Like It Or Not … Cloud Storage Is Here To Stay … It Just Has To Be Secured

Sunday Post — 20 Aug 2023

I appreciate journalism is there to stimulate debate and identify things that need to be scrutinised. Good journalism can show two sides of a story but, at other times, it just goes after one side of a story and can fail to inform the readers.

The Move to The Cloud

We need to enhance the way the governments and the public sector look after our data, and the move to the Cloud is often part of this. To me, just because something is stored in the Cloud doesn’t mean that it is any less secure than using an on-premise approach. Generally, I have found that Cloud-based systems tend to be much more secure than on-premise ones, as Cloud Service Providers generally take encryption and access control seriously.

The devil is in the detail. I may be missing some, but I think the article shows a bit of naivety on how the Cloud actually works and that data can be isolated within regions of the world.

Security has advanced in the Cloud

Recent moves by AWS, for example, mean that encryption is set by default on all files stored within a Cloud storage area. How many on-premise solutions have that as an option? They have also integrated strong authentication of data, such as using multifactor authentication through the usage of hardware tokens and authenticator apps. The logging facilities, too, are exceptional, and you can log, alert and investigate virtually every single event on the usage of data and encryption keys. The Cloud is basically the IT infrastructure we have always needed and is often vastly more secure than an on-premise solution.

Law enforcement has recently been under pressure for poor data handling, and many think that they need to modernise their infrastructures. And, so, I feel a bit sorry for Police Scotland today, where they just can’t win when it comes to data protection:

If you read this article, it talks about storing biometric data in the Cloud and where encryption has been used. While there are no details on this, the article does say that the data is encrypted. As I have said previously, the devil is in the detail, and just because we are using the Cloud doesn’t mean the data is any less secure.

Let’s build a Scottish system

And, for “Let’s build a Scottish system”, I just don’t understand what that actually means, as all it needs is to still use AWS or Azure, but make sure the data is stored in the UK and not allowed to be stored outside the country. It is a fundamental decision that many companies make about their data locations. And, if it is pointing to an “on-premise” solution, it is the kind of argument that might have worked a few decades ago, but it forgets how difficult it would be to build something that had integrated encryption, HSMs, authentication methods, resilience, data backup, and so on.

If you are worried about Microsoft or AWS getting access to your data, rather than relying on your Cloud Service Provider to encrypt your data, you can encrypt it before it even leaves your premises and keep the keys locally. Basically, you encrypt at the source.

We need change and improvements

And how can we change the way that governments and the public sector deal with data and processing without moving into the Cloud? I appreciate there’s a spectrum of data protection standards to be applied, but just because data is stored in the Cloud doesn’t mean that it is not secure. It is an easy thing to say, “It’s not stored here”, without looking at the detail. If you store your bike without a padlock outside your own front door, you are just as likely to have it stolen as when you store your bike in someone else’s house in another part of town.

Basically, overall, it all comes down to the safeguards applied, how the data is encrypted, how the encryption keys are managed, and how access control is applied. The key element of security is the HSM (Hardware Security Module), which is the place where the encryption keys are stored. There are mechanisms, known as an on-premise HSM, that allow for all the encryption keys to actually be stored outside the Cloud. The general case is that your Cloud provider will use envelope encryption to store your data, where a random encryption key is used to encrypt each of the files. That key is then wrapped (encrypted) with the client’s encryption key and stored. It should then not be possible to use the file’s encryption key without the use of the client’s key. In this way, your Cloud provider will not be able to access the key.
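The envelope encryption described above, combined with the earlier point about encrypting at the source and keeping the keys locally, can be sketched as follows. This is an added example, not code from the original post or from any Cloud provider; it assumes the third-party Python `cryptography` package, and the raw `client_key` bytes stand in for a key that would really be held in a local HSM. The function names and sample data are constructed for illustration.

```python
# Added example: envelope encryption with a client-held key (not from the original post).
# Requires the third-party "cryptography" package.
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap, aes_key_unwrap, aes_key_wrap)


def encrypt_file(client_key: bytes, name: bytes, plaintext: bytes) -> dict:
    """Encrypt one file at the source; the returned dict is all the provider stores."""
    data_key = AESGCM.generate_key(bit_length=256)  # random key used for this file only
    nonce = os.urandom(12)
    return {
        "name": name,
        "nonce": nonce,
        # AES-256-GCM; the object name is bound in as associated data.
        "ciphertext": AESGCM(data_key).encrypt(nonce, plaintext, name),
        # The data key is stored only in wrapped form (RFC 3394 AES key wrap).
        "wrapped_key": aes_key_wrap(client_key, data_key),
    }


def decrypt_file(client_key: bytes, obj: dict) -> bytes:
    """Unwrap the per-file key with the client's key, then decrypt the file."""
    data_key = aes_key_unwrap(client_key, obj["wrapped_key"])
    return AESGCM(data_key).decrypt(obj["nonce"], obj["ciphertext"], obj["name"])


def can_decrypt(key: bytes, obj: dict) -> bool:
    """True only if `key` unwraps the data key and the object is unmodified."""
    try:
        decrypt_file(key, obj)
        return True
    except (InvalidUnwrap, InvalidTag):
        return False


if __name__ == "__main__":
    client_key = os.urandom(32)    # assumption: stands in for a key kept in a local HSM
    provider_key = os.urandom(32)  # any key that is not the client's
    obj = encrypt_file(client_key, b"records/0001", b"constructed sample record")
    print("client can read:  ", can_decrypt(client_key, obj))
    print("provider can read:", can_decrypt(provider_key, obj))
    moved = dict(obj, name=b"records/0002")  # stored blob swapped to another name
    print("swapped object ok:", can_decrypt(client_key, moved))
```

Because the object name is passed as associated data, a stored blob that is moved or relabelled on the provider side fails authentication even when the correct client key is used.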

Conclusions

As I have said a few times, the devil is in the detail. Why can’t we see the methods used, and why can’t there be openness in this? In this way, experts could review the plans and make sure that we use high levels of security. In fact, you can’t keep anything secret on the Internet. The “Cloud” is here, and on-premise solutions will struggle to get anywhere near the security, resilience and integration required for a 21st Century data infrastructure. With the right encryption and access control in place, it shouldn’t actually matter where your data is stored.

I am a great advocate of privacy, especially with biometric data, but it would be almost impossible to know if Police Scotland has taken the right course in data protection in reading this article. I hope we can be a whole lot more open with the way that data architectures are created in the public sector and make them available for scrutiny. The one thing I do know is that policing needs to modernize its approaches to data handling.