Eduserv, the not-for-profit Managed Cloud Service Provider (MCSP), recognised the growing demand from the public sector for a fully managed Infrastructure as a Service (IaaS) cloud offering. The UK Government’s ‘Cloud First’ mandate was fuelling interest in the G-Cloud framework, but multiple providers were often needed to meet service requirements. This made the transition to the cloud complex and difficult to manage, an issue further compounded by the revision of the Government Security Classifications Policy (GSCP), which left many organisations uncertain over how to classify, migrate and manage data. Consequently, cloud migration has either been adopted piecemeal, deferred, or has required expensive self-accreditation of services.
Eduserv decided to tackle the complexity of migration by providing a complete array of services in a highly secure environment, with the option to host in its own datacentres. To achieve this, Eduserv decided to pursue full Pan Government Accreditation at Business Impact Level 3 (PGA IL3) and sought assistance from a specialist CLAS consultancy to meet the stringent criteria involved.
“We wanted to offer a managed service that would cover all aspects, from the customer tenancy right through to their operating systems. Very few CSPs are accredited to IL3, but those that are tend to offer a flat-pack service: they might pre-drill the wood but it’s up to you to construct the final wardrobe. With our offering, we wanted to offer a comprehensive, polished end-to-end solution. Cloud Compute (IL3) covers all the angles, relieving the customer from any DIY,” explains James P. Mulhern, CISO, Eduserv.
Eduserv has over 15 years’ experience in hosting government data and serves public sector and charity establishments including the Citizens Advice Bureau, Guide Dogs, the Information Commissioner’s Office and the Department for Education.
Eduserv wanted to design a managed cloud solution that would offer the highest level of security assurance over a multi-tenanted architecture. The Cloud Compute service would need to be PGA IL3 accredited and demonstrate compliance with a wide range of security standards and procedures. This complex process required specialist knowledge, prompting Eduserv to seek assistance from CLAS consultancy Auriga Consulting, who were experienced in a wide range of information assurance (IA) aspects.
Auriga Consulting had worked with Eduserv before, advising on projects undertaken for the Department for Education, and the consultancy’s experience in advising on public sector cloud deployments and achieving certification made it a natural choice.
The Auriga Shield portfolio of services is specifically designed to meet accreditation requirements, providing guidance on how to achieve compliance with security standards and accreditation documentation such as RMADS, as well as on the transition to GSCP, making it ideally suited to the Eduserv project. The Auriga team were able to advise on each stage of the process, working closely with Eduserv while making recommendations to satisfy the appointed Pan Government Accreditor.
In the initial stages, Auriga worked in an advisory capacity, reviewing the solution design and making recommendations for the Cloud Compute Service Description. This was duly submitted to the G-Cloud Framework office, followed by the scoping of the ISO 27001 security standard and identification of high-level controls. Auriga made further recommendations to address endpoint protection and customer tenancy, which led to the introduction of a specialist solution covering patch management, anti-virus and the lock-down of endpoint devices.
Performing a full IT Health Check (ITHC) was next on the agenda, and Auriga was again on hand to review the documentation. An independent CHECK-certified tester was then brought in to corroborate the technical resilience of the architecture, the endpoints and the separation provided on the platform, as well as non-technical aspects such as the provisions made to protect the confidentiality, integrity and availability of data.
At the same time, Eduserv tackled the thorny subject of the Government Security Classifications Policy (GSCP), seeking Auriga’s help in determining how to implement the policy in the cloud. GSCP effectively redrew the classification criteria for newly created data. The previous six categories were reduced to just three: OFFICIAL, SECRET and TOP SECRET. But while this made sense in principle, reducing the complexity of classification going forward, Mulhern says there was a lack of technical guidance from central government, which threatened customer confidence.
“The challenge for us was understanding how GSCP related to what we were delivering. The classification levels were simple and straight-forward but what it meant in terms of technical controls was more complex.
