Ahead of Government Technology Review’s 2011 Cloud Computing Forum, we conducted a round table to assess cloud and how it adds value to government users. Here's a partial transcript of the round table

Peter Sharples
Director,
Virtualisation Service
Automation and
Cloud,
CA Technologies

Simon Sharwood (GTR Editor): Let's kick off by trying to get a definition of the cloud.

Michael Sentonas (Vice President and Chief Technology Officer, Asia Pacific, McAfee): Probably the simplest term for me is basically any computing service or application that's delivered to multiple users, customers, organisations through the internet, in a nutshell.

Carrie Higbie (Director Data Centre Solutions and Services, The Siemon Company): To me a cloud is a means to use spare capacity through applications and compute smarter. One of the important thing about clouds is the ability for your bill to return to zero. So you're not paying for capacity that you don't need.

Craig Baty (Chief Technology Officer, Fujitsu): Being a cloud provider we have a very specific definition. A cloud is a mechanism of providing computing resources that enables pay per use, not just 'hey, you sign up for three years and pay something monthly,' but right down to daily or megawatt use, that should be flexible – elastic and scalable. Elastic means you can use the resources that you want to use up and down, and scalable means you can access extra when you need it. It should be self service. So once you've set something up, you shouldn't need to talk to a human. You should be able to do it electronically and you should be able to access it through internet technologies.

Peter Sharples (Director, Virtualisation Service Automation and Cloud, CA Technologies): We broadly support the NIST framework – from the National Institute of Standards and Technology over in the US. So, basically [cloud means] on demand broad network access, scalable up and down, shared resource pooling and some sort of measure of service which you translate into a financial cost.

Simon Sharwood (SS): Why should government care about the cloud?

Carrie Higbie (CH): Most of the government institutions that I work with have their own IT resources, they each have their own everything, and from a taxpayer's perspective, it's crazy expensive to do that. It's kind of like putting each of your children in their own house. Eventually you realise one has a three bedroom house, they could all live in that house and it'd save you a hell of a lot of money.

There's a lot of wasted resources out there between all these different agencies. Everybody wants the latest toy. Everybody wants to do the latest and greatest thing, but realistically if you look at something like a tax commission for instance, there's a huge hit to download tax forms right before tax day so they have to build the capacity for that and what do they do with that the rest of the year? That can be used somewhere else and if we start making our governments act like a cohesive government from a computing standpoint, clouds start making sense for a lot of those entities.

Carrie Higbie
Director Data Centre
Solutions and Services,
The Siemon Company

Craig Baty (CB): The Gershon Review recommended lots of things, but one of them was the centralising of government resources, the reduction of cost and governments are looking to cloud as one method of doing this. It's not the only method. Cloud's another tool in the arsenal of any IT manager along with managed services or offshoring.

SS: It's interesting to me that we've very quickly gone from a discussion about capital "C" Cloud, and now we're talking about what sounds to me like a private cloud, or perhaps a government cloud. I wonder how an agency like Centrelink that has a lot of application thinks about this. Do they say "We have such hygiene around our stuff that we're not interested in cloud?"

Michael Sentonas (MS): For someone like a Centrelink the opportunity to use somebody who provides the grid capability to scale up and down as they need and pay per use is extremely attractive and it means that Centrelink can get free from managing the IT systems and all the hardware and the software and the licences and the support, and let somebody else do it and focus purely on the application. It also means that people like Centrelink and other departments can start to look at maybe breaking away from a lot of the legacy applications that they've been using for 20 or 30 years now, and that's an attractive reason to go to the cloud because you can start to try to migrate some of those clunky, expensive systems.

CH: That's a major, major transition. Anytime that you've got custom code and custom databases, and that's something else that's a little tricky with a cloud when you talk about public and private clouds being different. In a private cloud you're pretty much tailoring your applications to something that exists or something that is out there, and if you don't like that cloud provider, you can't always just pick up your little ditty bag and go to another cloud provider because they may not be comparable.

So, when we talk about public and private, I think it's two completely different subjects there because there are a lot of applications. There's applications out there that only get hit by another application at year end, but if that's not available at year end then it can have a huge risk down the road. So I think you've got to do a serious risk assessment for any of it.

