Unravelling complex legacy systems and rising concerns over the management of sensitive customer data have emerged as major challenges for the deployment of cloud services in the three biggest Australian jurisdictions, according to a major study commissioned by Macquarie Government.
The study by Ovum’s respected chief analyst, Kevin Noonan, looked at the progress the NSW, Victorian and Federal governments are making toward migrating their technology services out of servers located in their own premises, to cloud environments leased from external providers.
Migration of services to the cloud is seen as a central enabler for digital innovation, freeing agencies from having to manage ageing systems and equipment, and empowering the innovation that comes built-in with many cloud services.
It is also critical to ensuring constant upgrades of services and for designing security into government systems at the core. Combined with network virtualisation, cloud migration is a signifier of just how digitally ready an agency’s technology base is.
Noonan polled government CIOs and, along with his own data, found that agencies were moving basic internal and external services but that the complexity of legacy systems and data sensitivity worries are proving to be major obstacles to large-scale cloud migration.
This means government faces a long period of hybrid system overhead as agency leaders press for services to be integrated and intelligence to be embedded into systems from data.
Cloud gets interesting
Noonan found that compared with a similar federal Macquarie Government study in 2015, public agencies now accepted the inevitability of the transition to cloud, no longer transferring workloads out of their own services because of central government policy. At the time, Noonan described it as a “forced march” imposed by central agency edicts.
“If you move forward to this current survey, across all three governments, that sort of sentiment has completely gone. We’re now starting to look at all three governments rolling up their sleeves and thinking about how we can do cloud. So, it’s moved from why to how, and that’s I think the really big discussion change that has happened.”
Aidan Tudehope, managing director of Macquarie Government, agreed the level of maturity of conversations with agencies seeking to move workloads to cloud was at another level from three years ago.
“Agencies now have a much clearer eye to how cloud fits as part of their overall environment, rather than simply putting their toes in the water with discrete projects,” Tudehope said.
Listen to Tom Burton’s interview with Kevin Noonan
Strategic or operational?
The Ovum survey across the big three Australian jurisdictions found quite distinctive approaches, reflecting their history and leadership approaches.
“We’re seeing in the federal government, a very strong focus on operational transition: how do we get the architecture right, how do we get the finances right, what do we do about CapEx, OpEx? All of this sort of stuff is top of mind for federal.”
Significantly, this was being driven by individual agencies, rather than by a broader strategy.
Noonan found the two big state governments have more strategic intent, with NSW very focused on services and increasingly the role of data, and Victoria the most strategic — being the only jurisdiction to list functional business owners as the primary trigger for cloud investment, ahead of IT operations.
“For New South Wales, it’s a very practical, digital transformation. Not so much about the words; it’s about getting on with it. Whereas federal is really an IT-driven piece of work: how do we get our systems across? New South Wales is more about how do we get our services across?
“Victoria is standing back a little bit and saying, ‘Well, okay, this is about a bigger digital transformation agenda’ and so they’re involving business a lot more. They’re really starting to think about, how do we change government overall? And then they are focusing from that perspective.”
Noonan says no one approach is necessarily better than another, but shows the variations in jurisdictional approach.
Cheap cloud disappears
Noonan’s study also revealed that price is no longer an impetus for cloud take-up: “If we cast our mind back to the 2015 study, one of the big issues in 2015 was cloud equals cheap. So, it was just a commodity cost saving. These days, price or cost is a middle to lower issue, because it’s becoming abundantly clear that once you put all the cost together, the cloud is not particularly cheap.
“But if you start to look at risk, agility and the whole of life costs of delivering a service, then cloud comes into its own. So, we now need to start to link cloud back into broader government policy and strategy in order to get the best value out of cloud.”
The elephant in the room: sensitive data
Across all three jurisdictions, legacy complexity and the management of sensitive consumer data and information have emerged as the largest challenges for cloud migration. This comes as all government agencies are under intense scrutiny around privacy and security issues, deeply influencing senior levels of government, most notably Canberra.
At the same time, security in the cloud context has emerged as a paradox. While properly-established cloud systems are generally considered to be less prone to attack, Noonan explains that public agencies are having to now consider the nature of their data holdings before they move them off premises.
