SmartNumbers Cloud – CESG Accreditation

Among the most critical concerns for organisations looking to move to Cloud-based services are those of resilience and security. As new vendors rush to make their services ‘Cloud-Based’ it stands to reason that some of these will take short-cuts on the way there.and in so doing will put their customers at risk. Without independent accreditation, it’s impossible to know those that have taken these short-cuts, and those that have done the job properly. Keep in mind that even the reputation of the vendor in other areas of business may not be sufficient to ensure that when it comes to providing services from the Cloud since short cuts can be taken accidentally as well as on purpose. 

There are many aspects in both the design and operation of the Cloud that will make it susceptible to risks and in which corners can be cut. These fall into a number of major categories;

• It’s design and architecture, especially with respect to scalability and security
  
• The quality of the hardware, software and network interconnects using to built it
  
• The processes around the ongoing management and maintenance of the Cloud
  
• The people responsible for running these processes

Weaknesses in any one of these areas could present a major problem to customers. Weakness in several of these could prove catastrophic. But without benchmarks for formal cloud accreditation, it’s impossible to know the quality of the basked in which customers are being asked to put their eggs. Even Service Level Agreements (SLA) are of little help, since most vendors do not publish their performance against SLA’s and very few protect against the business impact to the client if an SLA is breeched.

One UK solution to this problem is the accreditation provided by the Communications-Electronics Security Group (CESG). This is the government body that provides formal accreditation for any technology or service to be provided to the UK Government. While CESG accreditation is mandatory for the deployment of technology into the UK Defence sector, it’s also becoming widely adopted across major government and commercial organisations. More information on CESG accreditation can be found here:  http://www.cesg.gov.uk/about_us/whatwedo.shtml

CESG accreditation is very rigorous and time-consuming to achieve, and once achieved only relates to the version of the hardware/software/service that was accredited. From a business perspective, BT’s aim was to achieve CESG accreditation for our cloud-based SmartNumber services so that they could be deployed within the UK Ministry of Defence and other government customers.  The CESG accreditation process looked in great detail at;

• The design of BT DFTS SmartNumbers Cloud, at both a macro and micro level and it’s dependences on any third party interfaces
  
• Assessment of the components used to build, monitor and maintain the Cloud
  
• The quality and resilience of the Network Operations Centre used to monitor the day to day running of the Cloud
  
• The processes around maintaining the cloud, including provisioning, helpdesk
  
• The people managing the operation of the Cloud, education, qualifications, security clearances
  
• Scalability and Penetration testing to try to expose any weaknesses regarding resilience, security, and scalability

I’m delighted to report that SmartNumbers has finally achieved CESG accreditation, the first such accreditation given to cloud-based voice services. While this is essential for the delivery of our Cloud-based voice services into government, this should also provide reassurance to customers in the financial services, retail and pharmaceutical sectors. When looking at other suppliers and their Cloud-based credentials, organisations would be well advised to consider those that have been CESG accredited and those that have yet to submit themselves to such rigour.