OPINION - The Department of Finance has released a sound strategy document for adoption of cloud computing by Government agencies, which balances out the need to pursue the cost-savings the cloud can deliver against the risks its adoption poses.
The draft plan [PDF] released late Friday acknowledges the inevitability of a transition to the cloud computing model for many applications, whilst maintaining many of the same central controls that govern the Federal Government’s approach to traditional technology outsourcing.
The draft strategy – which I summarised briefly this morning - will see the Government produce governance frameworks for agency adoption, a certification process for approved cloud computing vendors, and finally a whole-of-Government procurement panel and service catalogue.
Most of this work is expected to be complete before the end of this year.
By internet industry standards the timetable isn’t overly aggressive. But by government standards, it is thoroughly appropriate - if not aggressive.
I would argue that on such a timetable, the Federal Government will (for once) not find itself dragging behind the technology adoption of Australia’s largest private sector organisations – but rather assert itself into the rare position of moving in parallel with them.
In fact, the Government’s strategic direction paper should give many CIOs in the private sector some confidence in building their own case for cloud computing adoption. And ideally it might convince local IT companies and telcos to consider building out some computing scale on Australian soil.
The document’s authors appear well-versed in the realities of today’s enterprise computing environment. The draft strategy paper identifies the core benefits of cloud computing and also isn’t overly alarmist when it comes to the risks.
The paper also avoids the cloud-washing definitions used commonly within industry (and embraced by analyst groups wishing to please a multitude of vendors) – sticking instead with a long-held and respected set of definitions conceived by NIST.
The authors recognise that cloud computing is “a new ICT sourcing and delivery model, not a new technology” – and that subsequently the challenges ahead are more likely to be contractual rather than technical.
The document notes, for example, that “the legal/contractual, economic and security aspects of cloud computing are still relatively immature” but encourages agencies to nonetheless dip their toes in the water by migrating unclassified data and applications.
The list of risks for agencies to consider is comprehensive. The paper lists privacy and security risks, vendor lock-in, a reduced ability to customise applications, business continuity risks should internet services be unavailable, legal and technical difficulties around retrieval of information, the risk associated with sharing infrastructure with other unnamed customers, and the need to meet regulatory requirements both at home (such as Australia's Privacy Act) and abroad (such as The U.S. Patriot Act).
It also notes that there is little legal precedent with regards to liability issues in the cloud and that there is a lack of cloud computing options of considerable scale already available in Australia.
They are all very real barriers to adoption, but not impossible to overcome with the right governance framework.
The authors rightly note that there is a cost of inaction. Many business units within agencies are probably already consuming cloud computing services, outside the knowledge of their IT department and wider governance mechanisms. The Government cannot sit back and pretend cloud computing isn’t happening.
Whilst the document and the department’s wider strategy ought to be applauded, policy-makers will no doubt still face some critics within the cloud computing industry around the level of central control Finance wishes to impose on agency adoption.
There is also scant detail available as to how this cloud computing strategy fits with AGIMO's wider goals around data centre consolidation.
Specifically, I expect there will be concerns around whether the Government's controls can move quickly enough to endorse the latest cloud options as they spring up.
The barrier to market for new service providers – especially software developers using platform-as-a-service – is now incredibly low. New cloud services can be written by small, nimble teams in weeks – not months or years.
Canberra’s typical procurement panel processes have been proven to work well to drive down IT costs by using the scale of whole-of-Government buying for a better bargaining position with suppliers.
For cloud computing, such a process could be used to negotiate better terms and conditions in the contracts of service providers for all agencies. (Ideally such a process would be transparent so that it could also provide more favourable terms for private organisations too.)
But will such a process – which usually approves suppliers over multiple year periods - be inclusive of smaller cloud computing providers? And will it be revised regularly enough to keep up to speed with innovation?
That’s the main question I’ll be asking in formal responses to the draft strategy paper. What are yours?