UK public sector IT grapples with cloud computing security risks

Can UK public sector IT overcome its fear of cloud computing risks in order to reap badly needed savings?

This article can also be found in the Premium Editorial Download: IT in Europe: Cloud computing: Data security outlook

Large-scale government IT projects have proved a huge failure, so could the cloud offer a viable – and secure – solution?

The reputation of UK public sector IT has never been lower. A July report from the Public Administration Select Committee (PASC), the Parliamentary group that monitors the quality and standards of administration within the Civil Service, painted a grim picture of how IT projects are currently run. Its title was ominous: “Government and IT - A Recipe for Rip-Offs”.

Its main charge was that a small group of major systems integrators had cornered the market in big public-sector IT projects, and that the civil service had lost most of its IT skills, becoming a passive customer that blindly accepts what it is given by its suppliers.

The committee uncovered some astonishing examples of over-charging as well, such as the government department that paid £3,500 each for its PCs.

But the report’s primary theme is the declaration that the government’s whole process for procuring IT projects was fatally flawed. It listed several big-ticket IT projects that have run late, under-performed or failed over the last 20 years:

  • The Child Support Agency's IT system 
  • The IT system that would have underpinned the National ID Card scheme
  • The Defence Information Infrastructure Programme
  • The Single Payments Scheme by the Rural Payments Agency
  • The National Offender Management System

The authors added: “During the course of our inquiry there was evidence of continuing IT mismanagement: the Department for Work and Pensions (DWP) chose to cancel a contract with Fujitsu for desktop computers; one of the NHS partners involved in the electronic patient record system pulled out after the suppliers failed to meet a deadline; and the flagship Universal Credit (UC) programme was reported to be behind schedule due to problems meeting the deadline for building the new IT system.” Also worthy of mention is the multi-billion pound NHS National Programme for IT, which now faces cancellation nine years after it started.

So how can this cycle of failure be broken? The government has already declared a willingness to adopt cloud computing in some form or another. If implemented properly, there are a variety of cloud services that would provide lower costs and greater flexibility than the current huge siloed data centres run by government.

A research study by the Centre for Economics and Business Research (Cebr) called “The Cloud Dividend”, published in February 2011, assessed how much money could be saved across Europe in different market sectors. The study, commissioned by storage vendor EMC, found that the macroeconomic benefits of cloud computing for the government, education and health sector in Europe’s biggest economies (UK, France, Germany, Italy and Spain) will amount to 112 billion euros between 2010 and 2015. For the UK, the accumulated benefits in the same period will be 19.445 billion euros (£16.601 billion).

However, the figures assume the government’s plan for G-Cloud, a wide-ranging project to create a secure cloud infrastructure, hosting services and applications to be used by public sector bodies around the UK, would come to fruition as planned.

Yet in recent months, doubts have been cast on G-Cloud. Some sources say the plan has been canned altogether, with the focus now shifting to data centre consolidation instead. A recent publication from the Cabinet Office confirms that change.

Furthermore, a recent Freedom of Information request sent to 25 government ministries revealed little interest in cloud computing. The research, commissioned by Indian IT services company HCL Technologies, found six respondents, including the Treasury, said they had no plans to adopt cloud computing. Their main objections included being tied to one service provider, system integration and Web security. Although several departments said they would follow the government’s IT strategy and guidelines, it was only the Department for Work and Pensions that mentioned G-Cloud in its responses.

Security is often cited as a reason for not adopting cloud services in government. But as the PASC report noted, departments must guard against “gold-plating” their security requirements. “Over-classifying routine administrative and operational information causes unnecessary technology and operational costs, and prevents the public sector from taking advantage of the economies and efficiencies of commodity software and new opportunities,” the report said. “It also acts as a further barrier to more effective use of SMEs in the supply of IT goods and services. Government must do more to demonstrate how a risk-based approach is helping achieve a better balance in information assurance.”

However, government departments are highly regulated and need to be audited against a whole range of standards by different authorities, said Stephen Simpson, UK cloud lead at IT services company Logica. “Today, these authorities look at the organisations independently of each other and this must change in order to achieve large-scale consolidation,” he said. “It only makes sense for ICT cloud consolidation to take place between similarly regulated organisations; so the focus of the authorities can then move towards the general protective monitoring of common services rather than those of the constituent organisations.”

Simpson said the public sector will remain reluctant to embrace public cloud while the majority of the available infrastructure is not located inside the UK. Logica estimates 70-80% of candidate cloud services need to be run at impact level 2 (IL2) or impact level 3 (IL3) (as defined by CESG, the government security body). “IL2 can in principle be managed outside of the UK, but the two levels tend to be mixed up together in planning,” Thompson said. “Redaction – the filtering of sensitive information – is also a major issue, particularly for unstructured data; organisations are reluctant to put information into a shared service centre when some of the content might be sensitive.”

However, with the general economy struggling to recover, the government knows it must save money by improving its use of IT. There is much to play for, and many opposing forces are jockeying for position. The big systems integrators, under criticism for over-charging and under-performing, have the most to lose from any changes, while smaller service suppliers see an opportunity to step in and grab the business. 

Andy Burton, chairman of the Cloud Industry Forum, a body representing cloud service providers, not surprisingly falls into the second camp and wants the government market opened up to smaller players. “The UK government controls over 100 data centres across the UK, and this infrastructure is inefficient, capital intensive and provides a poor return both economically and in the restriction of agile solutions,” he said. “The Cloud Industry Forum believes the government can save at least £2-4 billion per annum within three years if it mandates a new process for specifying and procuring IT solutions. This saving would not restrict the government IT agenda and arguably would stimulate creativity and collaboration as is seen in the private sector,” Burton said.

While data security, privacy and sovereignty remain key cloud computing security risks among some parts of government, Burton insists: “As with any technology, solutions exist to these issues and practical precautions need to be taken as with any solution to ensure all data is safe and this applies to using a cloud-based service.”

He also makes a point shared by all parties that the people buying IT services on behalf of the government need to reclaim many of the skills they have lost over the years of outsourcing. “Government IT executives must reposition themselves as leaders who can bring their organisations to new levels of performance and efficiency through IT. Cloud computing is definitely a plausible option for improving performance and efficiency and the government should be considering this.”

There is, however, some good news. Several providers report that local authorities, NHS Trusts, police authorities and others are already taking matters into their own hands to lower costs and respond to demand for better efficiency. By consolidating their own data centres using virtualisation, or pooling resources with neighbouring bodies, they are developing private clouds and avoiding the security concerns they might have while working with an outside supplier.

John Gurnett, who works with public sector clients for EMC (which owns VMware), said many organisations are making savings of between 40% and 60%.

“I think something like the G-Cloud will come about over the next few years,” Gurnett said, “but it will be built from the ground up in local initiatives and federated over time.”

Ron Condon is UK bureau chief for Send comments on this column to [email protected].
