
Crisis in confidence: why data sovereignty is vital to cloud adoption

Published 12 December 2016

Toplevel strategy director Jane Roberts warns that worries over how to govern data in the cloud are impacting cloud migration


Government adoption of cloud services has been strong, with initiatives such as G-Cloud and the ‘cloud first’ mantra helping to drive the message home. But more recently, migration has foundered. Not because the benefits of the cloud are in dispute (no CAPEX, scalability, automatic updates…) but because there is a crisis of confidence over how to govern data in the cloud in the face of incoming legislation and escalating attacks, both of which demand better security assurances.

Legislation such as the UK equivalent of the EU GDPR, expected to come into force in mid-2018, will make it necessary for organisations to get to grips with their data and to know where it is. For many public sector departments this will require a complete overhaul of the information estate and a data audit to determine where their data resides. That’s going to be a complex undertaking given the current hybrid deployments, using on-premise, public, and private cloud.

Then there’s the issue of data sovereignty. There’s currently no compulsion for cloud providers to house data on UK soil and this can see data held elsewhere become subject to the local jurisdiction. This has been brought to the fore by recent legislation in the form of Rule 41 in the US, which grants the US the right to access data held by US-based providers even if it is stored on foreign soil. The rule was brought in to make it easier for the FBI to carry out data investigations and is unlikely to be applied to data held in the UK. But what it does illustrate is the importance of data sovereignty. If data is not housed in the UK it will first and foremost be answerable to local law.

The rise of ransomware in the public sector is also causing organisations to retrench. The DBIR report recorded a rise of 16 percent compared to 2015 and attacks are rapidly evolving. But in reality the cloud is highly effective at combating this threat. Many organisations backing up their data on a daily basis can find recovery a time-consuming process involving days of downtime. However, using virtual machine technology in the cloud it is possible to rewind to before the incident to recover data. As a form of back-up, the cloud therefore renders ransomware obsolete because data can never be lost.

To calm these fears Microsoft recently launched the UK Azure Cloud, which ensures data resides in the UK, stealing a march on AWS, which also intends to launch UK data centres between now and February. UK Azure claimed a further coup, announcing in September the addition of the Ministry of Defence as its first customer. The MoD will be committing to a “full blown leap into the cloud” by connecting current AWS cloud and other cloud services with the new offering to provide a comprehensive cloud infrastructure.

The move by these giants signifies a step change in how cloud is being used. Firstly, there’s a real demand for data to be stored on home turf. A ‘UK-only’ cloud is a smart move, providing government customers with the assurance of native storage which will make it that much easier post-Brexit to demonstrate data compliance with any forthcoming legislation. Secondly, more and more data previously precluded from being added to the cloud is being migrated across because security controls have improved markedly. And thirdly, we’re seeing a bringing together of disparate cloud offerings into a unified whole. The backing by the MoD is the cherry on the cake and sends a clear message to other government departments: on-premise is not the future.

We’ve heard public sector workers tasked with estate management say they simply don’t want another blade server to manage and that current deployments are unwieldy and cumbersome. Moving to a single infrastructure has to be the only way to manage all of the data that organisations are handling now and into the future; it will simply become unworkable to continue creating data silos. Because in many respects, the cloud is only just beginning to demonstrate what it can do as a tool to improve working processes. It’s been pivotal in enabling mobile working and it’s also now enabling collaborative working, reducing the costs and complexities associated with multiple teams working together.

A clear example of this is case management. Teams need to be able to securely access, change and progress case files held on citizens, from applications to ongoing records. This is highly sensitive data and accessing it in the cloud has been problematic in the past. However, the use of multi-factor authentication, data partitioning and cryptography, which allows individual keys to be assigned to highly sensitive documents, is now making this a viable method of storing and accessing highly sensitive data that would have been classed as IL3 in the past.

Reserving the cloud for non-sensitive data, continued investment in on-premise, and the assumption that ownership equals security are all now redundant cloud concepts. Moving forward, UK-specific datacenters that can offer government grade assurances for the handling of sensitive data are set to drive a new era in cloud computing. That new era will see public sector organisations benefit from a scalable infrastructure which allows them to store, access and document data sets more accurately, restore operations more quickly and work more efficiently, and demonstrate compliance with existing and emerging data regulations, ultimately allowing us to realise a true form of digital government.  

Jane Roberts is strategy director at Toplevel

