Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

UK Government To Share Restricted Files In the Cloud

samzenpus posted more than 3 years ago | from the what-could-go-wrong? dept.

Cloud 44

twoheadedboy writes "The UK Government wants to use the cloud to share restricted files. Given the concerns around cloud and security, this will worry some. Nevertheless, a deal between the services arm of the Foreign and Commonwealth Office (FCO) and SaaS provider Huddle has been penned. The SaaS service will run in the FCO's internal cloud, known as the Government Secure Application Environment (GSAE). This will allow civil servants, diplomats and other Government staff to share documents up to the secrecy level IL3, or Restricted."

Sorry! There are no comments related to the filter you selected.

Cloud (2, Interesting)

zget (2395308) | more than 3 years ago | (#36835146)

Summary says it will be ran on FCO's internal servers, and Huddle is providing the software and know-how. If you think about it, I think it's a good thing. Government jobs are given out pretty much on what schools you went to, or worse, who you know. They never really look or test for the actual knowledge. Here we have a provider with actual experience with various big companies and know-how to secure the network. I would trust them more than some random persons who got their job because their father works in different positions for government.

Re:Cloud (3, Interesting)

jojoba_oil (1071932) | more than 3 years ago | (#36835558)

Right. So the government will share internal documents on internal servers. Aside from the buzz and the fud associated with the word "cloud", what is the news in this story?

Huddle got a gov't contract? Good for them.

Re:Cloud (1)

davester666 (731373) | more than 3 years ago | (#36842790)

Just give me a second to copy all these files I suddenly have access to, to my iPhone...

Re:Cloud (1)

kno3 (1327725) | more than 3 years ago | (#36835868)

Err, this is just not true. Any public sector jobs have far stricter rules regarding the procurement of employees compared to private sector. If people try anything like what you have suggested, then they would be risking the sack. Not saying it doesn't happen a bit, but in my experience many businesses are hampered by family and other personal allegiance a lot more frequently.

Re:Cloud (1)

Hazel Bergeron (2015538) | more than 3 years ago | (#36837866)

Any public sector jobs have far stricter rules regarding the procurement of employees

...rules for government overseen by government, without separation of powers or accessibility of information for the public to audit.

The British empire was built on hypocrisy: the appearance of fair rules and staunch ability to look offended at the thought that they might be disobeyed; the implementation of anything but. Its legacy remains throughout government, and things have got much worse since the profit motive of private-public partnerships was reintroduced - John Company is back from the dead.

Might as well... (4, Insightful)

AngryDeuce (2205124) | more than 3 years ago | (#36835166)

Given the current state of security most of these organizations are running (political, corporate, whatever) they might as well just drop plaintext files on TPB themselves. That's where it's gonna end up eventually, whether they use "the cloud" or not...

Re:Might as well... (1)

Anonymous Coward | more than 3 years ago | (#36835302)

they might as well just drop plaintext files on TPB themselves

No doubt along with NHS medical records. [slashdot.org] Who do we sue when, invariably, it all goes wrong and how much public liabilty do these "cloud" companies have?

Re:Might as well... (0)

Anonymous Coward | more than 3 years ago | (#36835500)

Maybe they just want somebody to blame / sue when it gets out. Can't sue anonymous.

Re:Might as well... (0)

Anonymous Coward | more than 3 years ago | (#36836648)

Yeah but then you can't blame anonymous or (insert group of your choice here) for the theft of the files

Private "Cloud" (1)

Anonymous Coward | more than 3 years ago | (#36835174)

This is a non-story. Third-party provides IT services to a government. Happens all the time.

That sounds too braindead, even for government. (0)

Anonymous Coward | more than 3 years ago | (#36835180)

Cue Admiral Ackbar.

Re:That sounds too braindead, even for government. (1)

rbrausse (1319883) | more than 3 years ago | (#36835362)

there is no difference between "Government uses cloud-storage products form Huddle to share files" and "Government uses Sharepoint from Microsoft to share files". If the GSAE (some kind of VPN? found no explanation for this service) is secure a common platform for file exchange can be a Good Thing (tm)

CLOUD CLOUD CLOUD (5, Insightful)

Anonymous Coward | more than 3 years ago | (#36835204)

Please stop using that word. It makes you sound technologically illiterate.

You mean via a network, or on the internet, or something similar. "The cloud" is a stupid buzzword that needs to die RIGHT NOW.