CB: Carrie brings up a good point. When Fujitsu built our local cloud we did research two and a half years ago about what was required for Australian businesses and governments and small to medium enterprise, and it became very, very clear that a one size fits all approach wasn't appropriate, that there were issues about portability and even licenses. Just because you've licensed Microsoft as a government agency, when you move it to the cloud, who owns the licence? Does Fujitsu own it? Does the government own it? Government tends to stay with things for quite a few years. They don't move day-to-day or month-to-month like an SME says they're going to. So the portability bit isn't as much of an issue, but it could be later.

How do you actually encapsulate that? How do you keep control of the data? How do you make sure they know where the data is, whether it's local or offshore? How do they make the applications portable? And there are technologies. We use VMWare to encapsulate the applications and enable a level of portability. We have products from CA that help us secure it and a number of other organisations. So yeah, you've got to take all of those things into account.

Michael Sentonas
Vice President and
Chief Technology Officer,
Asia Pacific, McAfee

CH: Government contracts in a lot of countries are three to five years. So at the end of that period if the cloud's not performing, if you're having issues or if there's SLA issues and you decide to move to another provider, a lot of the clouds that you move to, you can't go anywhere.

SS: I read a piece the other day about the EDS/HP contract I think with the US Marines where it's so entangled that the Marines kind of find themselves signing up for another five years at a time because they know they can't extract themselves from the contract in five years.

CB: So what cloud providers have done is taken a traditional outsourcing contract and treated cloud like just another outsourcing deal with all the things that entails. You've got to have the spirit of an outsourcing contract, but you've got to actually change the commercial arrangements for a cloud, and lots of people talk about cloud being this big technology change. It isn't. It's existing technologies tailored and modified to provide a solution, but the commercial arrangements were the most difficult thing for us to put together. We've worked for a lot of suppliers, put back-to-back arrangements with each of the people to make sure that when we promise portability, we could actually give it. Then they needed back-to-back arrangements with their suppliers as well. The other thing is how do you pay for it? Say you want to pay your provider for X amount of processing, but they want you to sign a three-year contract for their software. You go "No, let's work with them." So negotiating that component took a lot of effort as well.

I think that government agencies in general aren't quite aware of some of these issues that may occur, but then again do they need to be as aware as a commercial organisation, because they're not going to chop and change? We haven't seen any evidence of a government saying "Yes, we really want to take your pay-as-you-go contract type thing and we want to be able to terminate within a month." They sign a three-year contract and then they want the elasticity and scalability in there, and the variability of payment, but they're really not interested in changing over very quickly.

Peter Sharples (PS): The problem is also the internal procurement cycles government goes through. It could take them a month to sign that paperwork to get that service for a month.

CB: That's right.

PS: One of the largest challenges that we're seeing emerging is this whole concept of pay-per-use is not necessarily something that government is going to want. So the big drop is towards capitalising as much funds as possible. If you look at a public cloud environment, it's OPEX. It's impossible to capitalise some sort of shared infrastructure model. It is just not possible to own those assets. Talk about private and hybrid clouds, it's slightly different. You can capitalise parts of those. Internal private clouds are nearly the whole lot. Hybrid or community clouds, a lead agency could capitalise the core infrastructure, then provide the scalability through internal OPEX between the sub agencies. So tackling that whole financial model is another challenge they'll have.

SS: Why should a business person in government care about the cloud? If I'm told to enact a policy, what can the cloud do for me?

Brad Duce
General Manager,
Australia &
New Zealand,
The Siemon Company

CB: Take for example emergency response. You've got to set up emergency response centres, you've got to set up food distribution centres, you may have limited resources. Where are you going to get the service from? Where are you going to get the systems? As long as you can get internet access, you could go to a cloud that's available there on the spot, you sign up that day and you've got the resources.

Brad Duce (General Manager, Australia & New Zealand, The Siemon Company): To draw out a little bit more on your point, Government should be focusing on building roads, fixing them, repairing them. The same could be said for a lot of different government departments. Whereas what we do see is that they all end up setting up individual IT teams that all go and spend their own amount of money and their own amount
of resources…

CH: Therein lies the big problem with clouds because when you start putting all this stuff together and you start putting government agencies together, all the little fiefdoms go away, or at least to a certain extent and I think that's been a big resistance to some of the cloud applications so far in that people are worried. "Well if I start outsourcing everything to somebody else in a cloud, what's going to happen to my job? I've got a family to feed." There's ways I think it's really going to shift what people do. I don't think it's necessarily going to cost jobs, but it's definitely going to shift jobs.

