Wednesday, August 30, 2017

Cyber Security in Canberra, the Cloud and Amazon Web Services

Greetings from the National Convention Centre in Canberra, where Alastair MacGibbon, cyber security advisor to the Prime Minister, is discussing security and the cloud. He is the keynote speaker at the Amazon Web Services Public Sector Summit. His main message is that moving slowly increases risk and use of cloud services decreases security risks: "Any platform which will be run professionally for us is a good thing". He made this comment in respect to small agencies, who have difficulty keeping enough expertise in-house to run their IT systems. He also said that "legacy" systems should not just be migrated.

However, I am reminded of this week's episode of ABC TV comedy "Utopia". In this, a fictional government agency was trying to work out why a government project was costing so much. It turned out that the project had been outsourced and it would have been cheaper to run in-house, had the will and expertise been available.

Previously I was a government in-house IT developer, working in small agencies. These agencies used time-shared bureau services run by a shared services business unit of a supporting government agency. The government had its own data centers, run by staff, to provide IT to other agencies: essentially its own "cloud". This approach had its problems, as when there was a problem there was little leverage a user agency had over its fellow agency supplier: one part of government can't take another to court to enforce a contract.

Now as an independent IT consultant I am hired by lawyers, when their government clients are unhappy with commercial suppliers and need an independent expert witness. It turns out that in practice it is easy to take your commercial supplier to court. When examining internal project documentation I usually find there were mistakes made by the client as well as the supplier, and these cases are almost always quietly settled out of court.

As an IT educator I teach teams of students at the Australian National University how to manage IT development projects so they do not end up in court. For these students, the use of cloud services is the first and normal option. However, they still have to consider what else to outsource and to whom. Before building a bespoke system, they have to consider a whatever-as-a-service.

However, IT developers also have to consider under what conditions their service will continue to operate. If local, national or international links are limited, will the service still be available? If the system is under attack, can the service continue to be provided? When sharing infrastructure with other clients, who gets priority in an emergency? In times of international tension, will the service continue to operate with some countries and support staff who are citizens of those countries excluded from providing service?

Some of the ways more secure and reliable systems can be built are not that technical. One way is to focus on what the client needs and to provide this efficiently. As an example, features built into the web can provide an interface which adapts to different client devices and available bandwidth. This needs no special software; it is a design philosophy.

One aspect of cloud services is not new: suppliers and the industry over-promise what they can deliver. IT professionals have to learn to deal with unrealistic expectations from their clients as to what can be done and how quickly it can be done. A new cloud-based service can now be set up in minutes, but clients need to understand that this can get them into difficulties equally quickly. An example of this is the Australian Bureau of Statistics census system which failed very publicly. Costs were saved in building this system, but the financial and reputational cost of fixing the resulting failure far outweighed the saving.
