Britain's G-Cloud strategist plays down security concerns

Britain's former cloud computing champion John Suffolk has challenged Australian government chief information officers to justify their concerns about security in the cloud.

John Suffolk, former British Gov CIO.

Speaking at the Technology in Government Summit in Canberra this month, the former government CIO chided his peers for using security as a means of deferring trials of cloud computing.

Suffolk led the development of Britain's G-Cloud, a plan that was published by the Cabinet Office last year and was expected to cut £3.2 billion from the Government's annual spend by 2013-14.

“We should not underestimate cloud computing,” he told delegates in Canberra.

Although security had to be considered before introducing new, government cloud computing services, Suffolk argued that security issues were exaggerated and used as an excuse for avoiding the cloud model.

Major IT suppliers had a vested interest in fuelling such concerns, he speculated, adding that proprietary vendors were "very, very concerned".

"You mean you are not going to give [suppliers] license fees for doing nothing? It’s a big issue. The industry is fundamentally changing," he said.

After leaving the British Cabinet Office in November, Suffolk advised the World Bank High-Level Experts group, helping governments understand how technology could improve the public sector and generate economic growth.

He planned to join Chinese networking and telecommunications vendor, Huawei, as its global cyber security officer (GCSO), commencing 1 October.

Suffolk challenged members of the audience to clarify how having the term “cloud” in front of a government data centre made it any less secure than a physical service.

“Tell me how your security model has changed?” he asked cloud adopters.

He argued cloud computing should not be viewed as a threat for government, but an opportunity,.

“My advice is dip your toe in the water. Try it. Put some services into a cloud-based model -- public or private depending on your security model," he said.

"Begin to migrate your services. Begin to downgrade your legacy [infrastructure] in terms of what goes on it. Because if [a cloud trial] doesn’t work, you will not have invested a whole lot of capital.”

Addressing immaturity and lock-in

Suffolk encouraged agency CIOs to design environments in which applications were seperated from the underlying platform, in order to avoid being locked into particular vendors or immature cloud offerings.

“You can come up with cloud models that separate apps from infrastructure," he said. "It’s like buying electricity but having a choice over what kettles you might plug in.

“If it’s a low risk app do you really care on the basis that it’s pay for use?" he added.

Meanwhile, any agencies planning to adopt the cloud model for a “core critical system” should put the same effort into analysis, design and architecture as they would in a non-cloud world, he said.