The Cabinet Office’s “Cloud First” agenda has led to an explosion in the number of public sector organisations embracing public cloud services. But what are the challenges – and how can the risks be mitigated? Gill Hitchcock reports from a recent Civil Service World round table
Two initiatives from the coalition government stand out as catalysts for the adoption of cloud computing by the civil service. The “Cloud First” policy mandates central government to consider using the cloud, and only look to alternatives if they offer better value for money. And then there has been the expansion of G-Cloud, the framework intended to give buyers a choice of suppliers – mostly small and medium-sized technology companies – and to make it cheaper and quicker to buy cloud solutions. But while many departments have benefited from cloud computing, not all transitions have been successful.
With this in mind, Civil Service World, in partnership with cloud consultancy SystemsUp, recently brought together civil servants and technology experts working with the UK public sector for a frank debate about cloud. They discussed how departments and agencies can maximise the advantages of cloud and overcome the obstacles to exploiting its potential.
GDS chief Stephen Foreshew-Cain: "Digital transformation can't be done without talented people across the civil service"
National Archives chief Jeff James: "The shift to digital means nothing will ever be the same again"
Whitepaper: Driving Down IT Costs for the Public Sector
Cloud can support transformation, but what are the justifications within departments for shifting to virtualisation? The participants acknowledged that the Spending Review, the results of which had yet to be announced, would involve major cuts to non-protected departments. This, they agreed, meant service transformation was set to become even more important than it had been during the past five years.
Paul Middlemass, internal audit manager at HM Revenue and Customs, saw opportunities to cut waste, saying that activity in his department peaks at certain times of the year. “For tax systems it is in January and February, and the rest of the time some of our systems are just sitting in offices or buildings ticking over,” he said.
“HMRC sees there are opportunities to make massive savings by putting a lot of our data in the cloud so that we can upscale and downscale capacity much more easily, rather than having hardware standing by.”
Middlemass added that despite concerns about security, the cost savings offered by cloud are so significant that it has become hard to argue against the trend toward adopting this technology.
Peter Burgess, managing director of SystemsUp, agreed, saying: “We’ve seen at a local government level that councils have been squeezed particularly hard and had to take commercial choices, because they haven’t got the money. It’s a big driver for cloud uptake.”
Stewart James, a partner in law firm Ashfords who specialises in providing advice on information legislation, said motivations for adopting cloud may vary from department to department, and even from function to function. “It is important to recognise that there are different players and different platforms and infrastructure,” he said.
“If you think of HMRC’s requirement, essentially it’s the need for processing power. It does not necessarily mean that personal data, or customer data, has to be stored in a cloud environment, but HMRC has to have a way of processing it at points of peak activity. So surely in any consideration of going to the cloud, you have to understand what the requirements were – or are – for those processes, what the problem is that you want to overcome.”
Organisations should never think that everything has to go to the cloud, Burgess said. “With all IT, it’s key to understand the requirements, otherwise it becomes IT for IT’s sake. Actually, it may be as cheap to run services on the premises. The idea is to have a model which allows you to understand why you would push certain workloads into the cloud and others keep locally.”
SystemsUp sales director Robert Papier pointed out: “Not all data are equal. For example, there are a lot of MoD data and systems that are just to do with procurement and part of that would probably not be security sensitive.”
Phil Mooney, a Royal Air Force technician, agreed and argued: “It’s about knowing what you are or are not going to store in the cloud and it’s also making the user aware that particular information is going to be stored in the cloud.”
“If you need to use applications, then the cloud is perfect because you’re going to get the latest commercial-off-the-shelf tools. So it’s a brilliant commodity to use, but the challenge is making it work for yourself or your organisation,” he added.
The discussion then turned to the roadblocks along the route to cloud adoption. Some participants thought the civil service needed a better awareness of what cloud could offer. Among them was Margaret Parhizgar, project delivery lead in the Home Office’s portfolio & project delivery directorate, who said: “I think the debate is still up in the air, to be honest. I think we’ve made certain inroads and there are some departments who are ahead of the game. It’s having an understanding of cloud – there’s an educational element there.”
A second issue was that of legacy systems which were hard to virtualise, as Middlemass described: “Revenue and Customs have lots of legacy systems which cause massive problems, with coding 20 or 30 years old and there is only one person in the country who can decode it.”
While the commercial sector is free to play the market, the public sector is comparatively bogged down by procurement regulations, the event heard. “Every time the public sector needs to change its contracts it has to consider whether it needs to go back to the market through a competitive process,” said James.
