PSN compliance: are we learning from past experiences?

Published 18 February 2015

Des Ward, compliance lead at PSNGB, warns against tinkering with assurance regimes and maintains any PSN consultation process must put user need front and centre of any compliance changes


In a recent blog post, Mark Smith, Head of PSN Compliance at GDS, gave an update on how the alpha version of the new PSN compliance process (PSSS) was progressing following its kick-off in December. In the post, Smith explained that the feedback received so far had been positive and constructive, and that they are now extending the reach of the prototype to more organisations.

Whilst it is still inappropriate to comment on the alpha version of the PSSS while it is under evaluation and subject to change, Mark's post does reveal more about the intended approach. An approach that provides rigour at an organisational level, and then allows a more agile approach to service assertions, is laudable. However, we must ensure that the user is front and centre of any proposed compliance changes.

Information sharing must be safe, not secure

The key user need in the public sector is to facilitate safe information sharing, both within the sector and with its partners. Note the use of the word 'safe', not 'secure'; we have already seen the negative impact of trying to lock systems down too far, with the so-called 'zero tolerance regime' resulting in many local authorities halting transformation work in order to migrate across to the PSN.

The nuance in language is crucial, because sharing information effectively with as few barriers as possible requires a significant cultural and behavioural change. The balance between a controlled environment in which information is protected and a platform that people choose to use, with no barriers to adoption, is of vital importance.

The DeLone and McLean Information System Success Model - the seminal research piece which sought to understand the success factors involved in information systems - clearly highlights that the perceived benefits of an information system must outweigh the pain of the process and the costs involved; otherwise individuals look to other methods of working to get their job done, in this case the unsecured internet. This is a key point, as the vast majority of breaches are not the work of malicious hackers but the result of simple mistakes or of individuals trying to get their jobs done.

So, how do we create a safe environment for sharing information that people want to use? To answer this, we need to look at buying behaviours in the digital age. On eCommerce sites such as Amazon, procurement is easy: people search for items, then filter by relevance, cost and ratings before buying. In the blog, Smith outlined how they are changing the way services are assessed so that the process is more in line with G-Cloud. Despite G-Cloud reaching its sixth iteration, procurement of cloud services from within the public sector remains slow; understanding the reasons for this would greatly inform both the needs of the user and how PSN should address them.

Defining the product

One challenge to be overcome is that it is actually difficult to determine which products are relevant to the needs of the end user; one thing that Cloud has brought into the marketplace is a series of acronyms that add little to the understanding of the products. The NIST definitions used to describe Cloud services do not cover all the common uses of Cloud; Virtual Private Servers are one example, being shoe-horned into either Infrastructure as a Service or Platform as a Service when they fit neither definition. Cloud has great benefits, but with 'Jargon as a Service' prevailing in attempts to describe the services sold, we need to aid understanding so that effective risk assessments can be made.

Within PSNGB, we are actively researching whether services can be presented more consistently by using pre-determined language to describe the components used; this, however, will only address part of the issue, as we also need to show the end user that the services are safe to use.

Determining safety of a service

How do you determine if a service is safe to use? It is interesting to return to the turn of the century, when the UK government considered this question and arrived at British Standard 7799 (BS 7799), the internationally recognised standard for implementing an Information Security Management System, in which a common set of controls was agreed. These controls were found to be of limited use for assessment without a way of measuring the governance behind their adoption, which required the creation of BS 7799 Part 2. Those of you who have been in the industry long enough will know that this developed into ISO/IEC 27001:2005 (now revised in 2013).

We now appear to have come full circle, with the requirement for certification to ISO/IEC 27001 having been removed from G-Cloud (and likely PSN) in favour of Cloud Security Principles that look at the level of implementation against a set of agreed criteria.

The rationale for this approach seems to be that the barriers to entry were too great, and often too expensive, under the old regime. However, I tend to find that most of the rhetoric surrounding ISO/IEC 27001 is anecdotal. My experience of ISO/IEC 27001 (in both iterations) is that you needed to know the answer to three questions:

- What assets do you have?
- What issues do you have (from failing to meet obligations relating to the assets)?
- What are you doing to address the issues?

Yes, there are costs associated with certification to these standards, but ultimately we need to create a marketplace where customers can determine both their needs and whether the services can meet those needs. My concern is that we will rapidly realise that the Cloud Security Principles themselves will not influence buying behaviours, with customers requiring a level of assurance beyond mere assertions.

Self-assertion: does it work?

This concern is bolstered by a recent article from PSNGB member Richard Blanford, in which he looks at self-assertion and the challenges for SMEs wishing to supply IT services to the public sector. We need to ensure that we do not concentrate on technology at the expense of governance: the Cloud Security Alliance (CSA) highlights that even a readily understood control such as encryption can be of limited use if not implemented correctly, and correct implementation comes not from an assertion but from good governance.

The challenge is not to make it easier to list services on a marketplace, but to provide a stable marketplace that allows customers to determine what they want and suppliers to provide it with the minimum of complexity.

That stability (and continued investment from suppliers) will not happen if we keep tinkering with the assurance regimes, and I hope that whatever evolves from the PSN consultation process will put user need at the forefront to ensure that it endures. PSNGB has already given its support to evolving the PSN, removing complexity and delivering to enterprise agreements, using open standards where possible; we also advocate learning from the past to ensure that we deliver a platform for growth and a single PSN, assured by compliance that meets the user need.