
Policing’s future is in the clouds


What is the cloud?

For the uninitiated reading this, what is the cloud?

Well, in its simplest form, the cloud refers to a remote Data Centre, commonly owned and operated by a 3rd party, that is used to host applications and store data that a Force would previously have provided via its own on-premise Data Centre facility.

The cloud is commonly accessed via the internet, meaning any device that has some form of internet connection can access the applications and data that reside there. That device could be a desktop in the station, but it could just as easily be a remote device such as a laptop, mobile or tablet being used out in the field.

Because access is via the internet, it is also far easier to share anything that’s stored in the cloud with other entities, should you wish to do so. Ideal if you want to work collaboratively with other agencies and share data.

Another added benefit is that the cloud hosting provider takes on the responsibility for maintaining the infrastructure on which your data and applications are stored, as well as being responsible for the environment in which it resides.

Cloud services are typically subscription based, which shifts the commercial model from a capital one, where the Force has a large capital outlay relating to procuring and maintaining their own in-house IT provision, to a revenue-based, ‘pay as you go’ model allowing for easier budgeting with no large initial outlay.

Cloud technology also provides the ability to ramp services up and down as needed, meaning the Force only pays for what it needs, typically with a lower overall total cost of ownership.

Cloud First policy

Back in 2013 the Government introduced its “Cloud First” policy. Within it was a recommendation that all Public sector organisations should prioritise the use of cloud when considering new IT solutions, the inference being the public cloud rather than a community, hybrid or private deployment model.

Key to this recommendation was that “Departments should always source a cloud provider that fits their needs, rather than selecting a provider based on recommendation.” I’ll come back to this point later.


The Government stated that, “By exploiting innovations in cloud computing we will transform the public sector ICT estate into one that is agile, cost-effective and environmentally sustainable.”

The benefits of having a cloud-based deployment were clearly evidenced in 2017 following the Manchester terrorist bombing. In the aftermath of the incident, the cloud based HOLMES2 (Home Office Large Major Enquiry System) was used to set up a Casualty Bureau, to support with missing persons, the identification of individuals and logging of evidence. Thanks to being hosted in the cloud, within two hours of the attack, 27 forces were able to utilise the casualty bureau to support one another with mutual aid.

Another cloud native system that will undoubtedly benefit all forces is the much criticised and highly controversial LEDS (Law Enforcement Data Service). LEDS is the Home Office’s new “super-database” for Police. It combines the PNC (Police National Computer) and the PND (Police National Database) into one data source. Although massively over budget and behind schedule, no one doubts the benefits it will bring to Policing. Given the amalgamation of the systems there will be reductions in running costs by supporting a single, far more efficient system.

Police will have access to a much broader set of information, which should help in speeding up the identification of persons of interest. LEDS is to be hosted on the commodity cloud service within Amazon Web Services (AWS). This will widen the scope beyond policing in terms of organisations able to obtain access, such as the DVLA, Financial Conduct Authority, Highways England, Competition and Markets Authority and the Royal Mail.

Arguably, the cloud-based technology that has had the biggest positive impact of late is Microsoft’s 365 Productivity Services suite, being rolled out to Forces as part of the National Enablement Programme. The national lockdown imposed to combat the Covid 19 pandemic added an additional level of complexity to Policing.

Whilst most things ground to a halt, criminal activity continued and so did the need to police it. By using the collaboration tools that are offered as part of the productivity suite, Forces were able to continue to operate using a virtual environment, allowing employees to come together whatever and wherever their location.

Given the exhortations of the Government and the evidential benefits of adopting cloud technology, does that mean all Forces have rushed to go ‘all-in’ pushing all their Applications and data into the cloud in haste?

The short answer is no. Despite the numerous benefits to adopting a cloud first approach, as recently as 2 years ago, reports suggested that as many as 75% of all Forces still accessed and managed their data and applications on premise. So, the big question is why?

