The realisation that cloud-based collaboration services are more agile, cost-efficient and flexible is allowing organisations to adapt and grow their business operations, communications and stakeholder engagement.
With the abundance of digital tools readily available for organisations to use for collaborative working, it can prove to be a challenging task to specify how secure an online collaboration space is. As online spaces vary in the degree of service, it is not as simple as having a one size fits all stamp of approval to indicate how secure online services are.
To solve this problem, firstly, a classification system was established to measure the degree of security sensitivity of the data, and secondly, a framework was put into place as a benchmark to measure the overall security levels of the services handling that data.
What is the UK government security classification?
Historically, the UK Government used a seven-tier Business Impact Level system (NO IMPACT, UNCLASSIFIED, PROTECT, RESTRICTED, CONFIDENTIAL, SECRET, and TOP SECRET) to assess information and ICT systems. In April 2014, the Government Security Classifications Policy changed the system into three levels of security classification: OFFICIAL, SECRET, and TOP SECRET.
Kahootz currently focuses on supporting the sharing of information marked as OFFICIAL, as this covers about 85% of all government information. A small subset of OFFICIAL information is marked as OFFICIAL-SENSITIVE (OS). This is not a separate classification; it is a handling caveat applied to OFFICIAL information that requires additional care.
We understand the need for organisations to find and procure a ‘cloud commodity’ collaboration solution that accommodates securely sharing OS information with external stakeholders. In 2015, Kahootz was selected by the MOD as the main provider for their information and collaboration infrastructure. After meticulous due diligence, the MOD departmentally accredited Kahootz to store and share information marked up to OS, subject to appropriate and particular handling instructions.
How have the UK government security classification levels changed over the years?
Historically, the UK Government used Business Impact Levels to assess information and ICT systems. These consisted of a seven-tier system classifying information as:
BIL0 – NO IMPACT
BIL1 – UNCLASSIFIED or NON-PROTECTIVELY MARKED
BIL2 – PROTECT
BIL3 – RESTRICTED
BIL4 – CONFIDENTIAL
BIL5 – SECRET
BIL6 – TOP SECRET
Business Impact Levels provide a convenient seven-point scale that allows organisations to make an informed assessment of which security measures they need to put in place to meet their confidentiality requirements. Under this legacy scheme, in 2013, Kahootz achieved Pan-Government Accreditation (PGA) for Business Impact Level 2 (PROTECT).
As mentioned previously, in 2014 the UK Government changed the way it classified information. Under the new three-tier classification (OFFICIAL, SECRET, and TOP SECRET), OFFICIAL replaced everything up to and including information previously marked RESTRICTED under the old system.
The new tiers are defined as follows:
OFFICIAL – This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile.
SECRET – Very sensitive information that justifies heightened protective measures to defend against determined and highly capable threats. For example, where compromise could seriously damage military capabilities, international relations or the investigation of serious organised crime.
TOP SECRET – HMG’s most sensitive information requiring the highest levels of protection from the most serious threats. For example, where compromise could cause widespread loss of life or else threaten the security or economic wellbeing of the country or friendly nations.
The subsequent change in classification brought an adaptation period with both positive and negative impacts for solutions like Kahootz. For example, under the old classification scheme, B2B collaboration between agencies and stakeholders was significantly more limited, unless team members were given access to internal network applications or had very expensive bespoke applications residing on dedicated end-user devices (i.e. locked-down laptops). The new classification made B2B multi-agency collaboration and the ‘duty to share’ information easier, creating more opportunities for the likes of Kahootz.
On the other hand, IT systems with previous classifications – however well established – were thrown back into the mix with newer online and cloud services and ultimately had to start their information storage and capacity classification process from scratch.
What are the NCSC’s 14 Cloud Security Principles?
Once you have an understanding of the security classification system, the next step is to assess the security integrity of an online information system.
With so many cloud and IT services on the market, it was impossible for them all to be regularly assessed and accredited. To address security concerns, the UK Government’s National Cyber Security Centre (NCSC) created the 14 Cloud Security Principles. They function as a framework that provides a systematic approach to evaluating and determining the level of security of any cloud service. Depending on your organisation’s particular security requirements, the principles are recommended as a guide and checklist of questions for understanding whether the cloud service you are considering matches your security needs. Building a career in the field of cybersecurity requires a strong understanding of the 14 principles of cloud security outlined by the NCSC.
A summary of the 14 Cloud Security Principles can be found here.
What does the classification change mean for users?
Now that you are able to measure the degree of security sensitivity of your data using the new simplified classification system, you can actively look for a cloud service that meets those data security thresholds. By using the cloud security principles to benchmark the security levels you need from a service provider for your information, you can make an informed choice.
For more information on how Kahootz meets the 14 cloud security principles, download our guide.