Congratulations to John Godwin, Director of Compliance & IA at UKCloud, who is techUK's Cloud Security Champion for the month of July.
The purpose of techUK’s Cloud Security Champion campaign is to celebrate the work of UK cloud security specialists in helping build a culture of trust and confidence in cloud computing and showcase how they are supporting organisations to adopt, deploy and use cloud services securely. This is also an opportunity to learn from those working in cloud security about the current threat landscape and examples of the strides being made in enhancing security.
A new techUK ‘Cloud Security Champion’ will be chosen every month, so if you would like to nominate a friend or colleague to be the next Champion, please drop us a line.
Read the full interview below:
What is your current role and responsibilities?
I’m Director of Compliance and Information Assurance at UKCloud. I’m responsible for all matters relating to information security and data protection, ensuring that UKCloud operates in a secure, assured manner which meets the accreditation, certification and contractual requirements of our UK public sector customers.
Whilst every day is different, my role encompasses supporting the UKCloud community in many areas. This includes the delivery of risk management activities, implementing security controls and assessing how UKCloud needs to adapt to changing requirements (including new customer-specific requirements), addressing recently discovered technical vulnerabilities or changes to UKCloud’s technology stack. I also support customers and partners with the achievement of their own GRC objectives, helping them to understand and integrate with UKCloud’s own position.
What do you most enjoy about your work?
There are always new challenges to be confronted, understood and addressed. Working within UKCloud, I am surrounded by experienced and enthusiastic colleagues in a multitude of disciplines: it’s always great to see that combining our skills continues to deliver positive results for the UK public sector’s digital transformation agenda.
Why is cloud important to the UK’s economic growth and what does the future hold for the adoption and maturity of cloud in the UK?
The COVID-19 pandemic has highlighted that cloud, done well, can deliver a range of benefits from lower consumption costs, embracing innovation from the latest technologies, and providing greater collaboration and associated efficiency from being better connected. With an emerging “new normal” challenging the traditional workplace, cloud is very much at the fore of developing future working practices.
How have you supported organisations’ secure adoption and implementation of cloud services over the years?
UKCloud was established to be a secure, trusted provider of cloud services, so we have always strived to achieve the most robust of security. In the early days of cloud, that included regular consultations with the National Cyber Security Centre and ensuring that technical validations provided independent assurance of cloud security. Enhancing its existing ISO27001 information security certification, UKCloud was the first UK organisation to additionally achieve ISO27017 certification for its robust management of cloud security.
Would you agree that the conversation about cloud security has shifted and cloud users increasingly recognise the security benefits of cloud services?
Those who have seen me speak at techUK events and elsewhere will be aware that I believe this remains a joined-up responsibility. Cloud service providers need to willingly provide comprehensive information about the security, operation and locations of their cloud services. On the other side, potential cloud service customers need to obtain and assess this information from possible suppliers, and thoroughly assess it against their own security requirements and risk appetite.
What are the key security concerns affecting greater cloud adoption and how can these issues be addressed?
Some organisations remain resistant to cloud because they do not understand how to use cloud services securely, or because they have fears of “losing control” of the physical infrastructure or application source code to a third party. Much of this can be addressed by having a clear understanding of the respective responsibilities of the cloud provider and the customer, and ensuring regular interactions (service reporting and reviews) to provide the visibility, assurance and evidence that a secure cloud service is being delivered.
What steps should organisations take to adapt their cloud security posture to the rapidly changing online environment?
A willingness to compare cloud hosting and SaaS offerings against traditional procurement options will demonstrate that there are clear benefits from cost reductions, increased scalability and enhanced resilience. As customers in many sectors move from physical to online interactions, they will appreciate that the scale and flexibility of a well-managed cloud service will provide a better customer experience and increased protection for their valuable and sensitive data.
What would you suggest is the one thing all companies should do to improve their cloud security?
Pre-cloud, IT services were almost exclusively the responsibility of the IT Department, and as such security could be managed, monitored and assessed in-house. The use of cloud services takes that outside of the organisation’s boundaries and requires the coordination of a team to ensure security elements are being maintained. That includes, as a minimum, commercial representation, compliance expertise, data protection specialists and service monitoring analysts.
What advice would you give to someone considering a career in cloud security?
As the cloud industry expands at an unprecedented rate, we remain challenged to locate suitably qualified and experienced professionals to ensure this expansion is both secure and sustainable. There are many vacancies available but remember to research and progress through credible training programmes to make yourself a closer match to the interviewer’s perfect candidate.
If you would like to learn more about techUK's Cloud Security Champion, please reach out to laura.foster@techUK.org.