Capability: Cloud Development & Migration
Customising your infrastructure in the cloud
For those watching what seems like a proliferation of Police dramas on television, you might be impressed by how easily data is shared between partner organisations: Officers tap into numerous IT systems to retrieve vital information that is key to solving their case.
Sadly, as you would probably expect, the reality is somewhat different.
Data sharing
The Digital Government report from July 2019 highlighted that data sharing is key to ensuring that digital Government can be transformative. It enables departments to work together to produce efficient public services that work for the citizen, thus improving the citizen-Government relationship.
The new National Data Strategy also recognises the importance data has to play in enhancing economic competitiveness and productivity across the UK economy, through new data enabled business models, and the adoption of data driven processes.
Data sharing has long been discussed within Policing. One of the key recommendations of the Bichard child protection inquiry in 2003 was that all forces across the UK should improve how they collect, store and share data.
In 2005 the Information Systems Strategy for the Police Service (ISS4PS) highlighted “The importance of a national approach to information sharing is now uppermost in current strategy for policing as reflected in the National Policing Plan.”
The following year the National Policing Improvement Agency (NPIA) Guidance on the management of Police Information talked of effective Policing relying on the Police Service to communicate and share information with other forces and partner agencies.
Fast forward 15 years and the National Policing Digital Strategy 2020-30 prioritises the need to deepen collaboration with public sector agencies to unlock effectiveness, by developing ‘fluid’ data and insight exchange, within appropriate ethical and legal boundaries.
Collaboration is a necessity
No-one can fail to notice the masses of data that is being created today and the fact that it is growing at an unprecedented rate.
Over the last 15 years, Policing has also started to see an explosion in the data that it holds. Allied to this is a growing pressure for them to start to utilise and share this data to their advantage.
Citizens are starting to demand and expect more from the Police service. With resources more stretched than ever, Police are now having to look at new ways of working – becoming smarter in utilising the information they have available to them and sharing it to obtain greater insight.
No-one can accurately predict how the next 15 years will unfold, but as digital trends rapidly evolve across all areas of our lives, the abundance of data and the vast array of sources from which it emanates will continue to grow.
For a long time, public sector bodies have been locked into the mentality that they need to be autonomous in their operation, harbouring their own data and with the ideas of collaboration and sharing being forced rather than instinctive.
More recently though, policing, as with all of the public sector, has seen austerity and the ever-increasing need to save money act as a driver towards more collaboration and data sharing.
A by-product of this is the ability to provide a better-quality service and a more rewarding citizen experience. Agencies are provided with a more holistic view of the individuals they are dealing with and their circumstances, allowing them to make better informed decisions.
Given this win-win scenario, it seems like a no-brainer, doesn’t it?
Why’s it taking too long?
If the idea of collaboration and sharing of data is clearly beneficial on a number of levels, why have we been discussing it for so long without taking any action?
The biggest obstacle to collaboration and data sharing is arguably a wealth of stand-alone, legacy applications that exist within Police estates.
“Legacy systems are invariably built on outdated architectures with high maintenance costs, inherent inflexibility, redundant features, lack of connectivity and low efficiency. Complex application and process logic is often hard-coded and undocumented.”
Gartner Oct. 2019
“Legacy systems are a significant barrier to effective Government transformation and digitisation.”
Digital Government report, July 2019
Given the autonomous mentality that previously existed, Police applications were never built with collaboration in mind.
This means that these legacy systems don’t easily provide the ability to interact and share their data with other applications – they are siloed, with the data being accessible only by the application to which it relates.
All is not lost however. There are numerous different approaches we can use to help create interoperability and integration for your legacy applications:
- Rehost: redeploy the application component to other infrastructure (physical, virtual or cloud) without modifying its code, features or functions. This allows significant, short-term technology benefits without altering the application code base. Benefits of migrating to the cloud include: Improved application resilience; Disaster Recovery; Scalability; Accessibility.
- Re-platform: migrate to a new runtime platform, making minimal changes to the code but none to the code structure, features or functions. This enables the application to run on a modern technology framework while limiting the requirement for a major development project.
- Refactor: restructure and optimize the existing code (although not its external behaviour) to enable data sharing and improve non-functional attributes. Refactoring focuses on breaking up the legacy code base into smaller manageable modules allowing consistent improvements to the application through small, iterative release cycles.
- Re-architect: materially alter the code to shift it to a new application architecture and exploit new and better capabilities. This will leverage and extend the application features while introducing new integration concepts to promote data sharing and deduplication. Where appropriate, an Application Programming Interface (API) would be developed to allow data sharing between applications/modules over HTTPS.
- Rebuild: redesign or rewrite the application component from scratch while preserving its scope and specifications. When deciding to rebuild an application, consideration should be taken to ensure the architecture is designed in a modular, scalable fashion promoting data sharing and future integrations using a combination of APIs and messaging architecture.
- Replace: eliminate the former application component altogether and replace it, considering new requirements and needs at the same time.
To find out more about how we could help your organisation unlock integration and interoperability, take a look at our Police page.
For the uninitiated reading this, what is the cloud?
Well in its simplest form, the cloud refers to a remote Data Centre, commonly owned and operated by a 3rd party, that is used to host applications and store data that a Force would have previously provided via their own on-premise Data Centre facility.
