Building the Australian cloud: A GTR roundtable [2/4]

There’s no doubt about it: the local cloud market is more buoyant than ever. To weigh up the prospects for the Australian cloud, we brought together a number of industry experts for a GTR roundtable. Participants included:

• Altay Ayyuce, ANZ director for cloud and service providers and Andrew McGee, chief technology officer with Hitachi Data Systems
• James Boddam-Whetham, managing director of Noggin IT
• Jack Dan, national general manager for government with Telstra
• David Hanrahan, general manager for cloud services with Dimension Data
• John Kaleski, ANZ general manager for cloud with Fujitsu
• Rob Purdy, director of cloud and tools with Datacom
• Craig Scroggie, CEO of NextDC

GTR: Has the growth in Australian cloud capabilities helped customers move past concerns about data sovereignty and governance? SCROGGIE: It's far less of an issue as it was a year ago, although people are still conscious of where their data lives. It's not so much a regulatory as it is a general governance concern – that is, 'do we know who has access to the information and are we concerned if it lives in another country, that government might have access to it?'. But without a doubt, there's a desire for organisations, not just domestically but internationally, to host their infrastructure in Australia in order to demonstrate to local businesses that they can have some confidence that their information is secure – which has certainly been a driver for companies hosting locally.

AYYUCE: Over the last 12 months, the whole question of security has pretty much dissipated. People are now starting to accept that a lot of the infrastructure they're going to put their data on is going to be secure. There are still questions about data sovereignty, and around the NSA type of issues popping up all over the place, but those issues around security have dissipated.

B-W: There's definitely more scrutiny of not just where the infrastructure is based physically, but the organisations that actually own that infrastructure and maintenance of it. For example, some of the legal concepts around the nexus of data ownership mean that a US based entity that might have a local setup within Australia still falls under the Patriot Act. People need to be conscious of those things when they're making decisions about the cloud, and to scrutinise that as part of their contractual negotiations.

The big issue is the ability to be flexible in terms of cloud-backed arrangements. We see there being three tiers. One is the local cloud, so a lot of nation-states will mandate the data be in a data centre within the nation-state and controlled by an organisation within the nation-state. Second are regional clouds, where people may not be so concerned from a security point of view but ensure there is going to be better access to that data in terms of speed. The third is distributed clouds – the Amazon Web Services and so on.

We're seeing organisations start to take a bit more of an interest in our internal security procedures, and that's understandable. They're outsourcing the issue of where the data gets hosted – just like dealing with any sensitive data with third parties. We already have those policies and procedures in place. But for a lot of newer-technology organisations, that requires a bit of thinking and maturity – and can take a bit of time to develop as a business.

KALESKI: Customers have opinions on being able to achieve the goals that cloud offers – such as moving from capex to opex – but it's the journey they go on with a trusted provider which is important. We offer a value assessment process that we go on with customers, for example working through the retirement of certain workloads. By asking the right questions, we can assist them with the cloud transition. That is an often overlooked step in due diligence – and we often find there's not a smarter, more diligent, technologically advanced way in which they move to the cloud.

DAN: Cloud computing involves transferring a degree of control to the service provider and, therefore, trust in that service provider is very important. In the early days of cloud computing, there was a degree of uncertainty as to how data would be managed, governed and who is responsible for insuring integrity, security, non-repudiation, generally who is liable when things go wrong.

This is a normal process and it occurs with any new significant technology or delivery approach that involved changes in the current modus operandi. As more and more successful case studies and implementation stories have emerged, along with a body of literature covering best practice guides, guidelines and guidance, customers have become much more keen to take up the benefits of cloud and the adoption rates have increased significantly.

PURDY: In the initial phases of cloud adoption – say, 2006-2010 – that was a big factor for customers. When customers are adopting cloud in other geographical locations there are a lot of considerations that I think most don’t take into account.

For example, if data is held in Singapore by a US service provider, the customer needs to monitor Singapore Federal Government law, Singapore local law (where the data actually is) and US law e.g. the Patriot Act. Most customers don’t have the ability to do that, so often it’s easier to host the data locally and not have the overhead.

