UK government seeks views on cloud, datacenter security
Consultation asks for contributions from industry to better understand digital threats
The UK government has kicked off a consultation to collate feedback on strengthening the security and resilience of local datacenters and cloud services to protect against outages and national security threats.
Companies that run, purchase or rent any element of a datacenter are being asked to detail the types of customers they serve.
Announced by the Department for Digital, Culture, Media and Sport (DCMS) late last week, the move is perhaps a recognition that the UK may need to beef up measures to safeguard key infrastructure against cyber threats and other disruptions.
Julia Lopez, minister of state for Media, Data, and Digital Infrastructure, said that datacenters and cloud platforms are a vital part of Britain's national infrastructure as they help deliver essential services such as banking and energy.
"We legislated to better protect our telecoms networks and the internet-connected devices in our homes from cyber attacks and we are now looking at new ways to boost the security of our data infrastructure to prevent sensitive data ending up in the wrong hands," Lopez said in a statement.
The consultation will seek views and contributions from the industry – namely datacenter operators and their customers, cloud providers, equipment suppliers, and cyber security experts – to help the government understand the potential risks that data storage and processing services is facing.
This includes detailing what measures they have in place, and what steps they are already taking to address any vulnerabilities.
It will also seek feedback on putting in place processes seen in other regulated sectors, such as incident management plans, having to notify a regulator when an incident impacts their services, or a requirement for someone at board or committee level to be held accountable for security and resilience of the infrastructure.
The consultation will run from now until July 24, following which the government will review the feedback provided and publish a response.
Based on the evidence collected, DCMS said it will then decide whether any additional government support or management is required to minimize the risks to data storage and processing infrastructure.
It isn't clear what form such support might take, but DCMS stated that any new protections would build on existing safeguards for data infrastructure, including the Networks and Information Systems (NIS) Regulations 2018 which cover cloud computing services.
Philip Dawson, VP Analyst at Gartner Research, said the consultation was important, but needs to look beyond the resilience of just datacenters and cloud services.
- GitHub saved plaintext passwords of npm users in log files, post mortem reveals
- This Windows malware uses PowerShell to inject malicious extension into Chrome
- Let's play everyone's favorite game: REvil? Or Not REvil?
- China offering ten nations help to run their cyber-defenses and networks
"With more people working from home, you're seeing a big expansion in the edge of the network, and you need to address the resiliency of all that as well," he told us.
The government noted that the uptake of cloud services is growing, especially among smaller businesses, and that as the UK's reliance on digital services grows, shielding the infrastructure that powers them against disruption would protect the wider economy.
The move was welcomed by the CEO of trade association TechUK, Julian David, who said the technology sector already plays an important role in strengthening resilience across the UK economy.
"One particular focus will be how these proposals will align with wider efforts to strengthen resilience across sectors as well as the wider ambitions outlined in the UK's National Cyber Strategy," David added.
However, sometimes you don't need a cyber attack to take down services, with outages of cloud services provided by AWS and Azure within the last year due to problems with the infrastructure itself rather than any malicious cause.
We also reported earlier this year how a Swiss datacenter operated by financial messaging service SWIFT was getting increased physical security because of fears about sabotage following the exclusion of Russian banks from the network. ®