Re:CLOUD CLOUD CLOUD (4, Funny)

rbrausse (1319883) | more than 3 years ago | (#36835288)

why the bad mood? is it cloudy at your place?

Re:CLOUD CLOUD CLOUD (0)

Anonymous Coward | more than 3 years ago | (#36835702)

It's cloudy at everyplace. That's the point.

Re:CLOUD CLOUD CLOUD (1)

daktari (1983452) | more than 3 years ago | (#36836144)

If it means we can finally start moving vendor lock in from terminals to servers in the enterprise I would still be in a sunny disposition, regardless of the dark clouds outside and buzz words flying around.

As a web dev I'm less anti-Microsoft these days, but certainly very much still against governments essentially spending top dollar on being Microsoft shops while allowing their employees to connect (Active Directory/Sharepoint anyone?) to the main network with Windows boxes ONLY (usually running outdated versions at that).

It seems that a lot of the functionality that these services with "that foggy term" can be built to be accessible from terminals running just about any OS. And that should be a good thing.

Re:CLOUD CLOUD CLOUD (1)

cp.tar (871488) | more than 3 years ago | (#36836494)

It’s Britain. It’s always cloudy there. And it rains very often. On everyone’s parade, too.

Re:CLOUD CLOUD CLOUD (1)

antdude (79039) | more than 3 years ago | (#36837444)

Maybe there aren't any happy clouds over there? :)

Re:CLOUD CLOUD CLOUD (0)

Anonymous Coward | more than 3 years ago | (#36835506)

"The cloud" is a stupid buzzword that needs to die RIGHT NOW.

The belief that things need to be other than they are is one of the root causes of suffering. Holding this belief is causing you real pain. Let it go.

Re:CLOUD CLOUD CLOUD (1)

JaredOfEuropa (526365) | more than 3 years ago | (#36835912)

Sure, it's a buzzword, but not a bad one if you think about it from an IT manager's perspective, as something similar to the little clouds in network diagrams. Other than some ground rules around security, functionality and availability (laid down in an SLA) you don't know how it works, nor do you care about the details. All you care about is that it somehow works, and keeps working. "On the internet" does not capture the black box aspect of SaaS, and could just mean hosting.

Re:CLOUD CLOUD CLOUD (2)

geekmux (1040042) | more than 3 years ago | (#36836180)

Please stop using that word. It makes you sound technologically illiterate.

You mean via a network, or on the internet, or something similar. "The cloud" is a stupid buzzword that needs to die RIGHT NOW.

Uh, die right now? Yeah, good iLuck with that iShit.

Besides, stop getting all wrapped up in a single-syllable word. It's a word. It never did anything to you directly, so lay off and start attacking those CIOs who think they know what's best because they read all about the "cloud" while sitting in the airplane.

Buzzwords don't kill IT. The leaders that waste money and stand behind lame-ass concepts do.

Re:CLOUD CLOUD CLOUD (1)

geekoid (135745) | more than 3 years ago | (#36838300)

No, the mean the cloud. IT's what we call a distributed storage access able from many point, even point not yet defined.

It's has meaning and value. That fact that you can't see that is YOUR limitation.

Network. That's how you connect, that says nothing about storage or distribution of the data, so that would be useless.
on the internet - The fact that you say that tells me you don't actually know what the internet actually is other then a link to /. and amazon.

To quote NIST:

"Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

NIST know a shit load more then you do about this, so I'll just go with what they say. Since it's a clear definition that's used everywhere.

Re:CLOUD CLOUD CLOUD (0)

Anonymous Coward | more than 3 years ago | (#36844098)

To quote NIST:

"Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

NIST know a shit load more then you do about this, so I'll just go with what they say. Since it's a clear definition that's used everywhere.

Did you read their definition? Cloud computing is a model for a network that works better than any network YOU'VE. EVER. USED. BEFORE. That's what NIST is calling the cloud.

Let's have Cirrus Computing, it could be a model for enabling Cloud Computing environments to provide on-demand network access to a shared pool of....."

Read that last bit again: "...to provide on-demand NETWORK ACCESS...." and that's straight from your NIST quote.

Sure, the cloud is about more than network access, so let's agree that Cloud computing is a time-saving word used to prefer to a suite of technologies that all require network access.