The cloud is commonly accessed via the internet, meaning any device that has some form of internet connection can access the applications and data that reside there. That device could be a desktop in the station, but it could just as easily be a remote device such as a laptop, mobile or tablet being used out in the field. Given access is via the internet it also means that it makes it far easier to share anything that’s stored in the cloud with other entities should you wish to do so. Ideal if you want to work collaboratively with other agencies and share data.
Another added benefit is that the cloud hosting provider takes on the responsibility for maintaining the infrastructure on which your data and applications are stored, as well as being responsible for the environment in which it resides.
Cloud services are typically subscription based, which shifts the commercial model from a capital one, where the Force has a large capital outlay relating to procuring and maintaining their own in-house IT provision, to a revenue-based, ‘pay as you go’ model allowing for easier budgeting with no large initial outlay. Cloud technology also provides the ability to ramp services up and down as needed, meaning the Force only pays for what it needs, typically with a lower overall total cost of ownership.
CLOUD FIRST POLICY
Back in 2013 the Government introduced its “Cloud First” policy. Within it was a recommendation to all Public sector organisations that they should prioritise the use of cloud when considering new IT solutions. The inference being the public cloud rather than a community, hybrid or private deployment model.
Key to this recommendation was that “Departments should always source a cloud provider that fits their needs, rather than selecting a provider based on recommendation.” I’ll come back to this point later.
The Government stated that, “By exploiting innovations in cloud computing we will transform the public sector ICT estate into one that is agile, cost-effective and environmentally sustainable.”
The benefits of having a cloud-based deployment were clearly evidenced in 2017 following the Manchester terrorist bombing. In the aftermath of the incident, the cloud based HOLMES2 (Home Office Large Major Enquiry System) was used to set up a Casualty Bureau, to support with missing persons, the identification of individuals and logging of evidence. Thanks to being hosted in the cloud, within two hours of the attack, 27 forces were able to utilise the casualty bureau to support one another with mutual aid.
Another cloud native system that will undoubtedly benefit all forces is the much criticised and highly controversial LEDS (Law Enforcement Data Service). LEDS is the Home Office’s new “super-database” for Police. It combines the PNC (Police National Computer) and the PND (Police National Database) into one data source. Although massively over budget and behind schedule, no one doubts the benefits it will bring to Policing. Given the amalgamation of the systems there will be reductions in running costs by supporting a single, far more efficient system. Police will have access to a much broader set of information, which should help in speeding up the identification of persons of interest. LEDS is to be hosted on the commodity cloud service within Amazon Web Services (AWS). This will widen the scope beyond policing in terms of organisations able to obtain access, such as the DVLA, Financial Conduct Authority, Highways England, Competition and Markets Authority and the Royal Mail.
Arguably, the cloud-based technology that has had the biggest positive impact of late is Microsoft’s 365 Productivity Services suite, being rolled out to Forces as part of the National Enablement Programme. The national lockdown that was imposed in response to trying to combat the Covid 19 pandemic, added an additional level of complexity to Policing. Whilst most things ground to a halt, criminal activity continued and so did the need to police it. By using the collaboration tools that are offered as part of the productivity suite, Forces were able to continue to operate using a virtual environment, allowing employees to come together whatever and wherever their location.
Given the exhortations of the Government and the evidential benefits of adopting cloud technology, does that mean all Forces have rushed to go ‘all-in’ pushing all their Applications and data into the cloud in haste?
The short answer is no. Despite the numerous benefits to adopting a cloud first approach, as recently as 2 years ago, reports suggested that as many as 75% of all Forces still accessed and managed their data and applications on premise. So, the big question is why?
BARRIERS TO ADOPTION: SECURITY CONCERNS
Understandably, Police, by the very nature of the job they do, are quite anxious when it comes to re-housing their applications and data. A good percentage of the work is sensitive and needs guaranteed security. As you would imagine, most forces were initially very sceptical that the cloud could offer the same level of security as that provided in their own on-premise data centres. Surely no-one would be more concerned about the security of Police IT than the Police themselves.
When we talk about security in this instance, it usually relates to the need to ensure that everything belonging to the force is protected from a potential data security breach. When you have been responsible for security for so long it is hard to share that responsibility with someone else and have the confidence that they will look after things as well as you do. It is also unnerving when your security is no longer fully reliant on the tangible devices sitting in your data centre, that you can see and touch with a reassurance that everything is ticking along as it should be.
In a traditional on-premise solution, IT teams must manage and maintain security at every single location and for every single application. When it comes to Public Cloud, providers don’t have visibility of where or what the ultimate endpoint is, therefore all security has to be centralised and unified, able to cater for all possibilities. This unified security approach means you may end up with access to more security than you currently have employed on premise.
Let’s just for a moment take a look at cloud security:
- Security is now a shared responsibility with the cloud vendor, meaning there is less of a burden on your IT teams and your finances.
- Updates and patches no longer have to be resourced and scheduled in by the IT team, instead being applied in a timely fashion.
- Cloud security is highly automated, meaning a reduced need for human intervention and less opportunity for errors.
- As security is centralised there are fewer boundaries in relation to possible end points.
- Cloud security may offer more specialised and robust options that would probably otherwise be unavailable due to cost.
- Although public cloud involves trusting a 3rd party, they are generally experts in their field and are focussed purely on security and nothing else.
- Cloud providers are now compliant with necessary regulation, meaning you can rest assured they are using best practices.
