Introduction
The latest development in the Cloud strategy was announced by the Government Digital Service confirming a move from ‘Cloud First’ to ‘Cloud Native’.
This is a key development, building on years of work to develop policy and standards for the delivery of Cloud Services to government, and the evolution of the service provider marketplace. Key achievements that can be attributed (directly or indirectly) to the involvement of GDS in the Cloud First strategy are the establishment of UK data centres by the large Cloud Service Providers and the delivery of the Cloud Security Principles.
This white paper, prepared for Innopsis and sponsored by The Common Framework, provides a briefing for public sector executives on how to respond to the changing policy environment. This will cover:
- What is a Cloud service?
- How to use Cloud safely
- Is Cloud Native right for you?
What is a Cloud service?
Before you can be Cloud Native, you need to be clear on what a Cloud service actually is. There is a continuing challenge of terminology when it comes to Cloud services – or rather the inconsistent use of it. Look for a definition of Cloud, and you will find a plethora of options and XaaS (Something as a Service) being used with gay abandon by marketing professionals.
“Cloud Native is one of those terms that has a lot of different definitions, with the more narrow definition encompassing patterns for application design, deployment and operation. We use the term more broadly to include the flexible adoption of Software as a Service (SaaS) applications, which are often loosely coupled and quite task specific.” – GDS[1]
A broad definition can help to convey an idea, but we do need a definition that is clear enough to explain what Cloud is, and what it isn’t. The standard proposed by the US National Institute of Standards and Technology (NIST) meets this test. Its definition is referenced in the Cloud Security Principles used by the National Cyber Security Centre (NCSC) and GDS.
“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
This Cloud model is composed of five essential characteristics, three service models, and four deployment models.” – NIST[2]
Anyone interested in Cloud services should review this document in its entirety to gain a correct understanding of them. At a high level, the essential characteristics of Cloud services are:
- On-Demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service
Not all Cloud services are what they seem
Once you use these established characteristics, it becomes clear that some Cloud services are not what they seem. They may simply be existing outsourced services that are rebadged and do not share the essential characteristics described by NIST. They may also be services that have some of the features of a Cloud service (e.g. broad network access and measured service) but not all.
This level of detail is important because you may think you are getting a resilient Cloud service, yet not have the resource pooling, self-service and elasticity that are the real benefits of Cloud services.
This could result in buying a Cloud service where you must wait for a provisioning task, governed by an SLA, to be carried out before you get the service you need, and where that service will suffer downtime for scheduled updates or through general fault conditions – just the same as traditional hosting or outsourcing.
Recent outages at Kirklees Council[3] show what can happen when a Cloud service is deployed without a continuity plan. Even though you could argue that the service doesn’t meet the key NIST characteristics, it is a common deployment scenario. These scenarios provide evidence that you need to understand the detail behind the service to ensure that your requirements are met.
So, let’s apply the NIST definition to the three service models of Cloud services: Software, Platform and Infrastructure:
- Software as a Service
The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Examples of SaaS – Hosted software such as Office365/GSuite (was called Google Apps for Work)
- Platform as a Service
The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
Examples of PaaS – Development environments such as AWS Elastic Beanstalk/Google App Engine
- Infrastructure as a Service
The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).
Examples of IaaS – Virtual machines and networks such as AWS EC2/various VPS or VPC
You will encounter terms describing Cloud services as being public, private or hybrid Cloud deployments, but unless these Cloud deployments share the common characteristics and service models, these terms are meaningless.
A virtualised private Cloud service that doesn’t share these characteristics/models may meet your security needs, but it may not be suitable for mobile working or have the extensibility or resilience you need. Conversely, a public Cloud service may well meet the service needs but may store your information in regions that are not suitable for the information stored in them.
The importance of the Cloud supply chain
You will see from the definitions above that any public body preparing to move to Cloud services should be confident that all three layers are fit for purpose – the infrastructure, the platform and the software itself. Each layer should be sufficiently robust, secure and scalable for your needs.
“The challenge is exacerbated when you think about how many higher level services are built. The ‘supply chain’ for SaaS can get impressively complicated without the provider even realising this is the case. It is common for providers to make use of a range of third party services to build their own service, which will inevitably be cloud services themselves.
The service you are using may have been built with cyber security in mind, and may be operated by a strong cyber security team. However, the dependencies they’ve taken on third parties can render these protections nugatory.” – NCSC[4]
This doesn’t just affect Cloud security, but the delivery of the entire service; indeed, cyber security is arguably nothing more than a fashionable term for IT security. The recent outage of AWS S3 services in the US[5] caused impacts of up to $310m for affected organisations just from an outage of service.
The Cloud supply chain is complex and interdependent. Major outages at service providers such as Amazon[6] or Azure[7] can take services from unrelated organisations out of action. Always ask any supplier what Cloud infrastructure platform they are hosting their service on, how they ensure that their obligations are met, and what happens if the service is out of action.
