Cloud computing models are changing the way governments procure – and at the same time look set to usher in a period of profound change for public-sector IT careers.
Governments and public-sector bodies have been leading the gallop towards cloud computing, but private enterprises have been somewhat less ardent in their charge. One beneficial outcome of this is that the technology has in the meantime been maturing, and some of the earlier objections to cloud adoption have been addressed, if not necessarily resolved.
The lag has also meant that, in the UK at least, public-sector ICT has stolen a march on its private counterpart, and now looks set to have a major influence on how cloud models are mandated and managed. Some sectors are moving faster than others, with the leaders being those in which the initial benefits of cloud appear greatest: with TV broadcasting, for instance, the trend towards multiscreen services, delivering video to non-TV platforms, is encouraging common cloud transmission infrastructures.
It is the risk/benefits equation that explains why public sectors have been swiftest to the cloud. It might seem surprising, given that government departments often have more stringent security requirements and greater integration challenges than most enterprises, as well as stiffer cultural resistance against change. But governments have also perceived cloud as a potential liberator from the yoke of 'mega IT' projects generating escalating costs and overruns.
There has been a general sense that IT was not delivering full value for money, and that this was because projects were too large and yet also isolated, with a lack of cohesion between systems. Managed cloud computing options heralded an era of better-controlled projects delivered by nimbler SMEs, integrated via a common cloud platform – an initiative branded as 'G-Cloud' in the UK.The G-Cloud framework was developed to give public sector procurers access to 'pay-as-you-go' services as a more cost-effective alternative to traditionally sourced ICT requirements, and as such G-Cloud is a key part of the government's ICT strategy.
"The drivers to move to the cloud are the same for all governments – to eliminate wasteful IT spending and deliver innovative services beneficial to citizens," declares Dr Steve Garnett, chairman/EMEA at Salesforce.com, a provider of CRM software and cloud components to the public sector.
Salesforce.com is not an SME, and joined the G-Cloud project only in the second round, along with other big players such as Oracle, Accenture and Success Factors. The first G-Cloud framework was open to SMEs only to give them a head start, although two big vendors, IBM and Europe's largest private IT group SCC, were involved in developing the underlying platform, which was beyond the capabilities of any smaller vendor. SCC had been given the platform contract, and in April 2012 selected IBM hardware and software for the Secure Multi-Tenancy Cloud (SMTC), which underpins CloudStore, providing back-office processes and communications, subject to the levels of security mandated in the public sector. UK public sector spending is increasing in departments where data integrity needs are growing, as predicted by analyst Market Oracle: so security of various requirement is one of the main technological challenges faced by the G-Cloud ideal. In the UK security is specified in seven levels, starting with Impact Level zero (IL0), which is virtually no security over the open Internet. The first level relevant for most G-Cloud services is IL2, which almost all service providers to the platform have to meet. This involves end-to-end security equivalent to the best practice in most commercial enterprises, with strong password authentication and verification of components, conforming roughly to the ISO27001 specification.
The main point about ISO27001 is that it brings together security components under common management and control, ensuring that levels of protection and authentication are consistently applied across a service. This is deemed adequate for most local authority and education services, except those involving access to personal or sensitive data. IL3 is mandatory for central-government services such as online tax-payment systems, and local authority applications involving access to personal information such as names, telephone numbers and email addresses.
Obtaining IL3 certification is much more expensive than IL2 because it requires segregation of data, systems and processes, underpinned by secure databases, with widespread strong encryption, enhanced physical security of relevant IT resources, and also more careful vetting of relevant IT staff. SCC now claims to be the only supplier to G-Cloud to have obtained IL3 certification so far, and in November 2012 won its first IL3 level contract from the NHS for the Mersey Care NHS Trust's operational data and ICT infrastructure. This is moving to SCC's branded OptimiseCloud platform under a five-year contract covering patient administration, email provision, Microsoft's Share Point collaboration system, and business intelligence.
IL3 is described as 'Restricted' in that it allows general access, but with rigorous enforcement of security rules preventing access to unauthorised data. The next level up, IL4, which no G-Cloud provider has yet reached, is described as 'Confidential', restricting access to authorised individuals with security clearance, and would apply to some internal government systems. IL5 is 'Secret' and IL6 'Top Secret', relevant for MI5 and MI6 holding data vital for national security. (Last year's 'Skyfall' was the first James Bond movie to incorporate a data protection plot angle when some IL6 data stored on a laptop belonging to MI6 was lost.)