Over the last few years billions of pounds have been invested by Public cloud vendors to provide efficient data security. So much so, that cloud security arguably provides better protection than that offered by a lot of on-premise facilities. Most of the major vendors are compliant with the Home Office’s National Police Information Risk Management Team (NPIRMT) requirements, meaning cloud services can now support Police Forces across the UK who require Police-Assured Secure Facilities (PASF) to process and store their data in the cloud.
A big indicator of shifting attitudes around security is the recent decision by the Defence Digital Service (DDS), a new group in the Ministry of Defence (MOD), to shift its data for its Readiness Reporting and Deployability Discovery (R2-D2) project to a public cloud.
Phil Jones from ISS (MOD’s Information Systems & Services) stated that Public Cloud is being used by several operations and projects within the MOD to identify how new services and capabilities can be delivered to Defence. Teams are able to access accounts to the Public Cloud offerings provided by Amazon Web Services (AWS) and Microsoft Azure – this provides teams with freedom to evolve their own Services that take advantage of industry leading capabilities.
BARRIERS TO ADOPTION: CULTURE
Culture was cited as being another barrier to adoption. Historically, Forces have been quite parochial in their nature. Very much with a sense of, “This is how we’ve always done things!” or “We’ll wait and watch what everyone else does first before we decide.” This mentality has left forces lagging behind the criminals they are trying to outwit (who, conversely, have exploited this new technology in advanced and innovative ways, making their criminal activities far more complex and difficult to untangle).
However, police culture is changing thanks to the everyday use of cloud in our personal lives. Barely a day goes by where we don’t perform some kind of interaction with cloud-based technology, passing data back and forth between applications and allowing us to do things on the move using our mobile devices, such as ordering food, making appointments and booking holidays, remember them?! We even trust the cloud to store our most precious memories in the form of photos and videos.
So, if security concerns have now been addressed and cultural views are changing, then what else is slowing mass adoption?
For those of you that read my last blog, you’ll already know the answer. However, for those that didn’t, go and read it! But in the meantime, the answer relates to the fact that a lot of forces maintain a large number of legacy applications that were never designed for the cloud and don’t easily lend themselves to being migrated on to one.
However, the aforementioned blog provides an indication as to how we at CACI can help forces overcome this obstacle.
WHICH CLOUD IS BEST?
If all barriers have been overcome and the decision has been made to adopt the cloud, how do you then go about deciding which cloud is best for you?
Let me try and explain by use of an analogy; when your child reaches a certain age there comes the time you want them to spread their wings and leave the family nest. Do you quickly find the first available cheap premises you can and proceed to move your loved one into it as quickly as possible? Then as each successive child reaches that same stage, find a similar property to the first and do the same again? Maybe you do!
But in all seriousness, most of us would probably seek the services of some form of an Estate or Letting Agent, someone with full knowledge of what’s available in the market that best suits your little treasure’s wants and needs, relying on the Agent to advise and suggest viable options before carefully choosing the best property available to them.
Well, a similar approach should be applied when adopting a cloud strategy. Do you find the first cheap, hosted environment available and proceed to throw all your applications and data into it? Again, maybe you do, and I know some have to their regret. But the smart option is to seek the services of an experienced, qualified cloud migration partner, someone who has thorough knowledge of the market and an ability to provide the best advice on the optimum solution for your organisation. A partner that will consider your differing workloads and what you need to achieve and design a strategy around a perfect hybrid of available cloud resource.
HERE, NOW AND THE FUTURE
So with the many benefits the cloud brings: accessibility, affordability, removal of a maintenance burden, better levels of security, increased speed of deployment and rapid scalability, as well as the Government pushing its ‘Cloud First’ strategy, is this the end for on-premise data centres?
Gartner predicts that by 2025, 80% of enterprises will have shut down their traditional data centres, versus 10% today. But, is it as clear cut as that?
Traditionally when new applications were requested by the force, IT departments would consider how they could deploy the application using their in-house architecture. This strategy has worked well for many years, whereby the goal was to deliver the application to the Force’s own end users. But as the workforce has now become more agile and the need for collaboration with other agencies grows, it drives the need to change the strategy and ask, ‘how can we deploy this so that we can easily access it from anywhere and share the information stored with others if we need to?’. Decisions now need to be less architecture driven and more about the needs for the services that are being delivered.
Cloud doesn’t have to be an all or nothing proposition – don’t let the one size fits all message fool you. Just because someone recommends a particular cloud service it doesn’t necessarily mean it is suitable for your particular workload. Not every Public cloud fits every IT function. Planning around objectives and consideration of things like low latency and high bandwidth traffic needs to take place when designing a cloud migration strategy. Hence the need for an experienced, qualified partner who will provide a comprehensive, overall assessment before further engaging with your team on creation of a mobilisation and migration plan.
Cloud computing is no longer the novel concept it once was; it is a well-established, proven mainstream technology with many benefits, and as operating models shift and demands increase, Policing should recognise cloud as a more effective method of delivering applications, software and data to those that need it.
It’s now widely regarded as inevitable that in time Gartner’s prediction will come to pass, but whether it is optimistic to think that it will occur within the next 4 years remains to be seen.
FIND OUT MORE ABOUT HOW WE CAN HELP
“POLICING’S FUTURE IS IN THE CLOUDS” is the 2nd in our series of blogs on how tech can help the Police. Read the first blog in the series “Legacy Application Interoperability & Integration in the Police Force” now.