That said, for companies that operate in multiple geographies, the argument of laws is moot really. In my discussions with both Australian and NZ Governments, because we’re in the Five Eyes and close collaborators with the US, the Patriot Act isn’t a big concern for those departments that are dealing with data at the lower classification levels, albeit some are under laws that restrict them from using international locations. That said, I’ve spoken to many departments that are already using services like Office365, Salesforce, and so on — so, adoption is occurring.

GTR: What limits have the availability of Australian telecommunications services put on the expansion of cloud computing? Are these being resolved?

PURDY: To get the true benefits of cloud (the ability to move workloads around and burst into public clouds from private) we need high bandwidth networks at low prices. The promise of the NBN seems far away but there’s hope that with regulation and the investment going on that this will unlock the true potential of cloud. I still cannot help but feel that the major telecommunications providers are extracting too much money out of customers still and stopping widespread cloud adoption.

HANRAHAN: In Australia we're starting to get over those challenges we've always had, with the network being the bottleneck.

SCROGGIE: Latency is one factor in cloud: depending on the type of application the further away the infrastructure the more issues you potentially experience. The other issue is telco cost, and whilst the cost of interstate and international transit has been coming down, its still a sizeable ongoing op-ex investment therefore telecommunications will continue to play an important role when considering the cost benefits of your cloud solution.

There's a lot of commerce that goes on inside the four walls of the data centre, where customers do business together and a lot of the data never leaves the data centre. This commerce is quite substantial in its own right, and the concept of an ecosystem – commercially neutral ground where our customers and partners can do business together – is an important one. The bigger the ecosystem, the bigger the force multiplier it becomes.

GTR: Security is also important. How have Australian cloud providers handled customers' need for security, and how does this compare with the capabilities on offer from overseas cloud providers?

B-W: From years ago when we got into the market, there have been a whole lot of questions about security and the risk proposition around cloud computing. We went through Common Criteria security evaluation to the EAL2+ standard, and at the time the evaluators had a lot of difficult in actually understanding it. As a consequence, the security evaluation took a lot longer to do – 12 months instead of 6 months.

These days, organisations and governments are becoming more at ease with the issue of data security in the cloud, and that's enabling organisations to adopt the cloud more easily and readily. The big issue everyone is looking at is how to manage risk in relation to cloud and infrastructure.

As with any emerging technology or platform, that tends to take a little bit of time for people to articulate their thinking about standards. A number of bodies are trying to develop standards, and a lot of government authorities are having their go at ensuring there are cloud security policies enforced at the vendor level. So, I think we will see a consolidation of the standards and clear guidance as to how you manage risk in the cloud.

SCROGGIE: When we talk to customers we consistently see that they themselves in many cases would rarely have been able to build the scale, security, high availability, and resiliency on their own. The massive scale of these cloud solutions brings many benefits for customers that they wouldn't be able to derive in their own right. Like any security consideration, there are no absolutes; what you have is defence in depth strategies that enable you to apply appropriate security to appropriate classes of information in order to protect the things that matter most.

HANRAHAN: The thing is: we're becoming one of those big giants overseas. We've now got managed platforms for public infrastructure in 12 locations around the globe through our one cloud program, where there's at least that much infrastructure again. It's the same architecture and we get the economies of scale because of our global reach. We're doing it in each of the regions that we operate in, so that we can deal with data sovereignty and latency. From that perspective, we're finding that we're able to compete very well.

We're also starting to see people asking for standards-based security assertions, as opposed to every specific thing they may have heard hype about. In delivering cloud solutions to banking clients, for example, we are able to manage auditor access for data centres and provide specific and customised reporting through our outsourcing capability if required. There is a lot more maturity in evaluating the risk of moving things to the cloud than what we did 12 months ago.

This is part 2 of 4 in this GTR roundtable, which originally ran in the May/June 2014 issue of Government Technology Review. Read part 1 here.