UK government seeks views on cloud, datacenter security

Consultation asks for contributions from industry to better understand digital threats

The UK government has kicked off a consultation to collate feedback on strengthening the security and resilience of local datacenters and cloud services to protect against outages and national security threats.

Companies that run, purchase or rent any element of a datacenter are being asked to detail the types of customers they serve.

Announced by the Department for Digital, Culture, Media and Sport (DCMS) late last week, the move is perhaps a recognition that the UK may need to beef up measures to safeguard key infrastructure against cyber threats and other disruptions.

Julia Lopez, minister of state for Media, Data, and Digital Infrastructure, said that datacenters and cloud platforms are a vital part of Britain's national infrastructure as they help deliver essential services such as banking and energy.

"We legislated to better protect our telecoms networks and the internet-connected devices in our homes from cyber attacks and we are now looking at new ways to boost the security of our data infrastructure to prevent sensitive data ending up in the wrong hands," Lopez said in a statement.

The consultation will seek views and contributions from the industry – namely datacenter operators and their customers, cloud providers, equipment suppliers, and cyber security experts – to help the government understand the potential risks that data storage and processing services is facing.

This includes detailing what measures they have in place, and what steps they are already taking to address any vulnerabilities.

It will also seek feedback on putting in place processes seen in other regulated sectors, such as incident management plans, having to notify a regulator when an incident impacts their services, or a requirement for someone at board or committee level to be held accountable for security and resilience of the infrastructure.

The consultation will run from now until July 24, following which the government will review the feedback provided and publish a response.

Based on the evidence collected, DCMS said it will then decide whether any additional government support or management is required to minimize the risks to data storage and processing infrastructure.

It isn't clear what form such support might take, but DCMS stated that any new protections would build on existing safeguards for data infrastructure, including the Networks and Information Systems (NIS) Regulations 2018 which cover cloud computing services.

Philip Dawson, VP Analyst at Gartner Research, said the consultation was important, but needs to look beyond the resilience of just datacenters and cloud services.

"With more people working from home, you're seeing a big expansion in the edge of the network, and you need to address the resiliency of all that as well," he told us.

The government noted that the uptake of cloud services is growing, especially among smaller businesses, and that as the UK's reliance on digital services grows, shielding the infrastructure that powers them against disruption would protect the wider economy.

The move was welcomed by the CEO of trade association TechUK, Julian David, who said the technology sector already plays an important role in strengthening resilience across the UK economy.

"One particular focus will be how these proposals will align with wider efforts to strengthen resilience across sectors as well as the wider ambitions outlined in the UK's National Cyber Strategy," David added.

However, sometimes you don't need a cyber attack to take down services, with outages of cloud services provided by AWS and Azure within the last year due to problems with the infrastructure itself rather than any malicious cause.

We also reported earlier this year how a Swiss datacenter operated by financial messaging service SWIFT was getting increased physical security because of fears about sabotage following the exclusion of Russian banks from the network. ®

Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Oracle shrinks on-prem cloud offering in both size and cost
    Now we can squeeze required boxes into a smaller datacenter footprint, says Big Red

    Oracle has slimmed down its on-prem fully managed cloud offer to a smaller datacenter footprint for a sixth of the budget.

    Snappily dubbed OCI Dedicated Region Cloud@Customer, the service was launched in 2020 and promised to run a private cloud inside a customer's datacenter, or one run by a third party. Paid for "as-a-service," the concept promised customers the flexibility of moving workloads seamlessly between the on-prem system and Oracle's public cloud for a $6 million annual fee and a minimum commitment of three years.

    Big Red has now slashed the fee for a scaled-down version of its on-prem cloud to $1 million a year for a minimum period of four years.

    Continue reading
  • Google battles bots, puts Workspace admins on alert
    No security alert fatigue here

    Google has added API security tools and Workspace (formerly G-Suite) admin alerts about potentially risky configuration changes such as super admin passwords resets.

    The API capabilities – aptly named "Advanced API Security" – are built on top of Apigee, the API management platform that the web giant bought for $625 million six years ago.

    As API data makes up an increasing amount of internet traffic – Cloudflare says more than 50 percent of all of the traffic it processes is API based, and it's growing twice as fast as traditional web traffic – API security becomes more important to enterprises. Malicious actors can use API calls to bypass network security measures and connect directly to backend systems or launch DDoS attacks.

    Continue reading
  • Mega's unbreakable encryption proves to be anything but
    Boffins devise five attacks to expose private files

    Mega, the New Zealand-based file-sharing biz co-founded a decade ago by Kim Dotcom, promotes its "privacy by design" and user-controlled encryption keys to claim that data stored on Mega's servers can only be accessed by customers, even if its main system is taken over by law enforcement or others.

    The design of the service, however, falls short of that promise thanks to poorly implemented encryption. Cryptography experts at ETH Zurich in Switzerland on Tuesday published a paper describing five possible attacks that can compromise the confidentiality of users' files.

    The paper [PDF], titled "Mega: Malleable Encryption Goes Awry," by ETH cryptography researchers Matilda Backendal and Miro Haller, and computer science professor Kenneth Paterson, identifies "significant shortcomings in Mega’s cryptographic architecture" that allow Mega, or those able to mount a TLS MITM attack on Mega's client software, to access user files.

    Continue reading
  • Having trouble finding power supplies or server racks? You're not the only one
    Hyperscalers hog the good stuff

    Power and thermal management equipment essential to building datacenters is in short supply, with delays of months on shipments – a situation that's likely to persist well into 2023, Dell'Oro Group reports.

    The analyst firm's latest datacenter physical infrastructure report – which tracks an array of basic but essential components such as uninterruptible power supplies (UPS), thermal management systems, IT racks, and power distribution units – found that manufacturers' shipments accounted for just one to two percent of datacenter physical infrastructure revenue growth during the first quarter.

    "Unit shipments, for the most part, were flat to low single-digit growth," Dell'Oro analyst Lucas Beran told The Register.

    Continue reading
  • Zero Trust: What does it actually mean – and why would you want it?
    'Narrow and specific access rights after authentication' wasn't catchy enough

    Systems Approach Since publishing our article and video on APIs, I’ve talked with a few people on the API topic, and one aspect that keeps coming up is the importance of security for APIs.

    In particular, I hear the term “zero trust” increasingly being applied to APIs, which led to the idea for this post. At the same time, I’ve also noticed what might be called a zero trust backlash, as it becomes apparent that you can’t wave a zero trust wand and instantly solve all your security concerns.

    Zero trust has been on my radar for almost a decade, as it was part of the environment that enabled network virtualization to take off. We’ve told that story briefly in our SDN book – the rise of microsegmentation as a widespread use-case was arguably the critical step that took network virtualization from a niche technology to the mainstream.

    Continue reading

Biting the hand that feeds IT © 1998–2022