What Auriga were able to do was reassure us in terms of what to expect, tell us the direction of travel and help pilot us through. Consequently, we are now able to advise our customers on how the policy works in the cloud and how they can adapt to meet its requirements.
The breadth of information that ‘OFFICIAL’ now encompasses makes it more difficult for customers to differentiate the new solution from lower-assured solutions. That’s where the IL3 accreditation comes into its own, as it reassures customers, when hosting OFFICIAL information with us, that such data will be awarded the highest levels of protection,” he said.
Following a green light from the Pan Government Accreditor, Auriga then became actively involved in the creation and production of a Cardinal Risk Management and Accreditation Document Set (RMADS). This process ensured that risks were identified, assessed and documented, with the business’s risk appetite an integral consideration. In compliance with the government Security Policy Framework (SPF), systems used to store, process and transmit protectively marked data via G-Cloud must be accredited against HMG IA Standards 1 and 2 (IS1/2). A further two-stage process therefore ensued: a risk assessment based on HMG IA Standard 1, with the mitigation of those risks then addressed under HMG IA Standard 2.
As Mulhern explains, meeting the compliance requirements for the IL3 service was demanding. “The strength of personnel, process and technical controls is greater, and the extent of the assurance provided is stronger. It was a substantial undertaking and Auriga were able to help us at the major milestones of the project, advising upon the high level and low level design, implementation, HMG IA 1 and 2 and the production of a full Cardinal RMADS. They flagged up possible areas for attention and acted as a sounding board for any concerns we had.”
After the RMADS was complete, Eduserv put in place risk controls and drew up remediation documents before producing the auxiliary information needed to inform customers on every aspect of the service, from the shared security policy to tenant obligations. Six to eight weeks later, the Pan Government Accreditor put forward a recommendation for PGA IL3 approval, making Eduserv only the third provider to achieve this accolade.
Eduserv launched its PGA IL3 Cloud IaaS services in May 2014. Cloud IaaS offers compute, storage and network connectivity via the Internet, the PSN or Janet. The service is available as a public or dedicated private offering, managed or self-service, and is complemented by a Managed Infrastructure service, thereby simplifying the move to cloud and allowing organisations to concentrate on their core business.
Cloud Compute (IL3) is competitively priced through the use of a multi-tenanted architecture. Server utilisation ratios are higher on multi-tenanted platforms, creating economies of scale and lowering the cost for the customer.
Consequently, highly secure cloud services, usually the preserve of bespoke or private cloud deployments, are now affordable to many public or third sector organisations for the first time. As Mulhern details: “With offerings like Cloud Compute (IL3), we feel we can help specific sectors reap the benefits of the cloud. The Government has tried to push more technical services out to charities and it’s an area where we can help. In some charities the level of information security is quite low and the organisation is dealing with sensitive data such as personal information, so there are real security concerns. A managed service solution housed on a multi-tenant architecture can make the cloud easy to use and affordable, helping them to move forward and adopt better security practice.”
Built upon Cisco UCS and NetApp storage, the Cloud Compute service can scale with ease, and the Managed Infrastructure element covers the customer platform, management infrastructure, endpoints and other necessary operations such as protective monitoring, creating what Mulhern describes as a “one stop shop”. The IL3 accreditation also relieves customers of having to seek compliance themselves.
Summing up, Mulhern says: “Cloud Compute (IL3) is delivered by us and hosted by us with minimal third party support. The burden on the customer to accredit their tenancy is considerably lessened due to the way we produced a cardinal RMADS with Auriga. Plus customers like the reassurance the accreditation confers.”
The innovation encouraged by G-Cloud, coupled with the stringent criteria of PGA IL3 accreditation, has allowed Eduserv to bring to market a cost-effective, fully managed secure cloud service. Auriga was instrumental in helping Eduserv meet these requirements, sharing its expertise and ensuring due diligence so that the accreditation process ran swiftly and smoothly. As a result, many public sector and charitable organisations will now have access to the highest levels of security and data management available in the cloud today.