While the pace of cloud computing adoption has reached new peaks, the public sector continues to lag behind the private sector, despite initiatives to allay fears and spur uptake. There are a number of reasons for this, but the single biggest issue is still the perception of insecurity. Although some innovative councils and, more recently, the Metropolitan Police are beginning to embrace cloud adoption, the majority of the public sector remains overly risk averse, and this has been the crucial blocker of uptake.
In many minds, loss of control will always equate to an insecure environment. A continued lack of due diligence in the media has added to this feeling of insecurity. Large-scale cyber breaches of all kinds are repeatedly reported as "cloud" breaches when most still target corporate networks rather than the CSPs (Cloud Service Providers) themselves; the distinction, if made at all, is often unclear. The marketing strategies of some cybersecurity firms have also played a negative role. In the absence of data that conclusively demonstrates the ROI of security spend at board level, scaremongering has become a default marketing strategy. This is counterproductive in the long term.
However, despite these fears, a cloud environment can actually be far more secure than in-house capabilities. Firstly, the nature of cloud computing allows reconfiguration in response to threats far more easily. These threats are real, but they are not necessarily more or less dangerous to the cloud than to any other environment. We are too ready to forget the shortcomings of more familiar environments, particularly with regard to economies of scale and specialisation. Indeed, one of the major benefits of moving to the cloud is the ability to leverage the expertise of the vendor: a CSP of sufficient scale sees many times more attacks, and a far greater variety of them, than the average enterprise, and can fold what it learns into defences for every tenant. In a growing and diverse threat landscape, this is a powerful driver of uptake.
Additionally, given the prevalence of insider threats, there is a strong argument that cloud environments can significantly limit the damage a malevolent employee can wreak by physically separating them from where data is stored: an insider can no longer walk out with a disk or tamper with a server in the machine room. This also makes common tactics such as social engineering of on-site staff more difficult. The caveat is that physical separation does nothing about access through legitimate credentials, so the benefit depends on the identity and access controls the buyer puts in place on top of the platform.
CSPs would be well served to highlight their transparency and security reporting features and capabilities. Transparency in particular can allay fears over loss of control. If those fears also extend to vendor lock-in, CSPs should emphasise interoperability. For example, some cloud services have gained such widespread uptake that their interfaces have become de facto standards, emulated by other providers. Compatibility with these APIs can ease the issue of vendor migration.
CSPs should also help customers test the security of their environment, whatever other assurances are already in place. Crucially, buyers should never accept a one-size-fits-all approach, however basic or limited they believe their requirement to be. A good CSP will always be willing to work with the customer to create a cloud environment that fits their organisation.
Migrating to the cloud is the perfect time to undertake a holistic security audit of processes, assets and people. While the CSP has a crucial role to play in allaying fears, the buyer should of course undertake significant due diligence on both their potential provider and their own organisation. IT security standards such as ISO 27001 and the Cloud Security Alliance Cloud Controls Matrix (CCM) should be supplemented by personnel security standards such as BS 7858.
The UK government's Cloud Security Principles, issued in 2014, offer helpful guidance when building or implementing a cloud computing platform in the public sector. Enabled by changes to the Government Security Classification Policy, the requirements are far less prescriptive and more flexible than previous iterations, and allow off-the-shelf cloud products to be adopted easily at OFFICIAL, the lowest classification tier.
Additionally, recent changes to the VAT regime for contracted-out services in central government and the NHS have also shifted the cost calculation, as commodity cloud is now eligible for rebate. Taken together, these are powerful enablers of uptake, and of significant help in bridging the public-private cloud computing gap.
Dan Jones is a Senior Analyst at Kable with the remit of defence, national security and information security. Prior to joining Kable, Dan was a defence & security analyst for an independent business information provider in the City of London.