When I discuss about potential cloud deployments with government clients and many vendors, the center of gravity tends to be “private clouds” or “community/government clouds”. Depending on who’s who – an agency with a large IT department, an IT shared service provider, a smaller agency or local authority, or a vendor to either – the big elephant in the room is whether a private or (at most) a government cloud exist in order to even consider cloud as a plausible sourcing option.
Behind the scenes and the official statements, though, there is a lot that is happening or has happened already, with government agencies using off premises solutions, even before cloud became so prominent. From HR applications to firefighter training systems and land registries, I keep finding many examples where government clients do have pretty important, albeit self-contained, applications in a public cloud. In some cases these applications do not manage any personal identifiable information, in other cases data is encrypted or anonym zed (by using on-premises correspondence tables between identifiers and personal data), and in few cases personal data is simply stored off-premises, in a different jurisdiction (and even country) by a third party.
The last case is less infrequent than I thought with an Australian state client who recently inquired about what to do with an HR service they had been using for quite some time, after their privacy commissioner clearly stated that personal data should stay not only in the country but in the state.
It seems to me that there are quite a few cases where people use a don’t ask don’t tell approach to cloud. The lack of clear directives or the uncertain interpretation of norms conceived in a less technology-intensive context has created opportunities for cloud deployment. As clarity increases, such initiatives are likely to become more difficult and I have already come across at least one case where a department is starting to plan how to re-insource a SaaS solution that has been running in a public cloud and from which they critically depend (good luck with that…).
Does it mean that public cloud is dead in the public sector? Not at all. People will slowly realize that significant cost savings can be realized only on large scale infrastructures that surpass private and community cloud. They will become smarter at architecting applications in such a way to segregate personal data on premises, leveraging public cloud for the rest.