On the face of it, defining ‘Secure Cloud’ is straightforward – it’s a cloud that is has greater security protection than a regular one.   

But that’s not quite the full story.  

A Secure Cloud offering, however, is inevitably going to mean many different things to many different people. The meaning will change depending on the value of the data or workloads which need to be protected – primarily assessed by what they mean to the cloud service user, and to the cloud service user’s stakeholders.   

When considering institutions which are public sector organisations, their primary stakeholder will be the UK citizen. With that, the definition of Secure Cloud changes. Further, when your users are institutions, maybe underpinning education, or healthcare, or perhaps even Defence or National Security in the UK, the definition of Secure Cloud changes once more, often on a case-by-case basis.  

Ultimately, a Secure Cloud can accommodate these workloads, no matter the individual security classification, the residency of personal data, or the specifics of data sharing requirements. A true Secure Cloud should enable choice, innovation and collaboration whilst maintaining data security and workload integrity.  

‘Secure Cloud’ is a subjective term, and the definition for your industry may differ from that of another.   

But one thing is certain…  

All public sector organisations must assess the security credentials of their Cloud Service Provider (CSP) – and their hosted cloud solutions – before potentially compromising valuable datasets, or getting locked into a cloud solution that cannot meet their operational requirements or local compliance regulations.  

THE SCHREMS II JUDGEMENT – WHO CAN ACCESS YOUR DATA? 

A recent data privacy judgement, known as Schrems II, ruled last year that the 2016 ‘Privacy Shield’ framework for data transfers between the EU and US was insufficient. Amongst the legal jargon one message was clear – data transfers with the US would always need special attention.

This judgment has implications for UK businesses, raising concerns around sharing data with countries outside of GDPR (such as the US), who have adopted a surveillance culture. The UK’s post-Brexit decision to operate similar regulatory frameworks as the EU requires similar caution: future data sharing with the US will require much more diligence, and will be watched closely by the EU. It’s more evident than ever that the US privacy culture is no longer similar to that of the UK and EU. The requirement of legal action to dismiss the ‘Privacy Shield’ framework, once accepted as adequate, should send alarms ringing for organisations in the UK whom rely on cloud solutions.  

With a growing disparity in the different privacy rules amongst many countries and trading blocs, organisations must be aware of where their data is. Sovereignty, residency and data protection for the UK public sector has never been more important. Especially in an age where the data underpinning applications and services is becoming increasingly valuable, to users, to states and to criminals. A Secure Cloud must be able to protect your data from external factors which could compromise its confidentiality, sovereignty and integrity. But it’s not just a ‘protector’ – a Secure Cloud must be an enabler too. With only 20% of Local and Central Government organisations stating recently that they feel they can safely share data to effectively collaborate with partners and other agencies, there must be a greater focus on comprehensive uptake of secure cloud to enable the true value of data. We will discuss the importance of this more shortly…  

DATA SOVEREIGNTY AND RESIDENCY – WHERE IS MY DATA WHEN IT’S IN THE CLOUD? 

A very good question that doesn’t always have a straightforward answer. Different cloud service providers will make different declarations about the residence of your data. It’s your choice where you want your data stored, and what guarantees you seek for your data’s security – considerations driven by your own cloud strategy.  

It’s not just security that is affected by current data residency issues, as noted by UKCloud CEO Simon Hansford during a recent webinar hosted by the Centre for Policy Studies and HPE:  

“It’s widely understood that 94% of data in the western world is currently hosted in the US – that’s a near data monopoly. It does nothing to drive competition, value, or innovation.”  

It’s never been clearer that data sovereignty, especially for public sector organisations, is a significant requirement. The integrity of public sector data is becoming tainted, “organisations don’t actually know where their data is, they just think they do” (UKCloud State of Digital and Data Report). Organisations are placing their valuable data at risk.  