The management of the protection, accuracy and access to the service will greatly influence its reliability, and the supply chain supporting Cloud services has never been more important.
How to use Cloud safely
We’ve set out here a summary of the key areas to consider when preparing to go Cloud Native, covering:
- Information Assurance
- Legislative Compliance
- Risk Management
- Supporting Infrastructure.
Information Assurance
When you speak to a Cloud Service Provider, you will often get a myriad of responses, ranging from statements of ‘compliance’ and audit frameworks (such as CSA Cloud Controls Matrix or SSAE16) to full certification to industry standards (such as ISO/IEC 27001:2013).
GDS have recently provided an overview of Software as a Service myths[8] where they state that “a competent SaaS provider has a large budget for security and can invest heavily in mitigating all common risks”. This is true, but how do you find a competent provider?
It’s crucial to ensure that the scope of the compliance certification/statement matches the service you are buying and that you understand the assurance that is provided by the asserted compliance level.
Fortunately, there is guidance available in the form of the Cloud Security Principles that were developed by NCSC, and the PSN Service Security Standard (PSSS) that has evolved from it.
If you use the PSSS, then you will find that each principle has a minimum level of assertion selected from the plethora of options that the Cloud Security Principles utilise. This provides you with a good starting point to test the suitability of different service options.
However, whilst the PSSS sets out the basic levels of encryption and location required from its Cloud services, it is less clear on the governance, supply chain assurance and service management aspects.
“While the core principles of risk management are the same for the cloud or on-premise systems, there are substantial differences in the technical and assurance details. With cloud services, you need to take a shared approach to responsibility. You should understand how responsibility for security is shared between you and the cloud provider. Where appropriate you should layer security controls on top of those built into the cloud services you are using.” – GDS
Legislative Compliance
“If staff aren’t given adequate tools to deliver in their job, then you run the risk of them going out and finding their own alternatives. If this happens then employers have no visibility or control over what is being used.” – GDS
The above statement is true, but you also need to make sure that you understand the obligations that relate to the information held within these services.
Current UK legislation, when taken together, requires that UK-based public and private-sector organisations understand:
- the location of the data (how do you know where it is being stored, or if it has been deleted?)
- the format of the information (what is the asset?)
- the disclosure requirements (can you share it, and what are the requirements?)
- the retrieval requirements (the retention period and can you access the information throughout that period?)
- the handling requirements (does it need encryption, where can it be accessed from, what right of audit is there?)
Even something as simple as knowing where the data is stored can be difficult to determine. There has been a lot of press recently surrounding the likes of Microsoft, who are fighting attempts from the US government to access information held within the Irish data centres.
This is to be applauded, but what if you were told that Outlook for iOS/Android may be caching your emails in the US or at least the Microsoft Cloud? This is the case at present if you are using an on-premise Exchange server at a version lower than Exchange 2010 Service Pack 3[9] or a server that isn’t on a commercial version of Office 365[10].
Even if you are using Exchange 2010 Service Pack 3 or higher, did you know that your emails are being hosted in the Microsoft Cloud? The devil is often in the detail, and you should ensure that the entire architecture is understood.
It’s important to select Cloud services that meet your needs, but also to communicate the obligations placed upon staff/suppliers when they access this information (which can often be deemed to be corporate assets if they are governed by legal, regulatory or contractual obligations).
Manage risks and opportunities
We often talk about risk management, but the approaches to risk management are often fragmented and contradictory.
If we look at the definition of risk management that the UK Government delivered through its Orange Book on Risk Management[11], we see that “risk is defined as this uncertainty of outcome, whether positive opportunity or negative threat, of actions and events. The risk has to be assessed in respect of the combination of the likelihood of something happening, and the impact which arises if it does actually happen”.
So, we can view risk as being an aggregation of the:
- threats that occur because of the environment that the organisation works in (i.e. the locations, business processes and services that are used to capture, process and store information)
- impacts that result in failures of protection, accuracy and access relating to assets (i.e. the obligations)
- vulnerabilities that allow threats to cause impacts (i.e. the requirements for information and service assurance to mitigate the threats)
Managing the risks in this manner allows us not only to concentrate on the negative impacts, but also to achieve positive outcomes from the use of Cloud computing. Through better understanding of information, we can address a very real issue that is occurring – a recent parliamentary report at the end of 2015[12] estimated that over 90% of information circulating on the internet had been created in the past two years.
Combined with recent estimates[13] that 54% of data is unknown in terms of its contents (also called dark data), where resources are being wasted in protection and storage, we can not only embrace Cloud computing but also address the amount of unknown information held within our datasets through effective risk management.
“Well-executed use of public cloud services will be appropriate for the vast majority of government information and services. However, each organisation needs to make their own risk-based decision for their specific systems or data.
