You may have heard Simon Hansford*, UK CEO of the firm that likes to say it’s the ‘power behind public sector technology’, UKCloud, at Think Digital Government in February. There, Hansford had an on-stage debate with event MC Stuart Lauchlan of our content partner diginomica about a number of key issues facing the sector.
However, one of the most important issues, which was mentioned but needed more emphasis than was possible on the day, is security. We went back to UKCloud to find out more of its views on this vital issue, and had an interesting dialogue with its Cloud Strategist, ex-IBMer Bill Mew. Here is an edited version of what he told us is worrying him most right now:
Hi, Bill, and thanks for agreeing to talk to ThinkDigitalPartners.com. What’s on your mind right now when it comes to security in the public sector?
A lot’s coming together rather quickly, and it’s making not just me but anyone interested in data and data movement worried. We all know that Safe Harbour, which since 2000 had been a very stable way to ensure trans-Atlantic information movement was compliant with European Data Protection Regulation, came apart a year or so ago, when the European Court of Justice decided that there were too many concerns from the EU side to keep it going in the light of the Snowden revelations about US spying activities.
That resulted in a successor framework, the EU-US Privacy Shield… but that hasn’t ever really gotten off the ground to anything like the same extent Safe Harbour did. There’s still a lot of suspicion and scepticism about what the US is really doing with data.
That was a year ago like I said, but things have come thick and fast since. We’ve had Executive Orders out of the Trump White House around border security that have raised hackles; there was the ‘Rule 41’ move that has granted the FBI a lot more surveillance powers; there’s been the so-called ‘Philadelphia Ruling’, too, that may force Google to turn over email data stored on non-US servers to the authorities over there – there’s even the issues from Brussels’ dislike of our ‘Snooper’s Charter’, of course, our Investigatory Powers Act.
That’s a lot of context, and it’s important we need to know about it, Bill, so thanks. But what are the woods for the trees here? What is your message to the UK public sector ICT buyer and seller out of all this?
What I’m saying – and what your readers need to start thinking about, too – is the current uncertainty over not just US-Europe data sharing conventions, but the UK-Europe aspect of that as well, which will obviously be made probably even more complicated by Brexit.
Add to this the fact that whereas once it was enough to simply ensure that your data was stored in the UK, you now also need to ensure that whoever is holding or processing your data is beyond the reach of intrusive extra-territorial laws. Plus, the Googles, the Amazons – the big US cloud giants – are facing a lot of tough questions from their home authorities about data and its security.
As a result, we are going to have to, as an industry, face a period of uncertainty over data-sharing arrangements until all this settles down again – if it does. Global data portability as we now know it could well be under threat.
Really net this out: I’m a public sector IT professional. What is the call to action here?
In light of GDPR and the current threats to data sharing conventions, a level of caution is recommended when it comes to data right now. Public Sector organisations should not ever need to move their data offshore, but when moving to the cloud they need to ensure that it remains in the UK and is beyond the reach of intrusive extra-territorial measures.
With global suppliers offering no guarantees that your data will always remain in the UK and also being subject to these intrusive US laws, you need to act with caution. None of us want the UK to end up as some kind of data island, but we have to take pragmatic steps to protect the privacy of our service users here.
The most sensible action around data right now if you are a public sector cloud user is to only really contract with a 100% UK-based supplier – which isn’t an ad for UKCloud, there are many great suppliers to consider… but it is a plea to be super-cautious and to keep things data-wise as close to home as you can now. It’s the safest, wisest path.
Wow, ok Bill, scary but fascinating stuff. Thanks for sharing your insights with us today.
Bill is Cloud Strategist at UKCloud; connect with him and UKCloud on social media @BillMew @UKCloudltd
UKCloud is Think Digital’s Official Security Partner, and is about to start a new monthly Security Blog here; more news on that very soon.
*Go here for our special two-part October 2016 interview with Simon Hansford.