Organisations need to pay attention to a series of issues in planning to migrate IT functions to a cloud service, writes Kelvin Ayre, Sentinel practice manager at SCC.
An increasing number of public authorities are following the Government's 'Cloud First' policy, looking to a cloud service as the first option when planning to refresh or upgrade crucial IT functions.
This reflects a growing appreciation of the benefits of cloud, with the potential to obtain significant savings through a transfer of the financial burden from capital to operational expenditure, and the ability to scale operations up and down - responding to increases in demand but only paying for the services used.
Cloud providers can also offer an extensive skills capability, and high levels of security, freeing up in-house IT teams to spend more time on strategic issues and transformation plans.
But the migration process is seldom straightforward, especially when it involves the transfer of information classified as OFFICIAL under the Government security classifications. Organisations therefore have to deal with a number of issues that demand they work with a partner that understands the process and has the capabilities to relieve any anxieties about the change.
These became clear at a workshop SCC staged late last year which brought together 40 public sector IT leaders and cloud professionals to discuss the challenge of selecting, procuring, then implementing the storage and management of files with the security classification of OFFICIAL in the cloud.
Most of the participants were either using cloud services (42%) or in the process of procuring some (31%), with the majority doing so through G-Cloud. Just 27% were still at the stage of considering procurement. All were aware of the challenges involved, and some were able to provide valuable advice on how best to manage the process.
Predictably, the largest concerns were about the security of data and where it would be stored. Moving data from in-house servers to a host's data centre prompts understandable anxieties, and these have taken on another dimension with revelations over the US security services' intrusion into digital records and the breakdown of the EU-US Safe Harbour agreement.
This is placing the onus on cloud providers to allay any fears. Most public sector organisations handle information classified as OFFICIAL, and many have some carrying the OFFICIAL-SENSITIVE caveat; they have to be sure a cloud provider has shown it can meet these demands. This involves a number of steps outlined in the Government Summary of Cloud Security Principles, including network protection and encryption, having a security governance framework in place, and protecting interfaces from attacks. Ensuring the accreditation for this is in place is a crucial step in choosing a cloud service.
Data centre location
There is also a growing premium on the use of data centres located in the UK, providing an extra degree of assurance that they will be free from any future intrusions by foreign agencies.
Assured network connectivity is essential to support the exchange of information and collaboration with other public sector organisations, the third sector and supply chain at OFFICIAL and above. Ensure your hosting provider meets code of connection accreditation requirements for Government networks such as PSN, N3, POISE, SWAN or secure enterprise VPNs.
Reliability of a service is always a major factor, and the data centre tier classification system from the Uptime Institute, a US-based international authority, provides the relevant assurance deriving from the design of the facilities. Any centre hosting OFFICIAL data should be a minimum of Tier 3 standard.
Looking for these indications of reliability is an important step, and can be combined with stringent service level agreements to prevent downtime beyond the most minimal level.
There is also a need for flexibility, providing scope to develop new systems and processes using the data in the cloud. This is where a combination of Infrastructure, Platform and Software as a Service can provide the capability to respond to changing demands, and to develop a blend of cloud services when needed.
Soft skills needed
A migration also faces cultural barriers that require 'soft' skills: 26% of the workshop participants highlighted the problem of resistance to change, and 13% pointed to risk and the fear of reputational damage if things go wrong. A handful expressed worries over dealing with the legacy supplier and whether it would provide support during the transition.
Some guidance emerged from the discussions, such as:
- engage early with stakeholders to manage expectations
- assess the scope of requirements at an early stage
- think about hybrid solutions to minimise risk
- ensure that legacy data standards are accommodated
Organisations can take responsibility for these measures, but they will also benefit greatly from working with a supplier that understands such factors, and is experienced in supporting a migration. If it has the technical accreditations, a cadre of highly trained consultants and engineers, and a strong support structure, it can ease the journey to the cloud, and provide a secure environment in which a public authority can evolve its IT estate over the long term.
No two cloud migrations are the same, and it is therefore paramount to ensure that the cloud provider has broad evidential experience across a range of projects. Moving to the cloud can be a daunting step, but with the right partner it will provide immense benefits.
The full white paper from SCC, Procuring and Delivering OFFICIAL in the Cloud, can be downloaded here.