In today’s digital landscape, businesses are transforming to cloud computing to increase efficiency, reduce costs and scale up their operations for the future. While many companies opt for one type of cloud solution, either a full public or private cloud solution, some opt for a hybrid one to meet their business goals.
The benefits of a hybrid cloud solution are obvious:
Flexibility – You can choose where to run a workload based on the specific needs of each application. Therefore, this enables you to respond quickly to your business’s dynamic changes.
Scalability – This enables you to scale up your business without the need for a massive investment in cloud infrastructure.
Improved security – You can keep sensitive data on a private cloud while still sending it to the public cloud used by the application when needed, enhancing security and compliance. Regulated industries find this especially useful.
But what about other complexities and security challenges?
According to CSO Online, “The Cloud Security Alliance (CSA), an organisation that defines standards, certifications and best practices to help ensure a secure cloud computing environment, cited misconfiguration and inadequate change control, as well as limited cloud usage visibility as being among the top three threats to cloud computing in 2020.” How much more so 3 years on!
Here are some concerns about adopting a hybrid cloud solution:
Complex security
When a company uses a hybrid model, the approach to security and management can become complex. Without a proper procedure tracking the use of services, the ability to access data will gradually reduce over time. A complicated system can create many loopholes and security issues which means the probability of a data leakage caused by an error or misconfiguration will increase.
Lack of appropriate skill set
There is also a knowledge gap. Yours will be one of many companies that have seen their cloud initiatives proliferate beyond initial expectations. This will cause a drastic shortage of cybersecurity resources. Finding the right personnel to manage the existing environment and develop a new one is challenging.
Network connectivity breaks
What about the foundation of any company’s IT solution – the network? Connectivity between public and private clouds in a hybrid cloud framework is essential. Even one mistake in the overall network architecture could lead to the disruption of cloud services.
Why do banks opt for a hybrid cloud solution?
The hybrid cloud solution has become increasingly popular in the banking industry. A survey from IDC reported that 83% of banks surveyed use public and private cloud platforms. Bank of America has collaborated with IBM Cloud to develop a hybrid cloud solution offering the same level of security and economics as their private cloud with enhanced scalability, and Banco Santander has partnered with Microsoft Azure to extend their cloud capabilities, driving the creation of new cloud applications and developing innovative banking solutions. By adopting a reliable hybrid cloud solution, they can host some applications and workloads on the public cloud while securing sensitive data.
Conclusion
A hybrid cloud solution incorporates the advantages of public and private cloud solutions. Companies can manage costs with more flexibility and quickly scale up their business. Despite concerns about adopting a hybrid cloud solution, an increasing number of banks are trying to overcome these hurdles, developing innovative solutions and enhancing customer experience in the new digital era.
How CACI can help
We have highly skilled specialists with over 25 years of experience delivering a wide range of cloud strategies aligned with our client’s business goals. We are trusted by some of the world’s most successful companies in financial services, telecommunications, utilities and government.
In order to offer the best-fit solution for you, we partner with a group of top-tier technology and service providers rather than being tied to just one. So, if you want impartial, professional advice on hybrid cloud solutions, we’re happy to help.
Notes:
[1] IDC Perspective: Banking on the Cloud: Results from the 2022 CloudPath Survey
[2] Santander partners with Microsoft as a preferred strategic cloud provider to enable the bank’s digital transformation
[3] IBM and Bank of America Advance IBM Cloud for Financial Services, BNP Paribas Joins as Anchor Client in Europe – Jul 22, 2020
Looking to work with an IT outsourcing provider? Finding the right partner to deliver your requirements can be a tricky and time-consuming process. But, done right, a successful outsourcing relationship can bring long-term strategic benefits to your business. We asked our experts to share their top tips on how to find the right IT outsourcing partner.
Evaluate capabilities
Having the right expertise is the obvious and most essential criterion, so defining your requirements and expectations is the best way to start your search.
When it comes to narrowing down your vendor choices, it’s important to consider the maturity of an organisation as well as technical capabilities. “The risk of working with a small, specialised provider is that they may struggle to keep a handle on your project,” warns Brian Robertson, Resource Manager at CACI. Conversely, a larger organisation may have the expertise, but not the personal approach you’re looking for in a partner. “Always look for a provider that demonstrates a desire to get to the root of your business’s challenges and can outline potential solutions,” Brian advises.
Find evidence of experience
Typically, working with an outsourcing provider that has accumulated experience over many years is a safe bet; however, Daniel Oosthuizen, Senior Vice President of CACI Network Services, recommends ensuring that your prospective outsourcing provider has experience that is relevant to your business, “When you bring in an outsourcing partner, you want them to hit the ground running, not spending weeks and months onboarding them into your world.” Daniel adds, “This becomes more apparent if you work in a regulated industry, such as banking or financial services, where it’s essential that your provider can guarantee compliance with regulatory obligations as well as your internal policies.”
So, how can you trust a provider has the experience you’re looking for? Of course the provider’s website, case studies, and testimonials are a good place to start, but Daniel recommends interrogating a vendor’s credentials directly, “A successful outsourcing relationship hinges on trust, so it’s important to get a sense of a vendor’s credibility early on. For example, can they demonstrate an in-depth knowledge of your sector? Can they share any details about whom they currently partner with? And can they confidently talk you through projects they’ve completed that are similar to yours?”
