Guidance

Public sector use of the public cloud

This guide outlines what to consider when putting services or data into the public cloud.

It’s possible for public sector organisations to safely put highly personal and sensitive data into the public cloud. Many UK departments have made this decision based on risk management assessments once they have put appropriate safeguards in place.

Cloud providers have a significant budget to maintain, patch and secure their cloud infrastructure. This means public cloud services can mitigate many common risks that often pose challenges for government organisations.

Make a risk-based decision

Well-executed use of public cloud services will be appropriate for the vast majority of government information and services. However, each organisation needs to make its own risk-based decision for its specific systems or data.

There are a very small number of situations where it may not be appropriate to use cloud services for specific systems or data, for example when there are specific legislative requirements around data sovereignty. If you decide a system or set of data is not appropriate for the public cloud, you must be able to clearly understand the issues preventing its use so you can explain these to the central spend controls team.

Organisations should have a plan in place for reviewing their architecture decisions as opportunities develop, such as new policy and legislation, public cloud capabilities or design approaches.

Assessing risks involved in moving data to the cloud

While the core principles of risk management are the same for cloud and on-premises systems, there are substantial differences in the technical and assurance details. With cloud services, responsibility for security is shared between you and the provider, and your approach needs to reflect that.

You should understand exactly which security responsibilities sit with you and which sit with the cloud provider. Where appropriate, you should layer your own security controls on top of those built into the cloud services you are using.

To understand how to approach security when using a cloud service, we recommend:

  • reviewing your provider’s cloud security best practices
  • following the cloud security guidance from the National Cyber Security Centre

Vendor best practices

Major cloud infrastructure or platform providers understand security concerns are important to their customers. Because of this, they have invested heavily in implementing secure products and produced guidance on how to use their cloud services securely. You should apply your provider’s cloud security best practices and ask them for guidance on how to provide the best data protection for your users.

Cloud Security Principles

The National Cyber Security Centre’s 14 Cloud Security Principles can help departments and agencies evaluate the security of any cloud service.

Data protection

There are legal requirements you need to consider when adopting cloud services, such as the Data Protection Act and the EU Data Protection Directive. In general, large cloud service providers have experience with these requirements and offer standard contractual terms that can help you meet your responsibilities.

Published 16 January 2017