02 Sep 2025
by John Sotiropoulos

Beyond the Data Centre Walls: How Cloud is Democratising Security, Resilience, and Safe AI Innovation

This blog was written by John Sotiropoulos, Head of AI Security, Kainos

For decades, cybersecurity strategies were grounded in physical control. We could point to a server room, show the locks, and feel secure. The migration to cloud upended this, stripping away physical boundaries and forcing a rethink of how we protect systems, data, and operations. Meeting these changes has required an elevation of abstraction - from fixed physical assets to dynamic, software-defined environments. This shift is essential for dealing with emerging challenges, and invaluable for the new challenges that the rapid adoption of AI brings.

At first, this felt unsettling. Handing over infrastructure to a third party seemed to undermine sovereignty. But over time we’ve learned the cloud doesn’t erode control, it redefines it. By embracing cloud-native capabilities, we can build systems that are secure, compliant, agile, resilient, sovereign - and a safe launchpad for AI innovation.

From Physical Locks to Policy-Driven Security 

Security in the cloud is a transformation of control. Physical barriers have been replaced with Zero Trust architectures, Identity and Access Management (IAM), and security policies as code. 

But capabilities alone do not guarantee the right security outcomes.   

To make this shift effectively, organisations should embed security at the design stage, aligning controls with business risks rather than bolting them on later. Infrastructure-as-Code (IaC) allows encryption, key rotation, and monitoring to be integrated into deployment pipelines so that controls are consistent, auditable, and repeatable. This is a necessity in regulated sectors and AI-enabled environments where risks evolve rapidly.

Secure-by-Design: Orchestrating Cloud Security 

A secure-by-design framework is an essential approach to deliver risk-based, use-case–driven security - ensuring the right controls for the context while avoiding blind spots and overengineering. 

For Digital Health and Care Wales (DHCW), this approach underpinned the delivery of the NHS Wales App. Built on cloud foundations, it gives patients in Wales secure access to health information. By embedding identity, encryption, and monitoring from the outset, security became integral without slowing delivery. Furthermore, for DHCW the adoption of cloud-native DevSecOps ensured that tools were integrated within delivery workflows and that their outputs were actionable, avoiding the false confidence of unused findings.

As the government redefines its national strategy to position digital transformation as a key policy lever, adopting a security-first model is proving essential. It turns the cloud into an enabler for delivering high-assurance digital services at scale across flagship national projects - from secure citizen identity and voting systems to national health and public service platforms.   

Security by design is a must-do, not just an aspiration. By building security into the architecture from day one, these projects are ready to meet evolving sovereignty and resilience requirements.   

Digital Sovereignty: More Than Where Data Lives 

Digital sovereignty is not just about data residency; it’s about who controls access, processing, and usage. Cloud platforms now offer region-specific services, confidential computing, and sovereign offerings that give organisations control without losing scalability.

A prime example is the UK Health Security Agency (UKHSA), which uses secure cloud platforms to analyse health data at national scale. They enable rapid detection and response to outbreaks and pandemics while retaining full control over where and how that data is stored and processed. 

This focus on control directly connects to resilience, because true sovereignty ensures systems remain available and secure even under geopolitical, regulatory, and supply chain stress. 

With the UK's definition of Critical National Infrastructure extended to cover cloud, these sovereignty-aware, automation-rich architectures underpin not just business continuity, but national strategy and operational security. 

Scaling Resilience with Automation and Agentic AI Innovation

Cloud has redefined resilience. Traditional disaster recovery depended on secondary data centres and manual failover. Now, recovery can be near-instant, automated, and even predictive with observability stacks (metrics, logs, and tracing) enabling anomaly detection before incidents occur.   

However, maintaining this level of operational readiness at scale is challenging without addressing both the human expertise gap and increasing security workloads. The combination of security champions and AI-powered agents can help address this.  

At Kainos we combine Agentic AI with cloud-native tools for advanced threat detection and AI-assisted orchestration, enabling automated recovery playbooks that shorten response times and reduce human error. Our Cloud Security Agent takes posture management findings and converts them into testable fixes, packaged as IaC (Infrastructure as Code) templates. As threats and risks evolve, so must our approach to resilience. 

A Launchpad for Safe AI Adoption 

These scalable secure foundations enable controlled AI experimentation, managing risks from emerging adversarial AI threats.  

The FCA’s new AI live testing service shows how cloud helps evolve AI labs from experiments into versatile sandboxes, ingesting real-time data and applying tests and analytics without breaching operational boundaries. Segmented environments, synthetic datasets, and fine-grained access controls enable rapid innovation with managed risk.

The Kainos AI Centre of Excellence uses cloud-native environments to prototype AI for government, healthcare, and finance, with embedded guardrails and compliance checks. This has made it a leading accelerator for adopting the UK’s AI Cybersecurity Code of Practice, now the global ETSI TS 104 223 (“Baseline Cyber Security Requirements for AI Models and Systems”) standard; a standard I have supported by authoring its Implementation Guide, offering a secure-by-design AI guide, leveraging other security guidelines from OWASP, NIST, and NCSC. 

Combining secure-by-design and cloud security has also instilled the confidence to explore adding AI features to the NHS Wales App to help citizens safely.

Conclusion 

Cloud has challenged our traditional sense of security but replaced it with a richer, more dynamic model.  Security is now programmable, resilience is automated, sovereignty is agile, and AI innovation is safely accelerated. 

To benefit from it, we need to drive it with secure-by-design, grounded - as I have argued before - in facts and risks, not fear - and scale it with AI-augmented innovation.

In 2025 and beyond, leaders will treat cloud not just as infrastructure, but as a platform for secure, sovereign, and responsible AI adoption - powered by human expertise and AI-assisted capabilities, grounded in risk-based, user-focused, and measurable frameworks.



Authors

John Sotiropoulos

Head of AI Security, Kainos Software

John Sotiropoulos is a Senior Security Architect at Kainos, helping secure large-scale projects. Prior to Kainos, he provided technical and product leadership to successful start-ups like Metastorm and Alfresco. His interests include privacy, cloud security, and securing AI. An active OWASP contributor, he's on the Core Experts Team for the OWASP Top 10 for LLM applications and is working on a forthcoming book on Adversarial AI.