Cloud now more secure than on-premises for UK Defence
The UK government can better manage the security of its non-classified information in the public cloud than in on-premises data centres, according to the head of the nation’s Defence Digital Service.
In a blog post, Richard Crowther noted that Defence is starting to make more use of the cloud for handling information classified as official.
This is the lowest level of classification in the government classification policy, and includes routine business operations and services that are “not subject to a heightened threat profile”.
Crowther said that while some may question whether cloud services can ever be as secure as information stored in data centres on military bases, “in most circumstances we can do a better job of security in the cloud than we can do on-premises”.
Crowther cited three main reasons for holding this belief, the first being that security patches can be applied faster to cloud services compared to the belated patching process for on-premises infrastructure that most organisations struggle with.
“If you’re an organisation that measures time-to-patch in a small number of days, then you’re probably going to be OK, most of the time. But if you measure it in weeks or months, then you’re probably not moving fast enough,” he said.
As a high-profile example, Crowther noted the contrast between typical on-premises patch times and the speed with which cloud providers had managed to patch against the infamous Spectre vulnerabilities exposed in early 2018, with organisations such as AWS able to issue patches on the same day the vulnerabilities went public.
Second, Crowther cited the simplicity of rolling out security controls across a huge estate in public cloud environments.
“Do you need a network monitoring tap inserted into every egress point in your system right away? No problem. Need to check all of your internet-exposed servers don’t have console access open to the world? Easy. Need to ensure all of your administrators’ access is recorded in an immutable log and stored indefinitely? You got it.”
While all these measures can be achieved in on-premises environments too, some could represent hours, days or even weeks of effort compared with moments in the cloud.
Finally, Crowther said the strong focus on identity and authorisation within the major cloud services makes it easier to authorise access and implement separation of duties and privileges.
“Now, using public cloud, we’re able to easily build systems which require multiple people to collaborate to gain privileged access or carry out risky activities — this is a big step forward and means this sort of control can be used more widely,” he said.
While Crowther noted that Defence is able to implement special controls that commercial entities can’t match, such as physical security and personnel security vetting, for sensitive workloads, cloud providers have put significant amounts of work into these aspects. Letting cloud providers do most of the heavy lifting frees up the resources needed to apply the special controls to classified information, he said.