SS: Let's talk about the governance models and security in general. What challenges do you see the cloud creates and how can we think about meeting them?

MS: That's probably the number one concern that certain customers that I deal with talk about the security and securing the cloud. If you read a report from Gardner or IDC or Forester, they all sort of say it again, and from a government perspective it becomes a little bit interesting. That's probably why private clouds make a little bit more sense for more government applications.

One of the things that we've been spending a lot of time looking at is – we've not been looking at the Siemons, the Fujitsus, the large providers – it's all the small players that are turning up that really have no regulations. There's no standards and you can use their service, but where's your data being stored, how's it being secured? Things like data loss prevention, they probably have less process and policy than the government department did to start with. So it's a complex challenge I guess that a lot of people need to spend some time on and really look at before they start outsourcing services application and ultimately their data.

SS: Are there any particular approaches to security that you feel are something people really need to pay attention to as they consider a cloud?

MS: Data privacy and securing what data you put in the cloud is the number one thing to look at. Obviously a government's always going to want to know where your data is stored, but how is the data is being stored is probably something that I would be looking at first
and foremost.

CH: He raises an excellent point. You could think of a scenario where some guy feels like he got cheated on his taxes and he works in a cloud environment and he has access to that. I mean there's a whole level of employees that you don't necessarily control. Internationally you had other regulations like the European Union. Private data has to be stored within the country. So with European cloud providers, they're having a real challenge trying to figure out how to guarantee that that data is stored close and never leaves the country because if one site goes down, part of the benefit is that you can pop up bandwidth.

There's no reason why one government entity can't lease space out to another government entity, provided they're all under the same security controls, and I think that the part that's going to take a bit to vet out is what can really go there, what needs to stay in a private cloud, what can be in some hybrid model and the security things around it. Then you add all the different government agencies in every country in the world and they all think they have it figured out best. One uses this security, another one uses another, another one uses another and trying to get those combined on our platform is going to be a challenge.

PS: The holy grail is coming up with a solution that the defence signals directorate (DSD) will be comfortable with. We think about collapsing multiple agencies' data and multiple different levels of security domain data onto a single shared platform. That's really going to be the holy grail of a government cloud because then they can truly share infrastructure with dissimilar agencies, with dissimilar screen profiles. Until DSD is happy with an approach on that, that will be a bottleneck to having true portable hybrid cloud models.

CB: You mentioned countries wanting to keep data in their own country. We have individual states of Australia whose Privacy Commissioners say "We want the cloud to only be in our state" which sort of kind of defeats the purpose of a cloud. You're meant to be able to share it. Then you have some who go "We want it to be in our city," and some go "We only want a cloud for our own department." Well that may as well be a managed service provider with security that you've got access to.

SS: Is data domiciling something that customers are really asking about?

CB: It shouldn't be a barrier, and yes, both governments and financial services organisations have this as one of their hot buttons. It's in like their top three, and it's because of fear of coming foul of regulators whereas what the regulators are trying to do is say "APRA sent out a reminder about cloud and your obligations," and they've said "Don't just treat it as 'Hey it's there and you can put your data there'. You've really got to look at it as if you'd look at an outsourcing arrangement. You've got to look at it from the privacy and the security viewpoint. If you've got information or data that's about Australian citizens that can also potentially impact your business. If that data wasn't available, you should seriously consider where you put it."

CH: If you were using a cloud provider in Egypt right now you would not have access to your data.

CB: There is one thing while you're talking about the data sovereignty. It comes down to consumers' understanding and privacy as well because governments deal with citizens and banks deal with consumers and other people like that. There is a large concern across the world about what's happening with data. Now Fujitsu just did a survey of 6,000 consumers including 500 in Australia. We did focus groups and I was part of them, and we asked them "What about data and the cloud?" The average consumer, person on the street, doesn't know about cloud. So that question didn't even work.

BD: There's a lack of standards. If you look at probably the oldest cloud service provider being Amazon, they've only been around for three and a half years offering that service. So it's very immature, there's a lack of standards and again, I think Craig nailed it, you've got to be careful and think about what you want to put in the cloud. It may make sense to hold some information back. It may make sense to put some out there depending on how it's secured, and people need to have a good look at their service provider. How's the data being secured, regardless of where it is?

