Cloud computing – reliability, security and data protection
11th December 2012
CONDITIONS FOR USE OF TRANSCRIPTS:
This document is intended to provide a timely reference for interested parties who are unable to attend the event to which it refers. Some portions are based on transcripts of proceedings and others consist of text submitted by speakers or authors, and are clearly marked as such. As such, apart from where it is indicated that the text was supplied by the speaker, it has not been possible for the transcript to be checked by speakers and so this portion of the document does not represent a formal record of proceedings. Despite best endeavours by Westminster eForum Projects and its suppliers to ensure accuracy, text based on transcription may contain errors which could alter the intended meaning of any portion of the reported content. Anyone who intends to publicly use or refer to any text based on the transcript should make clear that speakers have not had the opportunity for any corrections, or check first with the speaker in question. If in doubt please contact the forum first.
Contents
About this Publication
Agenda
Session Chair’s opening remarks
Nigel Adams MP, Vice-Chair, PICTFOR (transcript)
Cloud computing, Enterprise 2.0 and digital convergence in the workspace
Mac Scott, Associate Director, CIO Advisory, KPMG (transcript)
Next steps in the evolution of the ‘G-Cloud’
Andy Nelson, HM Government Chief Information Officer (transcript)
Questions and comments from the floor (transcript)
Implementing cloud computing - challenges, savings and value added
Dr Mark Ferrar, National Technology Officer, Microsoft UK (transcript)
Cloud adoption for UK business and government
Andy Tait, Head of UK Public Services Strategy, VMware (transcript)
Peter Dawes-Huish, Chief Executive Officer and Chairman, LinuxIT (transcript)
Richard Jones, Senior Associate and Director of Data Privacy, Clifford Chance (transcript)
David Wilde, Chief Information Officer, Essex County Council (transcript)
Dr Louis Samuel, Chief Architect Software, Services, and Solutions Business Group (S3G), Alcatel-Lucent (transcript)
Questions and comments from the floor with Dr Mark Ferrar, National Technology Officer, Microsoft UK and Mac Scott, Associate Director, CIO Advisory, KPMG (transcript)
Chi Onwurah MP, Shadow Minister for Innovation, Science and Digital Infrastructure (transcript)
The European digital agenda for cloud computing
Ken Ducatel, Head of Unit, Software and Services, Cloud Computing, DG Connect, European Commission (transcript)
Questions and comments from the floor (transcript)
Creating a legal framework for a ‘cloud active’ Europe
Stephanie Liston, Senior Counsel, Charles Russell (transcript)
Conor Ward, Partner, Hogan Lovells and Chair, Cloud Industry Legal Forum (transcript)
Professor Ian Walden, Professor of Information and Communications Law and Head, Institute of Computer and Communications Law, Centre for Commercial Law Studies, Queen Mary, University of London (transcript)
Thomas Boué, Director of Government Affairs, EMEA, BSA | The Software Alliance (transcript)
Questions and comments from the floor (transcript)
Session Chair’s and Westminster eForum closing remarks
Chi Onwurah MP, Shadow Minister for Innovation, Science and Digital Infrastructure (transcript)
Edward Rees, Forum Lead, Westminster eForum (transcript)
List of Delegates Registered for Seminar
Contributor and Westminster eForum Biographies
About the Core Sponsors of the Westminster eForum
About this Publication
This publication reflects proceedings at the Westminster eForum Forum Keynote Seminar: Cloud computing - reliability, security and data protection held on 11th December 2012. The views expressed in the articles are those of the named authors, not those of the Forum or the sponsors, apart from their own articles.
Although Westminster eForum is grateful to all sponsors for the funding on which we depend, participation in events and publications is never conditional on being a sponsor. As well as funding ongoing operations, sponsorship enables the Forum to distribute complimentary copies of publications, and offer complimentary tickets for events, to Government ministers, parliamentarians and officials most involved in policy.
This publication is copyright. Its copying, in whole or in part, is not permitted without the prior written consent of the publishers. However, extracts of the text may be reproduced for academic or review purposes, subject to the conditions of use outlined in the previous page, providing they are accurate, are not used in a misleading context and the author, their organisation and the Westminster eForum are acknowledged. We would also appreciate being informed.
