Cloud firm chief says new method for awarding Protected cloud contracts much better

Phil Dawson, the managing director and co-founder of AUCloud, told iTWire in response to queries that while the ASD was perfectly well qualified to decide on which company met the criteria and which did not, it was not exactly practical for the agency to be involved thus.

“Should they make every risk-based decision on behalf of all government agencies?” he asked. “Of course not, and this is why the basis of the Protective Security Policy Framework and the Information Security Manual is that, ultimately, each agency is responsible for risk and cannot abrogate their responsibility in terms of risk assessment and risk mitigation.”

He said as he saw it, the role of the ASD — along with the Attorney-General’s Department and the Digital Transformation Agency — was to set the framework while agencies had to execute it with full and far better knowledge of their own requirements and risk profiles.

“However, it is clear that many — too many — agencies were abdicating their responsibilities based on what the ASD had provided as a moment-in-time badge and the inevitable rose-tinted positioning of vendors, without full consideration of their context,” Dawson added. “Besides being historically outdated by purpose and structure, the former process did not adequately assist with understanding or managing risk within its agency context.”

The jettisoning of the certification process was announced by the ASD in March and thus those who had been given the label Protected held it until the end of June. The decision was taken after a review that began in July 2019.

Dawson, who was the co-founder and chief executive of UKCloud, the fastest growing technology company in the UK between 2012 and 2015 and the leading provider of infrastructure-as-a-service to the British Government, expanded further on these themes, saying that a badge based on a moment-in-time accreditation, as in the UK, was always going to be abused by vendor marketing.

“Witness the behaviour of some global providers who gloss over the catalogue of risk mitigation controls that agencies should be considering when deploying Protected data on their infrastructure,” he commented. “It was also going to facilitate inappropriate risk management decision making by individual agencies.”

Apart from these factors, Dawson said the old process was outdated and not scalable in terms of both process (unable to support volume and dynamic nature of market) and appropriate risk management by individual agencies.

“This was further exacerbated by a lack of clear distinction between infrastructure-as-a-service and platform-as-a-service, for which there are a small number of providers, and software-as-a-service, where there are thousands,” he pointed out. “Also, the process had not and was unlikely to mature to a sustainable model for the reasons outlined – for example, there was limited consideration as to the implications of re-accreditation, failure or even success in relation to risk.”

Dawson said the process was also not fit for purpose in terms of the maturity of digital technology – “the changing nature of cloud and movement towards digital and cloud native when compared with the Information Security Manual controls that were almost exclusively about the physical environment (pages on cable colour management) and nothing on automation and secure application development practices”.

He said since its inception, the value of “data” had been better understood in respect of there being multiple forms — customer data, customer account data, metadata, monitoring data, analytics data — all presenting a security and privacy risk. Previous definitions and controls ignored this and, consequently, differing approaches were taken to the risk associated with different data types floating around the world.

Finally, he said, the vulnerabilities of extra-territorial jurisdiction positions adopted by certain governments in relation to the “value” of data and their accessibility to it were also now better recognised. As an example, he said this was especially called out during the development of the COVIDSafe app, where the Federal Government passed specific legislation to attempt to negate (unsuccessfully, in his view) this risk.

Regarding recent controversies about the awarding of cloud contracts to American companies like Microsoft and AWS in preference to the local lot, Dawson said there was a difference in the types of contracts which should be noted.

“I recall that I was referring to the difference between the COVIDSafe app decision and the announcement that Defence was proposing to deploy their SAP workloads on Microsoft Azure,” he clarified.

“My view of the COVIDSafe app development is that many, many good practices and decisions were made in an environment where ‘time’ was, for once, a genuine consideration in the overall value placed on the decision.

“In addition, for almost the first time in the public domain, the importance of privacy was considered as the critical part of the design process: a detailed privacy assessment was undertaken and made public alongside specific legislation to overcome the potential risk of extra-territorial jurisdiction. Sadly, not as much attention was paid upfront to the consequences of the hosting decision.”

He said with regard to the SAP project, he doubted whether “time” was a serious factor in decision-making. “Consequently, it would seem strange that the underlying infrastructure-as-a-service decision has been made with little or no transparency,” he said. “I’m sure that AUCloud, along with a number of sovereign cloud providers, could have worked with our global infrastructure vendors like Cisco and VMware to use their reference architectures for Hana database to provide a competitive alternative.

