Beyond the Data Centre Walls: How Cloud is Democratising Security, Resilience, and Safe AI Innovation
This blog was written by John Sotiropoulos, Head of AI Security, Kainos
For decades, cybersecurity strategies were grounded in physical control. We could point to a server room, show the locks, and feel secure. The migration to cloud upended this, stripping away physical boundaries and forcing a rethink of how we protect systems, data, and operations. Meeting these changes has required an elevation of abstraction - from fixed physical assets to dynamic, software-defined environments. This is an essential shift to deal with emerging challenges and invaluable with the new challenges the rapid adoption of AI brings.
At first, this felt unsettling. Handing over infrastructure to a third party seemed to undermine sovereignty. But over time we’ve learned the cloud doesn’t erode control, it redefines it. By embracing cloud-native capabilities, we can build systems that are secure, compliant, agile, resilient, sovereign -and a safe launchpad for AI innovation.
From Physical Locks to Policy-Driven Security
Security in the cloud is a transformation of control. Physical barriers have been replaced with Zero Trust architectures, Identity and Access Management (IAM), and security policies as code.
But capabilities alone do not guarantee the right security outcomes.
To make this shift effectively, organisations should embed security at design stage, aligning controls with business risks rather than bolting them on later. Using Infrastructure-as-Code (IaC), encryption, key rotation, and monitoring can be integrated into deployment pipelines so that controls are consistent, auditable, and repeatable. This is a necessity in regulated sectors and AI-enabled environments where risks evolve rapidly.
Secure-by-Design: Orchestrating Cloud Security
A secure-by-design framework is an essential approach to deliver risk-based, use-case–driven security - ensuring the right controls for the context while avoiding blind spots and overengineering.
For Digital Health and Care Wales (DHCW), this approach underpinned the delivery of the NHS Wales App. Built on cloud foundations, it gives patients in Wales secure access to health information. By embedding identity, encryption, and monitoring from the outset, security became integral without slowing delivery. Furthermore, for DCHW the adoption of cloud-native DevSecOps ensured tools were integrated within delivery workflows with their outputs actionable, avoiding the false confidence of unused findings.
As the government redefines its national strategy to position digital transformation as a key policy lever, adopting a security-first model is proving essential. It turns the cloud into an enabler for delivering high-assurance digital services at scale across flagship national projects - from secure citizen identity and voting systems to national health and public service platforms.
Security by design is a must-do, not just an aspiration. By building security into the architecture from day one, these projects are ready to meet evolving sovereignty and resilience requirements.
Digital Sovereignty: More Than Where Data Lives
Digital sovereignty is not just about data residency, it’s about who controls access, processing, and usage. Cloud platforms now offer region-specific services, confidential computing, and sovereign offerings that give organisations control without losing scalability.
A prime example is the UK Health Security Agency (UKHSA), which uses secure cloud platforms to analyse health data at national scale. They enable rapid detection and response to outbreaks and pandemics while retaining full control over where and how that data is stored and processed.
This focus on control directly connects to resilience, because true sovereignty ensures systems remain available and secure even under geopolitical, regulatory, and supply chain stress.
With the UK's definition of Critical National Infrastructure extended to cover cloud, these sovereignty-aware, automation-rich architectures underpin not just business continuity, but national strategy and operational security.
Scaling Resilience with Automation and Agentic AI Innovation.
Cloud has redefined resilience. Traditional disaster recovery depended on secondary data centres and manual failover. Now, recovery can be near-instant, automated, and even predictive with observability stacks (metrics, logs, and tracing) enabling anomaly detection before incidents occur.
However, maintaining this level of operational readiness at scale is challenging without addressing both the human expertise gap and increasing security workloads. The combination of security champions and AI-powered agents can help address this.
At Kainos we combine Agentic AI with cloud-native tools for advanced threat detection and AI-assisted orchestration, enabling automated recovery playbooks that shorten response times and reduce human error. Our Cloud Security Agent takes posture management findings and converts them into testable fixes, packaged as IaC (Infrastructure as Code) templates. As threats and risks evolve, so must our approach to resilience.
A Launchpad for Safe AI Adoption
These scalable secure foundations enable controlled AI experimentation, managing risks from emerging adversarial AI threats.
The FCA’s new AI live testing service shows how cloud help evolve AI labs form experiments into versatile sandboxes, ingesting real-time data, applying tests and analytics without breaching operational boundaries. Segmented environments, synthetic datasets, and fine-grained access controls enable rapid innovation with managed risk.