Barriers to adoption: security concerns

Understandably, Police, by the very nature of the job they do, are quite anxious when it comes to re-housing their applications and data. A good percentage of the work is sensitive and needs guaranteed security. As you would imagine, most forces were initially very sceptical that the cloud could offer the same level of security as that provided in their own on-premise data centres. Surely no-one would be as concerned about the security of Police IT as the Police themselves.

When we talk about security in this instance, it usually relates to the need to ensure that everything belonging to the force is protected from a potential data security breach. When you have been responsible for security for so long it is hard to share that responsibility with someone else and have the confidence that they will look after things as well as you do. It is also unnerving when your security is no longer fully reliant on the tangible devices sitting in your data centre, that you can see and touch with a reassurance that everything is ticking along as it should be.

In a traditional on-premise solution, IT teams must manage and maintain security at every single location and for every single application. When it comes to Public Cloud, providers don’t have visibility of where or what the ultimate endpoint is, therefore all security has to be centralised and unified, able to cater for all possibilities. This unified security approach means you may end up with access to more security than you currently have employed on premise.

Let’s just for a moment take a look at cloud security:

  • Security is now a shared responsibility with the cloud vendor, meaning there is less of a burden on your IT teams and your finances.
  • Updates and patches no longer have to be resourced and scheduled in by the IT team, instead being applied in a timely fashion.
  • Cloud security is highly automated, meaning a reduced need for human intervention and less opportunity for errors.
  • As security is centralised there are fewer boundaries in relation to possible end points.
  • Cloud security may offer more specialised and robust options that would probably otherwise be unavailable due to cost.
  • Although public cloud involves trust of a 3rd party, they are generally experts in their field and are focussed purely on security and nothing else.
  • Cloud providers are now compliant with necessary regulation, meaning you can rest assured they are using best practices.

Over the last few years billions of pounds have been invested by Public cloud vendors to provide efficient data security. So much so, that cloud security arguably provides better protection than that offered by a lot of on-premise facilities.

Most of the major vendors are compliant with the Home Office’s National Police Information Risk Management Team (NPIRT) requirements, meaning cloud services can now support Police Forces across the UK who require Police-Assured Secure Facilities (PASF) to process and store their data in the cloud.

A big indicator of shifting attitudes around security is the recent decision by the Defence Digital Service (DDS), a new group in the Ministry of Defence (MOD), to shift its data for its Readiness Reporting and Deployability Discovery (R2-D2) project to a public cloud.

Phil Jones from ISS (MOD’s Information Systems & Services) stated that Public Cloud is being used by several operations and projects within the MOD to identify how new services and capabilities can be delivered to Defence. Teams are able to access accounts to the Public Cloud offerings provided by Amazon Web Services (AWS) and Microsoft Azure – this provides teams with freedom to evolve their own Services that take advantage of industry leading capabilities.

Barriers to adoption: culture

Culture was cited as being another barrier to adoption. Historically, Forces have been quite parochial in their nature, very much with a sense of “This is how we’ve always done things!” or “We’ll wait and watch what everyone else does first before we decide.” This mentality has left forces lagging behind the criminals they are trying to outwit (who, conversely, have exploited this new technology in advanced and innovative ways, making their criminal activities far more complex and difficult to untangle).

However, police culture is changing thanks to the everyday use of cloud in our personal lives. Barely a day goes by where we don’t perform some kind of interaction with cloud-based technology, passing data back and forth between applications and allowing us to do things on the move using our mobile devices, such as ordering food, making appointments and booking holidays, remember them?! We even trust the cloud to store our most precious memories in the form of photos and videos.

So, if security concerns have now been addressed and cultural views are changing, then what else is slowing mass adoption?

For those of you that read my last blog, you’ll already know the answer. However, for those that didn’t, go and read it! But in the meantime, the answer relates to the fact that a lot of forces maintain a large number of legacy applications that were never designed for the cloud and don’t easily lend themselves to being migrated on to one.

