Accelerate public sector transformation with the cloud: Security
Five challenges of digital transformation
Introduction
The cloud enables governments to accelerate the transformation of their services. Examples of successful transformation using the cloud, from Singapore to the UK, India to Iceland, Australia to Argentina and many countries in between, show that the public sector can respond to its citizens’ changing needs. However, they also show that transformation is about more than modern technology. There are common elements that underpin success. There are also common challenges. Some nations are well advanced, and those who started their transformation journey more recently can benefit from the experience of early adopters.
The Amazon Web Services (AWS) Institute has taught almost 5,000 government leaders in 23 countries through its Executive Education programme, in collaboration with leading academic and international nongovernmental institutions. Participants deliver government services of varying types and sizes. They raise five common challenges.
Five common challenges to digital transformation:
1. Where to start
2. How to build capability
3. How to acquire new IT and manage legacy systems
4. The security of citizens’ data
5. How to design better digital services for citizens
This guide summarises the answers from experts, many of whom have first-hand experience of nation-scale transformation. There are links to real examples and additional resources, including technical guides. The guide is in five distinct sections that reflect the most common challenges. Find more insight and solutions for other transformation challenges specific to your region or service at the AWS Institute.
I have to protect people’s data – is the cloud secure?
A note from the expert contributors:
Security is a major concern in today’s connected world – but the cloud can be more secure than relying on your own on-premises systems.
This section explains how hyperscale cloud platforms are a better solution for technology security. It provides examples of powerful tools to leverage in the cloud and explores why the UK’s Ministry of Defence is among organisations that consider the cloud to be safer than on-premises data centres.
Expert contributor
Alex Meek-Holmes
Sovereignty and Strategic Infrastructure Senior Manager, AWS
Data is more secure in the cloud than on-premises
Governments must keep citizens’ data secure. As the cloud has matured and understanding increased, organisations in sectors ranging from defence to international finance recognise that their data is more secure in the cloud than in on-premises data centres.
Organisations typically measure their security in three ways: confidentiality, integrity and availability. These are known in a traditional security risk management context as the CIA Triad:
- Confidentiality – the data can be viewed only by authorised people
- Integrity – the data cannot be altered or deleted without authorisation
- Availability – it must be accessible when it’s needed
The cloud deals with all three requirements better than on-premises data storage.
Confidentiality
“The thing people worry about most is that somebody else can see it, and should not be able to see it, and then do something bad with it – such as delete it,” explains Alex Meek-Holmes. “It’s important at a base level to be able to know what you have in order to secure it.”
Good data classification can help with that: It determines what you have and where it is, and makes sure that it’s properly labelled. It also controls who has access. With the cloud it’s simpler to know what you have and what you need to secure. Once you have visibility it’s simpler to manage and monitor access. For example, AWS Identity and Access Management (IAM) offers granular control of the people and systems that can access cloud resources. Meanwhile, a tool such as AWS CloudTrail monitors and logs activity across the organisation’s infrastructure, which simplifies auditing.
Managing and monitoring can be done on premises, according to Meek-Holmes, but it will increase the burden on the organisation. He explains, “It goes back to configuring things. It can be difficult to deploy new encryption keys to secure your systems; you’re more likely to miss things, particularly if you’re talking about managing the boundaries of your environment. That’s important because there’s no point trying to secure 90 per cent of it and leave 10 per cent open.”
Integrity
Protecting data against threats and intrusions is a central aspect of integrity. Cloud service providers are focussed on securing the data of millions of customers and so they constantly check for threats and intrusions. Richard Price says: “The time between an on-premises environment being breached and that breach being detected and closed out is, on average, nine months.”
Cloud service providers invest billions of dollars in security. This investment leads to innovations such as the AWS Nitro System, which splits the operations of a computer chip into two so that the processes that manage customer data are separate from those that run the cloud. This protects the data from a range of advanced cyber attacks.
Availability
Availability is an aspect of security that may not be the first feature people think about. However, government services need to work 24/7 and you need constant access to data. “If you store data on premises, you sacrifice availability for a perception of control,” explains Meek-Holmes. “There’s a dated view that you have more control because you can see something. In the cloud, data is stored in clusters of data centres, ensuring that it’s still available if there’s a problem with one of them. These are geographically defined because some organisations, such as governments, want to confirm their data is not passed into foreign jurisdictions.”
To illustrate this, consider an AWS Region. A Region is a cluster of data centres in a physical location; each group of data centres within it is known as an Availability Zone (AZ). Each AWS Region consists of a minimum of three isolated and physically separate AZs within a geographic area, rather than a single data centre. Each AZ has independent power, cooling and physical security and is connected to the others via redundant, ultra-low-latency networks, which benefits high availability and fault tolerance. All traffic between AZs is encrypted. Each AZ is physically separated from every other AZ by a meaningful distance, many kilometres, although all are within 100 km (60 miles) of each other.
The customer retains some responsibility for security. In AWS this is known as the shared responsibility model. As the cloud service provider, AWS secures the hardware and software and also ensures that the database and storage are secure. Customers are responsible for configuring their encryption, traffic protection, the applications they run and so on. There are fine-grained tools to control all these features in accordance with your security policies and risk appetite.
Your organisation will still need clear security policies, based on its appetite for risk, and a chief information security officer (CISO). Ideally, there should be somebody at board level who understands cybersecurity. However, Price explains that moving to the cloud significantly improves the quality of security decisions because it improves the quality of information available on which to base such decisions. This ranges from knowledge of threat levels and infrastructure reliability to the capability of your security tools.
Security trusted by the military
Many organisations are pleased to move to the cloud because managing the security of their on-premises estate is becoming expensive and difficult. For the UK Ministry of Defence, the cloud offered many benefits. Rich Crowther, as head of the Defence Digital Service, wrote, “Today I’d say that in most circumstances we can do a better job of security in the cloud than we can do on premises.”
He gave three main reasons for that: patching, scale and authorisation. It is worth considering each in turn because they are relevant to a wide range of organisations.
Patching
Keeping systems patched by installing the latest updates is a vital part of security, whether you’re aiming to protect a personal laptop or an entire nuclear power plant. All threat actors – from bored and mischievous teenagers through to nation states – have the capability to attack an unpatched system. But new vulnerabilities are being discovered all the time, so the number of patches can be overwhelming.
Few organisations have patching capacity to match that of hyperscale cloud service providers, which can apply patches to every layer of the technology stack as soon as they’re available, often before smaller organisations are even aware of a problem. It’s a simpler task when you run an operation at hyperscale.
Scale
The scale advantage runs right through every part of the cloud platform. If you want to change your security controls for an in-house system, that might entail someone visiting each location to manually update servers and switches. At cloud level, if you need immediate monitoring of traffic leaving your system, that’s straightforward. It’s similarly simple to check that your internet-exposed servers aren’t open to hackers. And if your challenge is to ensure your administrators’ access is recorded in an immutable log and stored indefinitely, then that is quickly addressed, too.
These things can be done in on-premises environments, but some could represent hours, days or even weeks of effort, whereas they are simple and quick to achieve in the cloud.
Bespoke systems, although tempting for those who are wary of the cloud, can struggle with scale. When they try to scale and can’t, they tend to stop working entirely. Cloud platforms are specifically designed with flexible scaling at their core.
Authorisation
Anyone who has deployed infrastructure in a cloud environment will be aware that there is a strong focus on identity and authorisation. Almost any action can be set to require authorisation and an audit trail kept of every one of these actions. The decision logic can account for who is logging in, where from, whether the action they want to take is allowed, and more.
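The decision logic described here (who is acting, where from, whether the action is permitted) is also what an auditor applies when reading the immutable activity log mentioned under Scale and the AWS CloudTrail logging mentioned under Confidentiality. The script below is an added example and is not code from the AWS Institute page or from AWS: it triages a handful of constructed records written in CloudTrail's general shape, flagging console logins without MFA, activity from outside an assumed administrative network range, and an assumed list of sensitive actions. The network range, the sensitive-action list and every identity in the sample are assumptions made for the illustration.

```python
"""Triage of CloudTrail-style events against a simple access expectation.

Added example, not from the AWS Institute page or from AWS. The sample
records are constructed to resemble CloudTrail records; the allowed
network range and the sensitive-action list are assumptions.
"""
import ipaddress
import json

# Assumed: administrative access is expected only from this range (TEST-NET-3).
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed: actions that should always carry MFA and come from a known network.
SENSITIVE_ACTIONS = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("iam.amazonaws.com", "AttachUserPolicy"),
    ("kms.amazonaws.com", "ScheduleKeyDeletion"),
}


def mfa_used(event: dict) -> bool:
    """Console logins and API calls record MFA in different fields."""
    if event.get("eventName") == "ConsoleLogin":
        return event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    session = event.get("userIdentity", {}).get("sessionContext", {})
    return session.get("attributes", {}).get("mfaAuthenticated") == "true"


def from_allowed_network(event: dict) -> bool:
    """True if the caller's address is inside an allowed range."""
    ip_text = event.get("sourceIPAddress", "")
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        # Calls made on the account's behalf by an AWS service carry a
        # service hostname here rather than an IP address.
        return ip_text.endswith(".amazonaws.com")
    return any(ip in net for net in ALLOWED_NETWORKS)


def triage_event(event: dict) -> list:
    """Return a list of human-readable findings for one event (empty if clean)."""
    findings = []
    who = event.get("userIdentity", {}).get("arn", "<unknown principal>")
    action = (event.get("eventSource"), event.get("eventName"))
    if action[1] == "ConsoleLogin" and not mfa_used(event):
        findings.append(f"console login without MFA by {who}")
    if not from_allowed_network(event):
        findings.append(
            f"{action[1]} by {who} from unexpected address {event.get('sourceIPAddress')}"
        )
    if action in SENSITIVE_ACTIONS:
        if event.get("errorCode"):
            # A denied attempt is still worth a look: it shows intent.
            findings.append(f"denied sensitive action {action[1]} attempted by {who}")
        elif not mfa_used(event):
            findings.append(f"sensitive action {action[1]} by {who} without MFA")
    return findings


def triage_log(lines) -> list:
    """Triage newline-delimited JSON records, skipping blank lines."""
    findings = []
    for line in lines:
        if line.strip():
            findings.extend(triage_event(json.loads(line)))
    return findings


# Constructed sample records (account id and names are placeholders).
_ALICE = "arn:aws:iam::111122223333:user/alice"
_BOB = "arn:aws:iam::111122223333:user/bob"
_MFA = {"sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}
_NO_MFA = {"sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}
SAMPLE_EVENTS = [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": _ALICE},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": _BOB},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": _BOB, **_NO_MFA}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": _ALICE, **_MFA}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": _ALICE, **_MFA},
     "errorCode": "AccessDenied"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

The same three questions are expressed in AWS itself as IAM policy conditions (for example requiring MFA or restricting source addresses); the point of reading the trail as well is that the log shows what actually happened, including denied attempts, rather than only what the policy intended.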
Ultimately, what cloud platforms allow is a security scope and scale that most organisations could not manage themselves. With that taken care of, they can focus on their core business tasks.
Data security case studies
United Kingdom
How the UK National Cyber Security Centre balanced user needs and security through the cloud
Ukraine
Securing government data in the cloud in a time of crisis
Additional resources
- The AWS Institute
- Video: Confidential computing: an AWS perspective
- Blog: AWS Public Sector Transformation Essentials: Security in the cloud
- Podcast: AWS Conversations with Leaders: Making security personal for the public sector
- The Data Protection and Data Privacy Center
- Blog: Confidential computing: an AWS perspective
- Blog: AWS cloud services adhere to CISPE Data Protection Code of Conduct for added GDPR assurance
- AWS-sponsored IDC whitepaper: Trusted Cloud: Overcoming the Tension Between Data Sovereignty and Accelerated Digital Transformation
- AWS Regions and Availability Zones explained
Expert contributor
Alex Meek-Holmes
Sovereignty and Strategic Infrastructure Senior Manager, AWS
Alex Meek-Holmes is a digital transformation leader on the government transformation team at AWS. He worked in the UK civil service before joining AWS. He was most recently responsible for cybersecurity across UK industry. As chief operating officer of the Government Digital Service (GDS), he played a key role in the digital transformation of UK government, improving services for citizens and saving billions of pounds. Previously he worked in HM Treasury, where he devised and implemented spend controls, which helped the UK government move to cloud computing. He is a policy fellow at the Royal Academy of Engineering.
Editor
Sarah Ryle AWS Institute senior content manager