The ‘cloud’ has transformed modern digital services – the ability to access resources that exist ‘out in the Internet somewhere’ without needing to have those services or resources physically located or installed on local devices has freed personal and business users alike from the tyranny of application update cycles and the fear of lost data.
The reach of cloud services into many people’s digital lives is startling, when you stop to consider it – who buys CDs anymore when they can be downloaded from iTunes or streamed from Spotify? Who buys DVDs when they can be streamed from Netflix? Who manages backups of their PCs when their data is automatically synced to Dropbox? Who buys and installs productivity software when it can be accessed via a browser in Office 365?
In business settings, Software as a Service (SaaS) providers have replaced many traditional application providers, with ‘in cloud’ deployments trumping ‘on premises’ services in more and more cases.
People have embraced the use of the cloud, often without considering the implications of the switch that they’ve made – when your data and services exist in a virtual, cloudy location, how can you control who has access to it? Do you have any control over where it is physically located or stored? Does that question even make any sense in a cloud-enabled world?
The private sector has been grappling with the adoption of cloud technologies for the past 10 years – gradually at first, with the odd bit of Dropbox being used here and there, but then with increasing confidence as growing numbers of organisations outsource their internal applications and services to Microsoft, Google, Facebook, Slack and others.
But where is the public sector in all of this?
If we’d mentioned the use of the cloud to our government and law enforcement customers even 12 months ago, most of them would have thrown up their hands in horror at the thought of entrusting sensitive or official-sensitive data to anything other than an on-premises solution. But what about now…?
The economics of the cloud are, for a range of use cases, unarguable – cloud services are often less expensive, more flexible and easier to access. In terms of robustness, availability and security, cloud providers (who focus solely on those aspects of their services) are often better equipped to deliver on those features than hard-pressed internal IT teams. The adoption of cloud techniques within government and law enforcement has begun to be a less horrifying prospect for some services, and the rate of adoption of cloud services has begun to accelerate.
The term ‘the cloud’ means different things to different people and not all ‘cloud’ offerings work in the same way.
From a consumer point of view, when we talk about the cloud we’re talking about fully outsourced services that are deployed in the provider’s own environment or are deployed in a hosted third party environment – look at the vast numbers of cloud services that run in Amazon’s AWS cloud, for example.
It’s also possible to have ‘private’ clouds – deployments of cloud servers and storage that are deployed fully within an organisation’s data network (the contradictory-sounding ‘on premises cloud’) or to have services that exist as a ring-fenced environment within a hosted cloud network – where resources can only be accessed by the customer organisation.
This can be a bewildering set of options for the unwary, so let’s simplify it. As far as cloud services are concerned, they can be broadly categorised as:
• Totally private clouds – where the entire environment is deployed within the organisation’s data network
• Ring-fenced hosted clouds – where the environment is operated by a third party but is reserved for the customer’s sole use
• Public clouds – where the environment is deployed in the general cloud used for consumer services
• Provider managed clouds – where services are deployed within an environment operated by the service provider
In relation to cloud services made available to law enforcement, the applicability of these different options can be graded on a sliding scale from ‘hell, no!’, through ‘hmm, maybe’ to ‘okay, tell me more’ – and it’s probably fairly obvious where each of the four options above sits on this scale.
Public clouds will probably fall into the ‘hell, no!’ category for most public sector organisations – the possibility of security breaches and data loss presents a real and present danger for most information security managers to contemplate.
Totally private clouds and ring-fenced hosted clouds probably fall into the ‘okay, tell me more’ category. Microsoft Azure, Amazon AWS and other providers offer this kind of ring-fenced deployment with varying levels of government security accreditation, and the backing of the big beasts of the cloud hosting world has convinced many organisations to take the plunge.
The last option, ‘provider managed clouds’, for many organisations, falls into the ‘hmm, maybe’ category. The idea here is that the cloud service provider offers services and stores customer data in a cloud that they (the provider) operate. This means that the customer is, in effect, entrusting their data to a third party, through whom they gain access to that data and those services. Control of the data effectively passes out of the hands of the customer and into the control of their service provider.
While many organisations will see no problems with this (hence it being in the ‘hmm, maybe’ category), for others it raises big red flags: how secure is the provider’s network? What happens if the provider goes out of business? How difficult will it be to get our data if we want to end our relationship with that provider?
We, as a service and solution provider, offer cloud-based versions of our applications, CSAS and CDAN, but we take a pragmatic approach to the question of ‘what type of cloud to use?’ – our stance is ‘it’s your data, we don’t want it!’.
Consequently, we’re very happy to deploy our services into private clouds and ring-fenced clouds that are owned by our customers. Our customers’ data is therefore stored in networks that they either own or that they control the access to (by contracting with the hosting provider themselves). We’re less happy – to the point where we’d actively advise against it – about deploying services in our own cloud or in clouds that we lease from hosting providers.
The exception to this is our Decypher cloud analysis product that we offer in association with our good friends at Blue Lights Digital. This is deployed within a hosted environment, but we sidestep our qualms about hosting customers’ data by ensuring that there is no data ‘at rest’. Decypher receives uploaded data from users, processes it into the required analytical output, delivers the output back to the customer and then deletes the source data immediately.
Our opinion, which you are perfectly entitled to disagree with, is that any approach in which customers lose control of their data by outsourcing it into environments where a third party is the gatekeeper to the recovery of that data is a recipe for uncomfortable conversations in the future. We’d prefer to keep our customer relationships on a more transparent footing.
The cloud has changed the world and is in the process of changing the policing world, but some of the techniques that are applicable to the public sector potentially require a long hard look before they are adopted by policing and we think our approach offers a sensible route into cloud deployments.
As always, we’re interested to know what you think: [email protected]
Joe Hoy, March 2019