The cloud is here to stay. It’s no longer a buzzword or the new tech kid on the block. Cloud technologies are used by organisations and individuals alike, providing scalable on-demand computing on a global scale. As a result, governments across the world are deploying cloud services at scale, and the capabilities are at the heart of most digital transformation journeys. In the UK, the Government published the Cloud First Policy nearly 11 years ago. Since then, we have seen the publication of the National Cyber Security Centre (NCSC) Cloud Security Principles and the 5 Cloud Essential Characteristics by the National Institute of Standards and Technology (NIST). More recently, the Scottish Government developed the Scottish Cloud Platform to provide the Scottish public sector simplified access to cloud technologies.
Why Are We Using the Cloud? What Are the Challenges?
The ultimate aim of the cloud platform is to accelerate the adoption of cloud technology. However, many organisations are reticent about deploying cloud due to the perceived difficulties in migrating services or applications to the cloud, and they are not convinced of the advantages that cloud presents.
Cloud solutions provide many benefits; they can be regionally based, infinitely scalable and consequently can be descaled when cost pressures require a reduction in spending. Within the public sector, many of the challenges with cloud adoption relate to the cost of entry, the ability to train or hire staff with the relevant cloud skills, and ensuring that the cloud services deliver value for money. Furthermore, organisations are faced with the challenge of managing large legacy applications, which run at the heart of many public services. They need to be rebuilt using cloud-native services to maximise the benefits and savings introduced with cloud computing.
The Scottish Cloud Platform Service
To help lower the cost of entry, the Scottish Government developed a Cloud Platform Service (CPS) to give the Scottish Public Sector simplified access to cloud technologies (initially Azure and AWS). The aim is to accelerate the adoption of cloud computing, enabling public sector entities to speed up development, access discounts and prevent duplication of effort. This would effectively provide a one-stop-shop to access cloud platforms. Most notably, a central contract with the Cloud Service Providers should deliver cost savings and reduce the admin overheads for identity management and procurement within an environment that is approved by the Scottish Government.
Cybersecurity — A Shared Responsibility
However, while becoming a member of the Scottish Cloud Platform will bring several benefits, organisations will still be responsible for their risk and security management.
Being part of the cloud platform club does not mean that security will be addressed, or that the cloud service provider will be undertaking all the necessary security on behalf of the user. The well-known shared responsibility model holds true – the customer is responsible for security in the cloud, and the Cloud Service Provider is responsible for the security of the cloud. The challenges around data confidentiality, availability and integrity remain in the jurisdiction of the organisation deploying the cloud platform. Organisations need to consider these challenges when rebuilding legacy applications. Failure to do so is one of the main reasons why cloud migration projects fail or just don’t deliver the outcomes that were expected. This cybersecurity responsibility is not only shared with the CSP: building secure applications from the start also needs to be a common objective of the development, cloud engineering and cybersecurity teams. This requires a cultural and organisational shift toward DevSecOps, which goes well beyond tooling.
Furthermore, given that the most common vulnerabilities in the cloud relate to misconfigurations or a misunderstanding of the cloud security controls, it is essential that organisations understand their security responsibilities and how to secure their cloud environments. An organisation's failure to understand their shared responsibility will have a significant impact on their cloud deployment and overall security posture.
The Palo Alto Networks Approach
Understanding the shared responsibility model is the first step. Organisations also need to understand what cyber solutions they need for their particular use case. If they are building applications in Azure and AWS, they need to understand how to secure these throughout their entire lifecycle – from the coding phase, building, deploying and finally running the application. Failure to plan for this will create friction between the different teams involved. It will introduce delays and impact the successful delivery of these applications.
Conversely, if developers and cloud infrastructure teams are co-owners of the security of the application and infrastructure being built, problems will be addressed earlier in the development cycle, reducing the cost and mean time to resolution. This issue becomes even more complex when the development of these applications is outsourced to a third party. It is imperative to set SLAs around security risks in the applications delivered and have a defined method to measure if these objectives are being met.
Prisma Cloud from Palo Alto Networks will allow organisations moving their workloads to the Scottish Cloud Platform Service or building new cloud-native applications to have full visibility. It will also help to set guardrails and automate the resolution of security issues at all stages of the development lifecycle and once the application is live and running.
It is clear that cloud provides a range of benefits to the public sector and the development of the Scottish Cloud Platform is a welcome step in helping organisations to deploy cloud technologies. However, it is crucial to maintain a steely-eyed focus on security, given the myriad of cyber risks and threat actors targeting governments. A CSP will not do this for organisations, and a lack of focus will put data, applications and services at risk. Contact the Palo Alto Networks public sector team to make sure your organisation’s data and services are secure, no matter what cloud platform you choose to deploy, and across multiple platforms from a single source of visibility, control and protection.