08 July 2022

The UK government has begun a consultation on data storage and processing to strengthen the security and resilience of local data centres and cloud services.

Companies that run, purchase or rent any element of a data centre have been asked to detail the types of customers they serve.

The Department for Digital, Culture, Media and Sport (DCMS) is seeking views from data centre operators and their customers, cloud providers, equipment suppliers and cyber security experts – to help the government understand the potential risks that data storage and processing services is facing.

This includes detailing what measures are in place and what steps they are already taking to address any vulnerabilities.

“We legislated to better protect our telecoms networks and the internet-connected devices in our homes from cyberattacks and we are now looking at new ways to boost the security of our data infrastructure to prevent sensitive data ending up in the wrong hands,” said Julia Lopez, minister of state for media, data and digital infrastructure.
It also seeks feedback on putting in place processes seen in other regulated sectors – these include incident management plans, having to notify a regulator when an incident impacts their services, or a requirement for someone at board or committee level to be held accountable for security and resilience of the infrastructure.

Based on the evidence collected, DCMS said it will then decide whether any additional government support or management is required to minimise the risks to data storage and processing infrastructure.

Jon Anthony, founder Adappt.ai and the Hub.ai told Networking+ that “in the world of cloud data security, every dependency is an opportunity for a back door”. He added: “Even in the vaunted world of Open Source, compiled code, back doors are hidden in plain sight. The only true solution is a standards-led approach. Personally, the most effective hardening technique I have seen is the automation of hacking tools such as Kali Linux and Metasploit to perform high volume combination exploit testing.”

Jason Sabin, CTO with DigiCert, added: “The UK government is doing the right thing seeking counsel from security experts. Protecting data centers and cloud assets is complicated and includes stringent physical and network security, continuous monitoring and compliance with industry regulations. Achieving digital trust through proven means like PKI is essential to secure data centres and the cloud assets.”

The DCMS stated that any new protections would build on existing safeguards for data infrastructure, including the Networks and Information Systems (NIS) Regulations 2018 which cover cloud computing services.

Nigel Thorpe, technical director at SecureAge, said a focus on maintaining and improving the cyber-resilience of data centres and cloud services is clearly very important. “However, we must not lose sight of the fact that it is often the endpoint which is the weakest link,” he said. “It is the point at which the least cyber-security aware people operate, and, until we all install the modern equivalent of the old ‘dumb terminal’ on our desks, potentially sensitive information is frequently downloaded to the local PC.”

Martin Walsham, director of cyber security, AMR CyberSecurity, added: “Recent complex attacks such as the widely publicised Solar Winds hack demonstrate how supply chain and IT providers are both vulnerable and actively targeted by well-resourced and capable adversaries.”

The consultation will run until July 24.