ScotCloud 2017 brought industry leaders from across the UK into a single forum to discuss the most pressing issues surrounding Cloud-based tech. Speakers came from a wide variety of sectors from Construction to Cyber Security.
Overwhelmingly, calls were made for collaboration to ensure the development of Cloud infrastructure, which has become essential to delivering private and public services alike. Speakers argued that cooperation was also required in other areas of Cloud computing like security, a core concern in light of recent high-profile attacks such as that faced by the NHS in May. GDPR was also a dominant topic of discussion as the new legislation surrounding data protection poses a specific set of challenges to Cloud-based services.
Keeping the UK at the forefront of Cloud adoption
Sue Daley from techUK spoke about the organisation’s 2020 Vision and the crucial role of Cloud technology as an enabler. She said: “Cloud computing is fundamental to our digital, economic and social future in the UK. The next wave of our digital revolution and evolution – whether it be the Internet of Things, Smart Cities, driverless cars, Machine Learning, Big Data – will be enabled by Cloud computing.”
Released last year, the Cloud 2020 Vision outlines a strategy to keep the UK at the forefront of Cloud adoption, focusing on six key policies designed to enable the development of the Cloud ecosystem across the country. These policies centre on key aspects such as trust, security, interoperability, regulation and infrastructure. There is also a concerted aim to ensure effective Cloud adoption by the public sector, opening up this £16 billion market to the innumerable efficiency and cost savings that it will bring.
Daley’s presentation at ScotCloud 2017 brought to light the true permeation of Cloud across the UK, and spoke of the wider significance to industry and the economy:
“If you look at the UK Government’s Industrial Strategy it talks about the digitisation of every sector of every company across the UK – well that is going to be enabled by cloud computing. We are here to help develop the market, we are here to help Cloud computing providers thrive and grow in the UK. And we are here to also help organisations not just in the tech sector but across finance, retail, construction and manufacturing to realise the benefits that Cloud computing can offer.”
Security and the Cloud
Building on Sue’s introduction, Sian John, Chief Strategist for Symantec, stressed the extent to which Cloud and digital technologies permeate everyday life:
“The digital world is enhancing or replacing much of the physical world that’s out there. There’s almost no service you can think of now that doesn’t have some digital element, even small businesses.”
“You would never even think of going into a hotel now without going onto the Internet to book it. I almost struggle to think of a business that isn’t affected by that need to be ‘always on’. And the smaller you are, the more benefit there is for using a Cloud service rather than sticking a server under your counter in your shop and then expecting to be able to secure and manage that.”
Whilst acknowledging the clear benefits of Cloud services, Sian warned that such widespread use carried an element of risk, particularly given the poor awareness surrounding the number of services organisations actually employ:
“A major issue now is the amount of Cloud services businesses think they’re using compared to the ones they’re actually using – there is a massive difference. In a report we compared the amount of Cloud services [businesses] thought they had, which on average was about 30, and the average amount of Cloud services they were actually using, which was tens of times more than that. Because of all the people in different departments that had just gone and got a service, but not really thought about the data and policies and engagement that goes on with that.”
Sian also noted that users of Cloud services had ‘sleep-walked’ their way into mishandling data privacy, another hot topic for security that will be shaken by the General Data Protection Regulation coming next year. Sian warned that fragmentation between businesses and IT was often to blame for Cloud breaches in the past. She said: “Data privacy and security are often shoved off into different areas of business. Data privacy is quite often seen as the legal department’s problem and security is seen as the IT department’s problem, whereas all the benefits of the Cloud are the business’ problem.”
She elaborated on the damaging effects this can have for consumers: “People have given up their privacy and shared their data, and assumed the organisation is going to protect it. And the more high-profile you are, the more anger they’ll have when you lose it.”
Sian proposed that a standard, universally-accepted set of regulations on protection and breaches could build the trust needed for businesses to adopt Cloud services more readily. She said: “We need to think about developing and enforcing policies, auditing and monitoring what is going on across different environments, looking at standardisation and building controls within virtual machines. These are approaches that can happen across different Cloud services but it’s important to think of it in that policy-way instead of individual technologies and products.”
“And that comes to things like gaining control of the Cloud to think about visibility – how do you know what is stored where? You are safeguarding your data, ensuring that everything is protected from malware and threats – and also automating as much as possible so that things can happen without having to go through human beings, otherwise you lose a lot of the benefits of Cloud services.”
Changes surrounding GDPR
One of the key topics at ScotCloud 2017 was the General Data Protection Regulation (GDPR), which comes into force next May and has become one of the most pressing challenges for organisations across the business landscape. New regulations will see severe penalties of up to 4% of global turnover or €20 million if a business mishandles an EU-based consumer’s personal data.
Professor Lilian Edwards, a leading academic in Internet Law, explained that the over-riding purpose of the new fines was to make company executives sit up and take note: “It is meant to concentrate the minds of CEOs not just CTOs, and make even the megaliths like Microsoft, Google and Amazon think twice about their strategies in Europe.”
Prof Edwards explained the core changes brought under GDPR, emphasising the significance of the shift to define both data ‘processors’ and data ‘controllers’ as jointly liable for personal data. Cloud service companies will generally fall into one, if not both, of these camps, meaning that companies across the spectrum will become liable for all personal data they handle. This, Edwards states, will create a plethora of complications for Cloud service companies:
“They’ve got to show compliance with their security obligation, and show a record of all their categories of processing activities – who they are processing for, what they’re processing when – that’s a lot of paperwork for an SME.”
“There is an exemption if you have a staff of under 250, but also if you’re not processing sensitive personal data. But again that has a technical meaning too, which includes health data most notably, also any data that relates to sexuality, sex or race, political opinions – that’s a lot of data too.”
The significance of the changes to breach reporting was also discussed; Edwards notes that while most people are aware of the new reporting process, there seems to have been less publicity around how this will extend to Cloud providers in the event of a breach:
“The one thing that probably anyone knew about the GDPR before they came is the new mandatory security breach notification process. This has been in for telecom providers for a long time, but it is now being introduced for all data controllers – they have to notify security breaches within 72 hours, which is tight. Data processors are also subject to this obligation, but the data processor only has to notify without undue delay to the data controller. And that has not had much publicity.
“These are obligations on the data controller, but that data controller might be a Cloud service, or even if it isn’t, the obligations are going to have to be passed down to the Cloud provider. And I wonder if that work has been done because there has been less publicity about it.”