Different cloud procurement strategies. Photo: Karl Hilzinger
The Australian and New Zealand governments are poles apart when it comes to cloud computing policy, with one prescribing centralisation, the other leaving it open for agencies to buy hotchpotch services from anyone.
The ideological differences go to the heart of the argument between economies of scale and centralised control, and potentially impact on data sovereignty.
The Australian Government Information Management Office (AGIMO) recently announced a data-centre-as-a-service procurement strategy (DCaaS), as part of a broader strategy which adopts a whole-of-government approach to save $1 billion over five years.
After a consultation process that started in November 2011 and involved 34 companies, the government concluded that a panel arrangement, where a lead agency is responsible for all government purchasing, would not provide agencies with the flexibility and agility needed to take advantage of new services as they become available.
Instead of a whole-of-government approach, the DCaaS strategy simplifies the process for suppliers to participate in the procurement process by using a standardised agreement and "template quotations", as well as a standard, post-delivery approval process. Importantly agencies can acquire services under $80,000 and/or 12 months without going to tender. This aims to remove "risk exposure" and the need for complex contracting and legal arrangements.
The aim is to empower agencies and suppliers to have better control of their technology purchases by removing the barriers that prevent the take-up of new technologies. The move met with support from the majority of suppliers and industry stakeholders, according to comments on the AGIMO website.
However, the new strategy will create a mess as agencies select a range of cloud providers, according to Datacom director Mark McWilliams.
"What happens then when the government wants to take advantage of things like collaboration, so they want to federate their [Microsoft] Lync link servers to make everything talk to each other, or to start using collaboration websites, like SharePoint or other tools," McWilliams said.
"If you've allowed all these small enterprises to just cast their stuff into the cloud wherever they like, then that job becomes virtually impossible."
"Not to mention the fact that if you've got these little tiny islands of compute all over the place, I think overall you're bound to be paying more than if you consolidated into a few suppliers."
He said the Australian government also risks losing control over data if an agency used a "cloud service broker", someone who hires cloud computing capacity from a distributor or wholesaler, he said.
"Some people are talking about cloud service brokers and how they're a really cool idea, I think it's a shit idea."
"That [broker] actually might then have their cloud hosted in a data centre which isn't theirs. Now you have a government agency interacting with an organisation who buys off a distributor, who buys off wholesaler, who buys critical services off a data centre provider.
"Now what's say the data centre provider doesn't get paid by someone along the chain, what does the government do, what recourse does the government have to walk in and get their data back? That's what people aren't thinking about."
Datacom, IBM and Revera were selected for a whole-of-government agreement to provide cloud computing services to New Zealand public services agencies late last year, and McWilliams said the centralised model means the government is always aware of where the data is hosted.
However, there are problems with the centralised model, according to Diversity Analysis principal Ben Kepes, who believes that it forces governments to choose between data sovereignty, or the benefits of economies of scale.
He said locally based services for one major customer can't match the cost efficiencies that can only be achieved by managing a large number of customers from around the world as does Amazon Web Services for example.
"[The New Zealand Government] is doing it because it wants to secure benefits, economies of scale in terms of whole-of-government contracts which is a great aim but one of the requirements is data be domiciled locally," Kepes said.
"I'd suggest that's a throwback to a traditional regulatory approach and unnecessary and unhelpful in a cloud age where it's all about gaining economies of scale and vendors in NZ in particular, but even in Australia, arguably don't have the scale to drive those economies."
"It's a tension between where is my data and how much efficiency can this new technology bring."
The Australian Defence Signals Directorate (DSD) recommends against outsourcing IT services and functions offshore, unless agencies are dealing with data that is publicly available.
It "strongly encourages" agencies to choose either a locally-owned vendor or a foreign-owned vendor that is located in Australia and stores, processes and manages sensitive data only within Australia, according to its Cyber Security Operations Centre Initial Guidance, April 2011.
It notes that "foreign-owned vendors operating in Australia may be subject to foreign laws such as a foreign government's lawful access to data held by the vendor".