Security enhancements outweigh potential risks around data sovereignty when it comes to the Houses of Parliament's public cloud strategy.
Following the inception of the G-Cloud programme and the government’s ‘public cloud first’ procurement policy, Houses of Parliament IT staff began shaping plans to expand on existing private cloud infrastructure to implement community, or public, cloud services.
Eighteen months on and the Houses of Parliament is now in the process of moving a number of applications to the public cloud as part of plans to create a ‘digital parliament’, while making budgetary savings of 23 percent over four years. This includes a deal to migrate to Microsoft Office 365.
The cloud project was subject to a feasibility study, aimed at considering the impact of a number of issues including integration, data migration and security. In addition, there were challenges around the legal requirements of where data is stored, explained Joan Miller, Director of Parliamentary ICT, Houses of Parliament, at the Think G-Cloud event in London.
“The big outstanding element was data sovereignty,” said Miller. “We needed to know what was happening to that data in the cloud, and that anything that happened to that data was in our control.”
She continued: “We have been looking in a lot of detail at the workings of the Patriot Act in particular, and have had a lot of help from Microsoft in looking at how the Patriot Act in America might involve any services that we put into a cloud.”
In addition, reports of the unofficial access to servers through the US National Security Agency's Prism scheme were taken into consideration. However, it was found that there was no reason to reassess plans to move data into the cloud, and overall the security benefits of using the cloud were clear.
“We were thinking we have to go back and check our work [following the Prism reports], and make sure that what we have done to measure the risk is adequate to deal with the knowledge that is public and not so public about the American government’s use of data,” Miller said. “In fact, we are reassured that everything we thought about is still covered in the work we have already done.”
According to Miller much of the data held by the Houses of Parliament is actually relatively low risk. She explained that, other than in certain circumstances, the majority of the data is already destined for the public domain.
“The purpose of parliament is to transparently provide legislation and scrutinise government, so it is not quite as risky as it looks,” she said. “We have been measuring our opportunity against our risks, and the risk of moving into a Microsoft cloud for instance is small because of the level of sensitivity of our data, which is IL2 or below mostly."
Miller said that there were a number of security benefits around using public clouds, such as the greater protection afforded against DDOS attacks, as terabytes of Hansard data are opened up to the public for example.
"Our web internet is in the cloud, and that has given us benefits around DDOS attacks, giving us capacity around attacks that we wouldn’t otherwise have had on our own network.
She added: “We are putting our electronic archive into the cloud, which gives us some security around disaster recovery, because the services we buy have more instances than we provide on the parliamentary estate on our own services.”
Overall, Miller is confident that the use of public cloud can help boost security, and ensure the delivery of services.
“The services we have are secure, they add resilience,” she said. “We have small applications that sit in the cloud, and it reduces my worry that the services are going to break.
“Risk should be balanced out with opportunity – don’t think everything is going to fail.”