The document discusses the UK government's new approach to cloud security which moves away from centralized compliance towards a principles-based risk management model. Under the new approach, cloud service suppliers will publish security information for their services, and government buyers can assess which services meet their minimum security profile based on their specific needs and risk tolerance. This provides more transparency and allows buyers to make pragmatic, risk-based decisions regarding cloud security.

1. CLOUD SECURITY:
A GOVERNMENT STEP
CHANGE
With TONY RICHARDS

2. WHO WE ARE
THE EXPERT
SECURITY ADVISORS
WWW.IACS-LLP.COM
G-CLOUD
WE HAVE VERY RELEVANT EXPERIENCESuppliers offer commodity cloud services
Published via www.gov.uk/digital-marketplace
UK Government buyers select and purchase
best fit services

3. WHO WE ARE
THE EXPERT
SECURITY ADVISORS
WWW.IACS-LLP.COM
OLD RULES – BAD BADGES
WE HAVE VERY RELEVANT EXPERIENCE
Suppliers submitted services to a Pan
Government Accreditation service
In 3 years, out of 19000 services, only 200
were Pan Government Accredited
Buyers were biased towards the PGA badged
services
A PGA badged service may not have been
appropriate or proportional

4. WHO WE ARE
THE EXPERT
SECURITY ADVISORS
WWW.IACS-LLP.COM
USER SECURTY NEEDS
WE HAVE VERY RELEVANT EXPERIENCE
Move away from centralised compliance to
Principles based Risk Management
Align security with the commercial offerings
of commodity services
Simplified - Offer a service, state the security
Buyers select what is relevant and
proportional

5. WHO WE ARE
THE EXPERT
SECURITY ADVISORS
WWW.IACS-LLP.COM
G-CLOUD SECURITY APPROACH
1. Data in transit protection
2. Asset protection and resilience
3. Separation between consumers
4. Governance framework
5. Operational security
6. Personnel security
7. Secure development
8. Supply chain security
9. Secure consumer management
10. Identity and authentication
11. External interface protection
12. Secure service administration
13. Audit information provision to consumers
14. Secure use of the service by the consumer
CLOUD SECURITY PRINCIPLES
51 SECURITY ASSERTIONS
SELECT APPROPRIATE ANSWERS
STATE APPROPRIATE EVIDENCE

6. WHO WE ARE
THE EXPERT
SECURITY ADVISORS
WWW.IACS-LLP.COM
G-CLOUD SECURITY APPROACH
Suppliers security information published as
part of their service description on the UK
Digital Marketplace
Buyers can assess Suppliers services
relevant to business needs and make
pragmatic risk management decisions from a
position of knowledge

7. WHO WE ARE
THE EXPERT
SECURITY ADVISORS
WWW.IACS-LLP.COM
TRANSPARENCY
WE HAVE VERY RELEVANT EXPERIENCE
Suppliers state what security they currently
have in place
No wrong answer, No minimum baseline
Suppliers can update the security information
at any time, for any change
Transparency, not compliance

8. WHO WE ARE
THE EXPERT
SECURITY ADVISORS
WWW.IACS-LLP.COM
MANAGE THE RISK
Buyers should develop a minimum
Security Profile for the service:
1. Identify any legal or regulatory
requirements or constraints
2. Agree with the business any
security or Risk “Red Lines”
3. Identify applicable security
questions
4. Determine the minimum security
assertions that meet your security
requirements
5. Select the minimum supporting
approaches that meet your Risk
Appetite
MINIMUM SECURITY PROFILE

9. WHO WE ARE
THE EXPERT
SECURITY ADVISORS
WWW.IACS-LLP.COM
SERVICE SELECTON
Using the assertions in the Security Profile,
Buyers can incorporate security into the
selection criteria for filtering the Digital
Marketplace to create the Supplier Long List
Buyers can also utilise the supporting
assurance mechanisms to develop a set of
criteria for filtering the Long List to create the
Supplier Short List selection

10. WHO WE ARE
THE EXPERT
SECURITY ADVISORS
WWW.IACS-LLP.COM
SUPPLIER DISCUSSIONS
WE HAVE VERY RELEVANT EXPERIENCE
On request, Suppliers should provide further
details supporting their security assertions
And additional information about their Supporting
Approach’s with references where relevant

11. WHO WE ARE
THE EXPERT
SECURITY ADVISORS
WWW.IACS-LLP.COM
SERVICE ASSURANCE
The consuming organisations Security Team
can compare the Supplier’s Security
Assertions and stated supporting approaches
evidence, against the Security Profile
The consuming organisations Security Team
can then identify any gaps, or areas which
require additional assurance activities
A winning G-Cloud service should be BEST FIT,
and does not need to be 100% perfect

12. WHO WE ARE
THE EXPERT
SECURITY ADVISORS
WWW.IACS-LLP.COM
USEFUL LINKS
https://www.gov.uk/government/collections/cloud-security-guidance
https://digitalmarketplace.blog.gov.uk/2014/11/04/the-g-cloud-6-security-
questions/

13. WHO WE ARE
THE EXPERT
SECURITY ADVISORS
WWW.IACS-LLP.COM
WHO ARE IACS?
• WE ARE SECURITY EXPERTS that
understand business.
• WE ARE DIFFERENT. We thrive on solving
challenges pragmatically at low costs.
• WE BRING BIG 4 EXPERIENCE. Low
overheads enable us to flexible and value
driven.
• GROWING UK SME WITH CREDIBILITY.
Working with UK Government, European
and Asian FS Clients and Partners.
• WE INVEST IN OUR PEOPLE. We are
ISO27001 LAs, ex-CLAS, CCP, CISSP, CSA
CCSK, CSA STAR Advanced Auditors,
TOGAF and Cyber Essential certified.
CLOUD SECURITY
CYBER SECURITY
SECURITY and COMPLIANCE
THREAT and VULNERABILITY

14. WHO WE ARE
THE EXPERT
SECURITY ADVISORS
WWW.IACS-LLP.COM
UK GOVERNMENT EXPERIENCE
CLOUD SECURITY
CYBER SECURITY
• Carried out a discovery exercise and then re-architected and assured a
government departments applications, including full audit and accreditation.
• Provided advice and guidance on cyber security and secure architecture to a
government agency.
• Providing an outsourced & managed security service to a government agency.
• Non-government organisation's key applications secured and assured as part
of the implementation of cloud based, corporate services.
• Architected and assured a government agency’s key applications migration to
cloud infrastructure.
• Developed UK government’s security approach for cloud services.
THREAT and VULNERABILITY
• Government agency’s applications penetration tested and assured annually as
part of a managed security service, including cloud services.
• Conducted penetration testing and IT health checks on a range of secure
systems across a number of prisons.

15. WHO WE ARE
THE EXPERT
SECURITY ADVISORS
WWW.IACS-LLP.COM
CONTACT US
• Information Assurance Consulting
Services LLP
• Unit 7 Park Farm, Tyringham, Newport
Pagnell, MK16 9ES
• See our G-Cloud 7 services on the Digital
Marketplace:
• Cloud Security Architecture Service – G-Cloud
ID: 7795260587117876
• Certified Cyber Security Consultancy and Cloud
Assurance – G-Cloud ID: 7126790914748078
• Cloud IT Health Check Services – G-Cloud ID:
7262973877382092
• Cloud Security Managed Services – G-Cloud ID:
7731390423841686
EMAIL: g-cloud@iacs-llp.com
WEB: www.iacs-llp.com
TEL: 0845 519 6138
TWITTER: @IACSLLP

16. ANY QUESTIONS?
WWW.IACS-LLP.COM