Amazon Web Services’ VP of worldwide public sector, Teresa Carlson, believes that getting government buyers to change how they think about procurement is now a bigger barrier to cloud adoption than security concerns - as the market has matured and buyers feel more confident about the benefits of cloud security.
I got the opportunity to sit down with Carlson at the recent AWS Summit in London, where she explained that the technology industry has historically done such a good job of getting buyers to operate on a Capex model, that getting them to shift to newer models of Opex buying needs some more work.
The UK government has attempted to tackle this with new procurement tools, such as the G-Cloud framework, which sits on the Digital Marketplace online portal, but we still see examples of where buyers are falling into old habits of big, costly, up-front technology purchases.
Carlson also explained how she wants AWS to be seen as a local player for government buyers, rather than a US tech giant, and defended Amazon’s approach to data sovereignty and government requests for its customers’ data - following changes to the US Rule 41.
Carlson said that AWS’ entry into the government market has been driven by the idea that the public sector should be given the same opportunities as the private sector when it comes to creating new innovative services in the cloud. She said:
So we started the public sector business at the end of 2010. It was a new vertical for Amazon and we had grown quite significantly over the years - where we really started with a team of myself and just two others. Now we have customers in over 155 countries and teams on the ground in over 25 countries now. We now have thousands of customers we're working with from government, to not-for-profit to NGOs and education. Our strategy has really been pretty simple. It's paving the way for disruptive innovation and making the world a better place with our customers.
We believe public sector should have the same opportunity to absorb new and innovative technologies at a price point, an innovation level, and with security model that everybody else can take advantage of.
Carlson admitted that government has been the most challenging vertical for AWS, but added that it has found success by helping public sector buyers through a different approach to the design of services - by starting with the needs of the customer. She said:
Our goal was to demonstrate that they could have the ability to try technologies, experiment, fail fast and recover fast, because if you think about it, governments generally have not had the ability to experiment very much. They go out for this big huge procurements and you see a lot of failures in the news with those procurements.
Instead, we've come in and really tried to work with them and educate them on a model that we adhere to, which is the working backwards model. Begin with your customer, begin with the end in mind, work backwards from the customer and then put a small team together where you can try and scale something instead of going out and doing something really big and saying, "I don't like the outcome there."
A different approach
Carlson said that a few years ago, when speaking to government customers, all she used to hear about regarding concerns about the public cloud was whether or not the security was up to the high demands for public sector data. However, that has since changed - partly because people now recognise that they are unlikely going to be able to compete with the investments that the likes of AWS can make in its security, and also because of government security requirements becoming more mature (e.g. FedRamp in the US and the Cloud Security Principles in the UK).
However, the challenge for government customers now is implementing and changing different buying approaches, which have been in place for decades. Carlson said:
When I first started, it was all about security. It was completely about security. Today, it is not. Not that they are not concerned about security, of course they are. But, they now have a regime or mechanisms that they can plug into. They are much more knowledgeable. So, they have educated. They know now how to take a cloud based security compliant model and plug into that.
What they tell me are their big barriers today, if they are slower than they want to be, are two things. They want an acquisition vehicle that is easy for them to plug into. Mainly because their procurement officials are still more knowledgeable doing a CAPEX based systems, than OPEX based systems. So, they are still trying to figure out what is the mechanism if you are doing annual budgets? How do you budget for utility?
We did a really good job in the old world, of telling government: "Oh, you've got to pay a lot up front, for your IT." So, they are so used to having to pay a lot up front. We do a lot of price drops, so they even struggle with how to account for a price drop.
The second thing that they brought up is, they still lack enough skills. They still need more people with the right cloud based skills to help them move faster.
Protecting customer data
Data sovereignty and data protection are obviously high up on the agenda of most government buyers that are looking to make use of cloud services. Recent changes to US Rule 41 mean that the likes of the FBI no longer have to go to a specific jurisdiction to obtain a hacking warrant, but rather a federal judge can approve a single warrant for accessing multiple computers remotely.
There is a lot of confusion on this topic and many arguments for and against the changes. However, AWS believes that regardless of any international laws, it still has the best protections in place for customer data out there, as well as the most flexible control for customers.
We have been really open, since day one, on how we operate. We are probably the most transparent company in terms of how we operate our pricing, our services. We have always been very open about how we manage and run our security operations. If you look, our CSO does a variety of blog posts, and he wrote one maybe six months ago or so, where he talked about our model of what happens when we get a court order for search and seizure, as an example. We use a very rigid and standard process with any of those.
One is, when we are working with our customers, we first of all recommend encryption. We have all types of encryption for our customers where they hold the keys. We can hold them, if they want, or they can hold them. So, we recommend encrypting everything.
If somebody comes to us with a search and seizure, or a warrant for search, and we don't hold the keys. We automatically have to say "well, we can't. You have to go to that customer anyway." If they have not encrypted, we are very stringent with working to fight that court order. We will fight it. We will work with the customer. We will do everything we can to make sure the customer has the information. We work anyway we can, in court, to fight that, or that it's turned over to the customer for what they're doing.
So, we fight very rigorously on behalf of the customer. What's interesting is, we get a lot more of these requests outside the U.S. than we do inside.
Being a local player
Finally, Carlson spoke about the changing nature of AWS’ public sector business. She said that AWS’ commercial business has been around for almost 11 years, much longer than the government vertical, and so believes that there is still plenty of opportunity for growth.
However, one concern for AWS is, that as it spreads its government business globally, it doesn’t want to be perceived as a US giant. Instead it wants to make investments in people, jobs and infrastructure in local areas - and be seen as a local partner for the public sector in their own countries. Carlson said:
With our customers, I sort of feel like we are just getting going with them. But what I would say, if I had to think about the blockers, it's more about us working globally to make sure that people see us as not just a U.S. company. We are putting people, and resources, and infrastructure on the ground. You know what we have done here in the U.K. We have made a huge commitment. Billions of investments, not just in cloud, but in our retail business.
So, we don't want people to see us like we are just this U.S. company. We are creating local jobs, local talent, local businesses. Helping the educational systems. Scaling up computer science. I think that would be a big challenge if people don't see us that way, then we need to evaluate and say how do we do those kind of things better.