news Queensland’s Auditor-General has revealed that the State Government’s ‘cloud-first’ policy has resulted in three quarters of the government data placed into cloud computing platforms going offshore, despite the availability of Australia-based cloud computing solutions.
In May 2014, the Queensland Government announced what it called a “cloud-first” roadmap for its departments and agencies. At the time, LNP ICT Minister Ian Walker announced the state would attempt to resolve its extreme level of IT infrastructure problems at least partially through following the US Government with several key ICT reforms, including initiative a cloud computing-first policy.
At the time, the state published an extensive, 78 page Cloud Computing Implementation Model (PDF available online), with which the state aimed to aid departments and agencies in implementing cloud computing projects. Queensland planned to deliver significant savings, better frontline services and more opportunities for small business through the new strategy.
In a statement, Walker said the strategy gave the Queensland public service the tools to transition to a cloud-based environment, which would reduce costs by government moving away from owning and operating expensive ICT assets.
However, the first results of the strategy are in, and things have not gone precisely as Walker planned.
An audit of the strategy published by Queensland’s Auditor-General last week has revealed a number of major issues with the strategy. You can access the full report online in PDF format.
For starters, the audit notes that around 75 percent of the 8.6TB of data which the Queensland Government has placed in the cloud has gone straight offshore.
This has come despite the fact that Microsoft operates on-shore datacentres through which customers can access its popular Azure and Office 365 cloud offerings. These datacentres were launched in 2014, partially to target Australian public sector clients who tend to be extremely sensitive about their data going offshore.
Amazon Web Services, one of the most popular cloud web hosting platforms, has also established Australian datacentres.
The Auditor-General’s report stats that most departments and agencies in Queensland are in “the early stages of adopting cloud computing” and are using cloud computing “mostly for their website and emails”.
With this in mind, it is not clear why Queensland departments and agencies have chosen to store their data ofshore rather than in Australia. The audit did find, however, that as part of the audit that departments “reported concerns about the lack of technical capability and expertise in managing cloud”.
Other findings in the report include the fact that the Department of Science, Information Technology and Innovation (DSITI), which initiated the cloud-first strategy, had not assessed how effective departments had been in implementing the strategy, because the department did not define expected benefits and was not monitoring and measuring the progress of the various departments in implementing the strategy.
The report added: “Queensland government departments are in early stages of adopting cloud, and in the main consider cloud solutions only when old systems require renewal or when they are purchasing new systems. Nevertheless, they are also not aware of all of the cloud solutions in use by their agencies as they do not have mechanisms to monitor user-initiated cloud computing. Without knowledge of all cloud solutions, they risk leaving government information insecure.”
“Departments now need to take a more strategic approach—to assess where cloud can add the most value, and to address the people, process or technology change activities that are required if the objectives of the ICT strategy are to be realised.”
“Failure to do so will limit their abilities to benefit from cloud and other emerging technologies and may result in higher cost ICT environments, more operational risks, an inability to keep up with citizen expectations of service delivery, and continued risk around ageing systems.”
There were a number of examples given in the report as to areas where the Queensland Government had actually implementing cloud computing poorly. A number of these were what might be termed “novice” mistakes.
For example, although DSITI itself has implemented Office 365, the report released last week revealed that it had done so without upgrading its own desktop PC fleet beyond Microsoft’s dilapidated operating system Windows XP. This meant that the department suffered a number of identity management issues associated with the legacy software.
The report found: “DSITI chose not to implement Microsoft’s recommended best practices, such as upgrading from Windows XP, due to time constraints, and this resulted in downstream technical problems and sub-optimal service outcomes.”
“During the implementation, DSITI experienced major issues with identity management, i.e. how the system will identify users and control their access levels. However, DSITI did not publish learnings that can support other departments when they implement Office 365. We acknowledge that there is a central community of practice for sharing knowledge and lessons from Office 365 implementation.”
“DSITI has re-aligned implementation of a federated identity platform (single sign-on to access multiple systems across departments) within the activities of the One William Street project. In the absence of a cloud-ready federated identity platform, some departments may experience similar challenges to DSITI’s Office 365 experience with identity integration.”
The Office 365 implementation at DSITI cost about $3.2 million, plus an ongoing licensing cost of $955,000 per year. The auditor’s report noted that the department chose to encrypt data as part of the implementation, on the recommendation of the Australian Signals Directorate.
opinion/analysis
I have to say, this is a fascinating report from the Queensland Auditor-General’s Department.
Although it doesn’t go into the amount of detail that some would like, it does deliver the first really comprehensive analysis of how the ‘cloud-first’ ICT strategies of states such as Queensland have been going. And, as expected, the results are very much a mixed bag.