He pointed to an advantage of G-Cloud – which now regularly adds new suppliers available to government purchasers – but cited G-Cloud’s low threshold of £175,000 as a barrier. Parhizgar also pointed out that a route to using cloud could in some cases be also blocked by incumbent suppliers: “They can constrain various elements of their services so they know they have got you over a barrel,” she said.
“Unless you have people in-house who are really knowledgeable about systems architecture, data systems, analytics etc – people who can actually challenge – you can be reliant on suppliers’ assurance that everything is fine. And often there can be an element of unknown in what they’re retaining, so that next time around you’re almost mandated to extend their contract.”
For military technician Mooney, security was paramount among all cloud transition considerations. “My concern about the cloud is obviously what it is going to be used for within the MoD,” he said. “Is it going to be used for storing data or applications – and will these be accessible and secure?
“Where are these stored, where are the data centres, how are they protected?” he asked. “And then when that data is finished with, what assurance do we have that information has been removed securely?”
The recent data breach at communications giant TalkTalk has heightened public awareness of the potential for serious security lapses, Parhizgar said. Michelle Chuvas, central government manager for UK-based encryption vendor Egress, held the view that “it all comes down to what data are you sharing and why, and what measures do you need to put in place to secure that information; knowing where the data centres are and with what level of security.”
However, Middlemass reassured the group that cloud computing could offer significant security advantages over in-house data centres: “We have had servers in specific buildings where, if there had been a fire or other incidents, there would have been a serious problem,” he said.
The physical location of a data centre was a key issue for the MoD, said Mooney, because data stored outside the UK fell under the laws of that country. He gave an example: “If we have a cloud data centre in the US, the US government has access. And because of terrorism laws, the American government would have access to all the information in that data centre, even if it’s not a US company that stored the data. And that is the sort of issue that I think we need to be looking at.”
James pointed out that while Mooney was correct, and that the Patriot Act did give the US government the right to access information, there were “protocols and processes in place to give protection”.
The discussion turned to whether requirements for cloud storage filtered through to departmental strategies. Is HMRC, for example, essentially moving existing functions to the cloud to achieve cost savings, or is cloud a way of transforming its operations? A key concern for Mooney was whether the cloud would help or hinder the Ministry of Defence in aligning its IT systems with those of the other departments it works with, such as the Foreign and Commonwealth Office.
“It’s all of that really,” Middlemass said. “I completely accept the issue about making discrete changes and a risk that they aren’t congruent and don’t work together to achieve the overall strategy. But I think that given the size of our department and the number of processes, it’s really difficult to have an overall strategy.”
There was agreement among participants that strategy had to be led by the executive before being implemented by the procurement team and IT department. Richard Ingram, technical director of SystemsUp, spoke about the importance of taking a long view: “You almost have to look 10 years out, remove yourself from the existing environment, and get that vision for the future. Then you can look at what applications are needed for each department and work that into a road map for services. It’s a services roadmap, not an applications roadmap.”
Parhizgar concurred with the point about taking a longer term approach, and argued: “You have to end quick fix situations and actually say – right from the top – ‘this is our strategy, this is what we’re trying to achieve’. GOV.UK is a good example; we should be learning from initiatives like that in so many respects.”
She cautioned, however, that “one size does not fit all, which is the other problem. It is no easy task to get all the different systems onto one, given the different levels of need.”
Ingram maintained that it is important for departments to adopt an iterative approach to cloud. He argued: “What is achievable this year will change next year when technology changes, and that is part of the drive to leverage cloud, to outsource the commodity tools and just buy them in as a custom service for your user base.”
With such challenges and large departmental structures, some worries were voiced that the public sector is too unwieldy to successfully adopt cloud at the rate necessary to drive transformation.
Parhizgar thought that the speed of learning from public sector experiences of cloud needs to improve. “Sometimes government bodies can be very slow to learn from each other,” she said. “It is improving, but we need to be ahead of the game”
James was more optimistic, however, saying that there were instances when the public sector was further ahead than the private sector. “There are two areas in the country where technology advances fastest. One is the public sector and the other is the financial sector. The financial sector, because they can afford to do it, and the public sector because it has to do things that commerce will never do.”
He was also certain that austerity and financial cuts will drive greater innovation in the public sector: “The public sector has some very bright minds who are very good at finding solutions and working them out. Some of that will spin off into private commerce as well, which will be great.”