G-Cloud passes £200 million milestone as suppliers get to mark their own security homework

Profile picture for user slauchlan By Stuart Lauchlan July 29, 2014
£200 million plus of business has now gone through the G-Cloud framework, but will changes to security accreditation policy put fresh burdens on buyers and their trust?

Screen Shot 2014-07-30 at 11.50.20
Tony Singleton

While the inevitable critics will produce their by now customary assertion that it’s all still a drop in the ocean, the UK government’s G-Cloud program passed a significant psychological milestone this week when sales topped the £200 million mark.

Actually it’s £217,455,674.39 to be precise, with 53% of that going to SMBs and 47% to large enterprise suppliers.

But there’s still an ongoing issue with awareness of the program, particularly outside of central government where there is a Public Cloud First mandate acting as a stick, while the rest of government is being lured by carrots.

G-Cloud and digital commercial programme director Tony Singleton acknowledges on his Government Digital Service (GDS) blog that there is a lot to do to raise the program’s profile:

I was asked what I saw as the biggest challenge over the next 12 months. This is, without a doubt, getting the message further across both central government and the wider public sector about the truly transformational benefits that Cloud First can deliver. It is now up to us to show that the Digital Marketplace [now home to G-Cloud’s Cloudstore] can make it clearer, simpler and faster to do this.

Central government makes up 80% of total sales. In contrast, less than 6% of total sales to date come from local government.

The Home Office continues to be the biggest cloud advocate with total spend of £31,612,554, followed by the Ministry of Justice on £19, 153,321.

The London Borough of Hounslow has been the biggest local government spender to date on £2,675,166, whereas other local authority bodies have barely scratched the surface. For example, East Hampshire District Council has to date spent £225 on SaaS.

There are successful exemplars at local government level, Singleton adds:

The Royal Borough of Windsor and Maidenhead will be the first UK local authority to move to an entirely cloud-based infrastructure, and spent just £100,000 setting it up. They are using a number of solutions including those bought through the G-Cloud. This support from local authorities goes to show that G-Cloud really is for everyone.

Spending on what?

It’s also the case that the overwhelming majority of spend to date - £172,293 - has gone on Specialist Cloud Services (SCS), with SaaS trailing far behind on £28,710 and IaaS on £14,269. Meanwhile PaaS comes in last with a mere £2,182.

The SCS interest is indicative of government’s on-going focus on the Agile development approach, with the supplier that’s done best to date being Agile specialist BJSS Ltd which has to date picked up £13,061,696 worth of business via the G-Cloud program.

Screen Shot 2014-07-30 at 10.22.52
G-Cloud totals - source: govspend.org.uk

The services focus has also kept some of the so-called ‘oligopoly’ of traditional public sector providers in the frame, with IBM, for example, scoring £6,267,771 from G-Cloud through services, while Capgemini has won £2,223,671 of business and Steria £1,803,915. Research firm Gartner’s also done well here, scoring £1,507,296 of consulting business.

Screen Shot 2014-07-30 at 10.06.11
Source: govspend.org.uk

In contrast, it’s SMBs that have picked up the baton in the IaaS category with Skyscape Cloud Services leading the way on £3,538,625 and the likes of Eduserv doing well on £2,004,897, although the decidedly enterprise level ComputaCenter manages to come in second place with £2,278,163.

It’s the same SMB success story when it comes to SaaS, with the likes of Qinetic Commerce Decisions on £3,197,855 and Huddle on £2,237,635 ahead of SaaS market leaders Salesforce.com which has won £1,101,393 to date through the G-Cloud framework, while Microsoft has yet to break the half million mark with £439,304 of business to date.

Security matters

Meanwhile in another significant development this week suppliers on the G-Cloud framework will no longer need to obtain Pan Government Accreditation (PGA) - except for cloud services that connect to the Public Services Network (PSN) - and that G-Cloud will also stop accepting new accreditation submissions.

This is a knock-on effect of the introduction of the Government Security Classification Policy (GSCP), which came into effect on 2 April, replacing the previous Government Protective Marking Scheme (GPMS). This saw a move away from seven security levels to just three - Top Secret, Secret & Official.

G-Cloud suppliers will now be required to self-assert their services, and the burden will be placed on the buyer to take responsibility for assessing and selecting the most appropriate cloud services which meet their individual security requirements.

On the plus side, this means that suppliers no longer face the time consuming and expensive process of winning PGA accreditation, which should be good news for the SMB community in particular.

But on the other hand, the ‘marking your own homework’ approach has been questioned by some as being open to abuse and creating a ‘buyer beware’ environment.

John Godwin, head of compliance and information assurance at Skyscape Cloud Services, argues:

There is a real possibility that the new approach has the potential to confuse: public sector buyers now have to make their own decisions as to what controls will deliver the most appropriate protection for their data, and they are likely to find this process of assessing, comparing and selecting from multiple suppliers more difficult in the absence of a single trusted, credible and rigorous assessment system.

Equally, from the point of view of reputable and security conscious suppliers, these changes present a new challenge of demonstrating how their security credentials accurately protect their services and their customers’ data in a potentially confused marketplace.

Perhaps most concerning of all is the risk that suppliers may be able to make unsubstantiated claims (whether inadvertently or intentionally) regarding the level of assurance they are able to deliver to their customers. This has the potential to increase the risks of security breaches occurring, which could in turn undermine customer confidence in trusting their data to the cloud.

Related Stories:

The worrying cloud building around the G-Cloud (diginomica.com)

Video exclusive: the man behind the G-Cloud, Chris Chant (diginomica.com)

UK gov introduces simpler security classifications – 90% of data now cloud friendly (diginomica.com)

Meanwhile Peter Groucutt, managing director of cloud SME Databarracks, argues that there needs to be more stability around the G-Cloud to encourage take-up:

Keeping pace is understandably challenging

We’ve gone from being controlled by the Government Procurement Service (GPS) (now the Crown Commercial Service) to the Government Digital Service (GDS) and now we’re swapping the CloudStore for the Digital Marketplace – not to mention the changes to the security classification.

He adds that this is having a knock-on effect that contributes to poor local government adoption rates:

While central government has the resources to adapt to these changes, local authorities do not and as a result it has painted an unfair image that they are unwilling to embrace cloud services.

The concern we have as a G-Cloud supplier is that in light of the continuing uncertainty, local authorities will opt for what they perceive to be the safe option by continuing to procure expensive, inflexible IT solutions from their existing large suppliers.

My take

A significant milestone certainly, but the indifference from local government remains deeply troubling.

It’s clear from what exemplars there are at local authority level that cloud can deliver significant benefits to cash-strapped organizations.

But the difference is at least in part down to the shabby nature of so much of UK regional infrastructure, where at times a 3G phone signal is still something the locals can only aspire to, never mind decent broadband connectivity.

As for the security policy change, I look forward to seeing what guidance comes out of GDS on this to make buyers feel comfortable and secure in their minds about what they’re buying.

The ‘pre-accredited’ nature of the Cloudstore was one of its biggest selling points in terms of overcoming mistrust and suspicion. Letting the suppliers mark their own homework inevitably stirs some of that back up again.