What is Secure Cloud? [The complexity of public sector cloud security]
On the face of it, defining Secure Cloud is simple. It’s a cloud that is more secure than a regular one.
But that’s not quite the full story.
You see, a Secure Cloud offering means many things to many different people. The meaning differs depending on the value of the data or workloads being protected – what they mean to the user, and what they mean to the user’s stakeholders.
When all of these institutions are public sector organisations, their primary stakeholder is the UK citizen. With that, the definition of Secure Cloud changes.
And further, when your users are institutions, maybe underpinning Education, or Healthcare, or even Defence and National Security in the UK, the definition of Secure Cloud changes dramatically, and on a case-by-case basis.
Ultimately, a Secure Cloud can accommodate these workloads, no matter what security classification or the residency and data sharing requirements. A true Secure Cloud should enable choice, innovation and collaboration whilst maintaining data and workload integrity.
So, does that mean ‘Secure Cloud’ is a subjective term? Well, yes. The definition for your industry may differ from that of another.
But one thing is certain…
All public sector organisations must consider the security of their Cloud Service Provider (CSP), and their cloud solution, on a comprehensive level before potentially compromising data, and getting locked into a cloud solution that cannot meet local compliance regulations.
The Schrems II judgement – Who can access your data?
A recent data privacy judgement, known as Schrems II, ruled last year that the 2016 ‘Privacy Shield’ framework for data transfers between the EU and US was insufficient. Amongst the legal jargon, one message was clear – data transfer with the US would always need a second glance, and that data residency and protection with regards to data sharing is now of immediate relevance and real concern.
The significant point of this decision is its implications for UK businesses. Yes, the decision raises concerns around sharing data with countries, such as the US, that adopt a ‘surveillance culture’. But the UK’s post-Brexit decision to operate regulatory frameworks similar to the EU’s raises just as much concern. The UK’s future in data sharing with the US will be a journey on thin ice, watched closely by the EU. But the mere message that US privacy culture is such a foil that it required legal action to dismiss the ‘Privacy Shield’ framework, once accepted as adequate, should set alarm bells ringing for organisations in the UK.
With a plethora of different privacy rules amongst many countries and trading blocs, organisations MUST be aware of where their data is. Sovereignty, residency and data protection for the UK public sector have never been more important, especially in an age where the data underpinning applications and services is becoming increasingly valuable to users, to states and to criminals, as well as becoming ever present in international trade agreements. A Secure Cloud must be able to protect your data from external factors which could compromise its integrity and sovereignty. But it’s not just a ‘protector’ – a secure cloud must be an enabler too. With only 19.6% of Local and Central Government organisations stating recently that they feel they can safely share data to effectively collaborate with partners and other agencies, there must be a greater focus on comprehensive uptake of secure cloud to enable the true value of data. We’ll talk a bit more about the importance of this a bit further down…
Data Sovereignty and Residency – Where is my data when it’s in the cloud?
A very good question that doesn’t actually have a simple answer. Different cloud service providers will be able to make different guarantees about the residence of your data. It’s your choice where you want your data stored – what guarantees you want for your data – and that all comes down to your cloud strategy.
It’s not just security that is affected by current data residency issues, as alluded to by UKCloud CEO Simon Hansford during a recent webinar hosted by the Centre for Policy Studies and HPE:
“It’s widely understood that 94% of data in the western world is currently hosted in the US – that’s a near data monopoly. It does nothing to drive competition, value, or innovation.”
It’s never been more clear that data sovereignty, especially for public sector organisations, is imperative and crucial. The integrity of public sector data is becoming tainted, “organisations don’t actually know where their data is, they just think they do” (UKCloud State of Digital and Data Report), and the inability to extract value from this data is stifling innovation.
It’s not just the ‘macro’ view of digital and data that is of grave concern, it’s also the continued reliance of public sector organisations on outdated legacy estates to store their data and workloads. It’s been over 8 years since the government’s ‘Cloud First’ policy, and now months on from the National Data Strategy, wherein public sector organisations were “encourage(d) to uptake digital technologies more broadly – both for the benefit of the economy and wider society”, still 53% of these organisations say their data remains on-premises.
