Public cloud benefits outweigh security and data sovereignty risks, says head of Parliament IT

'Cloud first' policy will include Microsoft Office 365 roll out

Security enhancements outweigh potential risks around data sovereignty when it comes to the Houses of Parliament's public cloud strategy.

Following the inception of the G-Cloud programme and the government's 'public cloud first' procurement policy, Houses of Parliament IT staff began shaping plans to expand on existing private cloud infrastructure to implement community, or public, cloud services.

Eighteen months on and the Houses of Parliament is now in the process of moving a number of applications to the public cloud as part of plans to create a 'digital parliament', while making budgetary savings of 23 percent over four years. This includes a deal to migrate to Microsoft Office 365.

The cloud project was subject to a feasibility study, aimed at considering the impact of a number of issues including integration, data migration and security. In addition, there were challenges around the legal requirements of where data is stored, explained Joan Miller, Director of Parliamentary ICT, Houses of Parliament, at the Think G-Cloud event in London.

"The big outstanding element was data sovereignty," said Miller. "We needed to know what was happening to that data in the cloud, and that anything that happened to that data was in our control."

She continued: "We have been looking in a lot of detail at the workings of the Patriot Act in particular, and have had a lot of help from Microsoft in looking at how the Patriot Act in America might involve any services that we put into a cloud."

In addition, reports of the unofficial access to servers through the US National Security Agency's Prism scheme were taken into consideration. However, it was found that there was no reason to reassess plans to move data into the cloud, and overall the security benefits of using the cloud were clear.

"We were thinking we have to go back and check our work [following the Prism reports], and make sure that what we have done to measure the risk is adequate to deal with the knowledge that is public and not so public about the American government's use of data," Miller said. "In fact, we are reassured that everything we thought about is still covered in the work we have already done."

According to Miller much of the data held by the Houses of Parliament is actually relatively low risk. She explained that, other than in certain circumstances, the majority of the data is already destined for the public domain.

"The purpose of parliament is to transparently provide legislation and scrutinise government, so it is not quite as risky as it looks," she said. "We have been measuring our opportunity against our risks, and the risk of moving into a Microsoft cloud for instance is small because of the level of sensitivity of our data, which is IL2 or below mostly."

Miller said that there were a number of security benefits around using public clouds, such as the greater protection afforded against DDOS attacks, as terabytes of Hansard data are opened up to the public for example.

"Our web internet is in the cloud, and that has given us benefits around DDOS attacks, giving us capacity around attacks that we wouldn't otherwise have had on our own network.

She added: "We are putting our electronic archive into the cloud, which gives us some security around disaster recovery, because the services we buy have more instances than we provide on the parliamentary estate on our own services."

Overall, Miller is confident that the use of public cloud can help boost security, and ensure the delivery of services.

"The services we have are secure, they add resilience," she said. "We have small applications that sit in the cloud, and it reduces my worry that the services are going to break.

"Risk should be balanced out with opportunity - don't think everything is going to fail."

Join the CSO newsletter!

Error: Please check your email address.

Tags MicrosoftsecurityG-cloudParliamentpublic sectorcloud computinginternetIT Business

More about MicrosoftNational Security AgencyPrism

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Matthew Finnegan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts