When I discuss potential cloud deployments with government clients and many vendors, the center of gravity tends to be “private clouds” or “community/government clouds”. Depending on who’s who – an agency with a large IT department, an IT shared service provider, a smaller agency or local authority, or a vendor to either – the big elephant in the room is whether a private or (at most) a government cloud exists in order to even consider cloud as a plausible sourcing option.
Behind the scenes and the official statements, though, there is a lot that is happening or has happened already, with government agencies using off-premises solutions, even before cloud became so prominent. From HR applications to firefighter training systems and land registries, I keep finding many examples where government clients do have pretty important, albeit self-contained, applications in a public cloud. In some cases these applications do not manage any personally identifiable information, in other cases data is encrypted or anonymized (by using on-premises correspondence tables between identifiers and personal data), and in a few cases personal data is simply stored off-premises, in a different jurisdiction (and even country) by a third party.
The last case is less infrequent than I thought, with an Australian state client who recently inquired about what to do with an HR service they had been using for quite some time, after their privacy commissioner clearly stated that personal data should stay not only in the country but in the state.
It seems to me that there are quite a few cases where people use a “don’t ask, don’t tell” approach to cloud. The lack of clear directives or the uncertain interpretation of norms conceived in a less technology-intensive context has created opportunities for cloud deployment. As clarity increases, such initiatives are likely to become more difficult, and I have already come across at least one case where a department is starting to plan how to re-insource a SaaS solution that has been running in a public cloud and on which they critically depend (good luck with that…).
Does it mean that public cloud is dead in the public sector? Not at all. People will slowly realize that significant cost savings can be realized only on large-scale infrastructures that surpass private and community cloud. They will become smarter at architecting applications in such a way as to segregate personal data on premises, leveraging public cloud for the rest.
Category: cloud Tags: private cloud

Andrea Di Maio

4 responses so far ↓
1 Bill McCluggage June 24, 2011 at 4:19 am
Andrea, very timely. I attended a discussion group in Belfast last week and we were talking about the perceived problem of data security with use of public cloud and ‘don’t ask, don’t tell’ surfaced. One software supplier, with sales worldwide and having recognised the opportunity of Cloud-based SaaS provision, was quite open that they used such a philosophy. However, as you rightly point out in your example from Australia, this may be constrained by compliance issues and the need to provide a robust audit trail and results of due diligence. In some cases it is worth remembering ‘if you ask a question you need to be able to accommodate the answer’.
2 Andrzej's Links » Blog Archive » links for 2011-06-24 June 24, 2011 at 12:02 pm
[...] “Don’t Ask, Don’t Tell” May Be a Good Cloud Strategy [...]
3 Craig June 24, 2011 at 9:52 pm
I think this is also an issue of newness.
Do government agencies worry about using only locally owned telephony providers – who store any voice information that is kept in the same nation or state?
How about courier companies and postal services?
True there are some technical and practical differences.
Cloud computing requires increasing global trust in an age where security is fast becoming one of the most critical – and untenable – goals.
However the world has done quite well in building trust in a global financial system and most governments use ‘global’ software – such as Linux, Apache, Microsoft Office and similar tools, rather than insisting on locally produced equivalents (North Korea aside).
By necessity I can see governments moving towards bipartisan and then multi-partisan and global agreements on data movement (besides the internet), storage and security.
Albeit this is likely to take some time to devise, negotiate, develop and endorse – as did the concept of passports.
4 “Don’t Ask, Don’t Tell” May Be a Good Cloud Strategy | devblogging.com July 20, 2011 at 10:53 pm
[...] May Be a Good Cloud Strategy By RSS FEED, on July 20th, 2011 Author: Andrea Di Maio Source: Andrea DiMaio [...]