Cloud Mythbuster: Data protection and the public sector – What you should know and what you should do
The Finnish government has advised agencies to go cloud-first where possible, but for many, data protection concerns have been blocking progress.
But should those concerns be holding up essential digital service development?
This article is the first in our Cloud Mythbuster series where we look at challenges and uncertainties haunting government agencies on their cloud journeys (and how to solve them).
Here, we look at data protection and cloud – and the steps government agencies can take to bust the myths and drive digitalisation agendas in a secure, compliant way.
Ambiguous legislation – do you need to wait for clarification?
We recently worked with AWS on a survey of cloud adoption in Finland’s public sector. We asked about the biggest obstacles to making better use of data and cloud, and the second most popular answer was ‘ambiguous legislation’.
There’s a lot of uncertainty about data-related compliance requirements. Almost half of respondents said they were waiting for clear instructions and concrete frameworks from the Finnish government – guidance that hasn’t been forthcoming. As a result, agencies feel limited in the progress they can make with cloud.
As one respondent said:
“We’ve been waiting for active steering on things related to information security and data protection so that we have something to grab on to when we map things.” (Government agency)
The way forward
You don’t have to (and shouldn’t) wait for Finnish legislation to be finalised. Here’s why:
- Guidelines exist at the EU level – and cloud providers have agreed frameworks that are compliant. By following these, Finnish public sector organisations can confidently move forward with their cloud journeys
- Existing legislation allows you to work with public cloud providers – plus, agencies are allowed to have services running on an EU level, so there’s no legal barrier holding back cloud progress
- The EU is addressing common areas of concern – such as those related to collaboration with US-based hyperscalers. For example, in March 2022, the US and EU reached an agreement in principle on a new Data Privacy Framework governing how personal data is protected
In fact there are substantial risks associated with letting legislative delays hold the agency back. Those that keep postponing action will find themselves behind on government targets for providing digital services. Plus, you’re unlikely to gain clarification that doesn’t already exist within EU frameworks and best practices.
Public cloud – is it secure enough for storing and maintaining data?
Cloud undoubtedly involves a shift in mindset and to new ways of working (read more about cloud upskilling and cultural change for government agencies here). And it’s part of human behaviour to mistrust change.
However, when it comes to data protection, public cloud is more secure than on-prem infrastructure. Hyperscaler technology puts you in a stronger position to achieve 3 key data objectives:
- Protecting data from cyberattack
- Being able to use data to deliver digital services
- Ensuring compliance
- Being able to implement different levels of security for different people and purposes
In fact, our survey showed that major barriers to achieving these objectives are lack of expertise and resources, perceived complexity of the agency’s operating environment, and outdated tools and processes.
Public cloud capabilities – together with cloud best practices – help overcome these barriers.
The way forward
The key question to ask yourself is: ‘Do we have better technologies and processes to protect servers than public cloud providers do?’
The answer is almost always ‘no’. Because hyperscalers have economies of scale when it comes to developing and deploying the latest capabilities, they’re better able to stay ahead of the curve in the fast-moving cybersecurity space.
Here are key factors to keep in mind in this regard:
- Zero-trust methodology – it’s the most secure methodology, and it’s the default for public cloud, meaning your protection is ‘handled’ from a tech perspective. It’s much harder to implement and maintain this level of security yourself from scratch
- Digital sovereignty – this means you maintain control over digital assets, like data, when they’re in public cloud. AWS Cloud, for example, is sovereign-by-design, meaning there’s continuous investment in capabilities for data residency, granular access restriction, encryption and resilience tailored to your requirements
- In-built compliance – hyperscalers work closely with EU authorities to enhance security and other services based on evolving regulatory requirements. For instance, the Cloud Infrastructure Service Providers Europe Data Protection Code of Conduct (CISPE Code) provides independent verification that public cloud services comply with (and in many cases go beyond) GDPR requirements
Data classification – does everything need to be at a high level?
Another data-related barrier to progress relates to data classification. In many agencies, data is commonly given higher-level classifications than necessary. It’s hard to deliver digital services – a task that requires cloud – if data can’t be touched by those services.
One respondent summed up this dilemma nicely:
“Strict rules related to the processing of personal data can lead to a situation where you don’t dare to give access to data – making access too strict…It’s contradictory to the open use of data.” (State agency)
The way forward
This instinct to over-classify data comes from a good place, but it’s unnecessary. Not all data needs to be categorised as personal data. In fact, many agencies we work with don’t actually have genuine personal data, so this stringent classification approach creates unnecessary difficulties for themselves.
Here’s a 3-step, best-practice approach to solving this problem:
- Step 1: Take a strategic and honest look at data classification – and create a framework that reflects the reality of the agency’s data types
- Step 2: Develop a data security-oriented cloud strategy – that accounts for the classification framework. A partner can help you do this in a way that balances security and digitalisation objectives. You therefore ensure data is maintained and accessible in public cloud in a way that’s secure and compliant – but still usable
- Step 3: Deploy the technical foundation – so you can enforce the strategy. On a practical level, this could involve implementing best-practice security that allows data to move outside of an archive data lake and be used in digital services
This approach is 100% realistic and actionable. As an example, some Finnish government agencies we’re working with are developing cloud-based digital services that will process millions of transactions per year using personal data.
As one survey respondent said:
“In the past, the obstacle was that there were strict guidelines that you couldn’t use cloud with anything that needed to be kept secret. We re-evaluated our data processing guidelines and changed them so confidential material could be stored in secure cloud solutions.” (Government agency)
Download the public sector survey report summary (in Finnish)
We recently worked with AWS on a survey of cloud adoption in Finland’s public sector. See the results from the survey by downloading the report.
Get in Touch.
Let’s discuss how we can help with your cloud journey. Our experts are standing by to talk about your migration, modernisation, development and skills challenges.