How to enjoy the benefits of cloud technologies without the pitfalls
Frontier technologies such as artificial intelligence (AI), machine learning (ML), quantum, and high-performance computing are radically altering the national security landscape.
Organisations need to understand and harness these shifts if they are to master this disruption, enable effective change and deliver better outcomes.
In this new series from Shephard Studio, we explore what happens when technology challenges us to develop new ways of doing things.
In examining today’s technological landscape, we also consider Japanese cultural practices and concepts from which innovators can draw inspiration.
Nemawashi is an informal process of quietly laying the foundation for a proposed change or project.
As governments and militaries grapple with a data-rich modern world, cloud computing offers crucial advantages.
However, implementing a successful cloud strategy can be challenging, introducing vulnerabilities – organisations must tread carefully, particularly those in the business of national security.
The rise of cloud technology is closely linked to evolutions seen across various sectors, notably the explosion of data from a wide range of sources.
Joanne Benbrook, Senior Solution Architect at Fujitsu Defence and National Security, highlighted the various sensors that personnel and equipment now possess, along with information held in enterprise systems or applications, social media streams and other internet-based resources.
‘You’re going to want to host that in a “data lake”,’ Benbrook explains. ‘To do that, you need cloud systems and technologies,’ not just to aggregate the data but to synthesise and exploit it.
But this isn’t easy. Brad LaPorte is an advisor at Lionfish Tech Advisors. As a former US Army officer attached to US Army Pacific, he has a unique insight into not just the US approach to cloud technologies but the wider Five Eyes network.
Cybersecurity, in general, is challenging, he notes, with governments facing well-funded attackers who can be larger in size and sophistication and are ‘constantly ahead of the curve’. There are numerous other challenges, including the difficulty of implementing hybrid architectures. When it comes to working with allies, there is also a data control and data privacy challenge.
‘There’s also connectivity. So where are the data centres going to be held? How is the networking, the routing firewalls going to work? How are you going to monitor that network from a health perspective?’ LaPorte explains.
Despite the challenges, cloud offers significant benefits. LaPorte points to the speed of delivery, collecting data from assets such as UAVs and body cameras, increasing communication and delivering actionable insights.
However, while it can place great power in the hands of the military and intelligence services, it introduces vulnerabilities.
‘When we moved from on-premise to cloud, effectively we took down the castle walls and replaced them with hundreds of thousands of smaller castle walls that we have to constantly monitor… that’s easier said than done.’
So how can organisations seize the advantages of the cloud, while mitigating its vulnerabilities? Part of the solution is to implement a defence-in-depth strategy across the entire architecture, LaPorte argues.
From a software development lifecycle perspective, ‘we’re trying to reduce the number of vulnerabilities in our code itself, and increase the quality of the code’.
Charles Denyer is an expert in national security and cybersecurity. When advising companies on how to mitigate potential vulnerabilities of the cloud, he outlines a three-pronged approach.
First is the human element and the need for regular rigorous security awareness training so employees understand what the challenges are in cyberspace.
Secondly, the need to invest in robust security tools, including firewalls and monitoring/detection tools, and thirdly to continuously monitor your environment.
‘Whether you're a small start-up in the healthcare industry, whether you're a 50,000 plus multinational organisation working in the defence industry, the application is the same: train your employees, have the best security tools and solutions in place and build a culture of continuous monitoring that adopts these processes,’ Denyer explains.
Organisations must also implement segmentation. If there’s a breach in the environment, it must be self-contained; if an adversary accesses one container, they should not be able to move from there into other containers.
‘If someone’s breaking into my home and they go through my master bedroom, I want there to be a lock there so they can’t move laterally throughout my house.’
When cloud technologies first became available some 15 years ago, hardly anyone used it for live production services, says Sarah Collins. She is a Lead Solution Architect at Fujitsu Defence and National Security.
‘It was very much a playpen,’ Collins says. ‘Now it has become second nature – governments have digital strategies that mandate a cloud-first approach.’
The Covid-19 pandemic further accelerated this process.
The increasing uptake of edge, distributed, and satellite cloud services mean services at remote locations must be treated with the same stringency as other cloud capabilities.
‘I’m in the defence and national security business, so everything is about security,’ Collins explains. ‘We need to be cognisant that cloud is there to be consumed and services are available across the cloud to anyone with internet access.
‘Therefore, customers with regulatory requirements need to be careful where things are being run from. It’s very easy to create a virtual machine in the wrong region, so providers can establish guardrails to help consumers use cloud safely.’
As well as the security dimension, there is also ‘responsibility’, she says – essentially understanding who is accountable when things go wrong. This is linked to the people factor, with a need for qualified personnel to operate the technology, whether in-house or externally.
Collins also highlights the need to authenticate and protect a user’s identity in the cloud. ‘One of the greatest threats to cloud security is the human element. Using passwords to authenticate is becoming increasingly unreliable. Multifactor authentication has yet to be widely adopted.’
Access control and data security is a crucial focus, particularly when the cloud provider has access to the client’s data. ‘You are reliant on the cloud provider to have implemented the security controls they claim,’ Collins explains.
It’s clear that the commercial sector is essential to grasp the opportunities cloud presents and mitigate its challenges.
LaPorte has built a market map of the different segments of the cloud industry, with more than 20 in the cloud security space, including Cloud-Native Application Protection Platforms (CNAPP) and Cloud Security Posture Management (CSPM).
‘The private and commercial sectors can innovate faster because they’re not bogged down by bureaucracy and the infrastructure that is the federal government entities. This also helps from a defence-in-depth perspective, because if you use multiple different vendors, you then have a heterogeneous security approach.’
Cloud is opening new horizons, making the world move ‘very, very fast’, in the words of Sarah Collins.
‘Every year, I go to cloud provider events where they launch a vast and bewildering array of new technologies to solve problems, problems I sometimes didn’t realise I had,’ she says.
Nemawashi, from ne meaning “root”, and mawasu meaning “to turn something”, means an informal process of quietly laying the foundation for some proposed change or project.
Nemawashi in business is preparing people’s minds to accept an idea. It is consensus building.
See the full series