Cloud computing - reliability, security and data protection
Timing: Morning, Tuesday, 11th December 2012
Venue: Sixty One Whitehall, London SW1A 2ET
8.30 - 9.00 Registration and coffee
9.00 - 9.05 Session Chair’s opening remarks
Nigel Adams MP, Vice-Chair, PICTFOR
9.05 - 9.15 Cloud computing, Enterprise 2.0 and digital convergence in the workspace
What are the emerging trends in workplace computing? What are the implementation challenges and costs? How far are efficiency savings created by the new software solutions being realised and quantified?
Mac Scott, Associate Director, CIO Advisory, KPMG
9.15 - 9.45 Next steps in the evolution of the ‘G-Cloud’
The challenges ahead as the government aims to develop larger framework deals for government cloud services and move half of all government IT spending into cloud services by 2015.
Andy Nelson, HM Government Chief Information Officer
Questions and comments from the floor
9.45 - 10.00 Implementing cloud computing - challenges, savings and value added
Examination of the issues faced in implementing a cloud strategy in a large organisation, the costs in terms of purchase, training and ‘downtime’, and results seen.
Dr Mark Ferrar, National Technology Officer, Microsoft UK
10.00 - 10.55 Cloud adoption for UK business and government
How competitive is the UK’s regulatory regime for attracting data centres and the establishment of cloud computing businesses? How can British companies involved in cloud services - SMEs in particular - capitalise on UK competitive advantages, trusted data protection and legislation to grow internationally? Will proposals in the EDPF (European Data Protection Framework) Review have a negative impact on the attractiveness of the UK and other European countries to cloud operators who wish to utilise user data for purposes such as data mining? What will be the impact of the CloudStore and the government’s ‘cloud-first’ strategy on UK industry and government IT procurement? What are the emerging priorities for G-Cloud development to improve service delivery? What lessons can be learned from the different use of cloud computing by central and local government?
Andy Tait, Head of UK Public Services Strategy, VMware
Peter Dawes-Huish, Chief Executive Officer and Chairman, LinuxIT
Richard Jones, Senior Associate and Director of Data Privacy, Clifford Chance
David Wilde, Chief Information Officer, Essex County Council
Dr Louis Samuel, Chief Architect Software, Services, and Solutions Business Group (S3G), Alcatel-Lucent
Questions and comments from the floor with Dr Mark Ferrar, National Technology Officer, Microsoft UK and Mac Scott, Associate Director, CIO Advisory, KPMG
Chi Onwurah MP, Shadow Minister for Innovation, Science and Digital Infrastructure
11.35 - 12.00 The European digital agenda for cloud computing
Following the launch of the Commission’s Cloud Computing strategy and one year on from Commissioner Kroes’ Davos announcement of the European Cloud Partnership, what progress has been made in the creation of a ‘cloud active Europe’ and what are the priorities for 2013?
Ken Ducatel, Head of Unit, Software and Services, Cloud Computing, DG Connect, European Commission
Questions and comments from the floor
12.00 - 12.55 Creating a legal framework for a ‘cloud active’ Europe
To what extent is user uncertainty on the legal framework underpinning cloud computing a barrier to wider deployment and development in the sector? How far will principles for data protection proposed in the EDPF Review deliver a legal framework for cloud computing in Europe? What are the options to address cross-border legal jurisdiction challenges - between users, data centres and vendor headquarters? What are the next steps to creating cross-provider standards in cloud computing to enable data portability, harmonisation of standards and to engender trust in the technology? What are emerging challenges to the creation of standardised SLAs (Service Level Agreements) and EUAs (End User Agreements)? What role can central and local governments play, as a major procurer of services, to assist SLA and EUA standardisation?
Stephanie Liston, Senior Counsel, Charles Russell
Conor Ward, Partner, Hogan Lovells and Chair, Cloud Industry Legal Forum
Professor Ian Walden, Professor of Information and Communications Law and Head, Institute of Computer and Communications Law, Centre for Commercial Law Studies, Queen Mary, University of London
Thomas Boué, Director of Government Affairs, EMEA, BSA | The Software Alliance
Questions and comments from the floor
12.55 - 13.00 Session Chair’s and Westminster eForum closing remarks
Chi Onwurah MP, Shadow Minister for Innovation, Science and Digital Infrastructure
Edward Rees, Forum Lead, Westminster eForum
Westminster eForum’s opening remarks
Edward Rees, Senior Producer
Okay, hello, good morning everyone, thank you for coming.