Re:CLOUD CLOUD CLOUD (0)

Anonymous Coward | more than 3 years ago | (#36839782)

I have had to repeatedly explain to management that the "cloud" is just a buzzword for keeping your files or applications on a remote server. I explain you can ditch your local installations of Office for something like Google Docs, but what are you going to do if their service goes down; or, even worse, if after a few years of building up inertia they decide it's no longer free and you can't open your files without paying whatever price they've decided you will pay? This usually gives them pause for a few months before they're back asking me how they can "leverage the cloud" to build our business. Fuck, I hate salespeople.

Re:CLOUD CLOUD CLOUD (1)

madhi19 (1972884) | more than 3 years ago | (#36843636)

Please stop using that word. It makes you sound technologically illiterate.

You mean via a network, or on the internet, or something similar. "The cloud" is a stupid buzzword that needs to die RIGHT NOW.

Yeah let revert to the old Mainframe label.

Cloud or no, it all depends on the security used (4, Insightful)

mlts (1038732) | more than 3 years ago | (#36835282)

If we pull the cloud buzzword out of the picture and consider this a remote storage/collaberation option, it can be decently secure, if controls are put in place doing encryption on multiple levels.

On the workgroup level, PGP NetShare can do a decent job, especially if the PGP keys are stored on cryptographic hardware tokens.

On the enterprise level, there are various IRM/encryption systems which can help, be it LockLizard or others. There is even one built into Windows/Office that is fairly usable.

The key (pardon the pun) is how this gets implemented. Done right, a compromise of the external disks may net a bunch of unreadable files. Done wrong, and the UK might as well just seed their snapshots to demonoid's tracker.

Re:Cloud or no, it all depends on the security use (2)

VortexCortex (1117377) | more than 3 years ago | (#36836206)

Sorry, If it's not open source, compiled in house, and uses data encrypted BEFORE it leaves our network -- It's not a secure service. Also: I put it to you that a closed source program or OS is considered harmful in terms of security and transparency (read trust-ability) -- This goes for LockLizard, Symantec's PGP NetShare, and especially Windows -- The US, UK, Russian, Chinese and other governments have the Windows source code, why is that? Security, and also to look for exploit vectors... Being a security contentious individual, Why don't you insist on having the source of your software too?

Even if you can prove that a certain algorithm is being used to encrypt the data, how can I be sure that the program or OS doesn't contain a key-logger that sends the key and/or data where I don't want it to go (Perhaps via a update request)?

If your "SaaS service" (software as a service service?) has the keys to unlock your data -- Well, Your version of "done right" is very different from mine.

Let's not forget the "trust" we put in RSA tokens, letting RSA keep the root keys, and how hackers cracked the collective single point of failure, then used RSA's keys... If those who got hacked as a result of using RSA's "Security as a Service" had instead used Yubikey [yubico.com] , they could have installed their own "seed" keys into their own tokens, thus eliminating the centralized key-store. (Additionally, if RSA wasn't using Windows internally they wouldn't have been vulnerable to the attack vector used against them; Google learned this lesson too.)

A true "Thin Client" or Dumb Client, won't be doing much work with your data, allowing data processing remotely means you have no control over your security. I opt for "Real Clients" and in-house services combined with a "Dumb Cloud" that just stores and fetches encrypted blobs.

In short: If someone else has the keys to your kingdom, how secure are you really? (Lockheed thought they could trust RSA in such a way -- Yep, they both got hacked [pcmag.com] ).
--
Don't get me wrong, apply security as needed; Some systems don't need as much security as others (provided backups are made), but why call a less secure solution "done right"?

Re:Cloud or no, it all depends on the security use (0)

Anonymous Coward | more than 3 years ago | (#36836926)

It depends on your objectives:

If I had a number of acquaintances and we were wanting to share documents securely (without needing a mechanism for locking individual documents), PGP/gpg encrypting them and storing them on a private sftp server would be good enough.

However, part of security with businesses is CYA. If RSA's product fails, a client can point to them and say "blame them, we acted in good faith by buying their product which is FIPS, Common Criteria, etc. certified." If a no name product failed, the buck may stop with that client, and in the Sarbanes-Oxley, HIPAA, or FERPA arenas, it might mean someone goes to prison. This is why a lot of businesses rather pony up the dollars for a commercial solution so they can say they are acting in due diligence by buying the top tier security brands.

I agree with you -- the ideal is to have anything that leaves the secured local network segment heavily encrypted. However, when one gets a business with a lot of users, there isn't much that can scale up that high.

