Governments must keep citizens’ data secure. As the cloud has matured and understanding increased, organisations in sectors ranging from defence to international finance recognise that their data is more secure in the cloud than in on-premises data centres.

Organisations typically measure their security in three ways: confidentiality, integrity and availability. These are known in a traditional security risk management context as the CIA Triad:

1. Confidentiality – the data can be viewed only by authorised people
2. Integrity – the data cannot be altered or deleted
3. Availability – it must be accessible when it’s needed

The cloud deals with all three requirements better than on-premises data storage.

“The thing people worry about most is that somebody else can see it, and should not be able to see it, and then do something bad with it – such as delete it,” explains Alex Meek-Holmes. “It’s important at a base level to be able to know what you have in order to secure it.”

Good data classification can help with that: It determines what you have and where it is, and makes sure that it’s properly labelled. It also controls who has access. With the cloud it’s simpler to know what you have and what you need to secure. Once you have visibility it’s simpler to manage and monitor access. For example, AWS Identity and Access Management (IAM) offers granular control of the people and systems that can access cloud resources. Meanwhile, a tool such as AWS CloudTrail monitors and logs activity across the organisation’s infrastructure, which simplifies auditing.

Managing and monitoring can be done on premises, according to Meek-Holmes, but it will increase the burden on the organisation. He explains, “It goes back to configuring things. It can be difficult to deploy new encryption keys to secure your systems; you’re more likely to miss things, particularly if you’re talking about managing the boundaries of your environment. That’s important because there’s no point trying to secure 90 per cent of it and leave 10 percent open.”

Protecting data against threats and intrusions is a central aspect of integrity. Cloud service providers are focussed on securing the data of millions of customers and so they constantly check for threats and intrusions. Richard Price says: “The time between an on-premises environment being breached and that breach being detected and closed out is, on average, nine months.”

Cloud service providers invest billions of dollars in security.. This investment leads to innovations such as the AWS Nitro System, which splits the operations of a computer chip into two so the processes that manage data are separate from those that run the cloud. This secures the data from a range of advanced cyber attacks.

Availability is an aspect of security that may not be the first feature people think about. However, government services need to work 24/7 and you need constant access to data. “If you store data on premises, you sacrifice availability for a perception of control,” explains Meek-Holmes. “There’s a dated view that you have more control because you can see something. In the cloud, data is stored in clusters of data centres, ensuring that it’s still available if there’s a problem with one of them. These are geographically defined because some organisations, such as governments, want to confirm their data is not passed into foreign jurisdictions.”

To illustrate this concept, consider the concept of a Region at AWS. A Region is a cluster of data centres in a physical location. Each group of logical data centres is known as an Availability Zone (AZ). Each AWS Region consists of a minimum of three isolated and physically separate AZs within a geographic area, rather than a single data centre. Each AZ has independent power, cooling and physical security and is connected via redundant, ultra-low-latency networks. This has benefits for high availability and fault tolerance. All traffic between AZs is encrypted. AZs are physically separated by a meaningful distance, many kilometers, from any other AZ, although all are within 100 km (60 miles) of each other.

The customer retains some responsibility for security. In AWS this is known as the shared responsibility model. As the cloud service provider, AWS secures the hardware and software and also ensures that the database and storage are secure. Customers are responsible for configuring their encryption, traffic protection, the applications they run and so on. There are fine-grained tools to control all these features in accordance with your security policies and risk appetite.

Your organisation will still need clear security policies, based on its appetite for risk, and a chief information security officer (CISO). Ideally, there should be somebody at board level who understands cybersecurity. However, Price explains that moving to the cloud significantly improves the quality of security decisions because it improves the quality of information available on which to base such decisions. This ranges from knowledge of threat levels and infrastructure reliability to the capability of your security tools.