This is a growing problem – one which is causing the UK to fall behind in its national digital capability. A point which was summarised in a statement by Julia Lopez MP at the digital government conference:
“In order to make the most of data we need to fix the elephant in the room - legacy IT. Because as long as we continue to rely on outdated systems and technology, we will be unable to fully harness the opportunities of emerging technologies and modern digital solutions.”
Moving away from these environments can be particularly tricky, and even seem scary, especially for sensitive workloads. However, in order to be in control of your data, you don’t need to be watching the flashing lights of your data centre. Cloud can be secure enough to host even the most sensitive workloads – that goes for defence too – but it is so important to explore what requirements you need, and what each CSP can offer.
Embracing Secure Cloud, one which can ensure data sovereignty, is the key to unlocking the door for safe internal and external collaboration, as well as to simply have peace of mind as to where your data is.
Security Domain levels – How secure can you go?
Let’s talk a bit more now about what makes a secure cloud so secure. Security and risk is one of the most significant inhibitors to cloud adoption, with 85.2% of public organisations reluctant to move workloads to the cloud as a result.
Public, private or hybrid cloud, whatever your cloud hosting solution, you can achieve your required level of assurance. It’s time the public sector opened their eyes to secure public cloud; a solution that can host your workloads with no compromises, and the same level of security as a more expensive private cloud solution. It’s simply an isolated multi-tenant environment, a true cloud solution with all of the cost savings, efficiencies and scalability, with the same no-compromise security. Though labelled ‘Public’ it really is better defined as ‘Genuine Cloud’, or ‘Multi-Tenant Cloud’, not hosted on premises like a private cloud, but still completely secure and totally isolated, enough to host even the most sensitive workloads.
How can that be? Well, it’s all about the security domains on which your solution is based. These domains represent the different levels of Secure Cloud, and certain services such as Cross Domain Security Zones (CDSZ) can allow easy and safe transfer of data between each tier. Your organisation’s security requirements will define the required security domain, thus your definition of Secure Cloud.
OFFICIAL Sensitive
The OFFICIAL Sensitive domain classifies all security domains previously contained between IL0 and IL3. This definition takes into account a range of security domains, which inherently means there is almost a ‘cross contamination’ of simple internet connected services, as well as connections with a higher level of security. As such, at UKCloud, we prefer to break this down further into Assured OFFICIAL, and Elevated OFFICIAL. This allows organisations to separate lower classification workloads (Internet, Janet, HSCN and PSN-A-based traffic) from more sensitive data, which uses PSN-Protected (PSNP) and RLI connections to increase data security. UKCloud offers the Cross Domain Security solution to allow for highly secure data communications between each security domain, ensuring that internet-based workloads can be connected to secure data without affecting security.
Assured OFFICIAL (IL0, IL1, IL2)
An Assured OFFICIAL platform can be natively connected to the internet in order to support citizen facing public services. It can also enable connections to a variety of community networks including the Health & Social Care Network (HSCN), the Joint Academic Network (Janet) and the Public Services Network (PSN).
Elevated OFFICIAL (IL3)
UKCloud’s Elevated OFFICIAL security domain is only directly connected to private networks and secure government networks such as PSNP and RLI which provides an even higher level of assurance and trust for the most sensitive data and applications. Ideally, this domain is for users directly connected to these networks to provide backend services or data for internet connected use via the Assured OFFICIAL services.
Above OFFICIAL (IL4, IL5)
The Above OFFICIAL domain was previously classified as IL4 or IL5. Only a limited number of CSPs can offer this level of security, and UKCloud is the first cloud provider to offer genuine cloud services suitable for workloads that are classified as Above OFFICIAL, and the only CSP able to support workloads which require IL5 on a genuine cloud. This platform incorporates even stronger security controls, including High Grade Crypto to connect to the most secure UK sovereign systems and networks.
Enabling collaboration and interoperability
The Centre for Policy Studies and HPE webinar, discussed earlier, explored the topic of data sharing, and a quote from Rt Hon John Whittingdale OBE MP, Minister of State for Media and Data, sums up the current state:
“At the moment people view data sharing as a threat or as a risk… but what they don’t hear about is the benefits that flow from sharing data. In fact, one of the consequences of the last year is that we have managed to share data in a whole range of different areas to the huge benefit of the effort to tackle the pandemic.”
