National Audit Office issues Cloud 101 guidance for public sector buyers

By Derek du Preez, April 29, 2019
Summary:
The National Audit Office (NAO) notes that some of government’s more traditional organisations “lack the capacity and expertise” to move to the cloud.

Late last week the National Audit Office slipped out some guidance for Whitehall departments and other public sector organisations, which reads very much like a ‘Cloud for Dummies’ document for buyers.

The timing of the guidance is interesting, considering that the government has been operating the G-Cloud framework for 7 years, has had a cloud-first policy since 2013 (which later became cloud native), and many departments have had digital strategies for a number of years.

However, the broader public sector still needs a lot of education on cloud - what it is, how to get there and how to manage it - and any additional guidance is very much welcome. Documentation such as this not only helps buyers anticipate what may be involved with moving to cloud, but also normalises the technology for those still hesitant.

What’s useful about the NAO’s guidance is that it sets out specific questions for audit committees to consider when engaging with their management. It breaks this down into three stages:

  • Assessment of cloud services - considering cloud services as part of organisational and digital strategies; the business case process; and due diligence.

  • Implementation of cloud services - covers system configuration; data migration; and service risk and security.

  • Management of cloud services - covers operational considerations; the need for assurance from third parties; and the capability needed to manage live running.

On why this requires attention, the National Audit Office states:

“Government digital policy supports the move to the cloud and the use of cloud services is increasing rapidly in both the public and private sectors. Some more traditional organisations may, however, lack the capacity and expertise to select the right product for their needs, implement it securely and manage it effectively.

“In particular, the cost and effort of moving to cloud solutions and the skill sets required to manage them effectively should not be underestimated – particularly where multiple suppliers are involved.”

Are you asking the right questions?

The document really runs through the basics of cloud, everything from the definitions of IaaS, PaaS and SaaS, to the meanings of public cloud vs private cloud vs community cloud.

However, the more interesting aspect of the guidance is the breakdown of questions offered to audit committees, depending on what stage of the process an organisation is at.

For example, for organisations developing their digital strategies, committees should ask some of the following:

  • What are the priorities for the digital strategy?

  • Is the complexity of legacy system issues really understood?

  • Are private cloud, public cloud, and on-premises options all considered?

Or in terms of the business case, questions offered include:

  • How sensitive are planned costs to scenario testing?

  • What extra skills and capacity will be needed?

  • What time horizon is being considered in the commercial model?

Equally, apart from technical considerations and early-stage understanding of the new technologies and operating models being used, the guidance also covers questions that should be considered post go-live. For example:

  • Have key stakeholders been engaged through a comprehensive change management strategy?

  • Are contingency plans in place to manage implementation issues?

  • What plans are there for technical and user acceptance testing?

  • Is there effective governance to prioritise the removal of any temporary workarounds?

  • Will the organisation retain the necessary technical knowledge post-implementation?

  • Will there be sufficient commercial and legal capacity to challenge value for money and compliance?

My take

Whilst I would hope that most technology buyers in public sector organisations know the fundamentals of cloud, it’s good to never assume anything and the more guidance available the better. Equally, even for established cloud buyers, this document serves as a good reference and refresh for things to consider when making purchasing decisions. And for those operating digital environments, the continued questioning of your environment and way of operating is equally handy. A useful tool that’s worth a thorough read.