Cloud computing: Now as vital as power, transport and fresh water?

Jan. 30, 2018

Cloud computing, search engines, and the services that underpin the internet are to be considered part of the UK’s vital infrastructure, alongside clean water and power, under new rules aimed at boosting cybersecurity.

Under the European Union’s Network and Information Systems (NIS) directive, businesses that provide essential services will have to make sure their security is good enough to protect their network and information systems from attack, as well as having to notify the relevant authorities of serious incidents.

The regulations apply to critical national infrastructure—those basic services without which society will gradually grind to a halt.

These include healthcare, airlines, airports and air traffic control, ports, local and national rail networks, and road transport authorities. The regulations also cover the supply and distribution of drinking water; electricity sale, distribution and transmission; oil production, refining and treatment; and gas supply, storage, sales, and distribution.

The most eye-catching feature of the guidance published by the UK government is the threat of fines—up to £17m—for companies that suffer a breach and are shown to have failed to put effective cybersecurity measures in place. But perhaps more interesting is the recognition that cloud computing and other digital services are now considered essentials too.

That’s because the directive also covers a number of digital services, and requires top-level domain (TLD) name registries, domain name services (DNS) and internet exchange point (IXP) operators to comply.

Cloud computing service providers, online marketplaces, and search engines will be covered by the NIS directive, although their regulation is lighter: regulation and enforcement can only be applied after an incident, and companies with fewer than 50 staff or an annual turnover of less than €10m are excluded.

A number of responses to a consultation on the directive had said that software as a service should be excluded, but the government responded: “Software-as-a-service providers play an important role in the UK’s economy and it is right that they are held responsible for ensuring the security of their network and information systems.”

The government defines cloud computing services as something that enables access to a scalable and elastic pool of shareable physical or virtual resources, which can include infrastructure as a service, platform as a service, and software as a service. However, this does not include most online gaming, entertainment, or VoIP services, as the resources available to the user are not scalable, but may include services such as email or online storage providers, where the resources are scalable.

While the NIS directive, due to become part of UK law in May, has emerged from Europe, Brexit is unlikely to derail it. The government said that on exit from the European Union these policy provisions will continue to apply in the UK.

The UK’s National Cyber Security Centre (NCSC) has published detailed guidance on the security measures to help organizations comply.

ZDNet has the full story
