Since 2013 the UK Government’s flagship ‘Cloud First’ policy has been at the forefront of enabling departments to shed their legacy IT architecture in order to meaningfully embrace digital transformation. The policy outlines that the cloud (and specifically, public cloud) be the default position for any new services; unless it can be demonstrated that other alternatives offer better value for money.
The policy has served the Government well and has also given rise to the UK’s Digital Marketplace and frameworks such as GCloud, Digital Outcomes & Specialists and Digital Services, all continue to help the UK government to adopt best of breed technologies whilst achieving cost savings.
Yet recently it has become apparent that this Cloud-First approach has resulted in some unexpected consequences due to three separate, but interlinked, events. Combined they have the potential to create something of a data storm.
Why does this matter and why now?
The first is cloud concentration risk. The majority, if not all, of the UK government’s cloud services, and associated data, run on the ‘big three’ cloud providers, with one, in particular, assuming the lion’s share. The concern here is the over-reliance on one service provider to support key service, presenting not only operation risks for the government itself but a tangible impact on its ability to deliver services to citizens should anything happen.
Previously this arrangement hasn’t caused the Government any real headaches, but the recent European Court of Justice (ECJ) decision in the so-called “Schrems II” ruling effectively invalidates the “US Privacy Shield” programme which previously provided a mechanism by which US Companies (based in the US) were able to lawfully transfer EU data to the US and process it. Now, these companies are required to adhere to the principles of GDPR in order to legally transfer data to the US and process it.
Which brings me to the third contributing factor, there is currently significant uncertainty around post-Brexit data regulation and the UK’s data-adequacy status. Such a status has yet to be granted and without which, data transfers between the UK and the EU will not be lawfully permitted post-December 31st 2020. Without an agreed legislative route to allow data storage and processing in the US and EU, the UK Government will be left with one option; storage and processing within the UK only. Whilst two of the big three have UK data centres – what happens if they go down?
It’s fair to say that the stakes are high.
The serious nature of these implications has prompted action from The Government Digital Service (GDS) to review Whitehall’s strategies in the use of US-based public cloud providers and, crucially, the implications of conducting data transfers across borders. A similar review is currently being undertaken by NHS Digital looking specifically at the implications of the issues highlighted above on the storage and processing of Health data.
GDS will likely be looking at its cloud-first policy and specifically, it’s preference for public cloud, in order to understand if it can enable the Government to successfully mitigate complex data processing legislation and uncertain future playing fields.
Hybrid, Multi and Private Cloud environments give organisations much more flexibility and agility in where they host and process data and run their workloads which deliver critical services. Organisations may choose to run sensitive or complex workloads in traditional data centres whilst public-facing applications may be better suited to hosting in a public-cloud environment – Crucially, the movement of data and workloads between environments can be permitted which allows organisations to quickly respond both to changing requirements but also to changing legislation.
Perhaps the question then is not whether it should be cloud-first, but cloud appropriate?