Consider cultural compatibility
“When it comes to building a strong, strategic and successful outsourcing partnership, there’s no greater foundation than mutual respect and understanding,” says Brian. Evaluating a potential provider’s approach and attitudes against your business’s culture and core values is another critical step in your vetting process. As Daniel says, “If you share the same values, it will be much easier to implement a seamless relationship between your business and your outsourcing partner, making day-to-day management, communication and even conflict resolution more effective and efficient”.
While checking a company’s website can give you some insight into your prospective provider’s values, it’s also worth finding out how long they’ve held partnerships with other clients, as that can indicate whether they can maintain partnerships for the long-term.
However, Daniel says, “The best way to test if a provider has partnership potential is to go and meet them. Get a feel for the team atmosphere, how they approach conversations about your challenges, and how their values translate in their outsourcing relationships.” Brian adds, “Your vision and values are what drive your business forward, so it’s essential that these components are aligned with your outsourcing provider to gain maximum value from the relationship.”
Assess process and tools
Once you’ve determined a potential outsourcing provider’s level of experience and expertise, it’s important to gain an understanding of how they will design and deliver a solution to meet your business’s needs. “It’s always worth investigating what tech and tools an outsourcing provider has at their disposal and whether they are limited by manufacturer agreements. For example, at CACI, our vendor-agnostic approach means we’re not tied to a particular manufacturer, giving us the flexibility to find the right solution to meet our clients’ needs,” Daniel explains.
Speaking of flexibility, determining the agility of your potential outsourcing provider’s approach should play a role in your selection process. “There’s always potential for things to change, particularly when delivering a transformation project over several years,” says Brian, adding “that’s why it’s so important to find a partner that can easily scale their solutions up or down, ensuring that you’ve always got the support you need to succeed.”
Determine quality standards
Determining the quality of a new outsourcing partner’s work before you’ve worked with them can be difficult, but there are some clues that can indicate whether a vendor’s quality standards are in line with your expectations, says Daniel, “A good outsourcing partner will be committed to adding value at every step of your project, so get details on their method and frequency of capturing feedback, whether the goals they set are realistic and achievable, and how they manage resource allocation on projects.”
Brian also recommends quizzing outsourcing providers about their recruitment and hiring process to ensure that you’ll be gaining access to reliable and skilled experts, “It’s easy for an outsourcing provider to say they have the best people, so it’s important to probe a little deeper. How experienced are their experts? How are they ensuring their talent is keeping up to date? What is their process for vetting new candidates? All these questions will help to gain an insight into an outsourcing provider’s quality bar – and whether it’s up to your standard.”
Assess value for money
For most IT leaders, cost is one of the most decisive factors when engaging any service; however, when looking for an IT outsourcing partner, it’s critical to consider more than just a provider’s pricing model. “Contractual comprehensiveness and flexibility should always be taken into account,” says Brian. “A contract that is vague can result in ‘scope creep’ and unexpected costs, while a rigid contract can tie businesses into a partnership that’s not adding value.” He adds, “Ultimately, it comes down to attitude, a good outsourcing provider can quickly become a great business partner when they go the extra mile.”
Daniel agrees and advises that IT leaders take a holistic view when weighing up potential outsourcing partners, “Look beyond your initial project, or resource requirements and consider where your business is heading and whether your shortlisted providers can bring in the skills and services you need. After all, a truly successful outsourcing partnership is one that can be relied on for the long haul.”
Looking for an outsourcing partner to help with your network operations? Contact our expert team today.
Demand for cloud-based offerings has accelerated due to the COVID-19 pandemic, with the importance of flexibility and agility now being realised. Without adapting, businesses risk being left behind, but what are the benefits and how do you know if it’s the right solution for you?
We shared the key advantages of cloud adoption and challenges in cloud security in our previous blogs.
In our final article in this series of blogs, we share the key steps to strengthen your organisation’s cloud security.
As more businesses adopt cloud technology, primarily to support hybrid working, cybercriminals are focusing their tactics on exploiting vulnerable cloud environments. Last year, a report found that 98% of companies experienced at least one cloud data breach in the past 18 months, up from 79% in 2020. Of those surveyed, a shocking 67% reported three or more incidents.
This issue has been exacerbated by soaring global demand for tech talent. According to a recent survey, over 40% of IT decision-makers admitted to their business having a cyber security skills gap.
It’s a vulnerable time for enterprise organisations, and cloud security is the top priority for IT leaders. Here we consider the critical steps you can take now to make your business safer.
1. Understand your shared responsibility model
Defining and establishing the split of security responsibilities between an organisation and its CSP is one of the first steps in creating a successful cloud security strategy. Taking this action will provide more precise direction for your teams and mean that your apps, security, network, and compliance teams all have a say in your security approach. This helps to ensure that your security approach considers all angles.
2. Create a data governance framework
Once you’ve defined responsibilities, it’s time to set the rules. Establishing a clear data governance framework that defines who controls data assets and how data is used will provide a streamlined approach to managing and protecting information. However, setting the rules is one thing; ensuring they’re carefully followed is another – employing content control tools and role-based access controls to enforce this framework will help safeguard company data. Ensure your framework is built on a solid foundation by engaging your senior management early in your policy planning. With their input, influence, and understanding of the importance of cloud security, you’ll be better equipped to ensure compliance across your business.
3. Opt to automate
In an increasingly hostile threat environment, in-house IT teams are under pressure to manage high numbers of security alerts. But it doesn’t have to be this way. Automating security processes such as cybersecurity monitoring, threat intelligence collection, and vendor risk assessments reduces admin errors and means your team can spend less time analysing every potential threat and more time on innovation and growth activities.