CH: Now that cloud's got to be such a buzz word, you've got all these little fly-by-night people coming up there that are trying to do the smaller cloud providers that don't necessarily have all that, and all it takes is one overzealous IT person that doesn't really understand the technology to buy into something that's not really good and then there's an issue. So I think that if I, having run large data centres in the past and running large applications in the past, was going to look at cloud provider, unfortunately with governments in most countries in a lot of cases, contracts come down to lowest cost. You might find a small state entity or small local government that says "Well this is my lowest cost provider, I'm going to use them," and then find out later that it's nothing that you thought that it was.

So I think that's one thing that's really lacking right now and it would be great if some of the better cloud providers stepped up and tried to push some standards on "This is what a cloud has to deliver for a no risk application, a moderate risk application or a high risk application."

The better providers that are doing this well have a lot to offer. I think the biggest threat in clouds come from these guys that are just throwing it up because they see it as a quick way to make a buck.

PS: I think the government will cover that with their panel contracting arrangements. So there'll be criteria that the cloud providers need to meet to get onto that panel. CA's been working with this for a while overseas with the Carnegie Mellon Institute to develop the service management index. So basically it's a way for customers to rank cloud providers on both subjective and objective evidence. So on things like cost and service levels and those sorts of things, but also the subjective things like customer experience, security and those sorts of things and how they rate them. 

We pulled this data together and we produce it. It's publicly available at cloudcommons.com. Our customers can go on and actually rate disparate cloud providers and actually make more of a value for money assessment, rather than just a lowest cost assessment. So for example, if you have a rogue cloud provider out there that's offering a really good cost of service, but they're getting really poor detrimental ratings from their existing customers, you can take that into consideration in making that decision. So it's just part of our investment in that cloud strategy globally in terms of cloud adoption.

SS: This raises a question for me around whether you should ask for custom SLAs from a cloud provider.

PS: My thoughts are that the larger providers, it may not be possible to do that. So particularly the large global providers, to negotiate a custom SLA, even for someone as large as the Australian Federal Government, probably won't have the market pull to actually negotiate and dictate those terms, which is why I think the Australian government should look locally for their cloud strategy.

CB: We're counted as a global provider, but Fujitsu Australia is relatively autonomous in development of solutions, and we've invested here with support from head office to capitalise on the Federal Government and local business needs, and we do have the flexibility to tailor cloud for large organisations because we built it ourselves. Head office doesn't tell us. But it's a commercial decision that has to be made.

SS: What other issues do you see that government needs to consider with the cloud?

BD: I think they've going to stop creating so much red tape for themselves before they'll enter into it. That's what I was saying about trying to dip their toe in the water. Whether it means they need to work out what they believe is a safe thing to put on first and dip their toe in the water and try it, but it seems to me that there's just so much opposition and so much apprehension and so many little dots and ticks in the box that they're trying to create before they're comfortable to go there that it's just delaying the process. Really I think we all know the best way that things evolve is by experience. Yes, it's a fairly immature situation at the moment, but it matures a lot quicker when you actually have some data and you're actually testing these in the real world as opposed to hypothetically trying.

MS: Yeah look, I'd agree with that. There's pockets of private clouds that have been appearing for quite some time now, but it's been pretty slow in adoption. There's just so many technologies. Whether you look at applications that they're using inside the government, whether it's moving things like commodity services like email into the cloud, there's so many areas that they could be moving into the cloud very, very quickly that it's just possibly a little bit slower than it should be.

I absolutely agree. If they start moving, they'll find a lot of economies of scale, there'll be savings, there'll be issues and they will be addressed in time, but it's something that arguably needs to be looked at because of all of the benefits from the cost saving, from the skills benefit that have been mentioned.

PS: I agree with those points. I think it's the velocity with which government wants to move. So I think it's great that AGIMO's put a stake in the ground with the draft paper they've released.

I don't think government will get the result they want unless they engage industry because it's going to be a delicate balancing act between what they need and what's available, and I think having the two parties openly discussing that, they'll be able to come to some sort of workable solution somewhere in the middle with cloud computing.

