Cla78 -

How AWS is cracking the public sector cloud market

The public sector cloud business takes time and resources to build, but the rewards can be meaningful, as the founder of Amazon Web Service’s public sector division has found

It was once unthinkable for governments to embrace the public cloud, but more public sector agencies today are tapping into cloud services in a bid to deliver digital services faster and cheaper to an increasingly tech-savvy populace.

Take the Singapore government, for example. In October 2018, it announced its bold decision to move the bulk of its IT systems to commercial cloud services over the next five years.

Earlier that year, the Australian federal government also announced a secure cloud strategy that focuses on preparing agencies for the shift to cloud services and supporting them through the transition.

Public cloud suppliers such as Amazon Web Services (AWS) have benefited from the surge in interest from governments, though the public sector cloud business isn’t for the faint-hearted, according to Teresa Carlson, founder and vice-president of AWS worldwide public sector.

In an interview with Computer Weekly, Carlson and Peter Moore, AWS’s regional managing director in the same business unit in Asia-Pacific, talks up the company’s growth momentum in the region and the challenges it faces in a market segment that takes plenty of grit and patience to succeed.

Growth momentum

AWS has come a long way since it launched its public sector business in the Asia-Pacific region about a decade ago. Can you share more about your growth momentum in Singapore and the region?

Teresa Carlson: We launched a region here in Singapore in 2010, and it was the first one outside of the US and Europe. We made an early investment here in Singapore, primarily because we saw the opportunity in Southeast Asia. And it remains the centre of gravity for us in Asia-Pacific.

When we started our public sector business, we had hardly any customers, but today we have over 5,000 government agencies, over 10,000 educational institutions, and over 28,000 non-profit organisations around the world as customers.

When we first came here to Singapore, we were just really in the early days of talking about things like a cloud-first policy and what that would mean for the region. We were also talking about compliance regimes and cloud security models – and that’s important to every customer around the world.

Today, Singapore has a cloud security model and an acquisition model called the Government Commercial Cloud Infrastructure (GCCI), in an effort to move more government workloads to public cloud services. That’s an important step forward from the earlier view of the G-Cloud, which they have realised wasn’t really cloud. But that’s okay because that was in the early days.

We also saw a lot of countries go down that same path of putting in a few servers in a datacentre and calling it cloud. The reason that didn’t work was because it didn’t have the key principles of true cloud, which is about enabling a fast pace of innovation and having the ability to add services. It didn’t have the ability to scale workloads up and down, nor the ability to only pay for what you use.

In the meetings I’ve had here, the conversations with the government are around moving more workloads out of G-Cloud. We’re also working on more training and accreditation for skilled workers. That includes training the next generation of workers who are going to be coming into government, so we’re working with universities and vocational schools.


Peter Moore: It was a crazy start, because our customers didn’t know anything about the cloud. And as Teresa rightly indicated, there was a lot of cloudwashing. People were calling everything cloud and no one really knew what it meant. We believed that having a definition of cloud really helped to clarify what was really cloud and what was not cloud.

Also, when we started having conversations about existing government security criteria for using technology, there was really nothing to address the unique delivery model of cloud. They had standards around how to build datacentres, they had standards around software, but nothing about cloud.

So, in both Australia and Singapore, which were the most mature markets at the time, we had to work with the government to develop those standards from scratch. Today, Singapore has the Multi-Tier Cloud Security (MTCS) standard and we were the first to attain the level three classification. In addition, we’ve got good momentum with government agencies like the Land Transport Authority (LTA) and Singapore’s trade platform that enables expedited shipping workflows. Leveraging cloud to do those things was the proof point and foundation.

The same is true in Australia, where the Australian Signals Directorate could certify software and hardware but had no clue about cloud, so we had to work through that from the beginning. Fortunately, I was able to leverage the work that we’d already done in the US through things like FedRamp (Federal Risk and Authorisation Management Program), as well as the ISO standards that we already complied with.

At the beginning of this year, we achieved the protected certification in Australia, which meant that we can run highly sensitive workloads in our environment. As we achieve higher levels of certification, not only do we see more classified data being moved to the cloud, there’s an increased velocity for everything else underneath as well.

More recently, in Japan, there was a government congressman who became the IT minister and enacted a cloud-first policy, driving many agencies to migrate to cloud. We’re also seeing the same thing in India where we’ve gone, in the last 12 months, from excuses on why they can’t use cloud, to people saying how they can we move faster.

Other countries are going to come along as well. We’ve announced the Indonesia region and the government there is now progressively talking to us about the policies and procurement environment they need. And they’re starting to look at how can they use the Singapore region to run unclassified workloads rather than wait for the infrastructure region to be available.

Driving cloud adoption

Can you elaborate on the procurement environment necessary to drive cloud adoption? Do you see that as a stumbling block, given that it takes time to change polices on the part of finance departments that hold the purse strings to government spending?

Carlson: I think it depends on each country, but I would say at the top level, most governments lock themselves into very long-term outsourcing contracts which include talent. While a lot of enterprises don’t do that or can cut off such contracts, it’s more difficult for governments to do so.

One of the things we advise governments to do is to build their own talent. If they make that switch and get young talent to use the newest technology, they can move fast because now they have the cloud infrastructure that we’re taking care of. It’s time for governments to say: “We’re going to take back more control, we’re going to have our own builders, we’re going to create a talent pool that can use the latest and greatest technologies to move faster.”