4. Assess and address your knowledge gaps
Your users can either provide a strong line of defence or open the door to cyber-attacks. Make sure it’s the former by equipping the staff and stakeholders that access your cloud systems with the knowledge and tools they need to conduct safe practices, for example, by providing training on identifying malware and phishing emails.
For more advanced users of your cloud systems, take the time to review capability and experience gaps and consider where upskilling or outsourcing is required to keep your cloud environments safe.
5. Consider adopting a zero-trust model
Based on the principle of ‘Never Trust, Always Verify’, a zero-trust approach removes the assumption of trust from the security architecture by requiring authentication for every action, user, and device. Adopting a zero-trust model means always assuming that there’s a breach and securing all access to systems using multi-factor authentication and least privilege.
In addition to improving resilience and security posture, a zero-trust approach can also benefit businesses by enhancing user experiences via Single Sign-On (SSO) enablement, allowing better collaboration between organisations, and increasing visibility of your user devices and services. However, not all organisations can accommodate a zero-trust approach. Incompatibility with legacy systems, cost, disruption, and vendor lock-in must be balanced with the security advantages of zero-trust adoption.
6. Perform an in-depth cloud security assessment
Ultimately, the best way to bolster your cloud security is to perform a thorough cloud security audit. Having a clear view of your cloud environments, users, security capabilities, and inadequacies will allow you to take the best course of action to protect your business.
7. Bolster your defences
The most crucial principle of cloud security is that it’s an ongoing process and continuous monitoring is key to keeping your cloud secure. However, in an ever-evolving threat environment, IT and infosec professionals are under increasing pressure to stay ahead of cybercriminals’ sophisticated tactics.
A robust threat monitoring solution can help ease this pressure and bolster your security defence. Threat monitoring works by continuously collecting, collating, and evaluating security data from your network sensors, appliances, and endpoint agents to identify patterns indicative of threats. Because threat monitoring analyses this data alongside contextual factors such as IP addresses and URLs, its threat alerts are more accurate. Additionally, traditionally hard-to-detect threats such as unauthorised internal accounts can be identified.
Businesses can employ myriad options for threat monitoring, from data protection platforms with threat monitoring capabilities to a dedicated threat monitoring solution. However, while implementing threat monitoring is a crucial and necessary step to securing your cloud environments, IT leaders must recognise that a robust security program comprises a multi-layered approach utilising technology, tools, people, and processes.
Get your cloud security assessment checklist and the best cloud security strategies in our comprehensive guide to cloud security.
We shared the key advantages of cloud adoption in our previous blog. This time around, we identify the biggest challenges of cloud security.
Cloud adoption has become increasingly important in the last two years, as businesses responded to the COVID-19 pandemic. Yet, a 2020 survey reported that cloud security was the biggest challenge to cloud adoption for 83% of businesses. [1]
As cybercriminals increasingly target cloud environments, the pressure is on for IT leaders to protect their businesses. Here, we explore the most pressing threats to cloud security you should take note of.
1. Limited visibility
The traditionally used tools for gaining complete network visibility are ineffective for cloud environments as cloud-based resources are located outside the corporate network and run on infrastructure the company doesn’t own. Further, most organisations lack a complete view of their cloud footprint. You can’t protect what you can’t see, so having a handle on the entirety of your cloud estate is crucial.
2. Lack of cloud security architecture and strategy
The rush to migrate data and systems to the cloud meant that organisations were operational before thoroughly assessing and mitigating the new threats they’d been exposed to. The result is that robust security systems and strategies are not in place to protect infrastructure.
3. Unclear accountability
Pre-cloud, security was firmly in the hands of security teams. But in public and hybrid cloud settings, responsibility for cloud security is split between cloud service providers and users, with responsibility for security tasks differing depending on the cloud service model and provider. Without a standard shared responsibility model, addressing vulnerabilities effectively is challenging as businesses struggle to grapple with their responsibilities.
In a recent survey of IT leaders, 84% of UK respondents admitted that their organisation struggles to draw a clear line between their responsibility for cloud security and their cloud service provider’s responsibility for security. [2]
4. Misconfigured cloud services
Misconfiguration of cloud services can cause data to be publicly exposed, manipulated, or even deleted. It occurs when a user or admin fails to set up a cloud platform’s security settings properly. For example, keeping default security and access management settings for sensitive data, giving unauthorised individuals access, or leaving confidential data accessible without authorisation are all common misconfigurations. Human error is always a risk, but it can be easily mitigated with the right processes.
5. Data loss
Data loss is one of the most complex risks to predict, so taking steps to protect against it is vital. The most common types of data loss are:
Data alteration – when data is changed and cannot be reverted to the previous state.
Storage outage – access to data is lost due to issues with your cloud service provider.
Loss of authorisation – when information is inaccessible due to a lack of encryption keys or other credentials.
Data deletion – data is accidentally or purposefully erased, and no backups are available to restore information.
While regular backups will help avoid data loss, backing up large amounts of company data can be costly and complicated. Nonetheless, 304.7 million ransomware attacks were conducted globally in the first half of 2021, a 151% increase from the previous year.[3] With ransomware attacks surging, businesses can ill afford to neglect regular data backups.
6. Malware
Malware can take many forms, including DoS (denial of service) attacks, hyperjacking, hypervisor infections, and exploiting live migration. Left undetected, malware can rapidly spread through your system and open doors to even more serious threats. That’s why multiple security layers are required to protect your environment.
