Slashdot Mirror


UK Government To Share Restricted Files In the Cloud

twoheadedboy writes "The UK Government wants to use the cloud to share restricted files. Given the concerns around cloud and security, this will worry some. Nevertheless, a deal between the services arm of the Foreign and Commonwealth Office (FCO) and SaaS provider Huddle has been penned. The SaaS service will run in the FCO's internal cloud, known as the Government Secure Application Environment (GSAE). This will allow civil servants, diplomats and other Government staff to share documents up to the secrecy level IL3, or Restricted."

8 of 44 comments

  1. Cloud by zget · · Score: 2, Interesting

    Summary says it will be run on FCO's internal servers, and Huddle is providing the software and know-how. If you think about it, I think it's a good thing. Government jobs are given out pretty much on what schools you went to, or worse, who you know. They never really look or test for the actual knowledge. Here we have a provider with actual experience with various big companies and know-how to secure the network. I would trust them more than some random persons who got their job because their father works in different positions for government.

    1. Re:Cloud by jojoba_oil · · Score: 3, Interesting

      Right. So the government will share internal documents on internal servers. Aside from the buzz and the FUD associated with the word "cloud", what is the news in this story?

      Huddle got a gov't contract? Good for them.

  2. Might as well... by AngryDeuce · · Score: 4, Insightful

    Given the current state of security most of these organizations are running (political, corporate, whatever) they might as well just drop plaintext files on TPB themselves. That's where it's gonna end up eventually, whether they use "the cloud" or not...

  3. CLOUD CLOUD CLOUD by Anonymous Coward · · Score: 5, Insightful

    Please stop using that word. It makes you sound technologically illiterate.

    You mean via a network, or on the internet, or something similar. "The cloud" is a stupid buzzword that needs to die RIGHT NOW.

    1. Re:CLOUD CLOUD CLOUD by rbrausse · · Score: 4, Funny

      why the bad mood? is it cloudy at your place?

    2. Re:CLOUD CLOUD CLOUD by geekmux · · Score: 2

      Please stop using that word. It makes you sound technologically illiterate.

      You mean via a network, or on the internet, or something similar. "The cloud" is a stupid buzzword that needs to die RIGHT NOW.

      Uh, die right now? Yeah, good iLuck with that iShit.

      Besides, stop getting all wrapped up in a single-syllable word. It's a word. It never did anything to you directly, so lay off and start attacking those CIOs who think they know what's best because they read all about the "cloud" while sitting in the airplane.

      Buzzwords don't kill IT. The leaders that waste money and stand behind lame-ass concepts do.

  4. Cloud or no, it all depends on the security used by mlts · · Score: 4, Insightful

    If we pull the cloud buzzword out of the picture and consider this a remote storage/collaboration option, it can be decently secure, if controls are put in place doing encryption on multiple levels.

    On the workgroup level, PGP NetShare can do a decent job, especially if the PGP keys are stored on cryptographic hardware tokens.

    On the enterprise level, there are various IRM/encryption systems which can help, be it LockLizard or others. There is even one built into Windows/Office that is fairly usable.

    The key (pardon the pun) is how this gets implemented. Done right, a compromise of the external disks may net a bunch of unreadable files. Done wrong, and the UK might as well just seed their snapshots to demonoid's tracker.

  5. Re:Cloud or no, it all depends on the security use by VortexCortex · · Score: 2

    Sorry, if it's not open source, compiled in house, and uses data encrypted BEFORE it leaves our network -- It's not a secure service. Also: I put it to you that a closed source program or OS is considered harmful in terms of security and transparency (read trust-ability) -- This goes for LockLizard, Symantec's PGP NetShare, and especially Windows -- The US, UK, Russian, Chinese and other governments have the Windows source code, why is that? Security, and also to look for exploit vectors... Being a security conscientious individual, why don't you insist on having the source of your software too?

    Even if you can prove that a certain algorithm is being used to encrypt the data, how can I be sure that the program or OS doesn't contain a key-logger that sends the key and/or data where I don't want it to go (Perhaps via an update request)?

    If your "SaaS service" (software as a service service?) has the keys to unlock your data -- Well, your version of "done right" is very different from mine.

    Let's not forget the "trust" we put in RSA tokens, letting RSA keep the root keys, and how hackers cracked the collective single point of failure, then used RSA's keys... If those who got hacked as a result of using RSA's "Security as a Service" had instead used Yubikey, they could have installed their own "seed" keys into their own tokens, thus eliminating the centralized key-store. (Additionally, if RSA wasn't using Windows internally they wouldn't have been vulnerable to the attack vector used against them; Google learned this lesson too.)

    A true "Thin Client" or Dumb Client won't be doing much work with your data; allowing data processing remotely means you have no control over your security. I opt for "Real Clients" and in-house services combined with a "Dumb Cloud" that just stores and fetches encrypted blobs.

    In short: If someone else has the keys to your kingdom, how secure are you really? (Lockheed thought they could trust RSA in such a way -- Yep, they both got hacked).
    --
    Don't get me wrong, apply security as needed; Some systems don't need as much security as others (provided backups are made), but why call a less secure solution "done right"?