Report shows UK Government and IT security experts willing to change governance to benefit from the cloud

London, UK, 14th December 2010 – CSC (NYSE: CSC) today announced the results of a study that reveals a willingness within the government and IT community to be flexible around security governance, in order to benefit from cloud computing and shared services. Results show that users are open to sharing sensitive activities in the cloud, as long as the parties involved share similar characteristics and have the same cultural approach to security.

The report, titled 'Shared Services: A perfect storm of opportunity,' was developed by CSC with support from UK government body CESG (Communications-Electronics Security Group), the information assurance arm of GCHQ (Government Communications Headquarters). Respondents included 200 senior security and IT experts working across central and local government and their associated suppliers, who attended the Government's Information Assurance flagship event, IA10 in September this year.

With security of utmost concern to UK government departments, the survey asked what the inhibitors are to achieving full cost savings and efficiencies from cloud computing. The research revealed that the main barrier to the adoption of cloud services is the different approaches to information security across potential users, and that confusion still exists about the cloud.

Enthusiasm to find the middle ground on governance was demonstrated by the majority of respondents (65 percent) being willing to share Security Operations Centre (SOC) services, as an interim measure to build trust between users. People also declared that a reduction in the number of audit events to be monitored – along with a revision to internal governance, risk and compliance policies and processes – were the two most important compromises when migrating to cloud services.

“Reaping the cost benefit of shared services is of paramount importance to local and central government but security policies and compliance regulation have made this a real challenge,” said Ron Knode, CSC’s director for Global Security Solutions. “The most startling discovery in the survey is that the public sector is more flexible and willing to look at alternative approaches to certain aspects of security, and develop stepping stones towards using shared services. Previously, nobody was willing to do this – departments had their rules and that was that. Now suddenly, people are indicating that ‘if you’re a lot like me,’ maybe they can come together with an altered set of governance processes and decision-making criteria to gain the benefits of the cloud.”

When asked what the most important aspects are when establishing shared services, the “cultural approach to Information Assurance (IA) and Information Risk Management” was respondents’ top answer. Desktop applications were the first choice for respondents when questioned about which service functions they were most comfortable sharing. In addition, while the vast majority strongly agreed that the use of a public cloud would substantially increase risk to confidentiality, a majority also agreed that a shared private cloud (or community cloud) among users with similar security cultures would likely be an acceptable risk.

Confusion around what contributes to the development of cloud services was also evident among respondents. When respondents were asked which technologies and approaches used to develop cloud services were the most mature, the survey revealed conflicting opinions with no clear outcome.

Survey presents three key recommendations:

“For progress to be made in cloud computing, departments need to focus on the paths of least resistance, such as creating a like-minded community sharing lower-risk services. By establishing a governance test-bed, users can examine and validate potential areas of flexibility of governance. Transparency also has to be included in every proposed cloud standard and advocates should resist the urge to develop too many clouds but rather explore progressive or layered clouds, which accommodate different user standards,” Knode added.

To help increase confidence in shared services and build momentum in cloud adoption within government, CESG and CSC have made three key recommendations following the survey:

Recommendations summary:

1. Common bond payoffs: The willingness to be flexible in governance presents an opportunity that should not be missed. Concentrate on affinity: If you can find a team outside your immediate organization whose security culture, maturity and general obligation to security governance is close to your own, then hunt for shared functions, business processes or applications. If they emerge, then that’s a great way of kicking off a shared service model and capturing the shared service payoffs. Why not use a community cloud to share similar-risk services?

But don’t just set out to prove the technology; instead, establish a focused, cloud-based risk-governance test-bed (not just a general cloud pilot) and use it to test scenarios that examine and validate potential areas of flexibility in governance.

Finally, there’s evidence that industry may be prepared to go as far as the sharing of security officer services. Include this in the trial and – if it’s successful – momentum for more shared services will surely follow. You’ll need a champion, of course – someone to lead the sharing initiative. The right IT partner will be able to help.

2. Cloud usage barriers: New cloud standards are inevitable, whether developed by central government or by the industry itself. Either way, transparency must be a fundamental characteristic in any and every agreed standard.

For most public services, data anchoring in some form or another will be hugely important, so government departments need to be sure to include a mandate for geographic, platform and process anchoring of data and transactions. Transparency and accountability in the cloud are key, so get them specified in the standards where possible.

3. Compliance adjustment: The danger with ensuring every cloud-based process or service complies with a specific standard is that you end up with multiple clouds. It is far better to exploit the willingness to be flexible with governance in establishing, measuring and confirming compliance. Explore progressive (layered) cloud solutions that enable people to add their own degrees of compliance and certification when they need to. Fix the methodology, not the cloud.

CSC is a global leader in providing technology-enabled solutions and services through three primary lines of business. These include Business Solutions and Services, the Managed Services Sector and the North American Public Sector. CSC’s advanced capabilities include system design and integration, information technology and business process outsourcing, applications software development, Web and application hosting, mission support and management consulting. The company has been recognized as a leader in the industry, including being named by FORTUNE Magazine as one of the World’s Most Admired Companies for Information Technology Services (2010). Headquartered in Falls Church, Va., CSC has approximately 94,000 employees and reported revenue of $16.1 billion for the 12 months ended October 1, 2010. For more information, visit the company’s website at

CESG is the Information Assurance (IA) arm of GCHQ based in Cheltenham, Gloucestershire, UK. We are the UK Government's National Technical Authority for IA, responsible for enabling secure and trusted knowledge sharing to help our customers achieve their business aims. CESG aims to protect and promote the vital interests of the UK by providing advice and assistance on the security of communications and electronic data. We deliver information assurance policy, services and advice that government and other customers need to protect vital information services. We work on a cost recovery basis for all customer-specific solutions and services, though IA policy and Guidance documentation is usually free of charge to the UK official community. For more information, visit

Source: Highland Marketing – on behalf of CSC

This press release is presented without editing for your information only.

Full Disclosure Statement: The ICT REVIEW received no compensation for any component of this article.