7. Insider threats
While images of disgruntled employees may spring to mind, malicious intent is not the most common cause of insider threat security incidents. According to a report published in 2021, 56% of incidents were caused by negligent employees. [4]
Worryingly, the frequency of insider-led incidents is on the rise. The number of threats has jumped by 44% since 2020.[5] It’s also getting more expensive to tackle insider threat issues. Costs have risen from $11.45 million in 2020 to $15.38 million in 2022, a 34% increase. [6]
8. Compliance concerns
While some industries are more regulated, you’ll likely need to know where your data is stored, who has access to it, how it’s being processed, and what you’re doing to protect it. This can become more complicated in the cloud. Further, your cloud provider may be required to hold specific compliance credentials.
Failure to follow the regulations can result in substantial legal, financial and reputational repercussions. Therefore, it’s critical to handle your regulatory requirements, ensure good governance is in place, and keep your business compliant.
9. API Vulnerabilities
Cloud applications typically interact via APIs (application programming interfaces). However, insecure external APIs can provide a gateway, allowing threat actors to launch DoS attacks and code injections to access company data.
In 2020, Gartner predicted API attacks would become the most frequent attack vector by 2022. With a reported 681% growth of API attack traffic in 2021,[7] this prediction has already become a reality. Addressing API vulnerabilities will therefore be a chief priority for IT leaders in 2022 and beyond.
Check out our comprehensive guide to cloud security for more
Notes:
[1] 64 Significant Cloud Computing Statistics for 2022: Usage, Adoption & Challenges
[2] Majority of UK firms say cyber threats are outpacing cloud security
[3] Ransomware attacks in 2021 have already surpassed last year
[4] – [6] Insider Threats Are (Still) on the Rise: 2022 Ponemon Report
[7] Attacks abusing programming APIs grew over 600% in 2021
In the first blog of our Cloud Security series, we explore the key advantages of cloud adoption.
1. Flexibility
Cloud infrastructure is the key to operational agility, allowing you to scale up or down to suit your bandwidth needs. The pay-as-you-go model offered by most cloud service providers (CSPs) also means that you pay for usage rather than a set monthly fee.
2. Reduced cost
Kind to your cash flow, cloud computing cuts out the high hardware cost. Not to mention the cost-savings of reduced resources, lower energy consumption, and fewer delays.
3. Disaster Recovery
From natural disasters to power outages and software bugs, if your data is backed up in the cloud, it is at a reduced risk of system failure as the servers are typically far from your office locations. You can recover data from anywhere, minimising downtime, by logging into your cloud storage portal over the internet.
4. Accessibility
We’ve all heard that the office is dead. Workers want the ability to work anytime, anywhere. With cloud (and an internet connection), they can.
5. Greater collaboration
Cloud infrastructure makes collaboration a simple process. The cloud can drastically improve workplace productivity, from online video calls to sharing files and co-authoring documents in real-time. These cloud-native applications are designed to make our lives more efficient through greater collaboration.
6. Strategic value
Ultimately, businesses that have adopted the cloud typically experience greater cost efficiencies, faster speed to market, and enhanced service levels. Adopting the cloud not only reimagines business models and builds resilience but also enables organisations to be agile and innovative, for example, by adopting DevOps methodologies, which can prove to be an essential element for businesses looking to get ahead of their competitors.
But what about security? A 2020 survey reported that cloud security was the biggest challenge to cloud adoption for 83% of businesses.[1] While the pandemic accelerated cloud adoption, rushed application and the resulting lacklustre security have only intensified security concerns as cybercriminals increasingly target cloud environments.
Check out our comprehensive guide to cloud security for more information.
Note:
[1] 64 Significant Cloud Computing Statistics for 2022: Usage, Adoption & Challenges
From entering new markets to growing market share, mergers and acquisitions (M&As) can bring big business benefits. However, making the decision to acquire or merge is the easy part of the process. What comes next is likely to bring disruption and difficulty. In research reported by the Harvard Business Review, the failure rate of acquisitions is astonishingly high – between 70 and 90 per cent – with integration issues often highlighted as the most likely cause.
While the impact of M&A affects every element of an organisation, the blending of technical assets and resulting patchwork of IT systems can present significant technical challenges for IT leaders. Here, we explore the most common problems and how to navigate them to achieve a smooth and successful IT transition.
Get the full picture
Mapping the route of your IT transition is crucial to keeping your team focused throughout the process. But you need to be clear about your starting point. That’s why conducting a census of the entire IT infrastructure – from hardware and software to network systems, as well as enterprise and corporate platforms – should be the first step in your IT transition.
Gather requirements & identify gaps
Knowing what you’ve got is the first step, knowing what you haven’t is the next. Technology underpins every element of your business, so you should examine each corporate function and business unit through an IT lens. What services impact each function? How will an integration impact them? What opportunities are there to optimise? Finding the answers to these questions will help you to identify and address your most glaring gaps.
Seize opportunities to modernise
M&A provide the opportunity for IT leaders to re-evaluate and update their environments, so it’s important to look at where you can modernise rather than merge. This will ensure you gain maximum value from the process. For example, shifting to cloud infrastructure can enable your in-house team to focus on performance optimisation whilst also achieving cost savings and enhanced security. Similarly, automating routine or manual tasks using AI or machine learning can ease the burden on overwhelmed IT teams.
