Clearing the fog from the cloud: A GTR roundtable (part 1)
The inexorable march of the cloud into Australian enterprises and government bodies continues unabated, with the common parlance now revolving around when – rather than if – government bodies will make the move to the cloud.
Yet with this trend now firmly embedded in governmental forward planning, there are still issues to be addressed – security, for one, and issues around data governance, data sovereignty, backup, accessibility, and more. Throw in issues around the emerging new mobility and you’ve got a recipe for reinventing government.
This GTR roundtable brings together three experts from different aspects of the cloud debate: a cloud infrastructure provider, telco, and security provider – to discuss what’s driving cloud into the government space and what government agencies need to be aware of to make the most of it.
Participants include Adam Biviano, technical marketing and alliances manager with Trend Micro Australia; Jack Dan, national general manager for government with Telstra Enterprise and Government; and Dave Hanrahan, general manager for cloud services with Dimension Data.
GTR: Is the cloud ready for government – and is government ready for the cloud?
HANRAHAN: After three months of pushing into this market, we’re all of a sudden seeing lots of activity in the government space. AGIMO’s coming to market with the second tranche of cloud whitepapers has stirred up a lot of interest with federal government departments, while we’ve seen our first state government starting to deploy quite substantial workloads into our public cloud.
Generally it’s the less mature organisations, and those struggling to keep up, who are looking to move first to the cloud. It’s an upside because it offers clearly defined service levels and provisioning times – and that’s something a lot of them have not been able to do today. Those who are trying cloud are pleasantly surprised: they’re starting to look at what they can’t put in the cloud, as opposed to six to nine months ago when it was the opposite.
DAN: On the supply side, the government can now take advantage of a mature market. While cloud computing has been one of the most-hyped things in recent times, the track record on the private sector, and the number of organisations we see achieving good business outcomes from the cloud, demonstrate that the cloud is ready to be used by the government.
On the government side, we’ve recently seen a very thorough consultation process in terms of getting the right approach from AGIMO. The DCaaS [data centre as a service] procurement, which is currently underway, offers agencies the opportunity to put their toes in the water.
BIVIANO: Departments work for taxpayers and they’re accountable to taxpayers. Because the cloud offers a lot of avenues to save money, they have a responsibility to take advantage of it – and a responsibility to make sure they don’t increase taxpayer risk. It’s a tug of war but certainly not one that can’t be won.
GTR: Does the cloud model rightly deserve extra scrutiny, or are government bodies being overly cautious about it?
DAN: We’ve seen a tremendous amount of work being done by the government as part of getting things right in cloud computing. We’ve seen best practice guides provided by AGIMO, security guidance issued by DSD, significant work at state government levels – and it’s all pointing towards a prudent approach towards cloud computing. As a taxpayer, it is pleasing to see that level of rigour applies to the process.
Also, the offers across the marketplace vary from provider to provider. I think that’s because while cloud computing has been talked about for a while, it is still a sort of new market segment. New markets always attract a diverse range of entrants – you have established niche players but everyone is eager to capitalise on the opportunities.
Thus, it’s no surprise that some solutions are more established than others, and some seem to be reliant on the premise that [functional] gaps will not be identified by customers. But I am quite confident that government as a whole is a very mature market, and that the level of scrutiny they usually apply will identify those gaps and make the process of selection easier.
BIVIANO: I think the work AGIMO are doing is great; they’re working on ways to help departments understand the questions to ask to start with. The answers aren’t always going to be ‘yes’ – but departments don’t necessarily have to walk away from the cloud provider; they can just back away from that risk profile. This means they can manage and work around the risk that can’t be covered.
For example, you might have a scenario where a cloud provider can’t offer a certain level of encryption, or firewalling. As long as you understand where those gaps are and what they provide, you’re able to produce a counter measure. Being able to ask those questions is what’s going to give you the answer.
HANRAHAN: Our Dimension Data Cloud Services client [Australian Centre for Advanced Computing and Communications] evaluated their risk in the cloud versus their internal risk, and while they didn’t make any statements that said the cloud was more secure compared to what they did today, they took the typical government risk-averse position and said that the cloud was no less risky than what they are doing today.
We’re seeing a lot of evaluation driven from the bottom up by service providers trying to find a place for it, or from the top down which seems to be all about the risk. And I think we’re falling into that trap of being too risk-averse. There’s so much focus on risk and its management that people are missing the opportunity: there’s a substantial number of workloads, that every government department operates, that don’t fit the high-risk classification and could make a significant difference to costs.
Trying that one-size-fits-all analysis of the cloud is very broad-brush, and it means a lot of the available opportunity gets overlooked because we’re taking an all-encompassing view. In both of those, organisations are missing the key question around cloud services: do they better support our agencies than what we do today?
GTR: How much of an issue is cloud security, and how can government agencies remediate it?
BIVIANO: Customers are starting to get where they need to put cloud security into the context of their traditional security models, and how the two security models are really just iterations of each other. Where cloud used to be a relative unknown for organisations and government departments, it’s becoming something they can quantify. And, as it becomes something they can quantify, they put specific needs onto the cloud vendors. That’s the sign of the maturing market.
You need to centralise a security policy: if you have a centralised approach to what information can be stored and how it’s protected, you generally can have secure, consistent access across platforms. But how you implement them depends on how different technologies fit into different places.
As a vendor, we like to work with as many industry groups as we possibly can. We’ve got a great wealth of information from customers as to what their security needs are, and it’s a matter of providing the technology and guidance for helping customers move to the cloud, and understand its risks.
The diversity of security models is enormous. Because cloud providers are going to have security high on their radars as one of their core focuses, they will have invested significant dollars in terms of security technology, policies and procedures. As long as they can articulate clearly what they’ve done to clients, clients can get a degree of comfort as to what those capabilities are going to be.
HANRAHAN: In general, the security of cloud services is a high priority – but treated by the security teams within the customer as just another model. The challenge for government, particularly, is the concepts around data classification and how I manage data that’s in- confidence or above. It becomes about the data types that they have, and where they can sit. But when we start to work around real projects, the security of the cloud is being evaluated as just another model – and are typically finding that it fits within the system security framework that has already been dealt out.
DAN: I’d like to think the fact that the government is now moving into a procurement mode means they are quite satisfied that they have the answers to their security questions. The government already has in place very mature security and risk management frameworks, and those frameworks have been contributing very significantly to risk consideration processes.
Overall, the cloud has started to enter the mainstream – which means people have started to have answers to the questions that have troubled them before. In the last couple of years questions around jurisdictional control, ownership, availability, security and data sovereignty have been answered – and the government is much more comfortable considering cloud computing than they were a couple of years ago. – David Braue
Part 2 of this GTR roundtable will run tomorrow.
The Victorian Government's shared services agency Cenitex and VMware are working to develop...
Google Cloud Platform has secured certification from the Australian Cyber Security Centre (ACSC)...
In our annual Leaders in Technology series, we ask the experts what the year ahead holds. Today...