The Kainos AI Centre of Excellence uses cloud-native environments to prototype AI for government, healthcare, and finance, with embedded guardrails and compliance checks. This has made it a leading accelerator for adopting the UK’s AI Cybersecurity Code of Practice, now the global ETSI TS 104 223 (“Baseline Cyber Security Requirements for AI Models and Systems”) standard; a standard I have supported by authoring its Implementation Guide, offering a secure-by-design AI guide, leveraging other security guidelines from OWASP, NIST, and NCSC.
Combining secure-by-design and cloud security has also instilled confidence to explore with addition of AI features in the NHS Wales App to help citizens safely.
Conclusion
Cloud has challenged our traditional sense of security but replaced it with a richer, more dynamic model. Security is now programmable, resilience is automated, sovereignty is agile, and AI innovation is safely accelerated.
To benefit from it we need to drive it with secure-by-design, grounded - as I have argued before - in facts and risks, not fear – and scale it with AI-augmented innovation.
In 2025 and beyond, leaders will treat cloud not just as infrastructure, but as a platform for secure, sovereign, and responsible AI adoption -powered by human expertise and AI-assisted capabilities, grounded in risk-based, user-focused, and measurable frameworks.
For more information please contact:
Chris Hazell
Sue Daley OBE
Sue Daley OBE
Sue leads techUK's Technology and Innovation work.
This includes work programmes on cloud, data protection, data analytics, AI, digital ethics, Digital Identity and Internet of Things as well as emerging and transformative technologies and innovation policy.
In 2025, Sue was honoured with an Order of the British Empire (OBE) for services to the Technology Industry in the New Year Honours List.
She has been recognised as one of the most influential people in UK tech by Computer Weekly's UKtech50 Longlist and in 2021 was inducted into the Computer Weekly Most Influential Women in UK Tech Hall of Fame.
A key influencer in driving forward the data agenda in the UK, Sue was co-chair of the UK government's National Data Strategy Forum until July 2024. As well as being recognised in the UK's Big Data 100 and the Global Top 100 Data Visionaries for 2020 Sue has also been shortlisted for the Milton Keynes Women Leaders Awards and was a judge for the Loebner Prize in AI. In addition to being a regular industry speaker on issues including AI ethics, data protection and cyber security, Sue was recently a judge for the UK Tech 50 and is a regular judge of the annual UK Cloud Awards.
Prior to joining techUK in January 2015 Sue was responsible for Symantec's Government Relations in the UK and Ireland. She has spoken at events including the UK-China Internet Forum in Beijing, UN IGF and European RSA on issues ranging from data usage and privacy, cloud computing and online child safety. Before joining Symantec, Sue was senior policy advisor at the Confederation of British Industry (CBI). Sue has an BA degree on History and American Studies from Leeds University and a Masters Degree on International Relations and Diplomacy from the University of Birmingham. Sue is a keen sportswoman and in 2016 achieved a lifelong ambition to swim the English Channel.
- Email:
- [email protected]
- Phone:
- 020 7331 2055
- Twitter:
- @ChannelSwimSue,@ChannelSwimSue
Laura Foster
Laura Foster
Laura is techUK’s Associate Director for Technology and Innovation.
She supports the application and expansion of emerging technologies, including Quantum Computing, High-Performance Computing, AR/VR/XR and Edge technologies, across the UK. As part of this, she works alongside techUK members and UK Government to champion long-term and sustainable innovation policy that will ensure the UK is a pioneer in science and technology
Before joining techUK, Laura worked internationally as a conference researcher and producer covering enterprise adoption of emerging technologies. This included being part of the strategic team at London Tech Week.
Laura has a degree in History (BA Hons) from Durham University, focussing on regional social history. Outside of work she loves reading, travelling and supporting rugby team St. Helens, where she is from.
- Email:
- [email protected]
- LinkedIn:
- www.linkedin.com/in/lauraalicefoster
Authors
John Sotiropoulos
John Sotiropoulos is a Senior Security Architect at Kainos, helping secure large-scale projects. Prior to Kainos, he provided technical and product leadership to successful start-ups like Metastorm and Alfresco. His interests include privacy, cloud security, and securing AI. An active OWASP contributor, he's on the Core Experts Team for the OWASP Top 10 for LLM applications and is working on a forthcoming book on Adversarial AI.