Besides long-term outsourcing contracts, governments are also being held back by people we call server hoarders. These individuals don’t want to give up control and will give you all kinds of reasons for not moving to cloud. It takes an organisation’s leadership to set the cloud-first agenda before we can see the momentum going.

It’s also important that the chief financial officer (CFO) and the legal group understand the things we’ve been talking about. We work a lot with CFOs to explain how the budget changes in terms of capital and operating expenditures, and the value and cost savings that they’re getting from cloud.

Moore: I’ll add that unlike Australia, Singapore never really went into the massive outsourcing route with long 10-year contracts, while every conversation I have with government in Australia is about capital versus operating expenditure. I’ve not once had that conversation in Singapore.

No Singapore government agency has ever said to me that they have a capital versus operating expenditure problem. For them, it’s about the budget, and they just decide how they’re going to spend that budget.

Read more about cloud in APAC

What is your thinking process when it comes to expanding in countries where governments have enacted data sovereignty laws but may not have a big enough market opportunity to justify a new datacentre?

Carlson: Some governments do their own assessment and may put workloads in another region while others don’t want to do that. Over time, though, they may adjust.

When we look at markets, we see which ones have a great opportunity that we need to build a region in. It’s also important that customers want us. Then, we have a conversation with government stakeholders to explain the value that we bring.

Often, we make billions of dollars of investments when we go into countries, but it’s not just about putting in some servers. We put a team on the ground, we have offices and we build datacentres and we continue to add on to that infrastructure. We put a great deal of thought into a market: Does the government want us there? Can we be a partner with them? Can we be successful with both government and enterprises? It’s a big package that we look at with lots of indicators including data sovereignty needs.

In the European Union (EU), individual countries have said that they want their own cloud even though data can be moved across the EU under the General Data Protection Regulation (GDPR). If you look at what we’ve done there, we’ve built regions in the UK, Ireland, Sweden, France, Germany and we’ve announced Italy. We’ve made an investment to go into those countries to ensure that they have data sovereignty.

My point is we listen to different groups and try to respond effectively to ensure that we’re meeting customer needs. And that’s how we’re trying to do it here in Southeast Asia. We’ve never said we’re done building, and we want to continue to respond to opportunities in countries like Indonesia. I don’t know where we’re going to be yet, but I’m sure in the foreseeable future we will announce other regions.

Requests from other governments

AWS operates the GovCloud service in the US. Have there been requests from other governments for a similar service?

Carlson: We launched GovCloud in August 2011 because of an edge use case. Nasa (National Aeronautics and Space Administration) came to us and said they needed an Itar (International Traffic in Arms Regulations) compliant service to support the transfer of data about defence components, including those made by smaller companies that go into defence and missile systems. Nasa was tracking those components manually at the time as there was no Itar cloud, so we literally created GovCloud to manage and move data digitally for Itar workloads.

Since then, GovCloud has grown and we do have lots of workloads there now. But over the years, most of those workloads can now be run in our commercial cloud regions with all the security controls and encryption methodologies put around them.

But yes, there are places where we are still asked to operate specialty clouds, like the one we built for the intelligence community in the US, which is very disconnected with its own network. So, we still do have those use cases, but it is more rare than it was.

The government segment

In some of your earlier interviews, you mentioned that the government segment is the toughest among all the verticals. Could you elaborate more on that?

Carlson: I’d say it’s not for the faint of heart. It’s meaningful, important and my team loves it. The reason government can be a lot more challenging is all the things we’ve talked about – more strict regulations, policies that have to be updated, and procurement processes.

An enterprise might run a formal procurement process, but they can do it in a week. It’s not a rigorous, formal process driven by policy which can be costly. For example, meeting FedRamp requirements in the US is a very rigorous and costly process.

One thing we’ve tried to do is to advocate to government, on behalf of our small partners, is that if you want to get innovation into government, you can’t make it so costly that you’re keeping out innovative start-up companies that may have a fantastic tool.

So, what we have done is to put in a process to help our partners get FedRamp certified faster. We also have a team to help them understand how they can meet the security controls. We are trying to do our part to help our community and that’s expensive.

Sometimes, you also need a government affairs and policy team to support your efforts in government. And many times, I like to tell the team, we have two customers, a systems integrator or contractor, and the government. Having more than one customer is more costly and extends your time to get to market.

Meanwhile, we’re also doing a lot of education and retraining of people who were working with very old and outdated systems. You really need a spirit for innovation and making sure that government has access to the same technology as a start-up. But if you love it, like we do, it’s also exciting.

Being a global company

AWS operates globally, but it is still a US-based company. Has that hindered your progress in countries that might not be so friendly with the US?

Carlson: In some countries, it can slow us down, because we have to be patient and make sure they understand that we are a global company. We hire local people and we train locally. We’re not like some tech companies that are much more virtual.

We come in and put people on the ground, and we invest in very big ways across Amazon and AWS. We want to be part of the community when we come in. And we work hard to make sure that we are listening to customers and fitting into a country and culture in the right way.

We don’t import people into the countries we operate in, though we may have to do that sometimes to do the training. But our goal is to train and hire locally. That’s important for the work that we’re doing in the public sector and in our commercial business.

As a US company, we educate international customers on US policies that we operate within. But we also protect our customer data and privacy on a global basis, and we have very rigorous policies to support our customers wherever they are. So, while it’s important that we meet the laws of the US, we also work to meet the laws of countries where we operate as a local entity.

Read more on Cloud computing services

Data Center
Data Management