Last week the Government Digital Service (GDS) issued Technology Code of Practice guidance that well-executed use of public cloud services is appropriate for the vast majority of government information and services. Its guidance, outlining the security benefits of using public cloud, directly addressed one of the public sector’s biggest misconceptions about off-premise IT. However, it could have gone further.
1. Public cloud is secure enough for “vast majority” of public sector
Ever since the government confirmed its cloud first policy in 2013, lingering concerns and misconceptions in many departments have hampered their migration to the cloud, and in particular to the public cloud. The primary concern has been security: research by public sector analyst firm Kable found that nearly a third of public sector IT buyers cited security and data protection concerns as barriers to using cloud.
Indeed, it was this largely inaccurate perception that public cloud is less secure than private cloud that was the main factor holding back cloud adoption. GDS’s recent very clear rebuttal of this central perception and its clear endorsement of public cloud is therefore very welcome.
GDS might well have earned a full three cheers if it had at the same time addressed two other key areas of concern and misconception. These two further issues are:
2. The public cloud market is much larger than just AWS and Azure
A further misconception that could have been addressed is the belief that the public cloud market and the US giants are one and the same. The reality is that the public cloud market is far larger, with a number of local players that are in some cases better placed to serve the UK public sector. The comparative merits of each public cloud are for the players to argue and the market to judge, but a few facts should be in plain view. The US giants currently lack the accreditation or specialist public sector focus of some of their UK rivals, and do not necessarily have an advantage in terms of performance or price either. The misconception that these US generalists either have the public cloud market all to themselves, or that they are better, more secure or cheaper than local players, also needs to be addressed and rebutted strongly.
At a time when many, including diginomica, have questioned the government’s commitment to SMEs, the government needs to do all it can to avoid perceptions that it favours foreign competitors over local SMEs. Indeed, in its guidance the government needs to be clear that its endorsement for public cloud does not equate to an endorsement of the global giants alone.
3. Data residency does not equate to data sovereignty
Acknowledging that it is safe for the vast majority of government information and services to move to the public cloud is not the same as suggesting that it is a good idea for this data to move offshore.
Somewhat confusingly the guidance states: “there are a very small number of situations where it may not be appropriate to use cloud services for specific systems or data. For example, when there are specific legislative requirements around data sovereignty.” In doing so GDS appears to suggest that all public cloud services fail to meet the legislative requirements around data sovereignty, and that non-cloud options would be the only appropriate choice for such workloads.
In reality, however, while the giant US public cloud providers offer only a form of partial data residency that does not meet the legislative requirements, there are also UK sovereign public cloud providers that do meet these requirements. This means that even workloads with specific legislative requirements around data sovereignty can move to the cloud (along with the “vast majority” of other public sector workloads), as long as they are restricted to UK sovereign public cloud providers that have the appropriate government accreditations.
The guidance also fails to highlight the increasing concerns around US regulation and sovereignty. Currently the US giants have inadequate compute and storage capacity in their new UK facilities to serve all the needs of their UK clients. Therefore, a significant number of workloads will need to be processed offshore, and a significant proportion of data held there as well.
Furthermore, under typical AWS and Azure contracts, data (including metadata and any customer data needed to perform services) is allowed to go anywhere in the world. And even if clients are offered some form of guaranteed data residency, with all compute and storage restricted to UK facilities, as long as the data is being handled or stored by US firms it remains subject to intrusive US regulations: the recent amendment to Rule 41 allows US courts to grant their law enforcement agencies access to any data held by US cloud firms anywhere in the world.
If this wasn’t worrying enough, it appears that newly inaugurated President Trump has just signed an executive order that further undermines the protection of international data handled by US companies. The Enhancing Public Safety order, which is meant to focus on illegal immigrants, also states that “privacy policies exclude persons who are not United States citizens”. This appears to contradict the Privacy Shield agreement between the US and Europe, which had been introduced to add some protections to European data being handled by US companies and was meant to ensure that non-American companies and individuals are not treated as second class. Trump’s latest efforts to further American protectionism could therefore go some way towards undermining data security for UK businesses, which should be of great concern.
The incompatibility of these intrusive US regulations with current UK and European privacy laws is of significant concern and this will only increase with the introduction of GDPR. Misconceptions, fuelled by the US giants, that data sovereignty and intrusive US regulatory powers are of no concern, also need to be addressed. Clarity from GDS on the regulatory and legislative importance of data privacy and sovereignty would really help here, as would clear direction that UK sovereign public cloud providers that have the appropriate government accreditations would be an appropriate option even for workloads with the highest privacy and sovereignty requirements.
So one cheer for GDS for acknowledging the security benefits of using public cloud and addressing the security misconceptions. Two more are in store when it also addresses the additional misconceptions: that the US giants are the only public cloud option, when in reality UK firms are often a better, cheaper option; and that data sovereignty and intrusive US regulations aren’t of concern, when in reality they will be of increasing concern as we prepare for GDPR.
One of the main roles for GDS is to ensure that its guidance provides clarity and addresses misconceptions. Last week’s guidance is to be welcomed; it just needs to go a little further.
Disclosure - UKCloud is a diginomica/government premier partner.