How to bridge the public sector cloud gap
The public sector still perceives cloud as insecure, but times are changing, according to analyst Kable's Daniel Jones
While the pace of cloud computing adoption has reached new peaks, the public sector continues to lag behind private companies, despite initiatives to allay fears and spur uptake.
There are a number of key reasons for this, but the major issue is still the perception of insecurity. Although some innovative councils - and more recently, the Metropolitan Police - are beginning to embrace cloud adoption, the majority of the public sector remains overly risk-averse, and this has been a crucial blocker of adoption.
In many minds, loss of control will always equate to an insecure environment. A continued lack of due diligence from the media has also added to this feeling of insecurity. Continually, large-scale cyber breaches of all forms are reported as "cloud" breaches, when most still target corporate networks, not the cloud service providers (CSPs) themselves. The distinction, if made at all, is often unclear.
The marketing strategy of some cybersecurity firms has also played a negative role. In lieu of data to conclusively demonstrate ROI of security spend at board level, scaremongering has become a default marketing strategy. This is counterproductive in the long term.
However, despite these fears, a cloud environment can actually be far more secure than in-house capabilities.
Firstly, the nature of cloud computing makes reconfiguration in response to threats far easier. These threats are real, but are not necessarily more or less threatening to the cloud than to any other environment. We are too ready to forget the shortcomings of more familiar environments, particularly with regard to economies of scale and specialisation. Indeed, one of the major benefits of moving to the cloud is the ability to leverage the expertise of the vendor.
Most CSPs with sufficient scale see many thousands of times more threats than the average enterprise. In a growing and diverse threat landscape, this is a powerful driver of uptake. Additionally, given the prevalence of risk from insider threats, there is also a strong argument that cloud environments can significantly hinder the potential damage a malevolent employee can wreak by physically separating them from where data is stored. This also makes common tactics such as social engineering much more difficult.
CSPs should also help customers test for security, regardless of any other provisions in place. Crucially, buyers should never accept a one-size-fits-all approach, regardless of how basic or limited they believe their requirements to be. A good CSP will always be willing to work with the customer to create a cloud environment that is particular to their organisation.
Migrating to the cloud is the perfect time to undertake a holistic security audit of processes, assets and people. While the CSP has a crucial role to play in allaying fears, the buyer should of course undertake significant due diligence on their potential providers. IT security standards such as ISO27001 and the Cloud Security Alliance Cloud Controls Matrix (CCM) should be supplemented by personnel security standards such as BS7858.
The Cloud Security Principles issued in 2014 offer helpful guidance when building or implementing a cloud computing platform in the public sector. Empowered by changes to the Government Security Classification Policy, the requirements are far less prescriptive and more flexible than previous iterations and allow for easy adoption of off-the-shelf cloud products at the lowest "official" security band.
Additionally, recent changes to the VAT regime for contracted-out services in central government and the NHS have also shifted the cost calculation, as commodity cloud is now eligible for rebate. Taken together, these are powerful enablers of uptake, and of significant help in bridging the public-private cloud computing gap.
Dan Jones is senior analyst at public sector analysis group Kable