In the third blog of our Triad Policing and National Security series, we explore the complex area of protecting sensitive data on the cloud.
Triad has been delivering policing and law enforcement projects for nearly 20 years. We understand the challenges of combining disparate IT systems with complex areas of policing and best in practice methodologies. When it comes to matters of national security, there is a natural tension with technology, and there is perhaps a no better example of this than the cloud.
It’s cool to be on the cloud
Whilst the notion of network-based computing dates back to the 1960’s, many believe that the first use of “cloud computing” in its modern context occurred on August 9, 2006, when then Google CEO Eric Schmidt introduced the term to an industry conference. “What’s interesting [now] is that there is an emergent new model,” Schmidt said, “I don’t think people have really understood how big this opportunity really is. It starts with the premise that the data services and architecture should be on servers. We call it cloud computing—they should be in a “cloud” somewhere.”
This “new emergent model” really took off, undoubtedly due to its many benefits, including cost savings, security, flexibility, mobility, increased collaboration, disaster recovery and loss prevention. Of these, security is often cited as a major influencer for migrating to the cloud.
RapidScale claims that 94% of businesses saw an improvement in security after switching to the cloud, and 91% said the cloud makes it easier to meet government compliance requirements. Why then, are we questioning whether cloud and security are compatible?
When it comes to security, not all data is equal.
Take policing, for example. SIROs (Senior Information Risk Officers) and security experts are typically responsible for deciding how different data is stored, handled, and disposed of. They will categorise data using the Government Security Classifications (Official, Secret and Top Secret), with data handling requirements, such as encryption, audit and alerting, availability, user management and governance, implemented accordingly. Typically, the higher the data’s security classification, the higher the complexity and cost to store, process and retrieve it. When it comes to storing police data on the cloud, a security strategy is the first and perhaps, most important consideration.
What does a security first cloud strategy look like?
The National Cyber Security Centre offers 14 Cloud security principles to help organisations choose a cloud provider that meets their needs. For each of the principles, they explain the security goals that a good cloud service should meet and key aspects to look for in the right cloud solution for your organisation.
Policing organisations have been moving aspects of their operations to the cloud for some time. Many will utilise powerful Cloud-based services to add more value. Speech-to-text, language translation and facial recognition can enrich datasets with searchable metadata, whilst machine learning can boost proactive policing innovations by identifying trends within data and performing predictive analysis.
Some applications may need to remain on infrastructure entirely disconnected from the internet, instead of running on trusted policing networks. Others might allow restricted access to Cloud services and infrastructure, whilst some, such as public facing services, might already be Cloud native. It might be deemed necessary to operate high security-classified systems using on-premise infrastructure. Still, the use of synthetic or redacted data may enable supporting test environments to be hosted on Cloud infrastructure.
Migrating existing services to the Cloud may highlight a need for more stringent controls or adopting a zero-trust security model. Understanding the implications of storing information at different security classifications is essential. For example, data stored in an environment accredited to one security classification, Secret, may be allowed to flow to a more secure environment, such as Top-Secret, but should never flow to a less secure environment, such as Restricted.
Picking low-hanging fruit first, for example, moving less-sensitive public facing applications to the Cloud, has helped policing organisations test and refine their approach to Cloud adoption. With experience under their belts, they can move more sensitive parts of their core domain to the Cloud, using specialised Cloud services to enrich data and enable greater transformational change.
This leads us back to the question we started with. Are internet security and cloud computing mutually exclusive? No. But they are not mutually inclusive either. It is a balancing act between exploiting technology to improve detection and prevention vs protecting data and information that could be, for some of our clients, matters of national security. This takes careful consideration. And we are always on hand to help.
We hope that you have found this blog useful. If you are interested in our law enforcement work or have a question for the Triad Policing and National Security team, please contact Jon Graham – firstname.lastname@example.org or 07912490295