There are a very small number of situations where it may not be appropriate to use cloud services for specific systems or data. For example, when there are specific legislative requirements around data sovereignty.” – GDS
Get the Right Infrastructure
Another strand of the Cloud Native strategy is the statement from GDS on the Internet being OK for most government traffic[14]. The implementation of effective encryption may address information security requirements over the Internet, but there are other factors that need to be considered when deciding what infrastructure is needed[15]. You need to know:
- what business services your users depend on
- what network services they rely on to access them
and document your needs across different networks for:
- bandwidth
- availability
- resilience
- class of service (CoS)
- quality of service (QoS)
- price
In short, the challenge is to define what the service requirements are across an increasingly Cloud-based supply chain and diverse connectivity methods.
Ask the right questions
It’s therefore recommended to ask the following questions to make risk-based decisions and comparisons between Cloud Service Providers:
- what responsibility the Cloud Service Provider takes for delivery of each of the Cloud Security Principles
- what suppliers it relies upon for delivery of the principles
- where the boundary of responsibility sits between you and the CSP (i.e. what is left for you to control in the Cloud service?)
- how you can export your data from the service and move it to another service
- what evidence can be provided that data is deleted at the end of the service
- if obsolescence is considered in their architecture
- what exclusions apply to the service being provided
- how they ensure that their SLAs are met by their supply chain
- what their Recovery Time Objectives (how quickly they will restore service), Recovery Point Objectives (how much data they can afford to lose whilst still providing service) and Maximum Tolerable Period of Disruption (how much downtime they can endure before affecting the business) are
Is Cloud Native right for you?
So, with platform and infrastructure defined, is it now time to go native in the Cloud?
Cloud services designed in accordance with the NIST guidelines and conformant with the Cloud Security Principles are mature enough to work natively for a back-office server environment, but you need to determine:
- the information being processed (including the legal, regulatory and contractual requirements associated with it)
- the responsibilities that you expect the supplier to undertake, including where the boundary of responsibility resides
- the availability needs of the platform and infrastructure
- the service continuity required to support the availability needs
- if the supply chain supports the availability requirements
However, Cloud Native is not a scenario that is currently possible for most office environments. It is possible (and arguably desirable) to have virtual desktop environments or collaboration platforms to control the flow of information on BYOD endpoints, but this is rarely undertaken throughout organisations at present. Until we evolve organisational culture in terms of information governance and risk management, we will not fully adopt mobile working architectures that enable Cloud Native to become the norm.
The recent press coverage of 500,000 medical records being accidentally sent to storage[16] shows the impact on public services of insufficient information governance and risk management. This example shows why the cyber strategy is not sufficient by itself to address the challenges of delivering digital government. However, the network principles and Cloud Security Principles have the potential to address the challenges – if we provide more clarity on definitions of characteristics of Cloud services and the current legal requirements for information management.
“It is increasingly clear that some behaviours which are unacceptable offline are being tolerated or even encouraged online – sometimes with devastating consequences” – DCMS
This challenge isn’t new[17], and public sector leaders need to understand what information they control, how it is used, and what its value is to the organisation. The technology to go Cloud Native is ready now, but users and organisations aren’t. There has been too much focus on the technology and not enough on the culture and activities that govern it. Unless they address information governance risks, going Cloud Native is likely to be a step too far.
[1] https://governmenttechnology.blog.gov.uk/2017/02/03/clarifying-our-cloud-first-commitment/
[2] http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
[3] http://www.theregister.co.uk/2016/12/30/yorkshire_council_hit_with_prolonged_web_outage/
[4] https://www.ncsc.gov.uk/blog-post/debunking-cloud-security-myths
[5] https://www.theregister.co.uk/2017/03/02/aws_s3_meltdown/
[6] https://www.theregister.co.uk/2015/09/20/aws_database_outage/
[7] http://www.zdnet.com/article/global-dns-outage-hits-microsoft-azure-customers/
[8] https://governmenttechnology.blog.gov.uk/2017/02/22/software-as-a-service-the-4-biggest-myths/
[9] https://www.petri.com/outlook-ios-android-dumping-aws-q3
[10] https://blogs.office.com/2016/09/26/outlook-for-ios-and-android-is-now-fully-powered-by-the-microsoft-cloud/
[11] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/220647/orange_book.pdf
[12] https://www.publications.parliament.uk/pa/cm201516/cmselect/cmsctech/468/468.pdf
[13] http://www.computerweekly.com/news/4500256309/Lack-of-data-classification-very-costly-to-firms-says-survey?utm_medium=EM&asrc=EM_EDA_49210577&utm_campaign=20151029_BT%20revenue%20up%202%25%20on%20broadband%20and%20BT%20Sport%20Europe_&utm_source=EDA
[14] https://governmenttechnology.blog.gov.uk/2017/01/20/the-internet-is-ok/
[15] http://www.computerweekly.com/opinion/Is-OK-OK-Delivering-the-next-government-network-platform
[16] https://www.theguardian.com/society/2017/feb/27/nhs-data-loss-173-instances-of-likely-patient-harm-identified
[17] http://www.computerweekly.com/news/1280095679/Infosec-2011-Compliance-the-biggest-security-juggernaut-says-security-expert