My name’s Ed Rees, I’m Forum Lead here for the Westminster eForum. I’ve got a couple of business announcements to start us off with.
Everybody will get a copy of the transcript of today’s events which will be sent to you in the next week that’ll include a copy of everything that’s said and PowerPoint presentations from the morning. Anyone can submit a 600 word article to include in this document which will go round to everyone who attended today and anyone who couldn’t attend on the day but would like to be involved in this area, we also send it round to quite a few parliamentarians so it gets quite widely distributed.
I’ve got a word of thanks to the core sponsors here at the Westminster eForum who provide us with a lot of helpful insights into seminars we set up, these are Arqiva, BBC, BT, Clifford Chance, ISBA, KPMG and O2.
Also if you’re speaking today I’d ask that you turn your mobile phones off when you’re on stage just to stop interference and when you’re in the audience I would ask that mobile phones are muted to stop disturbance in the transcript today.
That’s really it from me, I’ll pass over to our Chair for the morning, Nigel Adams.
Session Chair’s opening remarks
Nigel Adams MP, Vice-Chair, PICTFOR
Morning everybody.
This is the third in a series of seminars that Westminster eForum have put on with regards to cloud computing. By way of introduction I’m Nigel Adams, I’m the Member of Parliament for Selby & Ainsty, which will draw blank faces, that’s in Yorkshire for you southerners which is roughly 2 hours on a train so it’s not too far away and I am one of the Vice Chairmen of PICTFOR. Prior to coming into parliament I ran an ICT business, a number of ICT businesses.
So I have an industry perspective, I’m not a professional career politician who’s ever since being at school desired to get into politics, my background is in the real world so this to me is a real key interest and by the looks of the agenda you have you’re certainly going to get your money’s worth today in terms of the number of speakers we’re going to have in this first session, three speakers and a Q&A session with the government’s CIO which I think you’ll find really interesting, we’re lucky in that we’ve got a number of people taking part this morning both from central government, local government and very importantly from the industry so we’re going to be discussing security and reliability and clearly something that’s very important to the people out there, data protection.
So I think without further ado if Mac is around from KPMG who’s going to talk to us about digital convergence in the workspace, so Mac, very welcome.
Cloud computing, Enterprise 2.0 and digital convergence in the workspace
Mac Scott, Associate Director, CIO Advisory, KPMG
Morning everyone. I’ve got 10 minutes to talk about cloud computing, Enterprise 2.0 and digital convergence in the workplace so that’s quite a lot for 10 minutes, hopefully it will keep everyone awake. I don’t quite know why I agreed to it but we’ll see. Okay that’s just the list.
So first thing, Enterprise 2.0. The Enterprise isn’t one thing when you talk about it from an IT point of view, everybody talks about cloud like it’s one thing, everybody talks about the Enterprise like it’s one thing. There’s at least 10 different parts of the Enterprise, we use this model quite a lot, it’s not rocket science it’s kind of adaptation of a number of things. Going from top to bottom, there’s stuff that happens at group or central level, that’s the stuff that everybody in the organisation uses, stuff that happens at region or it could be common or it could be within a sub business unit of an organisation and then stuff that happens in country or it happens in a specific part of the organisation. And then the stuff on the right which is IT generic, things like email, collaboration, that sort of stuff, stuff in the middle which is business generic, HR, finance, payroll, every business has to do them. By the way if I keep referring to business I do most of my work in the private sector but I think a lot of the messages are the same. There’s the stuff you have to do to operate the business but it doesn’t actually differentiate yourself in the market place or add significant value.
And there’s the stuff on the left which is the stuff that really makes the business tick. The more up and to the right you go, the more you standardise, the more you centralise, there’s no point in trying to be different there, the more down and to the left you go the more you have to localise, the more you have to differentiate and then the not insubstantial one that goes around the middle which is quite often forgotten which is no 10, I don’t know why that’s at the back of us there should be no 1 which is integration, it’s actually making all of that work for the various parties within the organisation.