“When you’ve got your data within a government-controlled data setup, you can manage it because it’s your own staff and your own procedures,” Noonan said.
When sensitive data is migrated to external cloud providers, agencies still bear the ultimate responsibility for ensuring access is granted to staff who are appropriately vetted and data cannot be accessed offshore, Mr Tudehope said.
“Once you start to move the data out into a commercial operation into the cloud, we now have to start to think about some of this data is quite different. Some of it we have to care about deeply, in a privacy and security sense. Some of it, not so much.”
Noonan explained that at the federal level, data has been broadly well classified — in part because of the greater influence of the Australian Signals Directorate (ASD) and national security concerns — so it is relatively straightforward to migrate data into cloud environments.
At the state level, however, CIOs are reporting that up to 30 per cent of their data holdings would be substantially impacted if compromised. This is a similar characterisation to the federal government’s protected status, but in many government information it has not been classified as such. According to Noonan, the self categorisation by state CIOs reflects the data that comes from the large frontline focus the states have around health, education, justice and social services.
Managing segmented data pools into hybrid cloud environments will mean state agencies will need to be confident of the underlying data sensitivity. And a major architectural challenge for system designers.
Asked what impact that meant for cloud vendors, Noonan suggested: “Once we get to the point of saying some of the data is different, we now need to start to think about a multi-cloud solution. And start to think about different vendors who are good at different things.”
“We can get cost savings and architectural savings by going with particular vendors, then if there is particular data that needs a particular level of security, maybe we need a vendor that has the classification coverage, that does that sort of stuff.”
“So, there’s a halo effect (for vendors) because not only does the government need to be doing the right thing, it needs to be seen to be doing the right thing as well. And having a tick in the box of government accreditation in some form or other, is a wonderful thing.”
Noonan said certification by ASD was overwhelmingly seen as significant for state and smaller agency procurement. “Not only does it provide value, but it also implies that it provides the all-important tick in the box of some levels of certification.”
Legacy trumps everyone
While more than half of respondents reported favourable workload cloud migrations, there were many agencies having problems.
Noonan said vendor issues rated low but system complexity and the new skills needed for the cloud environment were challenging many government agencies: “The vendors actually are stepping up and doing the right thing. So, we can’t beat up on the vendors for the problems.
“When we started to look at the high-rated issues, they all tend to relate around the complexity of the job, the cost of the job, of just moving stuff across and getting things working.”
“So, unpicking legacy systems and unpicking that spaghetti code is a challenge. Unpicking the infrastructure and trying to deal with that. And then the bill shock of people moving to the cloud but not having the processes in place — to manage billing, to work out the turn-off service, to gain the savings — they just haven’t got all of those things in place yet.”
New digital skills needed
Virtualisation of systems and networks are totally software-driven and need very different skills and practices to traditional ICT.
Noonan found CIOs having to juggle two work groups: “Skills came up as a big one for us, and, in particular in the one-on-one discussions that I’ve had.
“And it was put to me like this: ‘Okay, we’ve got great architects and great developers who are really accustomed to on-premise work, now we know that we have to shift to the cloud, so we need a new set of skills. But we can’t afford to pay both, so somehow we’ve got to get over this hump. We have to create new skills and keep the existing skills for our existing work … and we’ve got a diminishing cost envelope to run all this within. So, we now need to look at our vendors, to give us some help and support here because we can’t do it all ourselves’.”
With the report stating that only about 20 per cent of all workloads in public agencies are sitting in the cloud, there will be a long period of hybrid operations. Noonan says this will have significant network and architecture impacts for each jurisdiction, especially as they seek to integrate services across multiple tiers of government.
“We have a really big challenge, where we have legacy systems sitting on the premise or elsewhere. We have other parts of our system sitting in the cloud.
“If we haven’t got the network sorted out correctly, we’re now getting into the problem of APIs that are reaching out right across the internet, and we’re having all these delays as two systems try to talk to each other, via the internet.
“We now need to start thinking about both our choice of cloud vendors, and our choice of architecture as we transition. To start to think about ways of managing the network in a more creative way. So, it’s not just about being up, it’s about being the best network we can.”