news Queensland’s Auditor-General has revealed that the State Government’s ‘cloud-first’ policy has resulted in three quarters of the government data placed into cloud computing platforms going offshore, despite the availability of Australia-based cloud computing solutions.
In May 2014, the Queensland Government announced what it called a “cloud-first” roadmap for its departments and agencies. At the time, LNP ICT Minister Ian Walker announced the state would attempt to resolve its extreme level of IT infrastructure problems at least partially through following the US Government with several key ICT reforms, including initiative a cloud computing-first policy.
At the time, the state published an extensive, 78 page Cloud Computing Implementation Model (PDF available online), with which the state aimed to aid departments and agencies in implementing cloud computing projects. Queensland planned to deliver significant savings, better frontline services and more opportunities for small business through the new strategy.
In a statement, Walker said the strategy gave the Queensland public service the tools to transition to a cloud-based environment, which would reduce costs by government moving away from owning and operating expensive ICT assets.
However, the first results of the strategy are in, and things have not gone precisely as Walker planned.
An audit of the strategy published by Queensland’s Auditor-General last week has revealed a number of major issues with the strategy. You can access the full report online in PDF format.
For starters, the audit notes that around 75 percent of the 8.6TB of data which the Queensland Government has placed in the cloud has gone straight offshore.
This has come despite the fact that Microsoft operates on-shore datacentres through which customers can access its popular Azure and Office 365 cloud offerings. These datacentres were launched in 2014, partially to target Australian public sector clients who tend to be extremely sensitive about their data going offshore.
Amazon Web Services, one of the most popular cloud web hosting platforms, has also established Australian datacentres.
The Auditor-General’s report stats that most departments and agencies in Queensland are in “the early stages of adopting cloud computing” and are using cloud computing “mostly for their website and emails”.
With this in mind, it is not clear why Queensland departments and agencies have chosen to store their data ofshore rather than in Australia. The audit did find, however, that as part of the audit that departments “reported concerns about the lack of technical capability and expertise in managing cloud”.
Other findings in the report include the fact that the Department of Science, Information Technology and Innovation (DSITI), which initiated the cloud-first strategy, had not assessed how effective departments had been in implementing the strategy, because the department did not define expected benefits and was not monitoring and measuring the progress of the various departments in implementing the strategy.
The report added: “Queensland government departments are in early stages of adopting cloud, and in the main consider cloud solutions only when old systems require renewal or when they are purchasing new systems. Nevertheless, they are also not aware of all of the cloud solutions in use by their agencies as they do not have mechanisms to monitor user-initiated cloud computing. Without knowledge of all cloud solutions, they risk leaving government information insecure.”
“Departments now need to take a more strategic approach—to assess where cloud can add the most value, and to address the people, process or technology change activities that are required if the objectives of the ICT strategy are to be realised.”
“Failure to do so will limit their abilities to benefit from cloud and other emerging technologies and may result in higher cost ICT environments, more operational risks, an inability to keep up with citizen expectations of service delivery, and continued risk around ageing systems.”
There were a number of examples given in the report as to areas where the Queensland Government had actually implementing cloud computing poorly. A number of these were what might be termed “novice” mistakes.
For example, although DSITI itself has implemented Office 365, the report released last week revealed that it had done so without upgrading its own desktop PC fleet beyond Microsoft’s dilapidated operating system Windows XP. This meant that the department suffered a number of identity management issues associated with the legacy software.
The report found: “DSITI chose not to implement Microsoft’s recommended best practices, such as upgrading from Windows XP, due to time constraints, and this resulted in downstream technical problems and sub-optimal service outcomes.”
“During the implementation, DSITI experienced major issues with identity management, i.e. how the system will identify users and control their access levels. However, DSITI did not publish learnings that can support other departments when they implement Office 365. We acknowledge that there is a central community of practice for sharing knowledge and lessons from Office 365 implementation.”
“DSITI has re-aligned implementation of a federated identity platform (single sign-on to access multiple systems across departments) within the activities of the One William Street project. In the absence of a cloud-ready federated identity platform, some departments may experience similar challenges to DSITI’s Office 365 experience with identity integration.”
The Office 365 implementation at DSITI cost about $3.2 million, plus an ongoing licensing cost of $955,000 per year. The auditor’s report noted that the department chose to encrypt data as part of the implementation, on the recommendation of the Australian Signals Directorate.
I have to say, this is a fascinating report from the Queensland Auditor-General’s Department.
Although it doesn’t go into the amount of detail that some would like, it does deliver the first really comprehensive analysis of how the ‘cloud-first’ ICT strategies of states such as Queensland have been going. And, as expected, the results are very much a mixed bag.
Firstly, the good news. The Queensland State Government is indeed implementing cloud computing technologies en-masse across its operations. Its departments and agencies heeded the call two years ago to implement cloud infrastructure and are rapidly ramping up their investment in this area. And it’s not just Microsoft and Amazon Web Services — the evidence shows that a wide variety of cloud and Software as a Service providers are involved.
However, there is also bad news.
For starters … there is just some really dumb stuff going on here. Why would any major organisation — government or not — implement Office 365 as a secure communications and productivity platform, without also upgrading its desktop PCs beyond Windows XP? XP is just not designed to work with Office 365 — it was designed to work with the versions of Microsoft Office which came out a decade ago. DSITI has hamstrung itself by using XP with Office 365 — it’s like fitting out a Ferrari with the engine of a Volkswagon Beetle (not that I have against against VW Beetles).
In addition, although the LNP administration at the time in Queensland made the ambitious ‘cloud-first’ strategy, the Government has pretty much failed to monitor the situation since that time, leading to a lack of understanding of what impact this cloud push is having.
All this is, of course, par for the course for the Queensland Government. The state’s litany of IT-related disasters over the past half-decade is now legendary within Australia’s IT industry. We should all have expected this situation — in no way is it a surprise.
But it is disappointing. The Queensland Government can do better than this — much better. It needs better ICT governance structures, better consultation with industry and better accountability mechanisms. Only then will then it be able to maximise the effectiveness of what was quite a visionary strategy — to resolve many of its IT infrastructure issues by skipping ahead to the next generation.