So when you map that on, this is just one mapping for one client, if you map that one to things like software as a service, platform as a service, infrastructure as a service, different parts of cloud work well in different areas. Trying to take software as a service proposition and apply it down here on the bottom left hand corner when you’re trying to be different and local with a smaller number of people, probably not going to work. Stuff at the top right, economies of scale, centralised standardised will work. I think that’s kind of… there’s one message you take away from the 10 minutes it should be that.
So the emerging trends in the workplace, bring your own device, I’ve brought mine today, it’s not KPMG standard piece of kit, there’s probably a security alarm going off somewhere. How many people here just use one device and every day? How many people use 2? 3? 4? 5? There’s always one. I mean you get on the train there’s people with two phones, an iPad, laptop, sometimes 2 laptops, there’s… Gartner are saying 1.2 billion smart phones will be purchased in 2013. People are expecting to use those, not just for the work they do at home but also other stuff as well, you know, so we’ve got to integrate those with the workplace. The workplace is no longer a place, it’s a mind-set that somebody’s in when they’re at work or at home or travelling. This isn’t simple. In most organisations bring your own device is not seen as a cost outlay, at best it’s seen as cost neutral, seen as having a lot of strong HR factors, it’s very strong in generation Y which I sadly don’t fall within and also green, you know, why give people 2 smart phones, 3 smart phones, 2 laptops, if we can make it all work there’s a green agenda there as well. There are some issues, tax implications etc, my email address by the way is at the back so if anybody’s got any questions that aren’t answered at the end session I’m happy to take those as well.
This multitude of devices is increasing complexity for IT, it’s no longer just a lockdown desktop with a single operating system that we’ve got to deal with, we’ve got to target multiple devices, multiple operating systems, the graph on the right, the orange is Android and the blue is iOS or iPhone and just showing that you know both are growing significantly that’s… these are figures for the US I think in millions in terms of the market penetration so there isn’t just one smart phone device that most organisations are having to deal with. But this has been done for strong business reasons, Barclays just recently ordered 8,500 iPads, they didn’t do that because they thought it would be nice for their staff to have them, because they’re going to be doing lots of things at point of sale.
Always connected, that would be really good if it worked. My experience of 3G, I come down from Manchester as it varies at various places but the model is moving to that. If you go to software as a service model you’re presuming always connected so this is a major infrastructure issue for governments and for suppliers worldwide but it’s also major issues for the support of those aspects. If I’ve got a chief, a CEO out in the field and the only way he can work is with software as a service then I could have some issues if he goes to some countries.
Other things, new security model is required behind all of this. Previously we tried to protect everything so we tried to drum currently in many organisations we still use the same model, we try and protect the whole boundary it’s a bit like, I put this together, a bit like the Roman Empire, Hadrian’s Wall, Antonine Wall, you know some of these protection areas are poorest because what’s happening is the organisation is no longer one organisation, you see companies forming partnerships using consultants, using contractors, using associates, JV’s, stuff that’s set up for a few months and then moves onto something else. The organisation is no longer one entity so therefore protecting that boundary becomes very complex, it becomes even more complex when you put in all of the devices always connected, people working remotely.
So what we’re seeing is a move to kind of going back to gathering up the wagons, all the core sensitive data held safely within a data centre or a secure site you know you can trust, not trusting the network, not trusting the device, using certificate based authentication to identify a person, work out what device they’re on and what rights they have there and then if there is any data on the device that’s persistent making sure that’s encrypted so if the device is lost you don’t lose the data.
Implementation costs and challenges, application design. Traditional monolithic applications don’t fit well within the new model. The idea that, you know, at the moment we use applications of proxy for security, a person logs into the application, that gives them rights to data. In the new model that data’s all over the place if you take on the big data it could be in multiple locations but it has to be a new model. I’m for saying SAP are going to go out of business anytime soon but there’s a lot of companies spending a lot of money deconstructing traditional applications to be more in components and also putting certificate based systems that actually authenticate the user’s rights to access data, not the user’s rights to run an application.
