Cloud computing storm
An e-mail sent to public servants warning about cloud computing services has caused uproar in the IT industry, writes JOHN COLLINS
ON A Thursday afternoon early last month an e-mail with the subject line “eTenders – Cloud Computing Warning” began to arrive in the inbox of public servants.
Sent by the National Public Procurement Operations Unit, which operates the Government’s electronic tendering website, eTenders, the brief communication said the Chief State Solicitor’s Office had advised “that issues such as data protection, confidentiality and security and liability are not necessarily dealt with in a manner that would be necessary for public-sector responsibilities” by cloud services.
The e-mail was quickly forwarded around Ireland’s technology industry. Not only are companies such as Microsoft, IBM and HP investing millions into research centres and data centres here to support the new model of delivering software and other services over the internet, but Minister for Communications Eamon Ryan last year identified cloud computing as one of six “pillars” that would drive the creation of a smart economy.
In fact, Ryan is understood to have been extremely annoyed at the message being sent out, and his advisers have moved to soothe the nerves of some of the major technology multinationals based here.
While the Chief State Solicitor’s Office is not renowned for its technology expertise, one of its roles is to review commercial agreements for public bodies before they sign them.
“They must have reviewed a contract which wasn’t up to scratch and now they have concluded all cloud contracts are like this,” says Philip Nolan, a partner in legal firm Mason Hayes + Curran who specialises in technology contracts. “It’s a totally disproportionate reaction and the IT industry is recoiling in shock.”
Nolan equates the advice given by the Chief State Solicitor’s Office to someone saying 12 years ago “don’t buy anything using e-commerce because it’s not secure”.
Describing the e-mail as “damaging”, Ed Byrne, general manager of Hosting365, a local firm that provides a platform to support cloud computing, says eTenders should have instead “outlined the questions that need to be asked before buying a cloud service”.
According to Byrne, this would have included questions such as where is the service based, who is the supplier, how much money can it save and what levels of support can be expected.
While the Irish public service seems to have concerns about the new technology, in Britain and the US it is being embraced wholeheartedly. US president Barack Obama’s administration wants to link its data centres in a cloud to cut costs and reduce the environmental impact of its computer systems. At the start of this year the British government said it would create its own cloud platform in an effort to cut £3.2 billion (€3.54 billion) from its annual IT bill of about £16 billion.
Byrne says that if the US, “which is notoriously security conscious with data”, and Britain are both investing heavily in the technology for their public sector, you would have to conclude that “it’s relatively safe”.
While cloud computing as a term has become popular in the past two years, as a concept it has been around a lot longer. In the tech boom of the late 1990s, the idea of “software as a service” rather than something you install at your own premises was embraced by a crop of well-funded application service providers (ASPs), with Salesforce.com the leading one to have survived from that era. While cloud might finesse the model somewhat, the basic premise of a service provider hosting data on behalf of a customer is the same.
Nolan says he has clients in the insurance sector whose core technology has been provided on an ASP basis for years.
“The agreements that support them are quite robust,” he says. “As with any technology there are thousands of ways to license it but the issues can be surmounted.”
Security consultant Brian Honan believes the situation around cloud computing has not been helped by loose definitions of the term, which often confuse it with hosting applications or managed services.
He defines it as a service which allows unlimited processing power, memory and disk space to be added as and when needed from a pool of resources provided by a cloud operator.
“That pure model of cloud computing can be as secure as the provider will make it for you,” says Honan. However, he points out that cloud providers are in business to make a profit and that requires having a single scalable solution for all their clients. For that reason, an Irish company won’t be able to demand a unique service-level agreement with a global provider such as Amazon or Google.
The public sector is right to be “concerned about how new technology safeguards data from a privacy, security and governance point of view”, says Dr Chris Coughlan, who heads up HP’s €11 million cloud computing research centre in Galway. “But it has been proven already that government agencies have lost disks, computers etc . . . The IT industry specialises in this so it’s better if the security is built into the cloud.”
Microsoft Ireland’s executive responsible for cloud computing, Richard Moore, also believes the cloud concept is misunderstood and some people think the services are running in an open and unsecured environment. “The public internet is simply the connection pipe and of course you can encrypt that traffic,” he says.
“The data centre itself has very sophisticated security mechanisms in place – both from a physical and electronic point of view.”
EuroCloud, an industry group formed to promote best practice, is in the process of forming an Irish chapter. According to Dave Feenan, vice-chairman of the group, three of its key action points are around security, certification of services and education.
He suggests the group may need to establish a “badge of honour” similar to the guaranteed Irish logo, which “buyers of cloud computing services could draw comfort from”.
Specifically on security, Honan is involved in an initiative called the Common Assurance Metric (CAM), which is backed by the European Network and Information Security Agency and cloud providers such as Amazon, eBay and Microsoft. It will create standards which measure the security of services objectively. CAM will also rate services on a scale from one (suitable for consumers) to 10 (secure enough for government departments).
“If you have two services – one which costs €100,000 versus one for €20,000 – how do I judge what I am getting for my money, particularly from a security standpoint?” asks Honan.