Slashdot Mirror


UK Government To Share Restricted Files In the Cloud

twoheadedboy writes "The UK Government wants to use the cloud to share restricted files. Given the concerns around cloud and security, this will worry some. Nevertheless, a deal between the services arm of the Foreign and Commonwealth Office (FCO) and SaaS provider Huddle has been penned. The SaaS service will run in the FCO's internal cloud, known as the Government Secure Application Environment (GSAE). This will allow civil servants, diplomats and other Government staff to share documents up to the secrecy level IL3, or Restricted."

44 comments

  1. Cloud by zget · · Score: 2, Interesting

    Summary says it will be run on FCO's internal servers, and Huddle is providing the software and know-how. If you think about it, I think it's a good thing. Government jobs are given out pretty much on what schools you went to, or worse, who you know. They never really look or test for the actual knowledge. Here we have a provider with actual experience with various big companies and know-how to secure the network. I would trust them more than some random persons who got their job because their father works in different positions for government.

    1. Re:Cloud by jojoba_oil · · Score: 3, Interesting

      Right. So the government will share internal documents on internal servers. Aside from the buzz and the FUD associated with the word "cloud", what is the news in this story?

      Huddle got a gov't contract? Good for them.

    2. Re:Cloud by kno3 · · Score: 1

      Err, this is just not true. Any public sector jobs have far stricter rules regarding the procurement of employees compared to private sector. If people try anything like what you have suggested, then they would be risking the sack. Not saying it doesn't happen a bit, but in my experience many businesses are hampered by family and other personal allegiance a lot more frequently.

    3. Re:Cloud by Hazel+Bergeron · · Score: 1

      Any public sector jobs have far stricter rules regarding the procurement of employees

      ...rules for government overseen by government, without separation of powers or accessibility of information for the public to audit.

      The British empire was built on hypocrisy: the appearance of fair rules and staunch ability to look offended at the thought that they might be disobeyed; the implementation of anything but. Its legacy remains throughout government, and things have got much worse since the profit motive of private-public partnerships was reintroduced - John Company is back from the dead.

    4. Re:Cloud by davester666 · · Score: 1

      Just give me a second to copy all these files I suddenly have access to, to my iPhone...

      --
      Sleep your way to a whiter smile...date a dentist!
  2. Might as well... by AngryDeuce · · Score: 4, Insightful

    Given the current state of security most of these organizations are running (political, corporate, whatever) they might as well just drop plaintext files on TPB themselves. That's where it's gonna end up eventually, whether they use "the cloud" or not...

    1. Re:Might as well... by Anonymous Coward · · Score: 1

      they might as well just drop plaintext files on TPB themselves

      No doubt along with NHS medical records. Who do we sue when, invariably, it all goes wrong and how much public liability do these "cloud" companies have?

    2. Re:Might as well... by Anonymous Coward · · Score: 0

      Maybe they just want somebody to blame / sue when it gets out. Can't sue anonymous.

    3. Re:Might as well... by Anonymous Coward · · Score: 0

      Yeah but then you can't blame anonymous or (insert group of your choice here) for the theft of the files

  3. Private "Cloud" by Anonymous Coward · · Score: 1

    This is a non-story. Third-party provides IT services to a government. Happens all the time.

  4. That sounds too braindead, even for government. by Anonymous Coward · · Score: 0

    Cue Admiral Ackbar.

    1. Re:That sounds too braindead, even for government. by rbrausse · · Score: 1

      There is no difference between "Government uses cloud-storage products from Huddle to share files" and "Government uses Sharepoint from Microsoft to share files". If the GSAE (some kind of VPN? found no explanation for this service) is secure, a common platform for file exchange can be a Good Thing (tm)

  5. CLOUD CLOUD CLOUD by Anonymous Coward · · Score: 5, Insightful

    Please stop using that word. It makes you sound technologically illiterate.

    You mean via a network, or on the internet, or something similar. "The cloud" is a stupid buzzword that needs to die RIGHT NOW.

    1. Re:CLOUD CLOUD CLOUD by rbrausse · · Score: 4, Funny

      why the bad mood? is it cloudy at your place?

    2. Re:CLOUD CLOUD CLOUD by Anonymous Coward · · Score: 0

      "The cloud" is a stupid buzzword that needs to die RIGHT NOW.

      The belief that things need to be other than they are is one of the root causes of suffering. Holding this belief is causing you real pain. Let it go.

    3. Re:CLOUD CLOUD CLOUD by Anonymous Coward · · Score: 0

      It's cloudy at everyplace. That's the point.

    4. Re:CLOUD CLOUD CLOUD by JaredOfEuropa · · Score: 1

      Sure, it's a buzzword, but not a bad one if you think about it from an IT manager's perspective, as something similar to the little clouds in network diagrams. Other than some ground rules around security, functionality and availability (laid down in an SLA) you don't know how it works, nor do you care about the details. All you care about is that it somehow works, and keeps working. "On the internet" does not capture the black box aspect of SaaS, and could just mean hosting.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    5. Re:CLOUD CLOUD CLOUD by daktari · · Score: 1

      If it means we can finally start moving vendor lock-in from terminals to servers in the enterprise I would still be in a sunny disposition, regardless of the dark clouds outside and buzzwords flying around.

      As a web dev I'm less anti-Microsoft these days, but certainly very much still against governments essentially spending top dollar on being Microsoft shops while allowing their employees to connect (Active Directory/Sharepoint anyone?) to the main network with Windows boxes ONLY (usually running outdated versions at that).

      It seems that a lot of the functionality that these services with "that foggy term" can be built to be accessible from terminals running just about any OS. And that should be a good thing.

      --
      A fool sees not the same tree that a wise man sees. -- William Blake
    6. Re:CLOUD CLOUD CLOUD by geekmux · · Score: 2

      Please stop using that word. It makes you sound technologically illiterate.

      You mean via a network, or on the internet, or something similar. "The cloud" is a stupid buzzword that needs to die RIGHT NOW.

      Uh, die right now? Yeah, good iLuck with that iShit.

      Besides, stop getting all wrapped up in a single-syllable word. It's a word. It never did anything to you directly, so lay off and start attacking those CIOs who think they know what's best because they read all about the "cloud" while sitting in the airplane.

      Buzzwords don't kill IT. The leaders that waste money and stand behind lame-ass concepts do.

    7. Re:CLOUD CLOUD CLOUD by cp.tar · · Score: 1

      It’s Britain. It’s always cloudy there. And it rains very often. On everyone’s parade, too.

      --
      Ignore this signature. By order.
    8. Re:CLOUD CLOUD CLOUD by antdude · · Score: 1

      Maybe there aren't any happy clouds over there? :)

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    9. Re:CLOUD CLOUD CLOUD by geekoid · · Score: 1

      No, they mean the cloud. It's what we call distributed storage accessible from many points, even points not yet defined.

      It has meaning and value. The fact that you can't see that is YOUR limitation.

      Network. That's how you connect, that says nothing about storage or distribution of the data, so that would be useless.
      On the internet - The fact that you say that tells me you don't actually know what the internet actually is other than a link to /. and amazon.

      To quote NIST:

      "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

      NIST know a shit load more than you do about this, so I'll just go with what they say. Since it's a clear definition that's used everywhere.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    10. Re:CLOUD CLOUD CLOUD by Anonymous Coward · · Score: 0

      I have had to repeatedly explain to management that the "cloud" is just a buzzword for keeping your files or applications on a remote server. I explain you can ditch your local installations of Office for something like Google Docs, but what are you going to do if their service goes down; or, even worse, if after a few years of building up inertia they decide it's no longer free and you can't open your files without paying whatever price they've decided you will pay? This usually gives them pause for a few months before they're back asking me how they can "leverage the cloud" to build our business. Fuck, I hate salespeople.

    11. Re:CLOUD CLOUD CLOUD by madhi19 · · Score: 1

      Please stop using that word. It makes you sound technologically illiterate.

      You mean via a network, or on the internet, or something similar. "The cloud" is a stupid buzzword that needs to die RIGHT NOW.

      Yeah, let's revert to the old Mainframe label.

    12. Re:CLOUD CLOUD CLOUD by Anonymous Coward · · Score: 0

      To quote NIST:

      "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

      NIST know a shit load more than you do about this, so I'll just go with what they say. Since it's a clear definition that's used everywhere.

      Did you read their definition? Cloud computing is a model for a network that works better than any network YOU'VE. EVER. USED. BEFORE. That's what NIST is calling the cloud.

      Let's have Cirrus Computing, it could be a model for enabling Cloud Computing environments to provide on-demand network access to a shared pool of....."

      Read that last bit again: "...to provide on-demand NETWORK ACCESS...." and that's straight from your NIST quote.

      Sure, the cloud is about more than network access, so let's agree that Cloud computing is a time-saving word used to refer to a suite of technologies that all require network access.

  6. Cloud or no, it all depends on the security used by mlts · · Score: 4, Insightful

    If we pull the cloud buzzword out of the picture and consider this a remote storage/collaboration option, it can be decently secure, if controls are put in place doing encryption on multiple levels.

    On the workgroup level, PGP NetShare can do a decent job, especially if the PGP keys are stored on cryptographic hardware tokens.

    On the enterprise level, there are various IRM/encryption systems which can help, be it LockLizard or others. There is even one built into Windows/Office that is fairly usable.

    The key (pardon the pun) is how this gets implemented. Done right, a compromise of the external disks may net a bunch of unreadable files. Done wrong, and the UK might as well just seed their snapshots to demonoid's tracker.

  7. Already doing so... by ftobin · · Score: 1

    I thought the US government spearheaded sharing classified files with the cloud. They just called it Tor over here.

  8. Sweet Nepotism by Anonymous Coward · · Score: 0

    N/t

  9. Tomorrow's headline: by JustAnotherIdiot · · Score: 1

    UK Government shocked when all its restricted files are found all over the internet.

    --
    What do I know, I'm just an idiot, right?
    1. Re:Tomorrow's headline: by marcosdumay · · Score: 1

      You are assuming they'll find those files. Do they routinely search TPB?

    2. Re:Tomorrow's headline: by JustAnotherIdiot · · Score: 1

      Define they. If they = UK government, probably not.
      But if they = media, the ones that make the headlines? Yes, because they love stuff like this these days.

      --
      What do I know, I'm just an idiot, right?
  10. So that means... by Anonymous Coward · · Score: 0

    ... that losing hard drives all over the country was intentionally done to jumpstart their cloud...?

  11. ARGH idiotic idea by Anonymous Coward · · Score: 0

    Huddle are a US company. Therefore under their "Patriot" Act, any US agency with a three-letter acronym can request all the foreign office data without a court order and without the foreign office being told. This does assume that Huddle have access to the information, which is almost certain to happen if it doesn't already. Other countries must start to use local service providers until this is resolved. Encryption will work to a point, but encryption can be broken.

  12. No problem here! by Anonymous Coward · · Score: 0

    Foreign and Commonwealth Officer: "Let's store all of our secret data on the internet. How can this go wrong in any way?"

  13. Good idea by PPH · · Score: 1

    Think of all the disk space you can save by sharing it with Julian Assange.

    --
    Have gnu, will travel.
  14. I have seen the future :) by Anonymous Coward · · Score: 0

    "I want to report a wrongful arrest"

    "You want Information Adjustments. Different department"

    link

  15. Re:Cloud or no, it all depends on the security use by VortexCortex · · Score: 2

    Sorry, If it's not open source, compiled in house, and uses data encrypted BEFORE it leaves our network -- It's not a secure service. Also: I put it to you that a closed source program or OS is considered harmful in terms of security and transparency (read trust-ability) -- This goes for LockLizard, Symantec's PGP NetShare, and especially Windows -- The US, UK, Russian, Chinese and other governments have the Windows source code, why is that? Security, and also to look for exploit vectors... Being a security contentious individual, Why don't you insist on having the source of your software too?

    Even if you can prove that a certain algorithm is being used to encrypt the data, how can I be sure that the program or OS doesn't contain a key-logger that sends the key and/or data where I don't want it to go (perhaps via an update request)?

    If your "SaaS service" (software as a service service?) has the keys to unlock your data -- Well, Your version of "done right" is very different from mine.

    Let's not forget the "trust" we put in RSA tokens, letting RSA keep the root keys, and how hackers cracked the collective single point of failure, then used RSA's keys... If those who got hacked as a result of using RSA's "Security as a Service" had instead used Yubikey, they could have installed their own "seed" keys into their own tokens, thus eliminating the centralized key-store. (Additionally, if RSA wasn't using Windows internally they wouldn't have been vulnerable to the attack vector used against them; Google learned this lesson too.)

    A true "Thin Client" or Dumb Client, won't be doing much work with your data, allowing data processing remotely means you have no control over your security. I opt for "Real Clients" and in-house services combined with a "Dumb Cloud" that just stores and fetches encrypted blobs.

    In short: If someone else has the keys to your kingdom, how secure are you really? (Lockheed thought they could trust RSA in such a way -- Yep, they both got hacked).
    --
    Don't get me wrong, apply security as needed; Some systems don't need as much security as others (provided backups are made), but why call a less secure solution "done right"?
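
The "dumb cloud that just stores and fetches encrypted blobs" arrangement argued for in the comment above, sketched as an added example that is not part of the original thread or of any product named in it. It assumes Node's built-in `crypto` module with AES-256-GCM; `DumbBlobStore`, `seal`, `unseal` and the blob layout are made up for illustration, and key storage (for instance on hardware tokens) is out of scope.

```javascript
const crypto = require("crypto");

// Stand-in for the remote service: it stores and returns opaque bytes, nothing more.
class DumbBlobStore {
  constructor() { this.blobs = new Map(); }
  put(name, blob) { this.blobs.set(name, Buffer.from(blob)); }
  get(name) { return this.blobs.get(name); }
}

// Blob layout (constructed for this example): 12-byte nonce | 16-byte tag | ciphertext
function seal(key, name, plaintext) {
  const nonce = crypto.randomBytes(12);            // fresh nonce for every blob
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(Buffer.from(name, "utf8"));        // bind the blob to its name
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]);
}

function unseal(key, name, blob) {
  if (!Buffer.isBuffer(blob) || blob.length < 28) throw new Error("blob too short");
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAAD(Buffer.from(name, "utf8"));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key, the name or any byte of the blob is wrong
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Returns the plaintext as a string, or null when authentication fails.
function tryUnseal(key, name, blob) {
  try { return unseal(key, name, blob).toString("utf8"); }
  catch (e) { return null; }
}

function demo() {
  const key = crypto.randomBytes(32);              // generated and kept in-house
  const store = new DumbBlobStore();
  const doc = "RESTRICTED: constructed sample memo";
  store.put("memo.txt", seal(key, "memo.txt", Buffer.from(doc, "utf8")));

  const stolen = store.get("memo.txt");            // all that the storage side holds
  const tampered = Buffer.from(stolen);
  tampered[tampered.length - 1] ^= 1;              // one flipped ciphertext bit
  return {
    roundTrip: tryUnseal(key, "memo.txt", stolen),
    leaksPlaintext: stolen.includes("RESTRICTED"),
    wrongKey: tryUnseal(crypto.randomBytes(32), "memo.txt", stolen),
    tampered: tryUnseal(key, "memo.txt", tampered),
    renamed: tryUnseal(key, "other.txt", stolen),  // blob served under another name
  };
}

console.log(demo());
```

Only the holder of the in-house key gets the memo back; the store's copy, a modified copy, and a copy returned under a different name all fail authentication instead of decrypting.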

  16. Advantage by Hognoxious · · Score: 1

    At least a junior civil servant can't get drunk and leave a cloud in the back of a taxi.

    Unless he went for a curry after the pub.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  17. Re:Cloud or no, it all depends on the security use by Anonymous Coward · · Score: 0

    It depends on your objectives:

    If I had a number of acquaintances and we were wanting to share documents securely (without needing a mechanism for locking individual documents), PGP/gpg encrypting them and storing them on a private sftp server would be good enough.

    However, part of security with businesses is CYA. If RSA's product fails, a client can point to them and say "blame them, we acted in good faith by buying their product which is FIPS, Common Criteria, etc. certified." If a no name product failed, the buck may stop with that client, and in the Sarbanes-Oxley, HIPAA, or FERPA arenas, it might mean someone goes to prison. This is why a lot of businesses rather pony up the dollars for a commercial solution so they can say they are acting in due diligence by buying the top tier security brands.

    I agree with you -- the ideal is to have anything that leaves the secured local network segment heavily encrypted. However, when one gets a business with a lot of users, there isn't much that can scale up that high.

    Devil's advocate here: Yes, Windows has some security issues, but Windows has the best tools for the enterprise for management. If the BSA comes a knocking, it isn't difficult to find a tool to cough up a software inventory list on every Windows box in use company-wide. Same if a security auditor demands to know the status of every antivirus install on each machine connected to the LAN. Because of this, businesses stick with Windows.

  18. Impact Level 3 by mattsday · · Score: 1

    It's worth noting that IL3 isn't exactly top secret - patient records (such as xray scans) are also classified as IL3.

    Really top secret stuff is IL6 which has a very different set of security requirements. Whether this makes it more secure is a different matter, but don't expect diplomatic cables, submarine designs and MI6 café menus on this system.

    --
    Now there's one hoopy frood who really knows where his towel is!
  19. Many of you don't seem to know what the Cloud is by geekoid · · Score: 1

    From the NIST:
    "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

    That you think it needs to be offsite, run by someone else or accessible by anyone shows you have no fucking clue.

    I wish /. had personal tags. I would love to start filtering out posters who regularly don't read the article who has the most reasoned replies.

    Would it match the general population bell? or would some people really stand out?

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  20. What impact levels mean by Anonymous Coward · · Score: 0

    They're not about secrecy, they're about business impact, i.e. potential consequences.
    The official definitions are at http://www.cesg.gov.uk/policy_technologies/policy/media/business_impact_tables.pdf

  21. Re:Many of you don't seem to know what the Cloud i by dbIII · · Score: 1

    That's because the cloud has more of a nebulous definition according to salesfolk that use it a lot - typically it's not really a cloud in their view unless it's something they can sell to you. If it's your own servers on site or in somebody else's rack and they don't sell rack space they insist it's not a cloud. It's used as a buzzword jammed into whatever crevice is convenient at the time.
    I'm still trying to get over the urge to vomit from first reading the buzzword collision of "iCloud".

  22. Let's just cut to the chase... by Genda · · Score: 1

    Let's save everyone a lot of time and energy. Have D.C. Bureaucrats duct tape classified documents to one another's ass, then en masse assemble at Radio City doing the Can-Can in a dance line. Whatever you can read... you can keep.

    Besides saving tremendous time and energy on all sides, it should prove incredibly entertaining... perhaps we can sell tickets to help reduce the deficit.