Integration, big issue which I think talked about enough already but we’re talking about multiple suppliers, multiple technologies, emerging standards, I mean, I think it’s very good in G-Cloud and the stuff that’s happening in the Government in the US and the UK because standards can be set there but if I look at retail finance at the moment in the UK, it’s opportunities to use cloud are constricted quite a lot because of agreement on standards, agreement on security etc. I know the movement’s there but it is still an issue. The other thing which is, I’m steering away from some of the common stuff here by the way, I’m not denigrating security, I’m not denigrating you know data lock in, there’s a load of other stuff, I’m just trying to talk about some of the stuff that doesn’t always get talked about.
The other issue for me I think is commercial. The old school model for IT was that you had a single contract with a single IT provider, you negotiated that and won jurisdiction, there was a bit of a bun fight between you and suppliers about what the terms were but everybody knew what the rules were, it was that contract and it was within that legal entity, between the two legal entities and it was within that country. If you go to Amazon and ask them to accept your T’s & C’s, so you go to Google and ask them to accept your T’s & C’s, there’s going to be a long wait. If you go to some of these companies and ask them to sign an NDA it won’t even do that so there is a big issue here and what you’re getting is a load of companies who are building up strong market share in technology that you want to use, they’ve got their T’s & C’s in their jurisdiction to their terms and their model is to take it or leave it. Now if you’re big, government, you’ve got some play, if you’re small, single company, that’s difficult. So what’s happening at the moment is within the private sector is how do we kind of mix all those together to understand the contractual framework and then integrate that in terms of the service that we deliver?
Are cost efficiencies and savings being realised? Well the answer is yes, down at the bottom right, the client I’m working with at the moment, moving 500 servers from a traditional outsourcing environment into a private cloud environment, saves them 75% of their running costs. The interesting thing about private versus public, if they switched it to Amazon or Google it’s only about + or – 5%, it’s a bit saving, it’s getting out of that old model and into the new model. This is a 3 year lock in so it’s pretty good pricing but it’s 75% saving, that’s a big saving. If you’re a start-up, you know I set up my own company years ago, you buy a server, you buy some software, you configure it, you can get your credit card out now and you can have Enterprise level CRM, Enterprise level HR, all of these things on a per pay basis per user just by getting your credit card out so I think for SME’s and start-ups it’s great but some of the things that people are expecting on bring your own device is a hope that support costs will drop but that’s… I don’t think that’s proven yet so the hope is it will drop because people will value the device more and will be more self-supporting but there’s a complexity issue there, there’s a hope the devices will last longer but on top of that we’ve got the investment that’s required for the security model and there’s investment that’s required for the new application model so if you’re sitting on an old legacy estate with investment in applications and investment in technology there’s a big transition to make from the ‘as is’ to the ‘to be’ and that’s going to require a capital investment to then gain the operational savings that are going to come from the new model. The biggest issue though is running the two models at the same time is probably the worst place to be because you’ve got all the costs of the old model and you haven’t really got the benefits of the new model yet so be careful about that.
Another one I think which is, there’s perception that you only get the economies of scale and you only get the value with public cloud. Really great UK story, it’s a design by a Nottingham based company deployed in Cambridge for a UK company, ARM, have a 2 megawatt data centre, there’s a PUE, that’s a power efficiency the data centre of 1.08, that’s as good as the best that Google can do and a 2.2 megawatts that Google is an annex to side part of a data centre.
So if you want to understand, there’s a great guy, Joe Weinman, Cloudonomics, he’s got a lot of stuff there, some of it’s a bit left field but there’s some really good stuff on the economics of cloud and how it works.
So a final message, efficiency and cost savings are there, they’re definitely there, they’re there for SME’s and they’re there to move from the old model to the new model but the opportunities for missing those are significant, if you get stuck half way, it’s the worst place to be.
Nigel Adams, MP: Thank you very much Mac, thank you. I feel terrible if you’ve come from Manchester and we’ve just given you 10 minutes, that’s a long way to come but I’m sure Mac will be around later on for lunch for a chat. Now we’re extremely fortunate to have Andy Nelson with us this morning, he’s a Government CIO and he’s going to speak for 20 minutes on how we’re going to get half Government IT spending into the cloud before the next election Andy, and then we’re going to have 10 minutes questions afterwards, so over to you Andy. Thank you.