In my experience as the chief operating officer (COO) for the UK Government’s Digital Service (GDS), I saw first-hand how approaches to security in the cloud can affect digital services delivery. I worked at the GDS when the government set out on a significant transformation program to improve public services for citizens and businesses—a transformation that saved the government billions of pounds. During my time in the GDS, and now in my work with government leaders, I’ve learned important lessons about transforming services securely in the cloud. Here are some key takeaways:
Don’t build bespoke technology when you can use what works
When governments begin their digital transformations in the cloud, they sometimes still think about security in terms of legacy IT modalities. This legacy approach can push them towards building bespoke IT solutions, which can impede service delivery.
When the GDS launched its digital transformation program, the government planned to use cloud to support this transformation strategy. But we didn’t think too explicitly about security in the beginning. We had a robust accreditation regime and we credited cloud as part of that system. We chose a smaller cloud provider that could meet these many bespoke security standards. It wasn’t until a few years later that we realized this approach wasn’t quite working.
One of the services that had been transformed as part of the program was a service that helped register citizens to vote. In 2016, on the eve of the voting registration deadline, political leaders referred audiences to the website after a live TV debate. As thousands of British citizens accessed the service at once, the website promptly crashed.
The reason the site wasn’t able to scale to meet demand was actually connected to security. Because we used a small cloud provider that could meet our bespoke accreditation regime, we weren’t leveraging the full capabilities of hyperscale cloud. This became one of my first lessons in security and transformation: use what works. Don’t use bespoke technology. Recognize international best practices and accept technology the way it is sold—your requirements are not as special as they might seem.
Reassess government security classifications for the modern era
Another key lesson that emerged from the GDS transformation program was rethinking how we considered security classifications for data and technology.
Before the transformation, the UK government used a data classification system that was based on Cold War era documents—well before the digital era. This system had seven levels, from Unclassified to Top Secret. Separately, the UK government also had a system to classify technology, which assessed what data could be stored where. These data and technology classification systems were not the same, but were frequently conflated. Meeting these complex accreditation standards required developing bespoke systems, either on premise or with a private cloud. However, this blocked many of the benefits of using modern cloud technology.
To transform our legacy approach, we simplified the data classification process. We moved from seven levels to three—Official, Secret, and Top Secret—and reclassified 90% of our data at the Official level. We also removed the rigid approach to technology classification levels. We encouraged departments and public sector organizations to take a more holistic, contextualized approach to risk. We recognized that internationally recognized standards of security best practices, like those championed by the UK National Cyber Security Centre (NCSC) and utilized by commercial entities like financial institutions, are good enough for 90% of our information. These decisions were an important enabler for reform and opened the path for agencies to use cloud the way it was intended.
Reframe your mental model about government security in the cloud
Many UK cybersecurity leaders are going public about their support for public cloud. The UK Space Agency’s chief engineer and former head of the UK Defence Digital Service (DDS), Richard Crowther, explains why in a Ministry of Defence blog post about speculative execution vulnerabilities. Crowther argues that the government can actually do a better job of managing security for Official data in the cloud than on-premises for three key reasons: 1) security patches can be applied faster in the cloud; 2) it’s simpler to deploy security controls at scale; and 3) you can authorize and audit almost everything.
But some leaders still balk at considering cloud for government data. “There can sometimes be an emotional nervousness about using the cloud, in addition to more technical security concerns,” says Ian McCormack, deputy director of the NCSC government team, in the AWS Institute film, Be Secure in the Cloud. “One way we have tried to help people overcome this is by explaining how we chose to use which cloud services ourselves.” In their blog post, “The elephant in the data centre,” the NCSC guides decision makers through how to make a fair comparison between legacy on-premises systems and cloud-based alternatives. Read more about the NCSC’s overall approach to security on their website.
Don’t do it all yourself. You can’t.
An important thing I’ve learned from the cybersecurity community is that openly sharing security best practices helps make the whole community more secure. It may seem counterintuitive that the NCSC supports openness in the security technology community, but they do it because it raises standards for all. The NCSC knows how to leverage what is available so they can use their resources and expertise where they can make a unique difference.
Another way to find and use what has worked for other organizations—at no cost—is to use open source standards and code. You can learn more about this in the short film Use What Works, and find no-cost standards and code curated for governments at Open Government Solutions on AWS.
by Alex Meek-Holmes
Learn more from the AWS Institute
Liam Maxwell, director of government transformation at AWS, and Ben Aung, chief risk officer at Sage and former director of government security in the UK Cabinet Office, explain this in more detail in the AWS Institute film, Enabling Digital Transformation for the UK Government and blog.
Learn more about public sector digital transformation at the AWS Institute.
1st December 2022