Devil's advocate here: Yes, Windows has some security issues, but Windows has the best tools for the enterprise for management. If the BSA comes a knocking, it isn't difficult to find a tool to cough up a software inventory list on every Windows box in use company-wide. Same if a security auditor demands to know the status of every antivirus install on each machine connected to the LAN. Because of this, businesses stick with Windows.

Already doing so... (1)

ftobin (48814) | more than 3 years ago | (#36835374)

I thought the US government spearheaded sharing classified files with the cloud. They just called it Tor over here.

Sweet Nepotism (0)

Anonymous Coward | more than 3 years ago | (#36835516)

N/t

Tomorrow's headline: (1)

JustAnotherIdiot (1980292) | more than 3 years ago | (#36835564)

UK Government shocked when all its restricted files are found all over the internet.

Re:Tomorrow's headline: (1)

marcosdumay (620877) | more than 3 years ago | (#36835956)

You are assuming they'll find those files. Do they routinely search TPB?

Re:Tomorrow's headline: (1)

JustAnotherIdiot (1980292) | more than 3 years ago | (#36836284)

Define they. If they = UK government, probably not.
But if they = media, the ones that make the headlines? Yes, because they love stuff like this these days.

So that means... (0)

Anonymous Coward | more than 3 years ago | (#36835668)

... that loosing harddrives all over the country was intentionally done to jumpstart their cloud...?

ARGH idiotic idea (0)

Anonymous Coward | more than 3 years ago | (#36835730)

Huddle are a US company. Therefore under their "Patriot" Act, any US agency with a three-letter acronym can request all the foreign office data without a court order and without the foreign office being told. This does assume that Huddle have access to the information, which is almost certain to happen if it doesn't already. Other countries must start to use local service providers until this is resolved. Encrytion will work to a point, but encryption can be broken.

No problem here! (0)

Anonymous Coward | more than 3 years ago | (#36835810)

Foreign and Commonwealth Officer: "Let's store all of our secret data on the internet. How can this go wrong in any way?"

Good idea (1)

PPH (736903) | more than 3 years ago | (#36836120)

Think of all the disk space you can save by sharing it with Julian Assange.

I have seen the future :) (0)

Anonymous Coward | more than 3 years ago | (#36836146)

"I want to report a wrongful arrest"

"You want Information Adjustments. Different department"

link [imdb.com]

Advantage (1)

Hognoxious (631665) | more than 3 years ago | (#36836254)

At least a junior civil servant can't get drunk and leave a cloud in the back of a taxi.

Unless he went for a curry after the pub.

Impact Level 3 (1)

mattsday (909414) | more than 3 years ago | (#36837016)

It's worth noting that IL3 isn't exactly top secret - patient records (such as xray scans) are also classified as IL3.

Really top secret stuff is IL6 which has a very different set of security requirements. Whether this makes it more secure is a different matter, but don't expect diplomatic cables, submarine designs and MI6 café menus on this system.

Many of you son't seem to know what the Cloud is (1)

geekoid (135745) | more than 3 years ago | (#36838388)

From the NIST:
"Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

What you think it needs to be offsite, run by someone else or accessibly by anyone show you have no fucking clue.

I wish /. had personal tags. I would love to start filtering put poster who regularly don't read the article who has the most reasoned replies.

Would it match the general population bell? or would some people really stand out?

Re:Many of you son't seem to know what the Cloud i (1)

dbIII (701233) | more than 3 years ago | (#36841906)

That's becuase the cloud has more of a nebulous definition according to salesfolk that use it a lot - typically it's not really a cloud in their view unless it's something they can sell to you. If it's your own servers on site or in somebody elses rack and they don't sell rack space they insist it's not a cloud. It's used as a buzzword jammed into whatever crevice is convenient at the time.
I'm still trying to get over the urge to vomit from first reading the buzzword collision of "iCloud".

What impact levels mean (0)

Anonymous Coward | more than 3 years ago | (#36838630)

They're not about secrecy, they're about business impact, i.e. potential consequences.
The official definitions are at http://www.cesg.gov.uk/policy_technologies/policy/media/business_impact_tables.pdf

Let's just cut to the chase... (1)

Genda (560240) | more than 3 years ago | (#36841970)

Let's save everyone a lot of time and energy. Have D.C. Bureaucrats duct tape classified documents to one anothers' ass, Then en masse assemble at Radio City doing the Can-Can in a dance line. Whatever you can read... you can keep.

Besides saving tremendous time and energy on all sides, it should prove incredibly entertaining... perhaps we can sell tickets to help reduce the deficit.

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?