Whilst the top three levels lie within the domain of specialist providers of high-security systems, it will be important for SMEs wanting to participate in G-Cloud to attain IL2 certification, which in turn serves as a basis for IL3. Each IL level is in effect a superset of the one beneath it and in turn provides a foundation for the one above.
UK public-sector spending meanwhile is growing highest in sectors where ICT integrity is key, according to analyst MarketOracle. The greatest challenge for G-Cloud as a whole lies not with the providers, but within the government IT departments themselves, which face a fundamental cultural change relating to the way systems and services are procured, according to Rhys Sharp, SCC's public sector CTO. This is the most relevant issue for the future of IT recruitment and employment within the public sector generally, because it involves a quite radical shift of in-house technological skills, away from development, towards integration and procurement of external services.
Sharp makes the important point that these changes will not be confined to the public sector, but will also cause upheavals for businesses, even if that happens a year or two down the line. "What many organisations need to establish – specifically IT departments – is that cloud services will definitely play a role in every enterprise as we move forward," predicts Sharp. "If an organisation understands that, then planning for it now is essential for the smooth transition towards those services."
This will mean being less concerned about day-to-day data-centre operations such as cooling, security, and maintenance of physical servers, SCC's Sharp says. "Those mundane tasks will become less relevant for IT departments, but people will be required to deliver a higher level of value. IT staff must understand how technical and software solutions can be applied to streamline the processes of the organisation" and expect to see their job roles change accordingly.
This does not necessarily mean that IT jobs would be lost or transferred to a cloud provider, but does mean that existing IT staff (both hardware and software) need some reorientation and retraining in the skills required to become 'selectors' and 'integrators', rather than 'developers', Sharp says. "We've had many conversations with a number of customers about that," he reveals.
Sharp has a less encouraging prediction for some software engineering specialists whose abilities and aspirations were rooted firmly in development or maintenance. Their skills might be redundant for their employers and yet also irrelevant for cloud providers. "That can be a tricky one, because some of the skills required are very different within the cloud," he says. The cloud is changing the proportions between the professional skills required in the IT sector, and this should be reflected at university level and in the recruitment market.
"There is also a geographical challenge, in that we are talking about centralisation of the data-centre facilities and quite often that is not in the vicinity of where the staff live," Rhys Sharp adds. The extent to which his forecasts will prove accurate remain to be seen; but they do indicate that if cloud adoption in the private sector follows a similar course to that evidence in public sector, then the win-win messages will have to be modified to take account of the potentially deleterious effects the changes may have on some IT professional's careers.
It is also likely that many new competences required are as challenging and intellectually gratifying to IT practitioners as those involved in traditional systems development. The idea that the cloud reduces the need for high-level IT skills for the customer is "totally false", according to Mark Gittins, information systems director at Lockheed Martin UK, which announced in November 2012 that it had been selected by the Cabinet Office to provide a range of services under the 'G-Cloud 2' programme.
"[As things stand], the prime contractor role is designed to manage the customer's risk," explains Gittins. "In the new model, it will be less clear where the lines of responsibility are drawn and there is still a case for a lead services integrator, with systems integration experience, to bring security and coherence to critical components of the enterprise."
This point was expanded by Steve Cliff, IBM UK's public-sector cloud alliances executive. He points out that there still has to be somebody in overall charge of systems integration, and that would still ultimately be the responsibility of the client, at least in the case of large enterprises. "This will mean clients will need to balance the internal skills and resources to do this," says Cliff, "as well as managing multiple supplier relationships, with the engagement of a trusted supplier."
Cliff suggests that a "new category of supplier" might emerge in the form of the so-called 'cloud broker', whose commission would be to manage complex relationships between components and entities. Such services should appeal to smaller enterprises – and probably larger ones as well. The implication here is that the takeover of 'traditional' enterprise-owned and -managed data-centres by the cloud revolution may also have longer-term implications for IT jobs. In the short term it will create new opportunities for existing staff within internal IT departments; but further ahead there could be a second wave of change as the skills required to manage cloud services also become outsourced to cloud brokers.