G-Cloud Supplier Assurance
What is G-Cloud?
The G-Cloud framework allows UK Government bodies to purchase Cloud services, and is aimed at making public sector Cloud service acquisition quicker and more transparent. This selection process eliminates the need to go through a full tender process.
G-Cloud also allows suppliers to sell their Cloud services (such as web hosting services or IT health checks).
All G-Cloud services are available via an online catalogue, called the Digital Marketplace.
All suppliers wishing to include their Cloud service offerings within the Government’s Digital Marketplace are now required to go through a set of security questions, which are determined based on the services they are offering, and provide a self-assertion of compliance.
Who can use G-Cloud?
All government departments, devolved administrations, local authorities, wider public sector bodies and arm’s-length bodies are eligible to buy Cloud services via the Digital Marketplace.
G-Cloud services are divided into the following four lots:
- Infrastructure as a service (IaaS)
- Platform as a service (PaaS)
- Software as a service (SaaS)
- Specialist Cloud service provider
Becoming a G-Cloud supplier
The Digital Marketplace helps organisations sell Cloud technology and digital specialist services to the UK Government. Suppliers can sell services through framework agreements with the government.
Suppliers can use the G-Cloud framework to:
- sell Cloud technology and support (e.g. web hosting and IT health checks);
- provide skilled expertise to work on digital projects (e.g. technical architects and web designers).
Suppliers can apply to sell services when a new version of a framework is published on the Official Journal of the European Union (OJEU).
Providers don’t need to be based in the UK to apply, but do need to agree to the terms of the framework agreement and call-off contract, which are governed by British law.
The four steps to becoming a G-Cloud supplier:
- Supplier submits the services it wants to supply.
- The government creates a framework agreement with the eligible supplier.
- The government conducts an assurance review of the supplier.
- Supplier is accepted into the Digital Marketplace.
Prospective suppliers are required to create an online profile on the Digital Marketplace website.
G-Cloud assurance requirements
Prior to G-Cloud 6, organisations offering Cloud services were required to go through an accreditation process centrally managed by CESG. The accreditation process has now been replaced by a self-assertion process.
The G-Cloud suppliers’ guide provides an overview of the process. The G-Cloud security approach covers fundamental information about supplier assurance.
Suppliers are required to complete a number of defined security statements asserting how their services meet the Cloud Security Principles.
Suppliers are required to provide evidence and documentation to support their assertion to customers who wish to validate them.
Where a government organisation has carried out an accreditation of the service, a supplier can reuse the accreditation as supporting evidence of their assertions.
Providers of Cloud services are expected to consider the 14 Cloud Security Principles and to provide the required assurance of these principles when presenting their offerings to public sector consumers. This will allow consumers to make informed choices about which services are appropriate for their needs.
The 14 Cloud Security Principles
The Cloud Security Principles cover the following key areas:
- Data in transit protection
- Asset protection and resilience
- Separation between consumers
- Governance framework
- Operational security
- Personnel security
- Secure development
- Supply chain security
- Secure consumer management
- Identity and authentication
- External interface protection
- Secure service administration
- Audit information provision to consumers
- Secure use of the service by the consumer
Further guidance on implementing the Cloud Security Principles is available here.
Delivering assurance on the Cloud Security Principles
The G-Cloud framework allows the client (for instance a public sector body) to decide which of the Cloud Security Principles are most important, and which level of assurance they require in the implementation of these principles. Suppliers may be required to deliver assurance on any of the 14 principles.
There are a number of common approaches that can be used to assure the Cloud Security Principles, and these can be used in combination to provide greater assurance to customers.
IT Governance can provide the required expertise in the form of information assurance audits, ISO 27001 certification, and the provision of CESG Certified Professionals (CCP) to undertake the necessary assurance activities. Contact us now on 00 800 48 484 484 or email email@example.com.
Service provider assertion
The service provider (supplier) describes how their service complies with the implementation objectives, but does not provide independent validation of compliance.
- the service provider’s level of maturity around security;
- the existence of an in-house security team;
- proactive testing and historical evidence of responding to security issues.
Suppliers should provide demonstrable evidence of implemented controls.
