The Cloud First policy is well known throughout the UK public sector. It is an important tenant of the government’s digitalisation initiative, and a wider push to be “Cloud Native”. To guide this, the Government Digital Service (GDS) published an advice-driven blog post, in which it suggested that IT teams should create “resilient, flexible, and API-driven” applications. At the same time, the GDS is encouraging any staff in defence, government, or the NHS to trial new Software-as-a-Service (SaaS) applications.
It’s a significant statement of the government’s intent. Yet, with over £2.6bn spent on cloud and digital services over the last five years, adoption remains comparatively low. One might expect that more than 30% of NHS and 61% of central government entities would have adopted some level of public cloud, which were the findings of a recent FOI request conducted by SolarWinds. Even the Ministry of Defence (MOD), which has adopted some public cloud, stated it had migrated less than 25% of its architecture.
Despite their different levels of adoption, some common enemies exist across the public sector in terms of limiting factors in the form of legacy technologies, leading to self-imposed vendor lock-in, as well as concerns around security.
The NHS, central government, and the MOD have all previously made significant investments in infrastructures, which have inadvertently created a legacy technology environment. Up to this point, this technology has been invaluable in digitalisation, but it now forms a barrier to public cloud adoption for 65% of central government organisations and 57% of NHS trusts. Existing licences for vendor-specific solutions are creating a sense of vendor lock-in, as organisations feel they need to justify their previous investment before adopting cloud technology.
While this may be cost-effective in the short term, in the long term it could be a costly strategy. This is the great advantage of cloud-based as-a-service offerings. These prevent legacy technology issues, such as when an upfront investment fails to deliver the longevity it promised.
IT directors in the public sector should take stock of their digital infrastructure and investments. With the whole landscape in mind, the question to ask is: “Are these delivering the flexibility and cost-efficiency we need?” The answer for many is likely to be “I’m not sure.”
This lack of transparency stems from an absence of visibility into technology performance. Many NHS trusts (77%) and central government organisations (55%) are either unsure if they are using the same monitoring tools across their whole infrastructure or are using different tools for on-premises and cloud environments. This is a natural result of ongoing digitisation and innovation from different departments. Nevertheless, IT departments now need to consider how they regain visibility across these disparate systems. Overarching measurement and monitoring tools will likely form a significant part of this.
Security also remains a consideration. NHS Digital only provided guidance in January 2018, affirming public cloud’s suitability for patient data. This delay may account for a significant portion of the security mistrust around the cloud plaguing 61% of NHS trusts according to SolarWinds’ recent FOI request. However, security and compliance also remain concerns for central government as well as the MOD, although at a much lower 39%.
To this end, the UK Government and National Cyber Security Centre has issued overarching guidelines on cloud security. However, these advisory measures do not go far enough to reassure public sector organisations that the public cloud is secure. It’s easy to understand why the public sector remains reticent about the cloud. Given recent high-profile security breaches, any organisation would want reassurance.
Next steps and solutions
Much like the implementation of the Cloud First policy overall, it is all trust and little verification. While the government may lay out best practices, there is no real initiative in place to check that these are being followed. In this regard, the GDS may stand to gain from a look across the pond. The Federal Risk and Authorization Management Program (FedRAMP) in the US provides one approach to security across the US public sector. With a pre-approved pool of cloud service providers, the public sector can easily find trusted, secure solutions. This makes adoption of cloud services simpler, and shifts the conversation from security and assurances to innovation and meeting business needs.
At the same time, IT providers need to make the transition as easy as possible for the public sector. A crucial part of this is monitoring tools capable of working across both a legacy and cloud environment. Using many different monitoring tools may make it difficult to create a cohesive picture of the whole IT environment. With 48% of the NHS and 53% of central government using four or more monitoring tools, this appears to be very much the case in the public sector. Technology providers need to help IT departments overcome this with solutions that link legacy and new systems into one environment. This will be integral for converting public cloud investment into demonstrable ROI.
Additionally, the public sector should not be looking to the cloud as an enabler of the “next big thing”, but instead taking an end-goal perspective. The cloud is not just a solution that empowers IT. It can be a cost-effective, secure, and available platform for delivering specific business goals.
Proactive steps are needed to address the uncertainty around the use of public cloud in the public sector. Without them, the UK will struggle to make the most of new cloud-centric technologies. Embracing the cloud is critical. Without it, public sector organisations may find themselves struggling in the face of cyber attacks, downtime, and costly maintenance, all risk associated with a legacy IT environment.
In the post-Brexit landscape, the UK public sector needs to act as a benchmark of successful digitisation. This will act as an example to other businesses, and help the UK keep pace with our European neighbours.
Paul Parker is , Chief Technologist at SolarWinds