Implement strong governance
If you’re fusing two IT departments, you need to embed good governance early on. Start by assessing your current GRC (Governance, Risk and Compliance) maturity. A holistic view will enable you to target gaps effectively and ensure greater transparency of your processes. In addition to bringing certainty and consistency across your team, taking this crucial step will also help you to tackle any compliance and security shortfalls that may result from merging with the acquired business.
Clean up your data
Managing data migration can be a complex process during a merger and acquisition. It’s likely that data will be scattered across various systems, services, and applications. Duplicate data may also be an issue. This makes it difficult to gain an updated single customer view, limiting your ability to track sales and marketing effectiveness. The lack of visibility can also have a negative impact on customer experience. For example, having two disparate CRM systems may result in two sales representatives contacting a single customer, causing frustration and portraying your organisation as disorganised. There’s also a significant financial and reputational risk if data from the merged business isn’t managed securely. With all this in mind, it’s clear that developing an effective strategy and management process should be a key step in planning your IT transition.
Lead with communication
Change can be scary, and uncertainty is the enemy of productivity. That’s why communication is key to a successful merger and acquisition. Ensuring a frequent flow of information can help to combat this. However, IT leaders should also be mindful of creating opportunities for employees to share ideas and concerns.
If you are merging two IT departments, it is important to understand the cultural differences of the two businesses and where issues may arise. This will help you to develop an effective strategy for bringing the two teams together. Championing collaboration and knowledge sharing will also go a long way to helping you achieve the goal of the M&A process – a better, stronger, more cohesive business.
How we can help
From assessing your existing IT infrastructure to cloud migration, data management and driving efficiencies through automation, we can support you at every step of your IT transition.
Transitioning your IT following M&A? Contact our expert team today.
The introduction of The Telecommunications (Security) Act into UK law late last year marked the arrival of a new era of security for the telecommunications sector, where everyone – from executive to employee – is responsible for protecting the UK’s critical network infrastructure against cyber attacks.
However, embedding a security-conscious culture from top to bottom requires significant resource and expertise to steer towards success. With the clock already counting down, telecommunications providers are under pressure to begin their TSR compliance journey whilst ensuring that existing change programmes stay on track. Here, we outline the key considerations for communications leaders looking to navigate the obstacles and make the most of the opportunities that lie ahead.
Clear visibility is critical
Protecting your network, applications and data has never been more critical. However, blind spots, missing data, and the risk of dropped packets make management and protection of these challenging, not to mention the scale and complexity of many providers’ hybrid network infrastructure. Nonetheless, providers must ensure they are able to monitor security across the entirety of their network and can act quickly when issues arise.
Security and service quality will need to be carefully balanced
Whilst enhancing security is the ultimate goal of the Act, this cannot be at the cost of network performance. Outages themselves can put providers in breach of the regulations.
Security scanners are a key line of defence for network security, helping to identify known vulnerabilities which can be exploited if the correct mitigation steps aren’t followed, so ensuring you have a robust vulnerability management process is critical. Incorporating the right vulnerability scanning tools and following the required change management processes to correctly implement tools will help to secure your network whilst minimising any potential performance impact to your existing infrastructure or service outages.
Auditing abilities are a new superpower
Demonstrating compliance with the new legislation may pose a significant challenge to providers, particularly as they attempt to flow down security standards and audit requirements into the supply chain. However, implementation of robust auditing processes to identify and eliminate weaknesses and vulnerabilities is a must for keeping providers on the right side of the regulations.
Knowledge is power
With any significant legislative change comes a period of uncertainty as businesses adapt, so getting to grips with the new regulations ahead of the game is key. Many providers have already begun the search for talent with the technical skills and experience to deliver their TSR programmes; however, with the jobs market at boiling point, some providers may find utilising external partnerships provides a more practical route to successful delivery as well as a means to upskill and educate internal teams.
You’ll be tested
In 2019, OFCOM took over TBEST – the intelligence-led penetration testing scheme – from DCMS and has been working with select providers on implementation of the scheme. Whether through TBEST or not, providers will be expected to carry out tests that are as close to ‘real life’ attacks as possible. The difficulty will be in satisfying the requirement that “the manner in which the tests are to be carried out is not made known to the persons involved in identifying and responding to security compromises.”[1] Providers may need to work with an independent vendor to ensure compliant testing.
Costs are still unclear
While the costs for complying with the new regulations are still undetermined, an earlier impact assessment of the proposed legislation carried out by the government indicated that initial costs are likely to be hefty: “Feedback from bilateral discussions with Tier 1 operators have indicated that the costs of implementing the NCSC TSR would be significant. The scale of these costs is likely to differ by size of operator and could be of the scale of over £10 million in one off costs.”[2]
Culture may challenge change
Technology will, of course, be at the forefront of communications leaders’ minds, yet the cultural changes required to successfully embed a security-first mindset are of equal importance and must be considered in equal measure. Change is never easy, particularly when there is a fixed deadline in place; however, delivery that is well-designed and meticulously planned is key. Ultimately, the onus will be on leaders to craft a clear vision – achieving network security that is intrinsic by design – as well as mapping out the road to get there.
Looking for more information about TSR? Download The impact and opportunities of the Telecoms Security Requirements report.
[1] The Electronic Communications (Security Measures) Regulations 2021 [draft]
[2] The Telecommunications Security Bill 2020: The Telecoms Security legislation