Head of Government Pre-Sales, BAE Systems Applied Intelligence
10 Nov 2020
Cloud computing has been around for years, but fully deploying it within government and critical national infrastructure is no small feat. Chris Poole takes a look at what might be done.
Cloud computing – a term and approach which has quickly taken root. Even those of us who may not understand it will doubtless use it at some point – think Spotify, Microsoft 365, or Netflix, to name a few.
Government, too, is alive to its possibilities, and parts of it have been using it to its full advantage for years.
But while government is hungry for cloud's numerous benefits – such as reduced IT costs and empowered mobile workforces – it often requires higher assurance for “high trust sectors” such as Defence and National Security. So how can they, too, reap the potential dividends on offer?
Government organisations historically possess large data holdings across multiple complex environments. Public servants have services to deliver, missions to run, as well as the need for high security. There are three different areas we’ve seen growing quickly over the last year that can help fuel their journey to cloud, starting with cross domain solutions.
1) Cross-domain as an enabler to Digital Transformation
Picture an organisation with classified data. It wants the benefits of cloud services and ecosystems on both its unclassified and classified environments (as well as the added diversity of people), and to take advantage of modern ways of working across both environments. Cross domain enables this, whether that means importing or exporting data between environments, developing applications in public cloud, running searches across environments, or collaborating across environments.
But there are many challenges.
Any solution has got to balance security and usability – what’s the point of having the most secure system, if it’s not usable? Users also need to be able to collaborate using different tools, whether that’s email, video calls, chat, or collaboration platforms such as Microsoft Teams and Slack. In other words, users expect their work IT to be as good as or better than their home laptops or phones – quick, easy to use and stress-free (whilst still being secure).
Moving to cloud also requires a change in mentality for organisations in the high trust sector – it requires buy-in from business leaders, security and IT departments. It can’t be driven by any one of these groups, who may have competing risks. There’s a need, therefore, to identify champions from these groups, people who will talk up the benefits and help make the case for change.
Process and policy are central to any transformation programme. Organisations need the right governance in place. This typically involves a good understanding of existing culture, processes and policies, but also a good understanding of how working across classifications works in practice. And organisations also need to understand how to deploy and integrate capability securely, and how to optimise cost and performance as much as possible whilst maintaining security.
2) Make way for mission cloud
Some organisations want to use public cloud for sensitive business and mission applications, whilst maintaining a low risk profile – we have proved it can be done, through something we internally refer to as “mission cloud”.
The exam question here is how to do this whilst defending against nation states and the most sophisticated crime groups – with sufficient assurance. This is not always easy.
Typically, we find you risk ending up with one of two things. Either a security driven approach resulting in solutions with limited utility, or a standard cloud provider based controls approach resulting in either insufficient security, or difficulty demonstrating sufficient and appropriate security to assurance stakeholders. The challenge is getting the balance right.
3) Setting up secure serverless
From a developer’s perspective, serverless architectures are all about removing the need to maintain physical infrastructure and systems – you pay for resources that your application consumes. But what about the security? As with mission cloud, doing serverless securely has its challenges.
Take data residency, for example. Serverless architectures use cloud-based functions. Where is the data? How do I maintain assurance and audit on a solution that is changing so fast? Again, how do you get the balance right between a security driven approach, and a standard cloud provider based controls approach?
A solution for organisations wanting to become “risk managed” rather than “risk averse” is to take a threat based approach to cloud security.
Threat based cloud security
Firstly, understand the business context. Next, understand the threats to the use cases. These could be, for example, very different for a military customer looking for a deployed solution vs law enforcement hosting sensitive data.
From this, put together a context focused threat assessment and threat model. Iterate it, and stress it. This then informs the controls that need to be put in place, which can then be tested.
This process is typically iterative. Firstly, because threats change and it’s good practice to continually understand and evolve your threat model. And secondly, because everything is very “point-in-time” dependent – threat models assess many cloud services, but it’s equally important to keep on top of the services, as they can evolve quickly.
As for the future, it’s hard to predict what’s coming next but it’s fair to say that classified cloud systems will become more widely available. The rest of the world will certainly benefit from large cloud investments in the US (such as the JEDI programme) – but these will still need to be customised and developed for different geographies.
Secure Edge computing (think cut-down cloud capability in the field) is another likely development, and is likely to be driven initially by Defence with their need for capability that quickly and simply interoperates with the main enterprise. Cloud providers are already acquiring 5G networking companies, such as Microsoft buying Metaswitch, which will lead to some truly innovative and integrated solutions.
Finally, there will be more sensitive applications and data on public cloud. Processes, patterns and technologies will mature more, leading to maybe even classified data on public cloud with suitable controls.
Watch this space.
About the author
Chris Poole is Head of Government Pre-Sales at BAE Systems Applied Intelligence