The government’s decision to reduce pan-government accreditation requirements sends the wrong message, according to James Walker, president of the CloudEthernet Forum.
Any small business still worried about migrating to cloud services must have felt reassured by the British government’s “Cloud First” policy announced in 2011 – with the aim to shift half of IT government spending to cloud-based services by 2015.
To further emphasise this commitment, the mandate was to comply or explain: so central government purchases should go to cloud services unless it could be shown that the alternative was more cost-effective.
In addition they launched the G-Cloud CloudStore, listing accredited products that allow public sector organisations to buy approved services without having to go through all the customary tendering processes.
This is a fine example of the far-reaching benefits provided by standardisation or certification of goods and services.
The busy buyer feels more confident buying something that has a seal of approval, especially if a first time buyer of relatively new technology. In this, case government departments can press ahead with cloud migration with fewer bureaucratic delays.
Part of the assurance offered on CloudStore was that services could have pan-government accreditation (PGA) meaning that they have been recognised as suitable for government data up to a specified “business impact level”.
The CloudStore web site states “Any services procured which have not achieved pan government accreditation are purchased at the risk to the consumer.”
PGA must be very comforting to a business with responsibility for handling public data, to know that specialists in the field have decided that the service is appropriately secure for the work in hand.
Without PGA the buyer becomes responsible for working out for themselves whether the services offered are suitable for the sort of information and privacy levels they are handling. That –with all the complexities of IT, of hacking threats, of cyberwar and data legislation – could be a major worry.
From July this year, however, G-Cloud stopped providing PGA. Instead the suppliers are required to self-assert how their services meet required security principles. In turn, the buyers themselves are now responsible for assessing the appropriateness of the services. Is this really a good idea?
In June, the Government Digital Service held a round table discussion with suppliers and it highlighted the need for the public sector to make informed decisions on the sensitivity of their information, and concerns were raised about the risks in both government and private sector from a shortage of skills and understanding about security and its legal consequences.
But the reassurance of PGA was being removed at the same time as it was recognised that there might not be skills available to make the necessary decision choices without PGA.
It is an interesting and important debate, but it is also just one example of the much more serious long-term risks faced by the entire cloud computing ecosystem.
For all the hype, cloud computing really is a “game changer” and every bit as significant for the IT industry, business and society as the shift from mainframe computing to PCs in the 1980s.
That shift was not just about business machines, but about the whole future of hierarchical management structures. So it is worth looking back to what actually happened with the arrival of the PC and why it took nearly ten years for the market dust to settle.
The advantage of the PC was soon realised, and sales began to take off, but the market became fragmented with incompatible offerings by IBM, Apple, Apricot and others. It took time for the IBM PC and the Microsoft operating system to win this “platform war” and become the de facto standard for business buyers.
Even then, Apple still held a niche and some argued that “market forces”, while selecting a clear victor, had not delivered an operating system truly optimal for business purposes.
Picking up the crumbs
A similar problem could result in the fragmentation of the cloud market. AWS, Google and Microsoft together accounted this year for some two fifths of all ethernet ports shipped worldwide.
That gives some idea of the massive investment they are making in their cloud services, and yet the total being less than 50% also tells us that not one of these giants is yet big enough to dominate the scene and dictate its own cloud connectivity “standards” for global usage.
So we face another possible platform war. When cost and choice become the user’s primary decision criteria, rival platforms can rarely co-exist, and certainly not on an equal footing. Winners can grab up to 70-80 percent market share, leaving crumbs to one-time market leaders, as happened with Apple in the early 90s.
The parallels between this scenario and the CloudStore issue are clear. Without basic standards to provide guidance, the IT buyer is forced to make difficult decisions with possible long-term implications. In the 1980s it was the problem of deciding which PC operating system would best suit the organisation’s long term needs.
Now it is to decide whether AWS, Google, Microsoft or another would be the best cloud service provider.
Of course one might opt for “best of breed”, allowing different departments to select the cloud offering best suited to their own specific needs – an attractive short term solution but one that invokes all the fragmentation problems of BYOD and “shadow IT”.
The alternative for the cloud community would be to find a better balance between competition and co-operation. Taking the outstanding success of carrier ethernet as an example: that happened because vendors and carriers collaborated to create and certify global standards in a standards body (the MEF) – rather than battling each other to see whose technology could take the lead.
You could still call it “winner takes all”, but here the winner was everyone: the users who could buy certified services and equipment without having to waste time choosing technologies, the service providers and vendors made faster sales, and world business for the acceleration of high performance, lower cost WAN services brought about by Carrier Ethernet. And in fact Carrier Ethernet is a big contributor to cloud infrastructure today.
The successes of FaceBook, YouTube, eBay, Amazon, Google, NetFlix, Skype and others reveal the many ways the cloud can support the business environment. But for the long term we should be asking not how the cloud CAN work, but rather how it SHOULD work.
The MEF did not simply ask “what might be possible with ethernet?” it went on to ask “what characteristics should ethernet have if it is to become the world’s WAN transport of choice?” The way forward for the cloud should be similar, and this is the vision that has brought together so many and diverse cloud stakeholders to form the CloudEthernet Forum (CEF).
The CEF believes in a dynamic and competitive cloud market, but it should also be supported by a collaborative process that involves every type of cloud stakeholder – customers as well as providers and carriers – in order to ensure that cloud development is not only fast and well-targeted but also leads to an open market based on universal standards and certified conformance to recognised needs.
The CEF has already laid the groundwork by identifying five fundamentals to be considered, under the headings: Virtualization, Automation, Security, Programmability and Analytics (VASPA). It has also paved the way for global cloud standards as an on-going iterative process based on a feedback loop involving an evolving cloud reference architecture, a reference test bed (the OpenCloud platform) and a growing set of “use cases,” real business needs that need to be solved.
For members of the CEF there is a clear benefit: the opportunity to be involved in the development and definition of future cloud services. But for industry, government and society as a whole there are also big benefits.
Any level of openness and interoperability between cloud services will make it easier to choose suppliers and solutions, without the fear of vendor lock-in and future business fragmentation from runaway shadow IT. And if the services and equipment can be certified to recognised global standards, then the choice is even easier.
Such standardization does not put a damper on the market, it helps it to grow.
Take the automobile market as an example: there is no end of choice between types of car – from SUV through family saloon to sports supercar – but whatever the choice, the buyer can be confident that any car sold legally will satisfy al the basic road safety and legislation criteria. Similar basic standards would provide a major boost to the cloud market.
Returning to the CloudStore issue: there is a real possibility that playing down the need for PGA could increase rather than decrease uncertainty.
Public sector buyers now have to make their own decisions as to what controls will deliver the most appropriate protection for their data, and they are likely to find this process of assessing, comparing and selecting from multiple suppliers more difficult in the absence of a single trusted, credible and rigorous assessment system.
For reputable and security conscious suppliers, these changes also make it harder to demonstrate how their security credentials accurately protect their services and their customers’ data in a less confident marketplace.
The UK government may have good reasons for its decision to reduce its accreditation standards for cloud services, but it does need to explain those reasons better. The cloud market is booming, but its growth could falter and fragment unless government adds its support to industry and business demands for global open cloud standards.
James Walker is vice president, managed network services for Tata Communications and president of the CloudEthernet Forum