Firstly, the good news. The Queensland State Government is indeed implementing cloud computing technologies en-masse across its operations. Its departments and agencies heeded the call two years ago to implement cloud infrastructure and are rapidly ramping up their investment in this area. And it’s not just Microsoft and Amazon Web Services — the evidence shows that a wide variety of cloud and Software as a Service providers are involved.
However, there is also bad news.
For starters … there is just some really dumb stuff going on here. Why would any major organisation — government or not — implement Office 365 as a secure communications and productivity platform, without also upgrading its desktop PCs beyond Windows XP? XP is just not designed to work with Office 365 — it was designed to work with the versions of Microsoft Office which came out a decade ago. DSITI has hamstrung itself by using XP with Office 365 — it’s like fitting out a Ferrari with the engine of a Volkswagon Beetle (not that I have against against VW Beetles).
In addition, although the LNP administration at the time in Queensland made the ambitious ‘cloud-first’ strategy, the Government has pretty much failed to monitor the situation since that time, leading to a lack of understanding of what impact this cloud push is having.
All this is, of course, par for the course for the Queensland Government. The state’s litany of IT-related disasters over the past half-decade is now legendary within Australia’s IT industry. We should all have expected this situation — in no way is it a surprise.
But it is disappointing. The Queensland Government can do better than this — much better. It needs better ICT governance structures, better consultation with industry and better accountability mechanisms. Only then will then it be able to maximise the effectiveness of what was quite a visionary strategy — to resolve many of its IT infrastructure issues by skipping ahead to the next generation.
“… better ICT governance structures”
Agreed. Governance for this is way behind the times. Sheesh … our decision makers are still drying to get a handle on Dropbox, let alone the more expansive offerings out there for more than just file sharing.
“… better consultation with industry …”
Yes indeed … and this can translate to …. “Microsoft is not the be all and end all of solutions, no matter how hard their marketing tries to convince you otherwise.”
“… better accountability mechanisms”
This one I’m not so sure about. There’s plenty of accountability to go round in my experience … and the nervousness of being accountable is precisely why government is hedging their bets on cloud technologies rather than actually committing properly to it. Nobody wants to be hung out to dry (or sunk with a cloud millstone around their nect, a la Qld Health fiasco), so the frontline technical people at the coalface … while they advise how to assess and implement this properly … sit back and watch as the architectures become more political and less solution focused … and there’s not a thing they can do about it.
Very frustrating.
P.S. ‘Scuse the rant … but this is something that’s bothered me about government since I joined from private enterprise a while back … and IMO … is the greatest roadblock for innovation, particularly with cloud technologies. You can innovate with accountability … but very few people think that’s possible.
Now … if I was Premier for a day …. *grin*
1) No, Microsoft aren’t the only solutions provider, but the fact is they have failed to heed what Microsoft would have advised them to do anyway. If they’d had a Microsoft team come in and design a solution for them, it would *not* have included leaving XP in place, and it would have included all sorts of best practice deployment and reporting processes that haven’t been followed. So Microsoft aren’t the only game in town, but as far as their own solutions go they do know what they’re doing. Assuming they know better and can ignore everything that’s inconvenient is tremendous hubris, which speaks to why this situation is so terrible.
2) Renai wrote ‘better’ accountability mechanisms. That’s not more. And I have to agree – indeed, it sounds like you do, too. Accountability of the actual decision makers, who ignore the advice of technical staff and consultants, who empower department heads to procure and implement solutions like this with little to no input from technical teams. Decision makers should be held directly accountable for their handling of public funds and private data, they should have to demonstrate that the best decision was made after extensive evaluation and recommendations made by sufficiently skilled and knowledgeable technical staff and/or external consultants. Skilled technical people should be the ones deploying and configuring solutions, not bureaucrats.
So yes, much better accountability mechanisms is key.
Oh and a lesson for upper management bureaucrats – you can’t pick and choose *bits* of a solution and avoid some of the inconveniently expensive bits and expect that it will work. Upgrading Windows XP was a *mandatory* requirement. If you couldn’t afford that as part of the solution, you should have gone back to the drawing board. Or back to budget basics and ensure that XP was being upgraded a part of maintenance funding, because continuing to run it was/is knowingly negligent.
+1.
“The audit did find… that departments “reported concerns about the lack of technical capability and expertise in managing cloud”.”, “…because the [DSITI] did not define expected benefits and was not monitoring and measuring the progress of the various departments in implementing the strategy.” For example, “although DSITI itself has implemented Office 365, the report released last week revealed that it had done so without upgrading its own desktop PC fleet beyond Microsoft’s dilapidated operating system Windows XP…”
Wow.
My ghast never ceases to be flabbered. This is seriously boggling my mind. I sort of expect this from the land of Banana-benders, but truly they are no orphans, merely today’s talking point.
But the guv’ment want to stop encryption. How’s that going to work out for them?
Perfectly. Now affabet agencies and police sevices don’t need to upgrade from (bad)XPerience…
Comments are closed.