G-Cloud vs. cloud
The fundamental question to ask as government embraces cloud computing is this: does the private sector offer something off the shelf that the government can use? Currently, it doesn’t seem to be a question being asked.
There is absolutely no point in government creating cloud-based infrastructure—either itself or through third parties—to replicate an existing private-sector offering that government can instead use. The only feasible argument for doing this would be if the private-sector offering were so inordinately expensive as to suggest that a government-built equivalent would be cheaper. Trust me: it won’t be.
But the word “can” above covers a multitude of sins. The offering must be sufficiently robust and scalable to support the needs. And, importantly, its security arrangements must be in line with the needs of its prospective customers. Security will be the biggest factor driving cloud strategy—or else the biggest excuse cited in ensuring that government fails in this area.
The trouble is, government often has an elevated view of its security needs. That may sound odd, given the stories we’ve all heard about people’s confidential data going missing. But hear me out. Currently, we have the Government Secure Intranet (GSi), which is accredited up to RESTRICTED and facilitates work within and between government bodies. The vast majority of infrastructure that hums away within GSi-accredited departments sits within the GSi, and as such it is accredited up to RESTRICTED. But in most departments, only a small proportion of the work they undertake needs to be accredited up to this level. Yet the departments see the GSi accreditation as a comfort blanket, irrespective of the sensitivity of the content with which they deal.
Naturally, the comfort blanket comes with a significant price tag.
Departments need to take a strategic look at what they do, the extent to which the data with which they deal is (or should be) protectively marked, and the level of that protective marking. And they need to figure out ways in which they can align their requirements to lower protective markings to facilitate the adoption of cloud services. If, for example, less than 1% of a department’s email traffic carries a protective marking, this should drive the department to adopt a client-side encryption plug-in for such emails—as opposed to forcing its entire email infrastructure to be accredited to that level.
What government will quickly realise is that the majority of the commodity services—email, collaboration, room bookings, content management/delivery etc.—are already provided in the cloud and can be embraced tomorrow. This will leave the support of the more bespoke and/or secure applications to be solved by the G-Cloud.