As the UK Government iteratively develops its G-Cloud multi-source procurement frameworks, now into their third phase with “G-Cloud iii”, it seems that the messages are somewhat confused. Just because a supplier and service is available via the CloudStore doesn’t necessarily mean that it is accredited or certified to a particular security level. For example, I’ve seen public references to services like those from Memset as being IL2 accredited but what does that mean? Reports suggest that their “differentiated” IL2 service is available via the “public infrastructure” – well, from their website descriptions, they have dedicated servers in their own data centre(s) so I assume this means access via the Internet although it’s not clear whether this requires some form of VPN or SSL for encryption purposes. I would have thought it should be accessed via the Public Services Network (PSN) which is, by definition, accredited to IL2.
In fact the UK Government’s ICT Strategy is based on the architectural trichotomy comprising the:
- Public Services Network (PSN); and
- CloudStore or Government Application Store (G-AS).
The overall architecture is illustrated in Figure 1 below.
Figure 1 – High Level Architecture of G-Cloud
As such, the G-Cloud is a private cloud which is available only to the UK Public Sector community (which includes wider government, i.e. the Third Sector). Any SaaS applications that sit outside in the Public Cloud, such as Salesforce.com or Microsoft’s Office 365, should therefore be accessed via a secure gateway service if architectural integrity is to be maintained. This is where Integration and Management Services come into play!
CloudStore is an online procurement portal through which buyers can call-off services from the frameworks but these and the architecture are still evolving. Until we get more clarity on the target architecture and roadmap its going to be a bumpy ride.