Credit: Gianni Crestani/Pixabay    Image has been cropped

The Home Office runs more than 250 groups of software applications from a public-cloud environment provided by Amazon Web Services or Microsoft, a minister has revealed.

Tom Pursglove, a junior minister at the department, added that this number of “application groupings” does include “duplications where services may have development, test, pre-product and production environments in either or both” of AWS and Microsoft Azure.

“The Home Office is a large user of both AWS and Azure,” he added, in response to a series of written parliamentary questions from Labour MP Chi Onwurah. “The use of these capabilities varies from business application deployments to encrypted storage and compute. This is supplemented by robust and targeted private hosting capabilities.”

Despite its widespread use of Amazon and Microsoft, the department has nothing at all stored in the an environment provided by the third of the three major public cloud providers: Google Cloud Platform.

“The Home Office, as with other government departments follows the Government Digital Service advice to move towards public cloud first for our computing needs,” Pursglove added. “This allows us to build scale, flexibility and control into our applications and infrastructure.”

In a question to the Cabinet Office, Onwurah asked the department what “assessment [it] has made of the level of risk to UK citizens' data where that data is hosted on public cloud providers; and [what] steps the department takes to protect UK citizens' data on public cloud providers”.

Related content

• Home Office renegotiates £100m AWS deal
• HMRC begins prep for major cloud move
• Home Office signs £5m deal for ‘cloud landing zones’

Heather Wheeler, a junior minister at the central department, said that each discrete Whitehall department – including the Cabinet Office – is responsible for conducting its own “risk-based assessment of their use of cloud providers for the storage of government data up to ‘Official’ level, including UK citizens’ data”. 

‘Official’ is the lowest of the three levels of classification of government data – coming before ‘Secret’ and ‘Top Secret’ – and is applied to “the majority of information that is created or processed by the public sector”.

This “includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile”.

According to Wheeler, when assessing potential suppliers to host such information, central government bodies should consider the cloud security advice set out by the National Cyber Security Centre.

“Departments are required to follow the Technology Code of Practice when choosing a cloud provider, and this is assessed as part of the spend controls function,” she added. “Departments must show that they have chosen the technology which provides the best value for money while meeting user needs. The Central Digital and Data Office carries out ongoing engagement with departments to review their decision-making about hosting. This includes qualitative analysis through user research as well as spend controls.”