Don’t Trust Cloud, Says Government Security Adviser

Firewalls block most public sector agencies from Internet applications due to perceived risks

The head of information policy and security at the UK Highways Agency has urged caution when it comes to the adoption of hosted or cloud applications such as Google Apps and Windows Live, which he believes should not be used for critical tasks at present.

Speaking at the European Computer Audit, Control and Security (EuroCac) conference in Budapest this week, Ray Butler, a former information systems auditor at HM Customs for more than 25 years, told an audience of audit and IT specialists that hosted applications were still an unknown quantity in terms of security.

Asked by eWEEK Europe UK whether he believed web office applications such as Google Docs were inherently more insecure than local applications, Butler said that it depended on the circumstances but he wouldn’t advise using such tools for confidential or critical information.

“It depends, doesn’t it? I work collaboratively, not in Google Docs but in Huddle and Microsoft Office Live,” he said. “But I wouldn’t use it for anything that would screw me up or my organisation up if it got lost or improperly released or anything simply because I don’t know how good the security is.”

EuroCac Conference held in Budapest

How reliable are hosted apps?

Several high profile UK companies have opted to introduce Google Apps into their businesses. Rentokil Initial announced plans in October last year to deploy Google Apps Professional Edition to around 35,000 staff by the end of 2010. “By deploying Google Apps, we can overcome a wide range of technical and communication issues, and enhance our ability to deliver operational excellence throughout the organisation,” said Bryan Kinsella, chief information officer of Rentokil Initial, at the time.

Butler went on to explain that some hosted or cloud application providers will provide service level guarantees for business customers which could mitigate some of the risk. But he also explained that despite such assurances government departments are blocked from accessing online tools for security reasons. “You need to know where it [the data] is going. Certainly, in government circles all those things are fire-walled out because of the data leakage risk and we are told not to send government information outside the controlled government intranet.”

Butler added that the government has systems in place to prevent key information from being sent outside the firewall to non-authorised recipients. “There are applications that will stop you doing that. If information is marked above a certain level it will say ‘don’t be silly Ray, you can’t send it to him, he hasn’t got the right credentials’ and if I try again it will tell my boss and he will slap me,” he said.

Tracking changes on the “dodgy dossier”

Despite the perceived shortcomings of hosted applications and government attempts to control data leakages, Butler admitted that some public security loopholes still persist. He made reference to the so-called “dodgy dossier”, which was used by the UK government to justify the invasion of Iraq and was later shown to contain weak sources and misinformation.

“I was told that when the Word document that contained the dossier was released, to make the people who had made key decisions look better, somebody did this [click on track changes] and suddenly the track changes were left in place,” he said.

Word 2007 and Word 2010 prevent documents with the revisions hidden from being sent out but earlier versions still allow it, Butler said. “We are still using 2003 and you can still circulate stuff that looks clean and the revisions will still be there and you won’t notice. Even if you hide them and attach the document to an email and send it somebody I might not know that when they get it, they can still see the changes.”

The security expert said that the decision to alter the track changes setting in Word was a result of the Iraqi dossier incident. “I believe there was a lot of flak with Microsoft with that dodgy dossier incident which kicked them into making that functionality available,” he said.
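
As an added illustration of the point about hidden revisions (not part of the original article), here is a pre-send check that lists tracked changes still stored in a document that looks clean on screen. It assumes the later .docx (Office Open XML) format rather than the Word 2003 binary format Butler refers to; the function names and the sample document are constructed for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, a hardened parser such as defusedxml is preferable

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Elements Word writes for tracked insertions, deletions and moves.
REVISION_TAGS = {f"{{{W}}}{k}": k for k in ("ins", "del", "moveFrom", "moveTo")}
TEXT_TAGS = (f"{{{W}}}t", f"{{{W}}}delText")  # visible text and deleted text

def find_revisions(docx_bytes):
    """Return (kind, author, text) for each tracked change in word/document.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    found = []
    for el in root.iter():  # document order
        kind = REVISION_TAGS.get(el.tag)
        if kind is None:
            continue
        text = "".join(t.text or "" for t in el.iter() if t.tag in TEXT_TAGS)
        found.append((kind, el.get(f"{{{W}}}author"), text))
    return found

def build_sample(tracked):
    """Constructed minimal archive holding only word/document.xml (sample data)."""
    if tracked:
        body = ('<w:del w:id="1" w:author="Editor A"><w:r>'
                '<w:delText>draft figure</w:delText></w:r></w:del>'
                '<w:ins w:id="2" w:author="Editor A"><w:r>'
                '<w:t>final figure</w:t></w:r></w:ins>')
    else:
        body = '<w:r><w:t>final figure</w:t></w:r>'
    xml = f'<w:document xmlns:w="{W}"><w:body><w:p>{body}</w:p></w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    for label, tracked in (("with revisions", True), ("accepted/clean", False)):
        hits = find_revisions(build_sample(tracked))
        print(label, "->", "BLOCK" if hits else "ok", hits)
```

Hiding revisions in the editor changes only the view; the deleted text stays in the file until the changes are accepted or rejected, which is why the check reads the stored markup rather than the rendered document.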

Earlier this year, the Highways Agency launched an application for the iPhone to help drivers navigate around traffic jams and cut carbon emissions.