CB: I think there's an issue we touched on earlier about budgetary matters. The government has basically two types of funding, CAPEX and OPEX. Cloud's OPEX. But one of the reasons Gershon wants to change things is to reduce the overall CAPEX. So if you centralise data centres you should be able to do that, but if you move something into a cloud, how do you move the CAPEX budget to an OPEX budget to pay for the cloud? I see that as a tactical barrier, just the way things are accounted because if you don't spend your CAPEX, you don't get it again next year, generally, and there's no mechanism accounting-wise to transfer that $100 to CAPEX, $50 to OPEX, so you only spend that amount on providing a cloud service.

So there's this issue in turnaround. Maybe there needs to be a new category. OPEX that got moved to be cloud. It could be called "Cloudex" or something like that, and it's not a window.

CH: I've been in a lot of these discussions with governments all over the globe and I think a big hurdle is education. I mean the internet is a great thing, but it can also be a horrible thing, and any time that there's an outage, it's extremely public, it's covered in the press and if you look at just the whole term of cloud, the first two years that cloud technology was out there, nobody knew what the hell it meant. It was something different to everybody that used it and until somebody heard a practical application of how it worked, they really didn't get it. Sitting as the CIO or a networking professional, when I hear cloud and moving my stuff away, I see myself losing control. That's just human nature. You feel like you're losing control, and I think that's been part of the opposition. But the stuff that's already public facing is such an easy, easy target.

If you take that around all the municipalities that you've got and all the different governments, and we have the same thing here in the US as you guys. We have states and all our state laws are different. Everybody has their own little fiefdom and they want to control it. I think that if people realised that they can use the cloud for the technology that it provides because it's a great resource, it's a great tool, or it makes sense. Control what you need to control and then as clouds mature, technology matures, government applications mature, then you can start looking at other things. But unfortunately in government and in the private sector, there's a tonne of custom code and custom application, and that's going to be hard to port realistically unless you're willing to just give it up to another application.

SS: How do you each think you can help government in the cloud?

MS: As a vendor we look at cloud three ways. So we look at offering our security technologies from the cloud. So an example of low hanging fruit: email, web security. There's a lot of areas of security that in today's day and age could easily be put into the cloud very cheaply, very quickly and very maturely. So we offer a lot of security technologies from the cloud. We offer security from the cloud. So we actually leverage the cloud ourselves to provide the best protection we can for our customers.

BD: From our perspective as a structured cabling manufacturer, for us essentially we're talking about a data centre and we're talking about information that needs to be transferred around. So what happens is these are designed to be supercomputing centres. So they've got to have a lot of capacity, a lot of connection to the outside world and the ability to talk within the cloud reliably and quickly. I guess that's why we're so interested in it from a cabling perspective is because infrastructure as a service is a nice term but it ain't going to work too well if your devices can't talk to each other.

So we know that we have a considerably important job to do to make sure that cloud works well. You would think it's strange for a structured cabling company to be so interested in the concept of cloud and what that means for their business, but it's something that we're very interested in and we try to educate particularly on it.

CB: I've already mentioned that we've constructed our own cloud here. The thing I haven't mentioned is multiple redundant backup, automatic failover, two major sites in western Sydney that are 35 kilometers apart that are tier three data centres. We already provide DSD level security to organisations like Defence and other high secrecy requirement agencies. It's live, it's ready, it's working, we've got customers and we're ready to talk to govt now.

PS: A number of things. CA is obviously a very broad company. One of the biggest and most things is around the insurance of cloud services. So CA is a unique company in that we have the technology to stretch from the mainframe to distributed systems to a cloud environment, and give our customers that end-to-end view of service performance. So you can baseline before and after, in situ with the cloud, or a combination of both and know how the service is performing in delivering to the end user which is the Australian citizen.

With secure clouds in a slightly different context to our counterparts at McAfee, primarily around authentication. So we're the default centre for Visa and MasterCard online authentication, and also in terms of data access and security. We also automate clouds. So if you have a combination of x86 environments together with proprietary systems such as we've just got UCS for example, we've got the technology to automate the provisioning of those, pick them up and burst that capability to a cloud such as Fujitsu's. So if we want to build an internal private cloud with the scalability, we do that. And finally provide the capability to fully virtualise applications through some really cool technology you'll hear a lot about called Applogic. It allows you to fully virtualise a complete application including all networking components into a single virtualised image. We can pick up, move, version, scale up, scale down as required. It is really cool technology. You'll hear a lot more about that this year from CA.

SS: Thank you all for coming and for being present today.