The head of Defence Digital Services has said it has begun to make more use of public cloud services for information rated as OFFICIAL – and urged other teams in the defence sector to take similar steps.
Rich Crowther has outlined three main reasons for the move in a blog post, claiming it provides stronger security for the unit’s workload than is possible using on-premise systems.
He said it has made some of the leading hyperscale cloud services available for others in defence to use. These come with various guard rails and templates to ensure consistent security controls.
One of the three reasons is that security patches can be applied faster in the public cloud.
“In my experience, few organisations in the UK are likely to have the level of engineering scale and expertise to be able to apply security patches as rapidly as a hyperscale cloud provider, and if we don’t patch as quickly as they do at all levels of the stack, our systems are easier to attack,” Crowther said.
Second is that it is easier to deploy security controls at scale, such as a network monitoring tap at every egress point in a system, or checking that the console access to internet-exposed servers is not open outside the organisation. He warned, however, that the downside of this is that any mistakes can also be exaggerated, and it is important to ensure templates and configuration code are well reviewed.
Authorisation and separation
Thirdly, it is possible to authorise everything and implement separation of duties more easily.
“It’s possible to authorise almost any action and keep an audit trail of the authorisation decisions that were made,” he said. “The decision logic for authorisation can take into account a range of parameters, not just who you are or where you’re connecting from, but whether the resource you’re trying to access has specific attributes attached to it via metadata.”
While advocating the use of public cloud for OFFICIAL information, Crowther said that any rated as SECRET or TOP SECRET has to be patched internally or with close industry partners. But focusing on public cloud for OFFICIAL will give teams more time to spend on more classified systems.
“The MODCloud team provides various guard rails and templates to help ensure some consistent security controls are in place across all accounts,” he said. “My team are successfully using these services to process a wide variety of datasets.”
Crowther’s recommendations come a few weeks after the Ministry of Defence agreed on a deal to make Oracle Cloud Infrastructure services available within its MODCloud suite, alongside Microsoft Azure and AWS public cloud offerings.