer’s leadership.


  1. DSIT Guidance for Multi-region cloud and software-as-a-service
  2. ICO Guide to International Transfers
  3. Executive Order (E.O.) 14086 of October 7, 2022, on Enhancing Safeguards for United States Signals Intelligence Activities