However, the aforementioned blog provides an indication as to how we at CACI can help forces overcome this obstacle.

Which cloud is the best?

If all barriers have been overcome and the decision has been made to adopt the cloud, how do you then go about deciding which cloud is best for you?

Let me try and explain by use of an analogy; when your child reaches a certain age there comes the time you want them to spread their wings and leave the family nest. Do you quickly find the first available cheap premise you can and proceed to move your loved one into it as quickly as possible? Then as each successive child reaches that same stage, find a similar property to the first and do the same again? Maybe you do!

But in all seriousness, most of us would probably seek the services of some form of an Estate or Letting Agent, someone with full knowledge of what’s available in the market that best suits your little treasure’s wants and needs, relying on the Agent to advise and suggest viable options before carefully choosing the best property available to them.

Well, a similar approach should be applied when adopting a cloud strategy. Do you find the first cheap, hosted environment available and proceed to throw all your applications and data into it? Again, maybe you do, and I know some have, to their regret.

But the smart option is to seek the services of an experienced, qualified cloud migration partner, someone who has thorough knowledge of the market and an ability to provide the best advice on the optimum solution for your organisation. A partner that will consider your differing workloads and what you need to achieve and design a strategy around a perfect hybrid of available cloud resource.

Here, now and the future

So with the many benefits the cloud brings: accessibility, affordability, removal of a maintenance burden, better levels of security, increased speed of deployment and rapid scalability, as well as the Government pushing its ‘Cloud First’ strategy, is this the end for on-premise data centres?

Gartner predicts that by 2025, 80% of enterprises will have shut down their traditional data centres, versus 10% today. But is it as clear cut as that?

Traditionally when new applications were requested by the force, IT departments would consider how they could deploy the application using their in-house architecture. This strategy has worked well for many years, whereby the goal was to deliver the application to the Force’s own end users.

But as the workforce has now become more agile and the need for collaboration with other agencies grows, it drives the need to change the strategy and ask, ‘how can we deploy this so that we can easily access it from anywhere and share the information stored with others if we need to?’. Decisions now need to be less architecture driven and more about the needs for the services that are being delivered.

Cloud doesn’t have to be an all or nothing proposition – don’t let the one size fits all message fool you. Just because someone recommends a particular cloud service it doesn’t necessarily mean it is suitable for your particular workload.

Not every Public cloud fits every IT function. Planning around objectives and consideration of things like low latency and high bandwidth traffic needs to take place when designing a cloud migration strategy. Hence the need for an experienced, qualified partner who will provide a comprehensive, overall assessment before further engaging with your team on creation of a mobilisation and migration plan.

Cloud computing is no longer the novel concept it once was. It is a well-established, proven mainstream technology with many benefits and, as operating models shift and demands increase, Policing should recognise cloud as a more effective method of delivering applications, software and data to those that need it.

It’s now widely regarded as inevitable that in time Gartner’s prediction will come to pass, but whether it is optimistic to think that it will occur within the next 4 years remains to be seen.

Find out more about how we can help

“Policing’s future is in the cloud” is the 2nd in our series of blogs on how tech can help the Police. Read the first blog in the series “Legacy Application Interoperability & Integration in the Police Force” now.

7 key things you need to know about the Telecoms (Security) Act


The introduction of The Telecommunications (Security) Act into UK law late last year marked the arrival of a new era of security for the telecommunications sector, where everyone – from executive to employee – is responsible for protecting the UK’s critical network infrastructure against cyber attacks.

However, embedding a security conscious culture from top to bottom requires significant resource and expertise to steer towards success. With the clock already counting down, telecommunications providers are under pressure to begin their TSR compliance journey whilst ensuring that existing change programmes stay on track.

Here, we set out the key considerations for communications leaders to ensure successful navigation and utilisation of the obstacles and opportunities that lie ahead.