Independent validation of assertions
An independent third party reviews and confirms the service provider’s assertions.
This approach has some shortcomings, because the third-party review may not be performed to a recognised standard. This means that the assessment might not thoroughly assess the security delivered by the implementation of the Cloud Security Principles. Suppliers will need to instill confidence that the third party has carried out adequate testing and has the right skills to undertake such a review.
The service provider holds a certificate of compliance with a recognised standard.
A shortcoming with this assurance approach according to the CESG is that, depending on the standard or certification, the scope of certification may not address the implementation objectives of the specific Cloud Security Principle. This is because the auditor only needs to verify that controls exist (for instance a policy/procedure), and does not verify that said controls are present and effective.
Certification and implementation of controls are reviewed by a qualified individual.
A suitably qualified individual (such as a CESG Certified Professional ‘Accreditor’ or ‘IA Auditor’ at the senior or lead level, or a recognised information security subject matter expert) reviews the scope of the certification and the implementation of the controls.
This approach provides a higher degree of confidence that the service meets the stated objectives through certification against an appropriate standard.
If the supplier holds an accredited ISO 27001 certification then an additional audit may not be necessary.
Independent testing of implementation
Independent testers demonstrate that controls are correctly implemented and objectives are met in practice.
Independent testing can be conducted with penetration tests to establish whether the implementation of controls achieves the objectives. Independent testing reduces the reliance on supplier assertions. Testers should have appropriate industry-recognised qualifications for the testing they are carrying out.
IT Governance is a CREST-accredited penetration testing provider and meets the requirements for independent testing.
The test results will reflect a service at a particular moment in time; as a service evolves, it will need to be regularly retested.
A suitably qualified individual reviews the scope of testing.
Validation should ensure that all service-impacting controls are within the scope of the testing. The skills and experience of the qualified reviewer will affect the confidence that can be placed in the review.
IT Governance prides itself on the qualifications, expertise and track record of its testing and IA audit professionals. Our CCP certified accreditors and IA auditors at senior and lead level meet CESG’s stringent requirements.
Assurance in the service design
A qualified security architect is involved in the design or review of the service architecture.
Service providers can source experts with suitable qualifications, such as CCP certified ‘IA Architect’ at the senior or lead level, to secure the required confidence in the reviewer’s ability. Reviewing the design of the service architecture (and implementation of its recommendations) will give confidence that:
- the architecture defends against common attacks;
- the proposed security controls are appropriate;
- the proposed architecture would allow effective secure operation of the service.
Such a review does not verify that components have been properly configured, or that the components are correctly or robustly implemented.
Assurance in the service components
Independent assurance in the components of a service (such as the products, services and individuals that a service uses).
Misconfiguration or misuse of the product can undermine any assurance gained. Independent security testing can be used to address this issue. The assurance of the component needs to be relevant to its use within the service. Independent testing of systems and components can help iron out any configuration or misuse issues and provide assurance to potential clients.
Foundation-level assurance provides a good level of security for all products, services and individuals within the scope of the G-Cloud service offering – contact IT Governance for assistance.
ISO 27001 and G-Cloud assurance
Under the new G-Cloud Security Approach, a supplier can use a suitably scoped ISO 27001:2013 accredited certification as independently validated supporting evidence that the supplier’s assertions for a number of Cloud Security Principles objectives are true.
Because ISO 27001:2013 certification alone does not meet the CESG’s assurance requirements to support all of the assertions, a combination of evidence is required, such as additional testing and audits, which can be carried out by IT Governance’s team of qualified professionals.
It is important to note that the ISO 27001 certificate must be awarded by a recognised certification body, such as UKAS.
How can IT Governance help?
You can reduce the hassle of trying to make sense of the G-Cloud requirements by getting advice from the experts.
IT Governance has the security expertise and industry knowledge to assist Cloud service providers wishing to make an application to join the G-Cloud framework and to meet the complex requirements of building a portfolio of evidence that meets the strict assurance criteria.
Get in touch with a G-Cloud expert today by calling us on 00 800 48 484 484 or emailing firstname.lastname@example.org.