Governments need to take bold action to protect the data they hold about their citizens. Physical, legacy data infrastructure and security systems are often too expensive to run and maintain, interoperable and susceptible to cyberattacks. Russia’s invasion of Ukraine, which is being fought in cyberspace as well as on the ground, is an example of the need to protect critical digital national infrastructure.
Mark Evans, principle security strategist at Amazon Web Services (AWS), outlines why governments need to increase their take-up of cloud services, and how this can bolster national security.
How do governments currently leverage data? Are the current systems outdated?
As per the 2022 legacy IT guidance, “legacy IT is a multi-billion pound problem” for the UK government and the technical debt that goes with that. I think we have a combination of approaches to tackle this technical debt. But large parts of the government are already well on the road to modernising – especially in regard to data storage. Some of that is simply lift and shift migration [of data] to the cloud. But most of the departments that I work with are looking at how they can more effectively utilise the datasets in the context of cloud services. For example, in the UK, HM Land Registry was able to cut document review time by 50 per cent, the UK Driver and Vehicle Standards Agency (DVSA) was able to lower costs by 42 per cent, and the Registers of Scotland was able to innovate and modernise the world’s oldest public land register, by moving to AWS and leveraging the wide range of services available.
What are the potential benefits of governments using cloud technology over on-premises data environments for security purposes?
One of the benefits that I see hyperscale cloud offering is the ability for governments to more effectively share data in a secure manner. With cloud, governments can bring together concepts like data spaces to build single primary systems for indexing data. For example, key data can be centralised on a single citizen record system, rather than having copies of the same information spread across multiple departments. Utilising the security features and capabilities of the cloud, the data will be available via an Application Programming Interface (API) to many departments but with the single record system controlling who and what has access to that data.
How secure would cloud services in a government context – holding millions of citizens’ data – be?
Security is the central pillar around which AWS infrastructure and services are designed and managed. We have an executive focus from the top down within the organisation. This is reflected in the compliance regimes that we run globally, as well with the third-party audits that we are subject to around the globe. AWS offers a deep set of 300+ cloud security tools and supports 143 security standards and compliance certifications. And because we invest in those security services, we’re better at it than most. Our customers benefit from a cloud and network architecture built to meet the requirements of the most security-sensitive organisations and industries, including the government, financial services and healthcare.
[See also: You can’t retrofit security into AI – it needs to be built in at the start]
Can you explain how the adoption of cloud technology for security purposes can also be cost-effective?
Cloud is effectively a price-on-consumption model, so you’re paying for what you use. But you also have to factor in the underlying capital costs that you would normally have incurred with legacy systems. By moving to cloud, you’re removing the need to worry about a lot of those capital costs: the physical servers and data centres, and all of the lifecycle costs around those, all of those need maintenance and upkeep.
With AWS cloud infrastructure, and our broad set of security services, and partners, organisations are able to integrate powerful security technology and control that enable their business to innovate securely.
How do you see AWS helping public institutions bolster their security provisions via cloud services?
Organisations using AWS get the most secure cloud infrastructure, the ability to automate services and create end-to-end security for their businesses. And that gives governments visibility across the state from a security point of view, and much tighter control. Everything’s visible through an API as well, which really gives governments the opportunity to start to drive automation into their security. For example, automating remediations to items that might come up on a regular basis, and allowing security resources to really focus on the monitoring of major threats and attacks.
AWS was lead sponsor at the NCSC’s CyberUK 2023 event. What stood out regarding the sector’s demands on security and the cloud?
The theme of this year’s CyberUK event focused on securing an open, resilient, digital future. Resilience is something that AWS cloud provides inherently as part of its feature set. One point that particularly stood out from the conference was the need for resilience in the face of nation-state actors. Victor Zhora, deputy chairman and chief digital transformation officer of the State Special Communications Service (SSSCIP) of Ukraine, in one of the keynote speeches, spoke about how Ukraine had utilised partnerships with the cybersecurity specialists in the private sector to safeguard its critical data and digital infrastructure. AWS was at the forefront of that, working with the Ukrainian government to enable their digital economy to continue to function in the face of concerted cyberattacks by Russia.
How pressing is the case for the government to take up cloud systems for security purposes?
The government has to act now because of the breadth of legacy estate and technical debt that it has overall, which is costing more and more to maintain, and becoming more vulnerable to potential attacks.
AWS Security | AWS content hub | Register for AWS Public Sector Day 2024 | CyberUK 23 – The role of leadership, culture and skills