Clear visibility is critical

Protecting your network, applications and data has never been more critical. However, blind spots, missing data and the risk of dropped packets make managing and protecting them challenging, not to mention the scale and complexity of many providers’ hybrid network infrastructure.

Nonetheless, providers must ensure they are able to monitor security across the entirety of their network and can act quickly when issues arise.

Security and service quality will need to be carefully balanced

Whilst enhancing security is the ultimate goal of the Act, this cannot be at the cost of network performance. Outages themselves can put providers in breach of the regulations.

Security scanners are a key line of defence for network security, helping to identify known vulnerabilities which can be exploited if the correct mitigation steps aren’t followed, so ensuring you have a robust vulnerability management process is critical.

Incorporating the right vulnerability scanning tools, and following the required change management processes to implement them correctly, will help to secure your network whilst minimising any potential performance impact on your existing infrastructure and any service outages.

Auditing abilities are a new superpower

Demonstrating compliance with the new legislation may pose a significant challenge to providers, particularly as they attempt to flow down security standards and audit requirements into the supply chain.

However, implementation of robust auditing processes to identify and eliminate weaknesses and vulnerabilities is a must for keeping providers on the right side of the regulations.

Knowledge is power

With any significant legislative change comes a period of uncertainty as businesses adapt, so getting to grips with the new regulations ahead of the game is key.

Many providers have already begun the search for talent with the technical skills and experience to deliver their TSR programmes; however, with the jobs market at boiling point, some providers may find utilising external partnerships provides a more practical route to successful delivery as well as a means to upskill and educate internal teams.

You’ll be tested

In 2019, OFCOM took over TBEST – the intelligence-led penetration testing scheme – from DCMS and has been working with select providers on implementation of the scheme.

Whether through TBEST or not, providers will be expected to carry out tests that are as close to ‘real life’ attacks as possible. The difficulty will be in satisfying the requirement that “the manner in which the tests are to be carried out is not made known to the persons involved in identifying and responding to security compromises.”[1] Providers may need to work with an independent vendor to ensure compliant testing.

Costs are still unclear

While the costs for complying with the new regulations are still undetermined, an earlier impact assessment of the proposed legislation carried out by the government indicated that initial costs are likely to be hefty: “Feedback from bilateral discussions with Tier 1 operators have indicated that the costs of implementing the NCSC TSR would be significant. The scale of these costs is likely to differ by size of operator and could be of the scale of over £10 million in one off costs.”[2]

Culture may challenge change

Technology will, of course, be at the forefront of communications leaders’ minds, yet the cultural changes required to successfully embed a security-first mindset are of equal importance and must be considered in equal measure. Change is never easy, particularly when there is a fixed deadline in place; however, delivery that is well-designed and meticulously planned is key.

Ultimately, the onus will be on leaders to craft a clear vision – achieving network security that is intrinsic by design – as well as mapping out the road to get there.

Looking for more information about TSR? Download The impact and opportunities of the Telecoms Security Requirements report.

[1] The Electronic Communications (Security Measures) Regulations 2021 [draft]

[2] The Telecommunications Security Bill 2020: The Telecoms Security legislation

The five hallmarks of a great Life Cycle Management (LCM) strategy in Financial Services


As more organisations take advantage of AI, machine learning, and the internet of things (IoT) technology, ensuring network devices and infrastructure are supported, maintained, secured and up to date will be critical. Not least in financial services, where in 2019, US regulators fined Capital One $80 million for a breach of its data.

A well-structured and achievable life cycle management strategy is essential for all organisations, so choosing the right LCM partner can make a huge difference to your operations and free your IT teams to focus on more impactful and innovative activities.

Based on our experience of running multiple large scale LCM programmes within enterprise clients, we have put together 5 core competencies which you should look for when choosing your LCM partner.

