CLOUDIER STILL – SOME POINTERS FOR CLOUD IT BEST PRACTICE

The article below was something that I penned with Dr Matt Peck back in 2018. Long before 'remote' was the new norm. It's interesting to see where and what principles still prevail. Having led a UK niche information security provider through major change and significant accreditations, I think there are some great pointers here that may be useful to any other CEO/COO looking at cloud and hybrid technologies as a means to support their enterprise in the 'Covid economy'.

Cloud approaches to IT and business process open up a tremendous range of opportunities but also present challenges and thinking points in equal measure. The first myth to debunk is that cloud means easy: it does not necessarily, even if it may mean less expensive – caveat emptor.

The least expensive option is seldom the best value, and it is rarely the easiest to implement and secure.

From a professional services perspective, consultants and others spend a lot of time and effort with, and on behalf of, our customers, providing assurance that the boundaries and interfaces of the systems, processes and interactions that let data flow seamlessly and quickly are secure and robust. Cloud offers some great savings, but to realise them even more effort needs to be spent from the outset on appropriate design and robust implementation. Investing up-front in appropriate design and understanding through-life costs, constraints and opportunities is key for future interoperability.

When we utilise cloud services, what exactly do we mean?

Although there are a number of ways of spinning this, cloud really boils down to using third-party applications, data, storage or processes. A simplistic view is that it is simply “using someone else’s computer”. But what happens to the data, how does it get to the user and back, who is connected to the applications, what protections are in place, what is the data privacy angle, how do we know it works, who is managing it, is the data replicated and backed up offshore, and so on? If you are working in a government department and you are using a government-issued computer or mobile device, you probably should know. If you are operating using your own device, you should definitely know. Your Chief Information Security Officer (CISO) will have sent you numerous emails and briefs on the importance of understanding the information life-cycle. If you do not know who your CISO is, find out and heed their advice. Work with them. Security is an enabler, not a blocker, if done well.

Where cloud helps is that more and more applications can be used to conduct government business in a seamless manner. Renewing vehicle documents, taxation, passport and identity checks all have elements of cloud-based delivery. The interesting area is where information boundaries get crossed between public and private sector entities. Identity checking relies on commercial data provision and hosted services, mapping and demographic information is delivered from multiple sources (geology, topography, flood, insurance data), and this is a good thing. Commercial organisations have been using this ‘mash-up’ model for years. Government ‘mash-ups’ of data and services may not be as eye-catching as those provided by the likes of Google, but the principles are the same. Cloud offers scaling (with pricing certainty) and also allows mass access to common platforms and services. However, this model is not wholly applicable to all government departments due to information classifications (or protective markings), restrictive boundary conditions and codes of connection that protect departments from hackers, malicious actors, data loss or data leaks. So, whilst cloud offers great utility, it is certainly not a question of one-size-fits-all. Understanding your own data holdings and obligations, and being clear on what data you need to operate with, is critical to determining your operating model.

In my experience of IT security practices and principles, government (and its supply chain) and commercial customers in the UK are all using frameworks such as Cyber Essentials, Cyber Essentials Plus and ISO 27001 to work out their risk appetite. This risk appetite then maps to a clear understanding that data is the asset being protected and harnessed. In turn, this informs the architectural decisions and policies required to determine which options fit best. What is paramount is to understand where the interfaces are as data transits boundaries, and which services sit where. This is good IT practice, and any organisation relying on external services really needs to have a clear set of interface controls in place. In short, this suggests that there is no single ‘right answer’ as to which form of cloud platform or services you should adopt (if any). Understanding your digital boundaries, and who and what interfaces with them, is an essential engineering task that all organisations must manage and control: advocate it at an institutional level but enforce it at all endpoints.

In a world where data is an asset and people (and personal data) become ‘products’, it is incumbent on everyone working with data and technology to think about where data is flowing, what its provenance is, to whom it belongs and who it impacts.

  1. Investing up-front in appropriate design and understanding through-life costs, constraints and opportunities is key for future interoperability.
  2. If you do not know who your CISO is, find out and heed their advice. Work with them. Security is an enabler not a blocker if done well.
  3. Understanding your own data holdings and obligations and being clear on what data you need to operate with is critical to determining your operating model.
  4. Understanding your digital boundaries and who and what interfaces with them is an essential engineering task that all organisations must manage and control and advocate at an institutional level but enforce at all endpoints.

First published November 2018 - www.drixtech.com - all views are my own.

Simon

Manohar Lala

Tech Enthusiast| Managing Partner MaMo TechnoLabs|Growth Hacker | Sarcasm Overloaded

2 years

Simon, thanks for sharing!

Nigel Robinson

I believe in delivering societally beneficial solutions through the transformative use of AI and data.

4 years

Great article Simon with some really useful points

Dave Privett

Information Security Analyst at Civil Aviation Authority

4 years

Good read Simon and some valid points in today’s climate too, more so than ever before...
