After a tendering process started in late 2011, the UK Cabinet Office selected over 250 vendors providing about 1700 services that government agencies can choose from in order to meet their cloud needs. Yesterday it opened its cloud store.
The store, which admittedly in its early stages, allows to browse services by type (IaaS, PaaS, SaaS, specialist cloud services) and deployment model (private, public, hybrid), as well as by vendor name and service description.
This looks like an impressive and comprehensive list of services. Hoverer the site offers a number of caveats though.
The first and probably most important one is about assurance and accreditation.
We’re still in the early stages of this work and have hundreds of products to assure, so most of the products you’ll see in the pilot CloudStore have not yet been assured.
The next stage will be to accredit some of the products in line with CESG guidance on information assurance. This means that once products have been accredited, Government buyers will be able to use them straight off the shelf without having to go through the accreditation process again. There will be products available up to IL3.
In fact I have tried to browse quite a few services and in all cases a purple ribbon at the top of the page warns you that “the service is waiting to be assured”. It appears that they are pretty much where the US government was when they first opened apps.gov, although in that case only public services were available.
The selection is quite impressive, and there is a fair amount of small players alongside the usual, large service providers. Search capabilities are moderately effective but information about suppliers is reasonably consistent to at least get to know who are the players.
The best thing is that government agencies can buy services straight from those vendors without issuing a European call for tender, which implies significant time savings.
On the downside, besides the time taken by the accreditation process, a fundamental question remains about the readiness of both prospective users of cloud services and their suppliers to really meet the objective of “moving away from custom built and hosted IT to cloud based services bought as commodities on short term contracts” as the cloudstore itself states.This is certainly not unique to the UK public sector and delves into the relative immaturity of standardization activities around cloud. However the whole idea that shifting between suppliers of a commodity service across a number of short-term contracts may take some time to materialize. Also, it is not entirely clear how agencies can assess the risk that those suppliers pose in term of long-term viability of their offering.
The Cloud Store is a great first step toward what Gartner calls a storefront in its research, (see Five Roles for Government in Cloud Computing – login required) but there is still quite some way to go before agencies can move safely into the cloud territory.
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
Comments are closed
4 Comments
Accreditation a downside? We have to accredit all services now and rightly. Cloudstore services will be accredited “pan government” which will enable reuse and avoid massive duplication for suppliers and the public sector today.
Chris, thanks for your comment. What I meant was the current uncertainty about the timing for accreditation, as there is no schedule available yet that I am aware of. Of course my assessment is partially skewed by how long it is taking the US federal government to establish a more centralized and sustainable C&A process for their store (with many fewer services) and, although I know that their FISMA has peculiarities that are not reflected in the UK, I believe it is an important lesson.
Services will be accredited as they are taken up as with every other service used in public sector that requires accreditation. The difference with Cloudstore products is as I said above and this will save time and money for everyone.
Thanks Chris. Does this mean that the accreditation would be performed by the organization that buys the service first, or would the G-cloud team be responsible for that? I believe this is quite an important distinction.