Hallmark #1 – They’re quick to react and can deliver at scale

Large infrastructure refresh projects are, by their very nature, time consuming. But while it’s important to do a good job, this shouldn’t come at the expense of project schedules or budgets.

That’s why it’s important to look for an LCM partner that doesn’t just have the right skills, but can also effectively communicate at any level and demonstrate sound planning with outcome-based objectives. In addition, they should also show a proven track record of successful project delivery – at scale, and in a way that adapts to changing requirements.

With the right resources and management, it’s possible to deliver both speed and scale.

Hallmark #2 – They take complete process ownership

Fast-paced, dynamic environments need strong leadership and experienced people to take control. Without them, projects can quickly run over time and budget, and even create more problems than they set out to address.

Your supplier should have the confidence to liaise with not just you, but other suppliers along the chain. They should always be looking at things from a holistic perspective and looking towards creative, collaborative, progressive solutions rather than playing the blame game if there are delays.

An LCM vendor that’s willing to take complete control of your process is usually easy to spot, as they’ll have a track record of going above and beyond their basic requirements. It’s something any trustworthy vendor will be keen to demonstrate from the off.

Diagram showing the Life Cycle Management Process, with 'Dispose', 'Plan', 'Source' and 'Configure' stages of the process shown as relevant icons and arrows showing the correct direction of each stage.

Hallmark #3 – They work in partnership to achieve a shared goal

Rather than a transactional customer-supplier relationship, the best LCM vendors take a collaborative approach that considers the entire project lifecycle. This way, your vendor can better spot time and cost-saving opportunities, and identify and mitigate risks before they impact your operations.

By treating an environment as an end-to-end ecosystem – including working effectively with all your relevant suppliers – your LCM vendor can decide on the best way to replace your infrastructure, while causing the least disruption.

It’s an approach that’s paid dividends for one of our Investment Banking clients. By providing a bridge between the bank’s IT engineers and its physical infrastructure suppliers, we were able to save them £100,000 just by swapping out a single component type.

Hallmark #4 – They focus on communication (but know when to take the initiative)

The biggest roadblock to effective project management is poor vendor communication with you and your suppliers, which can lead to longer project cycles and wasted resources.

It’s a simple concept, but one that far too many LCM vendors get wrong – especially in the Enterprise arena.

By choosing an LCM partner that focuses on multi-stakeholder communication, you can be safe in the knowledge that critical project decisions are being made based on accurate data and facts – supported by previous experience – and communicated to you in a way that keeps you in complete control.

On the flip side, your time is precious, and you don’t always want to be consulted at every stage. So, it’s also important that you trust that your partner has the skills, experience and confidence to make decisions on your behalf where appropriate, and only come to you when necessary.

Diagram showing the stages of the Lifecycle Management Process, with the 'Deploy', 'Maintain', 'Repair' and 'Support' stages shown as relevant icons and arrows indicating the direction of each stage in the lifecycle process

Hallmark #5 – They have significant, demonstrable experience

The key attributes of a great LCM partner are nothing without the right experience. An experienced vendor will be familiar with your goals and able to see your project from a different perspective – offering valuable advice based on their past client successes.

Simply, experience is the driver that can save you time and money, and even help give your devices and infrastructure the longevity to stay reliable and secure well into the future.

LCM should be a partnership, not just a vendor relationship

Technical failure in financial services organisations is simply out of the question. So for many, it can be all too tempting to throw money and resources at a solution.

But the truth is, LCM requires a more nuanced approach, supported by open communication, end-to-end project management, and skilled IT engineers capable of making the right decisions – no matter the size or scope of the project.

At CACI, we pride ourselves on having the agility to help our clients react quickly, supported by the scale to reliably complete projects on time and within budget.

What’s more, our skilled project managers and engineers have decades of experience delivering LCM for some of the world’s biggest financial institutions, so you can be safe in the knowledge your needs are being taken care of.

To find out more about our collaborative approach to life cycle management, take a look at our network services capabilities.