Why AWS is being held back in the public sector

Public sector is a fast growing area of the Amazon Web Services cloud business. Yet it is often not seen as a first choice in government

This article can also be found in the Premium Editorial Download: Computer Weekly: Nato and business join forces to tackle cyber security threats

The public sector is a fast growing area of the Amazon Web Services (AWS) cloud business, but it is often overlooked as a first choice in government.

Aylesbury Vale Council, Royal Borough of Windsor and Maidenhead, the Ministry of Justice and London Borough of Hounslow Council are among a growing number of public sector bodies making using of AWS.

Chris Hayman, an enterprise account manager at AWS, who works primarily in local government, said: "Demand in AWS has never been greater."

Hayman has been at AWS for two years and took the public sector account manager role in February this year.

Last year, AWS became available on G-Cloud. But a challenge for AWS is that its adoption has grown out of the developer community. When asked about how public sector organisations can contact AWS, Hayman said: "We do a lot of outreach to engage with customers, and get them on board with cloud computing."

Buying direct from the government's CloudStore digital marketplace shows that EC2 is available as infrastructure as a service, and is listed at £0.07 per instance per hour. 

While AWS operates a European datacentre in Dublin, the contact details are for someone in Seattle, while there is a UK mobile contact number.

This approach may not fit well with the way the public sector has procured IT in the past, and the deep entrenchment of products from the likes of Microsoft and Oracle across the public sector. So, while AWS can be acquired directly, public sector organisations are more likely to choose third-party providers.

An AWS spokesman said: "We can work very heavily with a partner, acting as an extension of their team – just with deep AWS expertise. In other cases we take a light touch approach and may only involve ourselves in particular elements of a project when explicitly asked by a partner or customer to get involved. 

"In other cases we will support the customer and partner with our 'premium support' service or we may act as a conduit between the partner and our service teams to input into the roadmap for upcoming features and services." 

Arcus Global is one of several organisations reselling AWS to the public sector. It provides support and integration services on the government's CloudStore marketplace. Denis Kaminskiy, at Arcus Group, said: "We offer a broad scope of consulting, strategy, and we plan to use more cloud to implement and develop specific public sector products."

Some of its application and managed services are deployed on AWS. One of Arcus’s contracts is a shared service at Buckinghamshire County Council, which is entirely cloud based. Kaminskiy said: "We use Amazon as a core back-end for storage, processing and running some of the front end."

Public cloud security issue

When asked whether the public cloud posed greater security risk compared to on-premise applications Kaminskiy said: "Data protection applies whether the system is on-premise or in public cloud. There really is not much difference whether you use on premise or public cloud, because you still need a coherent security practice, and do a risk assessment of the environment you use."

In a public cloud, obtaining this information is much easier. He said: "On AWS you manage less, so there is less areas of a risk."

There is always a potential risk that citizen data could be accessed unlawfully. Cloudmask, a company funded from a Canadian government innovation programme, believes it has identified a gap in the cloud security model.

In effect, Cloudmask encrypts data so only trusted parties can access it. Its unique selling point is that even application data can be encrypted, such as customer data in Salesforce.;

The Canadian government has looked at how the product could be used for securing data hosted in a public cloud or SaaS application. "In the Canadian government, we had a few use cases, such as collaboration between agencies," Said Jirka Danek, who until recently worked as director general, enterprise architecture at Shared Services Canada.

"We could we set up a community of interest  and use PKI credentials, such that the information [shared in the community] was only available to people who had the key."

Maturity of AWS in the public sector

Steve Hodgkinson, chief analyst at Ovum, said: "There is no question that AWS is a mature and trustworthy service for appropriate categories of data, applications and workloads in the public sector. AWS's positioning in the US government market is testimony to this, as exemplified by the win versus. IBM of the provision of IaaS services to the US Central Intelligence Agency."

He said buyers need to change their traditional IT-buying behaviour to take advantage of the benefits of the cloud services model. “It is becoming indefensible to insist on customised requirements, irrespective of their costs and risks. Cloud services enable a more outcomes-oriented pursuit of the sweet spot between what an agency thinks it needs and what affordable pre-existing solutions can do."

However, while its maturity is growing, Hodgkinson said it is still constrained by legacy mindsets and a lack of familiarity with the consumption of cloud services on a standardised, shared basis. He said IT staff need to ‘unlearn’ deeply entrenched specification and procurement practices and learn new, more agile, more flexible approaches.

CloudStore makes it much easier for public sector bodies to use AWS. Security is probably tighter on AWS than in a government datacentre, which, incidentally, is likely to be run by an outsourcing provider. 

Arguably the biggest hurdle facing AWS adoption is that the incumbent supplier normally has an edge in the public sector. For instance, Microsoft has an advantage in the sense that most government departments are familiar with Microsoft software.

Hodgkinson said: "Microsoft’s strategy is to blur the boundaries of on-premise and cloud service-based application and workload hosting so Windows Azure is an extension of the in-house environment. Cloud services, such as Office 365, are also being bundled into Microsoft enterprise agreements, so they appear to be available to agencies free, or at very low cost."

But AWS can be regarded as an independent IaaS provider. "Customers are free to choose whatever software they would like to run on their virtual IT environments. This gives more flexibility for [public sector users] who wish to run open source software and software from other vendors,"  Hodgkinson added.

Read more on Service-oriented architecture (SOA)