And data sharing is a core part of the government’s future plans, according to Julia Lopez MP: “We are committed to transforming the way data is collected, managed and used across government. We intend to create a joined up and interoperable data infrastructure.”
Initiatives such as GAIA-X reinforce how real and important data sharing is for creating competitive advantage and delivering innovation. GAIA-X is Europe’s plan for a collaborative digital future, and is described as “the cradle of an open, transparent digital ecosystem, where data and services can be made available, collated and shared in an environment of trust”. The platform will connect centralised and decentralised infrastructures, transforming them into a homogeneous, user-friendly system.
Such exciting and enabling plans force one to wonder how such a plan could benefit the UK. But in order to achieve this level of comprehensive safe data sharing and cohesion, an equally comprehensive uptake of secure cloud across the UK public sector has to occur. Only when organisations digitally mature can true and effective collaboration be enabled.
Robust infrastructure is the key to interoperability and collaboration. If organisations cannot ensure the safe sharing of data, it could have grave compliance and security ramifications, but this is a risk which is mitigable.
There’s so much value in the safe sharing of data, for organisations and citizens alike, and nowhere has this been more vividly displayed in the last 12 months than in health and care, as described by John Whittingdale earlier. But this can be taken many steps further, and many are calling for such a push. Allowing for collaboration and interoperability through secure, compliant and ethical sharing of data between Health and Social Care providers is a key recommendation of Public Policy Projects’ (PPP) Digitisation of Healthcare and Medical Technologies report. Secure cloud-based access to networks such as PSN, HSCN and RLI opens the door to a future of Health and Social Care collaboration, a future which can only be achieved through the rapid and comprehensive adoption of Secure Cloud.
This sort of opportunity is not limited by industry, but by ambition and desire for innovation. In the digital age, the value of data and collaboration is too important to pass up, yet, blindsided by inertia and inhibitions, organisations are not realising these opportunities.
Building cyber resilience and extra security protections
Cyber attacks have almost become the new criminal trend. Countless organisations have fallen victim to ransomware attacks, and with the recent ransomware attack on the Irish Health Service (HSE), it is clear that public sector organisations, big or small, are not off the list of potential targets for these syndicates. The NCSC released a great article recently tackling ransomware attack preparation and response.
How can you be so sure that your move to the cloud won’t be met by a cyber attack?
Well, that is a good question. Certainly, without careful consideration of security, your organisation will be putting its data at risk. However, data and workloads are just as at risk, if not more so, in ageing on-premise data centres. Because cloud, in state-of-the-art data centres, can be protected behind a steel wall of security protections, your data is safe from external threats. Often, attacks on cloud and on-premise data come from human error, such as phishing scams. However, with outdated and siloed hardware, Legacy IT is a ticking time bomb, and in no way a resilient and long-term solution.
With Legacy IT, there is a need to upgrade and consistently protect against threats and downtime – this becomes expensive and resource-intensive. Cloud solutions can differ depending on the provider, but most will offer many levels of cyber protection. Much of this we discussed earlier, but extra security protocols such as data encryption, Security Operations Centres (SOC) and disaster recovery support all mortar the wall of Secure Cloud cyber resilience.
Once again, staring at the flashing lights of your data centre doesn’t make your data any more secure. Siloed, outdated cloud solutions are placing sensitive and valuable data at risk every day, much of which can be mitigated through migrating to a Secure Cloud. It’s time to shore up our cyber resilience with cloud. To take your first steps to becoming more Cyber-aware as an organisation, see the recently refreshed ‘10 steps to Cyber Security’ infographic from the NCSC.
The most important avenue to change is speaking to cloud vendors. Have conversations with responsible providers about your ideal Secure Cloud solution, and your worries and qualms. UKCloud have a commitment to ‘doing the right thing’ by serving the best possible value to the taxpayer. Our goal is to encourage the wider uptake of digital technologies in the UK public sector, and to make transformation happen. To plan your Secure Cloud strategy, reach out to our Professional Services team today. If you want to learn more about Secure Cloud, browse our cloud solutions, or talk to one of our experts today.