As well as the external view of digital and data that is of grave concern, it’s also the continued reliance of public sector organisations on outdated legacy IT estates to store their data and workloads. 53% of these organisations say their data remains on-premises, and reliance on this infrastructure is plaguing the public sector. Not just from a security point of view, but from one of enablement. It’s been over 8 years since the government’s ‘Cloud First’ policy, and now months on from the National Data Strategy, wherein public sector organisations were “encourage(d) to uptake digital technologies more broadly – both for the benefit of the economy and wider society”, it is clear there is still inhibitions about cloud. 

The continued lack of action in migrating and transforming is a growing problem – one which is causing the UK to fall behind in its national digital capability. As noted in a statement by Julia Lopez MP at the digital government conference:  

“In order to make the most of data we need to fix the elephant in the room – legacy IT. Because as long as we continue to rely on outdated systems and technology, we will be unable to fully harness the opportunities of emerging technologies and modern digital solutions.”  

Moving away from these environments can be particularly tricky, and could even seem intimidating, especially for sensitive workloads. However, in order to be in control of your data, you don’t need to be managing your own data centre. Cloud can be secure enough to host even the most sensitive workloads – including critical defence applications – but it remains essential for you to evaluate and understand exactly what requirements you need, and carefully assess how each CSP measures up against these factors.  

Embracing Secure Cloud, and one which can ensure data sovereignty, is the key to unlocking the door for safe internal and external collaboration, secure applications and Software as a Service (SaaS) solutions, as well as to simply have peace of mind as to where your data is. 

Then what is a Secure Cloud?  

A Secure Cloud comprises of multiple security domains that align to an organisation’s varying data sensitivities, with a secure means of communication between domains to provide a complete solution. 

And how would that work? 

CREATING YOUR SECURE CLOUD SOLUTION

Let’s evaluate what makes a Secure Cloud secure. Data security and risk management are two of the most significant inhibitors to cloud adoption, with 85.2% of public organisations reluctant to move workloads to the cloud as a result. 

There are three types of cloud: 

• Public – Multi-tenant cloud wherein many share a single resource for maximum cost effectiveness. 
• Private – A single-tenant cloud for the sole use of one organisation. 
• Hybrid – A customised combination of public and private clouds, including the use of on-premise infrastructure and other 3rd party providers. 

It’s important to note that whatever your cloud hosting solution, public, private or hybrid cloud, you can achieve your required level of assurance. The public sector should consider secure community cloud; a public cloud solution that can host your workloads with no compromises, and the same level of security as a more expensive private cloud solution.  

According to Gartner, community cloud computing refers to a shared cloud computing service environment that is targeted to a limited set of organisations with similar ethos and values. 

For a secure community cloud to be effective, there must be a strong emphasis on ensuring there are multiple security domains. The current guidelines for data sensitivity have been simplified to ‘OFFICIAL’,’OFFICIAL SENSITIVE’, ‘SECRET’ and ‘TOP SECRET’. However most cloud providers will vary in their application of security domains and may have a narrower workload classification capacity. 

An ideal secure community cloud should offer several security domains that can be securely connected using appropriate cross domain protocols. This allows you to choose the right security domain for certain sets of your data, whilst still allowing for citizens to access services from their internet connection, whilst also securing back-end data. 

Your organisation’s security requirements will define the required security domains of your cloud provider, thus your definition of Secure Cloud.

ENABLING COLLABORATION AND INTEROPERABILITY

The recent Centre for Policy Studies and HPE webinar, explored the topic of data sharing, and a quote from Rt Hon John Whittingdale OBE MP, Minister of State for Media and Data, summed up the current state:  

“At the moment people view data sharing as a threat or as a risk… but what they don’t hear about is the benefits that flow from sharing data. In fact, one of the consequences of the last year is that we have managed to share data in a whole range of different areas to the huge benefit of the effort to tackle the pandemic.”  

And data sharing is a core part of the government’s future plans, according to Julia Lopez MP: “We are committed to transforming the way data is collected, managed and used across government. We intend to create a joined up and interoperable data infrastructure.”  

Initiatives such as GAIA-X reinforce how real and important data sharing is for creating competitive advantage and delivering innovation. GAIA-X is Europe’s plan for a collaborative digital future, and is described as “the cradle of an open, transparent digital ecosystem, where data and services can be made available, collated and shared in an environment of trust”. The platform will connect centralised and decentralised infrastructures, transforming them into a homogeneous, user-friendly system.   

