Adoption of multi-tenanted cloud by the public sector - trends and challenges
The benefits of cloud are numerous and familiar to most in the IT sector by now. It is more cost-efficient than having in-house infrastructure, as organisations only pay for what they need and use. It is more flexible, enabling organisations to scale up as and when required, instead of making upfront investments. It enables them to be more innovative, developing and deploying applications faster.
But with the increasing popularity of cloud, different models have evolved. There are the so-called public clouds, where large-scale resources are owned and operated by the service provider. Some organisations prefer to deploy resources on-premises, using virtualisation and resource management tools.
Most of the listed benefits of ‘cloud’ are usually applicable to the public clouds.
OpenGov had the opportunity to speak to Mark Ryland, Director, Public Sector Solutions Architecture, at Amazon Web Services (AWS) to learn about the current trends in the adoption of public cloud by governments and the perceived challenges from migrating workloads to the cloud. Mr. Ryland serves as a key interface between the public sector team and the engineering, security, and compliance teams at AWS.
Data centres and private and public clouds
In view of the proliferation of many different cloud models, such as public, private and hybrid clouds, we asked Mr. Ryland when an organisation can say that it is genuinely using cloud.
He responded with an industry joke about an organisation with a data centre. One day the sign says ‘data centre’, the next day it says ‘cloud’. He said that cloud is such a strong marketing term that people use it to describe things that are pretty far from cloud.
But in most private clouds built through in-house data centres, chargebacks are not done.
Mr. Ryland explained the criticality of chargebacks, “If you’re not doing chargeback, then you’re not building the incentives to use the infrastructure efficiently. The workload owner is not paying, someone else is paying and very, very few organisations ever achieve chargeback within themselves.”
He expressed his preference for the term ‘multi-tenanted’ cloud for the so-called public clouds, because they are not public in the sense that anyone can go and access the organisation’s data. Specific permissions are required. It is these large-scale clouds which provide the benefits of efficiency and scale.
“If you want to take some of the lessons of that and apply it to the private environment, that’s fine, but most of the big projects where I’ve seen people try to do that in their own data centers, they generally don’t succeed,” Mr. Ryland said.
Concerns heard from governments
Security compliance is an initial barrier for many governments. A few years ago, there were similar security concerns about virtualisation. But then people developed familiarity with it, everyone started using it, and third-party auditors gave their stamp of approval regarding safety. Now people are using it without even thinking about it as a risk.
Cloud is going through a similar cycle. But Mr. Ryland said that in his experience, if there is deep engagement with customers, and they really understand how the cloud works, then they end up using the platform and realise the benefits very quickly.
Nonetheless, security is a point of friction and it takes time to assuage those concerns.
Another point of friction is acquisition.
Use of a multi-tenanted cloud means shifting IT expenditure from planned capital investment to variable operating expenses. Government agencies already buy some services with variable costing, like electricity or even certain labour services. But IT procurement has traditionally been done on the basis of fixed-price contracts and capital investment, systems that were put in place to save money because of cost overruns.
“If you look back 20-30 years ago, you have costs-plus contracts, people will have massive cost overruns and the government felt that vendors were taking advantage of them. So they placed a regime and said, ‘Look, we’re just going to pay this much and no more.’”
“So, now if I come to you and say I have a variable costing model – I can tell you approximately what it’s going to cost but I can’t tell you exactly, that makes them uncomfortable,” said Mr. Ryland.
But if they look at the overall savings, the agility and the speed, then those concerns are overcome.
To get comfortable with this variable costing model, two things are required: fee transparency from the cloud providers and the ability on the government’s side to set up a model to monitor usage and adjust according to their requirements.
In fact, if done the right way, cloud could provide governments with an unprecedented degree of transparency regarding IT spending. Using dashboards, alerts and alarms, they could discover if some project is going over-budget and take the necessary corrective actions.
In this new operating model, cost is dynamic, trackable and transparent, and if governments pay attention, they can use it to cut costs.
Data sovereignty is one other concern we heard. AWS has a very strong notion of regions and does not replicate data outside of a region. Any such replication is done by the customer.
But countries are becoming more sophisticated in understanding what the real threats are from a cybersecurity perspective.
“When it comes to more sensitive data, then it can be more challenging. But even there, many countries, you know, once they’ve become more sophisticated in their understanding in what the real threats are from a cyber security perspective, it’s not about physical location. Nobody has ever done a major cyberbreach by walking into a data centre and stealing a hard disk, it doesn’t happen that way. So if an application is connected to the Internet, you have a whole set of threats that are the same, it doesn’t matter where you are physically located. And it’s building the systems to protect you against the network-based attacks, that’s where you should invest,” Mr. Ryland elaborated.
Governments start with things which are considered less sensitive and which they are less concerned about, such as public-facing websites.
Building experience and gaining knowledge of how to operate securely on a cloud helps to build up the confidence to bring more sensitive workloads to the cloud.
They start thinking this could be useful for workloads like tax collection, which are not public but have big swings and cycles in infrastructure requirements.
Some governments are using the opportunity of cloud migration to in-source: cloud applications are being built by their on-staff engineers, who would develop the cloud skills. Entire environments are becoming API-driven and software-defined, where engineers now just call APIs (application programming interfaces) and do not build physical things. It’s about re-skilling people to do more high-value things, which means mostly focusing technical talent on application development and not infrastructure management, because there’s no value creation in infrastructure. Application is where value is created.
Mr. Ryland believes that cloud is now the new normal and it benefits a wide range of government workloads. It is progressing towards the point where governments could use multi-tenanted cloud for anything short of top-secret workloads.