
Cloud security empowers governments and safeguards citizens [Promoted content]


This series from Amazon Web Services (AWS) focuses on guiding public sector organisations through successful digital transformation processes, and is based on key findings from the AWS Institute. Part 4 explores how hyperscale cloud platforms provide superior security to on-premises alternatives, and how leveraging cloud technology enables public sector organisations to better protect citizens’ data.  

Governments must keep citizens’ data secure. As the cloud has matured and understanding increased, organisations in sectors ranging from defence to international finance recognise that their data is more secure in the cloud than in on-premises data centres.

Organisations typically measure their security in three ways: confidentiality, integrity and availability. These are known in a traditional security risk management context as the “CIA Triad”:

  1. Confidentiality – the data can be viewed only by authorised people
  2. Integrity – the data cannot be altered or deleted
  3. Availability – the data must be accessible when it’s needed

The cloud deals with all three requirements better than on-premises data storage.

Confidentiality

Good data classification can help protect confidentiality. It determines what you have and where it is, and makes sure that it’s properly labelled. It also controls who has access. With the cloud, it’s simpler to know what you have and what you need to secure, and once you have this visibility, it’s simpler to manage and monitor access. There are many tools available to help do this, for example AWS CloudTrail, which monitors and logs activity across the organisation’s infrastructure and simplifies auditing.

While managing and monitoring can be done on premises, it will ultimately increase the burden on the organisation. It can be difficult to deploy new encryption keys to secure your systems, and you’re likely to miss things – and there’s no point trying to secure 90 percent of it and leaving 10 percent open.

Integrity

Protecting data against threats and intrusions is a central aspect of integrity. Responsible cloud service providers are focussed on securing the data of millions of customers and are constantly checking for threats and intrusions. The time between an on-premises environment being breached and that breach being detected and closed out is, on average, nine months. 

Economies of scale mean that cloud service providers are able to invest billions of dollars in security, and AWS is architected to be the most flexible and secure cloud computing environment available today. Our infrastructure is built to satisfy the security requirements for the military, global banks, and other high-sensitivity organizations, is monitored 24/7, and allows encryption of all of the data flowing across the network before it leaves our secured facilities. This is backed by a deep set of cloud security tools, with over 300 security, compliance, and governance services and features—more than any other cloud provider.

Availability

Availability is an aspect of security that may not be the first feature people think about. However, government services need to work 24/7 and need constant access to data, and if you store data on premises, you sacrifice availability for a perception of control. There’s a dated view that you have more control because you can see something but, in the cloud, data is stored in multiple data centres, ensuring much greater availability.

To illustrate this, consider the AWS Region. This is a cluster of data centres in a physical location. Each group of logical data centres is known as an Availability Zone (AZ). Each AWS Region consists of a minimum of three isolated and physically separate AZs within a geographic area, rather than a single data centre. Each AZ has independent power, cooling and physical security and is connected via redundant, ultra-low-latency networks. This has benefits for high availability and fault tolerance. All traffic between AZs is encrypted. AZs are physically separated by a meaningful distance, many kilometres, from any other AZ, although all are within 100 km (60 miles) of each other.

Military-approved data security 

Rich Crowther, head of the UK’s Ministry of Defence’s Digital Service, recently commented, “Today I’d say that in most circumstances we can do a better job of security in the cloud than we can do on premises.” 

There are three main reasons for this improved data security. First, hyperscalers can quickly apply updates, ensuring all parts of the technology stack are up to date. Second, cloud platforms are built to adjust easily. This enables users to change security settings, watch for unusual online activity and make sure that servers aren’t vulnerable to hackers. Finally, almost every action in these systems needs approval and there’s a clear record of all such actions and interactions.

Of course, users of the cloud still have some responsibility for security. At AWS this is known as the shared responsibility model. As the cloud service provider, AWS secures the hardware and software and also ensures that the database and storage are secure. Customers are responsible for configuring their encryption, traffic protection, the applications they run and so on. There are fine-grained tools to control all these features in accordance with customers’ security policies and risk appetite.

Public sector organisations will still need clear security policies, based on their appetite for risk, and a Chief Information Security Officer (CISO). Ideally, there should be somebody at board level who understands cybersecurity. However, moving to the cloud significantly improves the quality of security decisions because it improves the quality of information available on which to base such decisions. This ranges from knowledge of threat levels and infrastructure reliability to the capability of your security tools.

The next and final feature in this series from AWS will focus on showcasing how public sector organisations can design digital services that work better for citizens. 