“Ultimately, competition is enhanced through transparency and, through basic economics, not only drives a better price point, but also access to a wider innovation pool. In the first example, despite the urgency, considerable transparency was applied to many aspects of the development and procurement. I’ll leave you to decide how the second example matches up.”

Dawson has a whole list of credentials, apart from starting and running the two companies mentioned earlier. He has also been a board member of TechUK, a member of the UK Information Economy Council and co-author of the UK Data Capability Strategy before moving to Australia for one of his biggest professional challenges to date; launching AUCloud to deliver sovereign cloud services to support Australian Government and Critical National Industries.

“Replicating previous activities hasn’t been easy. However, with a deep-seated belief that if you deliver price-competitive services on an ‘apples-for-apples’ basis and reduce the risks to data for your customers, through enhanced security and automation, success will then follow,” he averred.

“In doing so [one is] creating jobs, paying taxes and supporting worthy charitable causes, but this time Australian jobs, Australian, taxes and Australian charities.

“I’m currently a member of the AIIA’s Federal/ACT Council and have played an active role in both ASD’s Cloud Security Forum and a PM&C’s Digital Task Force. I am passionate about the role and contribution that SMEs/Scale-ups can make within the digital economy in delivering innovation, social value, sovereign resilience and above all better products and services than large, unwieldy multinational corporations whose self-interest is headquartered elsewhere in the world.”

Asked about a recent report that said multinational companies were dominating the Australian hyperscale cloud market, Dawson again clarified that the market itself was not hyperscale, merely the companies that were global in their operating models.

“The reason global operating models are predominating is for three reasons,” he said. “Economies of scale on the supply side: build it big and reduce the unit costs; economies of scale on the demand side: aggregate customer volatility, improve asset utilisation and reduce the unit costs; and automation: use technology to manage technology to improve quality, enhance agility, increase security and reduce the unit costs.”

But he said foreign solutions — what he called Made in California/Shanghai models — had an inherent weakness when localisation — security, privacy, service — considerations came into play.

“To date, relatively few workloads have moved to cloud compared with sub-optimal on-premise solutions. However, as they do, more cloud consumers will become uncomfortably familiar not only with the privacy and security implications of their global provider choices, but also with the painful realisation of switching costs. Governments will also realise that tax, jobs and sovereignty are risks that they cannot ignore or outsource.

“In addition to this, development of local competition requires a more transparent marketplace so that buyer decisions can be understood and scrutinised, innovations can come to the fore and investors can double down on the successful models.”

He commented that following the lead of the NSW Government, the Federal Government was starting to move towards a more transparent marketplace for cloud services and – “hopefully” – with more understanding and awareness, government agencies and Australian enterprises would see the value in buying from some of the many sovereign IaaS, PaaS and SaaS providers. In doing so they would be enhancing sovereign resilience.

During an initial email exchange, Dawson pointed to two government procurements and said they highlighted the impact of how agencies specified their functional needs to the market and influenced — or distorted, depending on one’s perspective — the potential supplier-based and related competition/innovation.
He was more than willing to elaborate on that, saying the first example — a procurement for the Department of Agriculture, Water and Environment — provided a detailed, functional description of their need.

“It was very comprehensive and involved a new mission critical biosecurity application that interfaces through APIs with many other high-security applications across other government agencies,” Dawson said.

“I liken this to buying a car and deciding that you need one with four wheels, petrol engine, manual transmission, five doors and some safety features – all good so far for competition – but then mandating that the engine has to be provided by Company M. In a stroke, you have limited competition and innovation. Prepare to pay more and get less.”

With regard to the second procurement notice — from the Department of Health — Dawson said this was for a similar mission-critical application for reporting notifiable diseases. “Probably less complex and not as scalable, but nevertheless similar in nature. The spec for this was equally good but left the engine open to all manufacturers,” was his comment.

He said his intuition was that the first one would receive fewer bids with higher costs, less innovation and longer lead times than the second, which would also be more encouraging of new entrants to the Federal Government market.

“The remedy is keeping bid lists transparent, open to anyone who has cleared the basic hurdles of the cloud marketplace, and avoiding restrictive specification that pander to your legacy switching costs,” he said. “Continuing the status quo will not bring about a transformative, service-oriented, technically-enabled society.”