IT reformers in central government say that cloud-based solutions should be your first choice when it comes to technology provision. However, don’t let the risk of shadow IT spoil your approach, warns Dan Power of cloud firm OneLogin.

In May, the UK public sector was given a mandate meant to profoundly shape the way all information and communications technology (ICT) is sourced by government, the NHS, education and indeed all corners of the sector.

The problem: while the move was meant to deal with some of the widely-acknowledged challenges that public sector bodies are facing around IT procurement and value for money, IT buyers within those organisations also have to think through all of the implications.

If they don’t, they could end up putting their organisations in more danger around both security and cost.

The commandment from the very busy team of IT reformers in the Cabinet Office is, of course, named the ‘cloud first’ policy.

Under the terms of this commitment, any public sector buyer of ICT should always look first to a cloud solution, ideally through Whitehall’s fledgling but growing ‘G-Cloud’ or ‘CloudStore’ buying frameworks.

I applaud many of the drivers for this route of travel – to quote Francis Maude as the Minister involved in this project, who among us would not wish to also see “quicker, cheaper and more competitive” ICT in the market? However, I also see a very serious challenge in any shift to the cloud.

This lies in the potential for introducing insecurity. However, this is not about the cloud itself being insecure. It has become almost a cliché of cloud debate to worry about the physical location of data if it is handed over to a cloud service provider or hosting provider.

The Cabinet Office and Government Digital Services, the body responsible for CloudStore since that announcement, have both taken great pains to reassure public sector buyers that data is safe in the cloud and, for at least some services in central government, perfectly appropriately stored there.

It is not just the data side of cloud but also the applications side that has to be considered – something almost no one is raising any concerns over at all.

Let’s make this concrete with an example. A part of your organisation, enjoying its new-found freedom to buy an application or a service from the CloudStore, goes off and procures something useful.

Users start engaging with it; useful work gets done. Then someone from that team leaves or is promoted. What happens with their access to that system?

In the ‘old school’ version of public sector ICT procurement, that individual’s access to that package would have been set up by the central IT function. This team would have sifted the team member’s identity and clearance so as to assign them a controlled amount of entry to the system.

This doesn’t happen with a SaaS (Software as a Service) app of the kind we are being urged to sign up for on the CloudStore.

The third party supplier is responsible for the donkeywork of managing access, while it would be up to the user or the department to keep them informed of any changes. Many of these individuals or teams don’t yet think about those requirements.

This is just one application and one user; what about all the other systems – indeed, possibly the many SaaS apps that this individual is asked to use?

How is a user’s ID being verified across these proliferating ICT systems, and how is it being managed when he or she moves role or leaves public service?

The spectre here is what respected IT leadership organisation Ovum calls ‘shadow IT’: a sprawl of cloud services often open at the point of delivery which allow anyone to sign up, entering and using information systems that the organisation no longer centrally controls.

This fear is also echoed by another research body, Gartner, which warns that by 2015 as much as 35 per cent of enterprise IT budgets will be managed by line of business managers.

Indeed, according to research my company conducted earlier this year among 200 IT leaders, some 71 per cent admit they are using cloud apps unsanctioned by their internal IT departments.

As stated, there would be nothing wrong with this if there were still some over-riding governance of staff access, the policing of identity and conformance to policy here.

What is missing, though, is the understanding of proper identity and access management. This is functionality that traditional ICT procurement is familiar with and accepts, but which is still all new to the world of cloud, more often than not.

If you follow the ‘cloud first’ ruling, it becomes your responsibility to look for what SaaS misses out – adequate support for organisational safety checks on usage.

This is where new approaches like portals will come into play too, securely governing access to cloud apps on as many devices and platforms as the organisation deems suitable.

This will help the public sector decision maker offer their teams the best of both worlds – cloud-style cost-efficiency and ‘old school,’ well-organised security management.

The Public Cloud edict is clear around finding potential opportunities for innovation, agility and cost reduction using the cloud.

Do not, however, let this justifiable enthusiasm for new ICT procurement style overpower hard-won lessons about the need to properly run and support the apps the public sector could benefit from.

By using the best practices of both cloud and traditional ICT, public sector bodies can benefit more in the long run.

---

Author(s): Dan Power

Source: The Information Daily, 11.10.2013
