Restricted Data in the Cloud with António Gameiro Marques
Rear Admiral António Gameiro Marques is the Director General of the Portuguese National Security Authority, which includes the National Cybersecurity Center.
Episode 30: Restricted data in the cloud
Public Sector Future
In this episode, host Olivia Neal speaks to Rear Admiral António Gameiro Marques, Director General of Portugal’s National Security Authority. We learn about Portugal’s approach to security in the cloud and their development of controls and approaches for protecting restricted data.
Lessons from Portugal’s Director General of the National Security Authority
As Director General, Marques is responsible for the life cycle of restricted information for the Portuguese administration. Where Marques refers in the discussion to ‘classified’ information and data, this corresponds to what is often called ‘restricted’ in other contexts.
“I personally sit in a relatively wide-angle view, because my organization sits on the boards in the committees that deal with cybersecurity and information security in general, in the EU and also in NATO. So, we can complement the views of both entities by grabbing what is more valuable from each one and then combining them together. And I have a very clear example on that.”
He continued, “On the classified information side, we have to certify IT systems to process, store, transmit, receive classified information. And this is done today according to NATO rules, NATO controls. On the other side, the EU is developing schemes to certify under the cybersecurity scope, not only services, but also items. The Common Criteria has been done already. Now they are working in cloud. They will work on 5G, on IoT, and so forth, and the goal is for citizens of the European Union to be able to know what is the level of trust that the system or the service connectable to the internet can give to them by three levels.”
A long journey
Technology, architecture, and cybersecurity are quickly evolving in Europe and while Portugal is leading the way in some of those areas, they’ve been working on it for a long time.
“We started the journey with Microsoft, in June of 2019 by experimenting with the certification of some cloud services of Azure, to learn how to do it, based on the NATO controls, and we did it with Microsoft and we did it through the lab connected to one of the universities of this country, for the three entities to learn how to do it.”
Marques compared their journey to exploring a jungle:
“We were literally exploring things, like we were in a jungle. And then sometimes we had to come back to the drawing board to see, well, this is not the correct way of doing this, but we learned a lot. And by the end of the period, we had some services, quite a great number of Azure services, accredited to store classified information up to national restricted.”
“We were not very ambitious as far as the level is concerned. We were more ambitious in the process and in the controls we would use to do it. And then we stopped and the three entities evolved. So us, Microsoft and – and the lab connected to the Porto University that worked with us, we got together. We identified what went well, what went wrong, for us to be more prepared in the following iteration.”
Marques’ team is already in their second iteration and are using lessons learned to embed a smoother process.
A pyramid of data
As the European Union develops its cybersecurity certification scheme, Marques is using the work with Microsoft and Porto University to be ahead of the game.
“How is this connected to the EU cybersecurity scheme certification? Well, the way we are thinking about it is – is the following. When the EU defines this – the cybersecurity certification schemes, for instance, for cloud, we will do it, up to the highest level. And then for classified information, we will only require the over and above.”
He explained further, “Imagine a pyramid where the top is the classified information, so we’ll do the top notch for cybersecurity certification and the delta for classified information, but the good thing is that, instead of waiting for that to happen from the EU, we are already doing it.”
Lessons for other countries
Marques mentioned the three entities: the University lab, the technology provider, and his own department. By bringing all of these entities together, he’s been able to gain a solid understanding of which IT systems could be used to process which types of data. This is an important lesson for any country trying to evolve, but Marques urges others to do a lot of research before starting the journey.
“In order to compile all the documentation and all the controls, we should have in place on top of the table to start that process of certification. And we went to the EU, we went to NIST we went to NATO, and after a month or a month-and-a-half or so, we came up with a set of controls, that afterwards, through the process, with Microsoft, with the lab, were changed or moved or reiterated.”
“And now we are in the stage where we are already able to write documentation about it, so doctrine says that when you reach the stage, when you are able to explicit what you have done in a logical and structured and understandable way, it means that you’ve done – you’ve done already a good and solid path, which – which means that now we – we are in the situation where we could show to others what we have written, what we have put in the document for others to criticize in order for the document to become a better document in iteration. And that is what we’re doing.”
The plan is to have a document with input from the cybersecurity community, openly available for comment and feedback.
“One part of the organization, the classified information part, produced the document based on the knowledge they have developed through the process of the certification they have done so far. And now I’ve given that document to the cybersecurity community and told them, ‘Hey, give me your contributions, your inputs.’ And then our intention is to open that document through other communities.”
This would be something that other countries could access and use if they’d like, to serve as inspiration.
“So now the document is written in Portuguese, but it’s going to be translated for it to be more widely available, and for everybody to – that is willing to do something positive, with respect to it, can access it.”
Using cloud in government
Marques prefers to think honestly, when it comes to using cloud: “We have to be intellectually honest with ourselves and do this thinking, do this reflection, you know, these deep thoughts, instead of being dogmatic and saying, no, I wouldn’t want any of my data in the cloud where I cannot see where it is.”
“We developed a framework whereby questions and answers, one can have a leader, a decision maker can have a very pragmatic idea of if he or she should use cloud and what type of cloud for the specific types of data that they have.”
There’s always a balance
Marques says his preference would be to focus in-house effort on the systems and data that are unique to his organization; for other systems, his view is:
“Well, let’s put it in the cloud. It’s less money for me for maintenance. I don’t have to change the hardware every five years or seven years. And I can concentrate my human resources on the things that make us unique and are the reason for us to exist in the government of Portugal.”
Where inspiration comes from
Marques studied in the U.S. in the 1980s before working in the UK’s Royal Navy in the 1990s, and looks back on what he learned during each decade abroad.
“A lot of the doctrine NATO has come from the British standards. I think the doctrine that generally is produced in UK, including cybersecurity, is very good for inspiration, at least for my inspiration. The Dutch, I’ve lived in the Netherlands for one year and a half and I also like the way they approach things.”
He keeps his mind open to new inspiration and advice: “Nature has given us two ears and just one mouth. So, we should hear more than we talk. And I learned a lot just by listening to others. And it’s also an attitude because I’m eager to learn new things.”
Advice for the future
When asked what he most wanted to get across to anyone listening, Marques had this to offer: “I think invest in people, invest in the knowledge of people, of your technicians, of your workers, of your personnel, because that’s the best investment you can possibly do. It will probably not get a return in the near, near future, but will – but it will get the return for the society, for them and for the organizations they’re working.”
As well as considering the people in his own team, Marques’ vision of investing in people has been delivered more broadly, focused on raising cybersecurity capabilities across the whole of Portugal.
“And that’s the reason why we are starting quite an ambitious, advanced cybersecurity education program here in this country that will be delivered through the Polytechnic Institutes and universities of this country, based on the cybersecurity framework that we have developed. And the courses will give opportunities of new people to do new things and we, above all, we will enable society to be more capable, as far as cybersecurity is concerned, and to sustain the everyday attacks that are suffered throughout the world.”