CTB Panel of Experts: cloud security
With the help of our Panel of Experts, Counter Terror Business looks at the potential benefits cloud technology can offer to forces at the front line and the potential obstacles the technology may face
Cloud computing has made substantial strides in delivering huge efficiencies and cost savings to organisations across the private sector. With the policing and security sector, like most other industries in the UK, working towards becoming fully equipped for the digital age, the cloud represents a good opportunity for the police force to improve its digital capabilities. Alongside the NHS and local government, the police in the UK continue to be stretched in terms of expectations and workload, all the while working on a shrinking budget.
According to the Metropolitan Police, the force has had to find approximately £600 million of savings, with government funding having fallen by 40 per cent in real terms since 2011. This has contributed to the loss of a third of police staff posts, which are down from 14,330 to 9,985, as well as two-thirds of police community support officer (PCSO) posts, which are down from 4,607 to 1,591. Cloud technologies therefore have become crucial in providing police with cost‑effective and flexible ways of managing investigations and operations.
A varied offering
Paul Parker, chief technologist of Federal and National Government at SolarWinds, is quick to note that in the security sector, as well as in defence, ‘IT needs are extremely varied, ranging from mission-critical communications and satellite imaging for deployed troops to intelligence insight for reconnaissance in remote areas’. When looking at our military presence, both close to home and far afield, cloud‑based technologies invariably provide a solution to many of the problems that come with taking IT infrastructure on location. According to Parker, UK-based defence organisations spent more than £64 million embracing cloud technology in the five-month period from May through September 2017, although the Ministry of Defence has stated that less than 25 per cent of its IT infrastructure has been migrated.
This emphasises the contrasting adoption and appreciation of cloud technologies. Many place importance on reliability, maintaining confidence in holding storage and network connections locally. However, not only does this require ‘taking huge amounts of equipment from location to location’, sometimes in unfavourable conditions, but it also depends upon ‘backing up all data by copying over to physical tape storage’. On the other hand, ‘leveraging cloud technology takes advantage of the ever-improving global communication network’, seeking a faster and more flexible service. This also enables the creation of mobile tactical kits that provide ‘the same, if not better, access to information without the need for excess equipment’.
There is no doubt that cloud offers a very significant shift in the way we work, a notion that Simon Daykin, chief technology officer at Leidos, highlights in our recent conversation. He says that the key to benefiting from the new technology is to exploit it for your own needs, providing organisations the chance to assess ‘what is the problem we are really trying to solve?’ and then re-thinking the way we can use technology to deliver that. Moving forward, with the counter terrorism industry in mind, it is imperative that we ‘don’t fossilise the way we do things’ in the cloud, but thoughtfully re-imagine how it can be used to ‘improve real time collaboration’, exploiting increased bandwidth and rapid information sharing.
We only have to look at how other companies and industries are making the most of cloud technologies. Vendors such as Amazon, Microsoft and Google continue to work closely with organisations to provide them with exactly what they need, while through digital innovation companies like Netflix have replaced the way that people hire videos, and Uber, a taxi company that doesn’t really own any taxis, has transformed the way people book their transport.
Daykin also stresses that although cloud remains a fairly new delivery model, it is actually ‘easier to implement more structured and more standardised controls across a cloud infrastructure’. Therefore, it is appropriate to take an assured risk-based model to ensure you understand what information needs to be protected and be absolutely assured that the security can be managed equally, if not sometimes even more securely, than historically it has been.
Andy Burston is a former UK police officer who is contributing to this discussion for the UK division of the Information Systems Security Association. He agrees with this and comments that, as companies ‘solely driven by budget’ will ultimately jeopardise the availability of services and information that underpins successful policing, the choice of cloud provider becomes even more critical. Burston advises organisations and forces to look for a cloud provider who can provide assurance and visibility that ‘serves more than the needs of an IT or security analyst’, as satisfying the reporting requirements of the senior risk owner is now absolutely essential, no longer ‘an optional nice to have’.
Many existing systems and data can move to cloud with minimal change to structure, format or usability, so be wary of assuming that cloud transition must also be ‘an opportunity to embark upon other programmes of business change and digital transformation’.
