Kate's Comment

Thoughts on British ICT, energy & environment, cloud computing and security from Memset's MD


A couple of months ago HP started rumors that the G-Cloud had been canned, but that is most certainly not the case. I have spoken to a number of government officials and can confirm that it is going ahead. But what will it actually be, and is that what it should be?

I was technical co-lead on phase two of the G-Cloud project. Miles Gray of the NHS (the other lead), the technical team and I proposed a fairly detailed architecture for the G-Cloud (here). There were some core principles that we felt were vital: it would not be a “thing”, but instead a collection of cloud infrastructures, services and applications, probably mostly provided by the private sector but with some public sector in there too, all bound together by open standards cloud APIs with an app store and services interchange at the heart. The Public Sector Network (PSN), the Government Secure Intranet’s (GSi) proposed successor, would be the unifying platform.

I am increasingly convinced that G-Cloud will happen. Martin Bellamy, Ministry of Justice official and previous G-Cloud project leader, thinks so, and Chris Chant, now head of the programme, certainly thinks so too! The public sector is already moving to cloud; there are a number of local government initiatives with pooling infrastructure resources and running shared services. A good example is Hampshire, who run infrastructure and services for a number of smaller local authorities, linked together via the Hampshire PSN.

There are two main features that make G-Cloud different to other government ICT projects, and which are why it will work:

1) There is no “big bang” spend. We, the supplier community, are making the up-front investments and then simply offering those services to government on a pay-as-you-go basis, with no requirement for long-term contracts. Therefore, there is little risk to government.

2) The G-Cloud services will be vastly cheaper than what government is used to paying, but will come with a seal of approval from CESG’s new Pan Government Accreditor body so that government customers can have some surety that the services meet requirements.

On the security front, working with the security work stream we proposed multiple G-Clouds, one per Business Impact Level. Applications, data, suppliers and users at similar security levels would be grouped together.

The core commercial tenet would be that government would not pay anyone up front to build any infrastructure or software, but instead would consume everything on a pay-as-you-go basis, with the app store doing the billing. Suppliers’ service quality record would be shared (a bit like eBay ratings), to enable cost-quality buying decisions, and supplier switching would be straightforward thanks to the disintegrated stack approach and standardized infrastructure and platform as a service (IaaS/PaaS).

The only parts that we envisaged vital for the government to own and control (to maintain its impartiality) were the app store / services interchange and the proposed “Pan Government Accreditor” – a centralized CESG body that would pre-certify G-Cloud components (IaaS/PaaS/SaaS, stand-alone applications, etc.). Cloud economics expert, Simon Wardley, of CSC’s Leading Edge forum, agrees that it is imperative that any app store remains centralized and government controlled.

I was therefore worried to learn at a briefing on PSN at last week’s Efficient ICT, Greener Government conference that Cable & Wireless are attempting to “do an Apple” and turn PSN into a platform where they offer 3rd party services, hosted on their infrastructure, to government, taking a slice of every transaction. Such plans should be resisted.

My other big worry about the G-Cloud was that they would only talk to the usual suspects – the large systems integrators that appear to have government ICT sewn up and have done a highly debatable job of delivering value – who I do not believe are capable of delivering the cost benefits of cloud. SMEs are going to be a vital part of the G-Cloud ecosystem, and as part of the technical architecture we envisaged ways to facilitate their entry. For example, by splitting up the stack, an innovative software development SME, once they and their application were pre-certified, would not need to invest in List-X data centres to offer a secure solution; they could partner with a pre-certified IaaS or PaaS supplier and get their solution into the app store.

So, what of SMEs? Well, as an SME who has recently been signed up to the IaaS/PaaS foundation delivery partner activities for the G-Cloud project, I am pleased to report that they are staying true to their word of assigning 25% of the contracts to SMEs. The next step is for our Miniserver VM® virtual server and Memstore™ cloud storage services to go through accreditation with CESG’s new pan government accreditor. Some of the commercial aspects also need to be finalised, but the aspiration is to be able to provide IaaS to government via the G-Cloud framework as early as January 2012.

So far, so good, but there are hurdles to enable pre-certification, and thus easy buying of cheap, secure services: i) EU procurement rules remain a problem, though a framework agreement is coming out imminently which will hopefully enable pre-certification; ii) Security responsibility needs to be centralized, but getting SIROs to trust the pan government accreditor would be a major culture shift; iii) The usual suspects have huge vested interests and appear to have convinced government that a 30-40% saving is acceptable. It is not. The government should actually be aiming for a 70-80% saving on their ICT spend from the G-Cloud. If done properly, G-Cloud has the potential to be hugely disruptive and could be saving the government £12bn per year by 2020.