How to Tackle Cloud Compliance in the Public Sector
Public sector organisations are adopting cloud as part of their IT infrastructure, especially in their citizen-facing services.
It makes sense. Cloud services are great at Internet-facing service delivery. This approach offloads much of the technical burden to the hyperscaler, while offering a high level of security and third-party certification.
But, when we look at all the other supporting services and back-end systems, these organisations then struggle to continue the cloud journey.
Why is this? And how can it be addressed?
What’s slowing things down?
The reasons differ per organisation, but we see some common causes.
Those front-end services, which often serve as a flexible interface between the customer and the other systems, are easier to deliver in cloud. The supporting services and back-end systems, however, store and process things like classified data and citizens' personal information, and these types of information are heavily regulated by authorities, so they are harder to deliver in cloud.
Coming from a risk-averse background and a solid base in traditional, datacenter-oriented IT, public sector organisations struggle to assess the impact and risk of moving those types of data to the public cloud. And even if they clear the first hurdle of assessing the need, the next challenge is actually seeing a proper cloud migration through.
The hidden dangers of lift and shift.
For a risk-averse organisation, it’s tempting to treat cloud merely as a more flexible data centre. So many organisations just lift and shift (rehost) their IT infrastructure into cloud, as lift and shift is the easiest way to keep using the same security approach as with the previous datacenter setup.
It’s easier to explain for those responsible for the cloud implementation when they have to report to internal (often siloed) stakeholders or supervising authorities. These parties often struggle to fully understand true cloud or true cloud-native security.
Because of this, they tend to hold back any cloud innovations beyond rehosting. Combined with risk-averse behaviour, this slows down cloud migration and innovation, as they see no real advantages beyond (maybe) lower costs.
The problem they face is that the lift and shift approach cannot leverage the flexibility and agility of cloud. Sure, it creates a stable, approved de-facto situation that most people seem to understand. But it removes the opportunity to digitally transform further, bringing the cloud journey to a grinding halt.
So, what should they do to reboot their cloud journey?
Let’s get to the heart of it – those regulatory challenges.
The thing that makes the public sector one of the most complicated to migrate to cloud is the regulatory landscape. There’s no getting away from it.
The sector needs to comply with all the usual privacy regulations like GDPR, cope with complications like Schrems II when processing personal data outside the EU, and address the public’s reluctance to put all of its personal data in the hands of the hyperscalers.
Plus, they need to comply with various data classifications and far stricter rules governing these.
And although times are gradually changing, the majority of the compliance frameworks and standards are still based on traditional IT infrastructure using a datacenter setup, firewalls, DMZs and other non-cloud technologies.
Why is it so hard to get right?
The (internal and external) stakeholders’ and auditors’ level of knowledge and experience with cloud and the shared responsibility model largely determines how complicated the cloud transformation becomes.
The controls in the rules and regulations regularly need to be translated into a cloud context, which can result in fierce discussions due to lack of cloud knowledge.
And the different stakeholders that need to be involved in the cloud journey are often siloed into different teams with their own needs to address.
This results in different viewpoints, which tend to block the cloud journey because of the risk-averse behaviour of those stakeholders.
And cloud is often treated as a special case within the IT service portfolio. This is caused by the way cloud grows into the organisation, starting off with a small initiative, growing to deliver some specific services, but not integrating into the proper IT or business processes.
Especially when implementing compliance, the cloud management processes need to be integrated properly in IT management and the GRC processes.
What are the steps to get started?
Taking this into account, this is what we recommend you do when you want to start or reboot your journey into cloud as a public sector organisation:
1. Manage cloud knowledge.
If you want to use cloud, you need to understand cloud. And this is not only applicable to the engineers working on cloud, but also for the compliance, security and risk officers who need to manage and approve compliance, security and risks of cloud usage.
2. Understand shared responsibility.
Managing cloud is all about shared responsibility. The cloud service provider will provide you with a high level of inherent security guardrails to implement your compliance, but they’re useless if they aren’t properly configured and maintained.
And this needs to be done in context of the processes running in cloud and information being processed in cloud, within the boundaries of the compliance, security and risk policies. You need to manage the entire stack in alignment, not as individual layers.
3. Integrate your cloud.
Cloud is not different, cloud is not special, and so cloud must be part of your IT service portfolio. It needs to align with your compliance, security and risk demands, just like your datacenter, your laptops or the offices you are using. So you need to integrate your cloud management processes within your IT management processes, which must align with your business processes.
This requires effort. Cloud asset management is not the same as traditional IT asset management. Cloud security is not the same as traditional IT security. But there’s no way around it – it must be done if you want to make your cloud journey successful.
4. Align your stakeholders.
The topics of compliance, security and risk often fall to different teams, residing in different parts of the organisation and having different concerns. If you bring the different stakeholders together, with a proper understanding of cloud and shared responsibility, you’ll see that those differences will align and reboot your digital cloud journey.
Maybe you need a little help?
If you’re a public sector organisation and you’re struggling with your cloud journey, we can support you. We’re cloud natives, with strong experience working with governments, meaning we know how to translate regulatory requirements into cloud compliance frameworks or technical requirements.
For more details on this article or if you have any questions about your public sector cloud journey, you can contact your local Denmark expert, Thomas Dzougov.