Moore’s Law predicts the processing power of computers to double every two years. Returning to the views of Paul Parker, this means that the strength and capability of cloud and communications technology will continue to increase. Daykin reports that trying to transform legacy processes to the cloud can often result in ‘getting bogged down and stuck, trying to do something it wasn’t designed to do’. Therefore, it is only right to recognise that we ‘reimagine’ and have the process and the system architecture to support that.
While it is undeniably important to deploy a system that is end‑to‑end and scalable, it is perhaps more significant to be running on a platform that recognises the privacy and security of sensitive information. Parker alludes to a recent example of this, referencing the recent announcement of the Amazon AWS Secret Region, which can operate workloads up to the Top Secret U.S. security classification level. On a more local and recognisable level, we only have to look at the collation and use of data in police evidence files. Hosting such information digitally means that it can be accessed from outside of the physical space in which it used to be held, posing a problem to cloud adoption for some of the more traditional police forces and security companies.
But there is no reason as to why the wider accessibility issue shouldn’t be relayed as a positive. Using a cloud-based system, managing data encryption and multiple layered security, can provide police forces with a more expansive storage offering at a relatively lower cost. Furthermore, cloud technology can be used to manage and restrict access, permissions and usage. Parker says that cloud adoption will lead to police IT becoming ‘physically smaller and tactically more reliable’, but it will equally allow it to be more expansive in storage.
As mentioned previously, UK police forces are likely to be working on smaller budgets for the next few years. While switching operations is a cost that some may shy away from, as Daykin points out, ‘the consolation to cloud is that so you can free up some of the money that will need to be spent on sustaining legacy systems and reinvest that’. Sustaining large legacy systems and aggressively transforming to cloud can actually allow for money to be reinvested in cloud technology.
The move to the cloud should not be financially led, but culturally, where the benefits far outweigh the obstacles.
Andy Burston, ISSA UK
Andy Burston is a former UK police officer with operational experience of intelligence-driven policing and counter terror operations. Andy works as a security information risk advisor and architect, helping stakeholders to solve complex problems across information systems and processes, thereby reducing their exposure to risk. He has also managed the protection of IT that is critical to the success of UK policing and national security objectives.
Final thoughts: “Business processes that are perceived by some to be inefficient, subsequently prove to be born out of necessity such as legal constraints (custody and identity applications are a favourite!). Wider consultation at no cost other than time and effort will significantly de‑risk and inform plans to outsource hosting of services and data to computers beyond your immediate control… in other words the cloud.”
Simon Daykin, Leidos
Simon Daykin is chief technology officer for Leidos UK’s Civil, Defence and Health business units, providing strategic business technology leadership for UK customers. Motivated by the benefits technology can bring, Simon is passionate about supporting digital transformations through strategy, design and delivery to solve some of the most challenging problems in today’s world. Before joining Leidos, Simon served as chief architect of NATS and CTO of Logicalis.
Final thoughts: “If I were to outline three main benefits of moving to the cloud, it would be incremental and scalable capability improvements; the opportunity to gain access to much bigger forms of data – voice, image, text, video in easier and larger ways; and the ability to scale and respond to ever changing situations on the ground, through embedding agile platforms and processes to grow systems and capabilities. However, it’s not just technology, it’s the people and the confidence and skills changes that we need to take people through to get it right. I don’t see security as a blocker, but we need to manage people’s expectations to help them understand the benefits and risks. There is a possible risk in just reimagining it all and avoiding fossilising their existing ways of doing things.”
Paul Parker, SolarWinds
Paul Parker brings over 22 years of IT infrastructure experience, having worked with multiple military, intelligence, civilian and commercial organisations. Paul has received multiple military and civilian awards for service, support and innovation, having served as vice president of engineering for the federal division of Infoblox, an IT automation and security firm, as well as holding positions at CS2, Ward Solutions, Eagle Alliance and Dynamics Research Corporation.
Final thoughts: “Turning our thoughts to the forces at the front line and their IT needs, the technology deployed in forces at home and abroad is extremely varied but vital to mission success, which creates immediate correlation between cloud technology and the solutions it offers in terms of flexibility, scalability and the minimal physical infrastructure it requires. Despite the advantages that forces stand to gain through using cloud-based services and systems, a number of obstacles still need to be overcome before cloud on the front line can really come into its own.”