Public sector IT procurement - a long way to go before G Cloud makes the grade

Opinion Davey Winder Feb 25, 2013

IT procurement in the public sector should have been shaken up by G Cloud, so why are vendors jumping through hoops over security demands?

The government has been quick to release what amounts to a virtual birthday card celebrating the fact that the G-Cloud is a year old. Francis Maude, the Minister for the Cabinet Office, calls it a "model of an innovative, more cost-effective and open way for the government to buy and operate IT" but is that actually the case?

There's no doubt that G-Cloud and the CloudStore have created a buzz in the rather staid world of  public sector IT procurement, dragging the government into the cloud and the 21st century as a result. The morphing of the technology from one where public sector organisations used to have to develop and run their own systems and infrastructure to an on-demand driven, utility-based pay as you go service, has the potential to be revolutionary. However, with only 459 providers (approximately 75 percent being SMBs) on the supplier framework for current cloud-based services, offering around 3,200 services ranging from hosting through to document management, G-Cloud has been only a very limited success story with £6m of spending through the CloudStore. 

Not, then, as much of a game changer as the government would have liked. After all, when G-Cloud was being launched there was talk that 50 percent of all new government IT expenditure would move to cloud computing services - that simply has not happened (in fact, it's a long way off, although it is still early days).

Phil Dawson, CEO of Skyscape which is a provider of cloud services to the public sector, wonders of this has something to do with a lack of education amongst public sector decision makers when it comes to the importance of secure cloud services. "The G-Cloud framework enables the UK public sector to utilise a wide range of assured cloud services" Dawson states "allowing organisations to reap the benefits from lower costs, reduced procurement times and a simplified tendering process, without the need for compromising on performance or security". 

I think Dawson has a point, and issues surrounding perceived cloud insecurity and trust have a habit of coming to the fore.

Although the whole cloud security debate continues to roll on, hopefully in ever decreasing circles until it will fizzle out with a pop at some point in the not too distant future, I think it's the trust issue that's perhaps the most important to focus on. 

In the US, for example, there's a well defined 'Cloud First' policy in place to drive more business into the G-Cloud. The very fact that the UK Cabinet Office has chosen not to pursue such a formal strategic policy in the roll-out of cloud services suggests, rightly or wrongly, that it just doesn't think that the cloud is ready for the big time yet. By stating 'cloud first' the US government has stamped the system with a great big badge of trust. The UK has given a much more mixed message, and one that simply does not provide the same feeling of confidence.

When Denise McDonagh talks to business leaders about favouring the cloud first stance it comes as no surprise, she is the programme director for G-Cloud, and she's to be applauded for her vision of the CloudStore as the government store for "all IT in government, not just the Cloud". But although McDonagh is all in favour of a 'GovStore' in the cloud, the Deputy CIO of the UK government, Liam Maxwell and the head of government innovation and delivery, Mark O'Neill, speaking at the exact same conference as McDonagh suggest that the benefits of the cloud should be so obvious to public sector organisations and government departments that they come to their own conclusions that it's the better delivery route.

While I don't actually agree with this approach, and survey after survey would appear to suggest that far too many IT decision makers are still stuck at the cloud security hurdle, I do think that Maxwell has his head screwed on an pointing in the right direction over one important issue: the over-engineering of the accreditation process. With suppliers having to jump through numerous security hoops to become accredited, it's no surprise that relatively few have been successful to date. Maxwell has spoken of the need to "make the use of security in our applications more rational" and change the current system which has a tendency to "over securitise" the services available via the G-Cloud.

If all the people involved with running the G-Cloud could get together and knock heads to the point where a simplification of the security measures (and simplicity is always easiest to understand and therefore sell) is coupled to a firm cloud first commitment, I think that the second birthday could really be a cause for some celebration. At the moment, and given the relatively slow start that CloudStore has experienced, I think it's way too soon for balloons and cake...

Davey Winder

daveywinder (2).jpg

Davey Winder has been covering the IT security beat for the last 20 years. Along the way he has won the 'Information Security Journalist of the Year' title no less than three times, and in 2011 was bestowed with the Enigma award for his lifelong contribution to information security journalism.