Such exciting and enabling plans makes one wonder how such a plan could benefit the UK. But in order to achieve this level of comprehensive safe data sharing, an equally comprehensive uptake of secure cloud across the UK public sector has to occur. Only when public sector organisations digitally mature can true and effective collaboration be enabled.  

Robust infrastructure is the key to interoperability and collaboration, but it is vital that the use of secure networks and SaaS applications are monitored and managed to ensure they are not misconfigured and allow the solution to be compromised. If organisations cannot ensure the safe sharing of data, it could have grave compliance and security ramifications: but this is a risk which can be minimised.  

There’s ample value in the safe sharing of data. For organisations, and citizens, and nowhere else has this been so vividly displayed in the last 12 months than in health and care, as described by John Whittingdale earlier. But this can be taken many steps further, and many are calling for such a push. Allowing for collaboration and interoperability through secure, compliant and ethical sharing of data between Health and Social Care providers is a key recommendation of Public Policy Projects’ (PPP) Digitisation of Healthcare and Medical Technologies report. Secure cloud-based access to networks such PSN and HSCN open the door to a future of Health and Social Care collaboration, a future which can only be achieved through the rapid and comprehensive adoption of Secure Cloud.  

This sort of opportunity is not limited by industry, but by ambition and desire for innovation. 

Ask yourself, what is stopping you? 

Because, in the digital age, the value of data and collaboration is too important to pass up, yet, blindsided by inertia and inhibitions, organisations are not realising these opportunities.  

BUILDING CYBER RESILIENCE AND EXTRA SECURITY PROTECTIONS

Cyber-attacks have become a significant element of global criminal activity. Many organisations have unwittingly fallen victim to ransomware attacks, and with the recent ransomware attack on the Irish Health Service (HSE), it is clear that public sector organisations, whatever their size, are equally likely to be potential targets for cyber criminals. The NCSC released an article recently addressing ransomware attack preparation and response.  

How can you be so sure that your organisation’s move to the cloud won’t be met by a cyber-attack at some point?  

Well, that is a good question. Without careful consideration of data security, your organisation may be putting its data at increased risk of attack or compromise. It is also true, however, that data and workloads are also susceptible to risk in ageing on-premise data centres. No defences are guaranteed, but with the robust security benefits of cloud, including state-of-the-art hardware and well managed and monitored software, you can significantly improve the security of your data. However, with outdated and siloed hardware and software, Legacy IT is more susceptible to failure, and is not considered to be a resilient or long-term solution. There is no solution that guarantees full resilience; often attacks on cloud and on-premise data come from human error, such as phishing scams. 

With Legacy IT, there is a need to manage your own upgrades and protections against threats and downtime – this may become expensive and resource-intensive. Cloud solutions can differ depending on the provider, but most will offer many levels of cyber protection, as well as patching, asset life cycle management and monitoring. Further, cloud offers extra security protocols such as data encryption, Security Operations Centres (SOC), and disaster recovery support, all of which complement cyber resilience.  

Once again, managing your own data centre doesn’t make your data any more secure. Legacy IT solutions are placing sensitive and valuable data at risk every day, much of which can be mitigated through migrating to a Secure Cloud. It’s time to sure up your cyber resilience with cloud. To take your first steps to becoming more Cyber-aware as an organisation, see the recently refreshed ’10 steps to Cyber Security’ infographic from the NCSC.  

The most important avenue to explore is speaking to potential cloud service vendors. Have conversations with responsible providers about your ideal Secure Cloud solution, and explain your specific requirements and perceived risks. UKCloud has a commitment to ‘doing the right thing’ by serving the best possible value to the taxpayer. Our goal is to encourage the wider uptake of digital technologies in the UK public sector, and to make transformation happen. To plan your Secure Cloud strategy, reach out to our Professional Services team. If you want to learn more about Secure Cloud, browse our cloud solutions - https://ukcloud.com/solutions, or talk to one of our experts today. https://ukcloud.com/contact/