Take it to the cloud – or not?

Wednesday, 25 March 2015 00:00

Microsoft Asia Pacific Regional Director for Government Relations John Galligan visited Sri Lanka on 16 March to discuss secure cloud computing with its public sector clients. At a media interview held with Galligan, the concept of cloud computing and Sri Lanka’s take on it were discussed. Following are excerpts from the interview:

By Kiyoshi Berman

Q: Can you briefly explain the concept of cloud computing and why it has become a trend today?

A: Cloud is everything from how you outsource a technology to how you create a platform and how does the technology scale. It’s the next evolution of technology where you lease your technology, everything from the services, storage to processing power to another provider who can do it at scale. It allows you to change your technology usage according to your business growth and flow. If you need more computing power or more employees coming up at a particular time, you can easily scale up and scale down. Cloud is utility computing; you pay for what you use, no more, no less. It’s no longer, invest on the infrastructure and amortise the use from cap ex to op-ex. The cloud allows you to choose different services to match your needs like customer relationship management, email to hosting your websites and so on. The best thing about cloud is that it’s universal and with just a credit card, one can open up a business tomorrow without investing in technology. For me, it’s changing the entire orthodoxy of an organisation. The original internet was content based then it became more of a transactional medium. What the cloud does is to lay the overall architectural layer that brings the whole business models, essentially moving a lot of the business operations to it. It’s about outsourcing your technology needs to a provider; everything from hosting a website to building a network of ATMs and providing education.
It initially started as a cost saving and productivity measure but now the cloud is essentially the new platform for a whole lot of different apps to commercial and government environments. We have seen governments across the region take the first approach to cloud. They don’t want to have their own infrastructure, data centres and IT businesses as much as they used to. What they are now saying is – someone else can do it better, secure it better and scale it better. So companies like Microsoft have been investing in infrastructure for 20 years across the world. The efficiency we can bring to them is so much more affordable and scalable than doing it themselves. In an emerging economy like Sri Lanka for example, there are more mobile phones than people and I think the large portion of it is smart phones. The experience you have interacting with the Internet is now the way you want it to be. You want the government, your bank, your education provider, or your school to interact with you and the expectations from the provider are being driven by the end user or the consumer. The transaction costs in society wanted to be lowered, that is everything from knowing when my bus is going to arrive or is it going to arrive through to whether my child is getting the best education possible. The cloud increases the scalability of those services because the government or company doesn’t have to build the technology themselves and spend millions of dollars into the services, into the hard technology like data centres. Instead they can depend on a cloud provider to bring the service and quality that is expected.

Q: Can you mention some of the key issues raised regarding secure cloud computing at the meetings held here in Sri Lanka?

A: The security concerns are pretty uniform across the region or across the world, there are no such concerns that are particularly unique to Sri Lanka. The major concerns have been: can I trust the services to do what I want them to do?
Will it return the outcome expected? What if something goes wrong? Will my data be unnecessarily distributed and will it be secured from cybercriminals? There are massive issues of trust regarding the information stored in outsourced infrastructure. Reliability is also a big issue because essentially you’re relying on so much which was done in-house to be done by a different provider. So there are information security and privacy implications. They say data is the new asset class and there’s so much value to it these days. Therefore, there are many concerns in terms of the ways people expect information to be protected. When there is value attached to something security becomes a big concern.

Q: What is unique about Microsoft Cloud computing services?

A: I would say we’re very unique because we almost scale the full gamut of expectations of technology services. We run the largest consumer care businesses. We have 250-300 million people on our one product called Skype; we have 400 million people using our Hotmail and Outlook free email cloud which was around for almost 20 years now. We are the largest cloud provider to enterprises around the world; 90% of the Fortune 500 companies use Microsoft Cloud services. Governments around the world are probably our largest customers using cloud on a massive scale. From the US Defence department right through to the micro agencies, from very large developed countries to small emerging countries, rely on our services. Microsoft has 20 years of experience in running cloud services with search engines like Bing or Xbox Live for gaming and right through to the largest governments’ most precious information. We’re not an advertising company or search engine, e-tailer or retailer getting into that business. We’re a technology company and always have been. For 40 years now, we have been developing technology solutions for customers. We’re not getting into the cloud business; this is just an evolution for us.
Scale, heritage and the fact that we’re now the provider of choice for so many customers around the world is what makes us unique. We provide from free solutions, small business solutions to bespoke solutions for large enterprises. We don’t need customer information to run our services; we don’t use customer information as a product line. From a security perspective, we have been in the security business a lot longer than any other provider on the planet. Some of the cloud providers are less than a decade old but we have 40 years of heritage that helps us to build a trustworthy cloud.

Q: How to identify a proper cloud service provider?

A: The trust in the service provider, the level of transparency should be questioned regularly. These include: how do you architect your cloud service providers? Where are my data services located? Do you guarantee that your certifications are up to date? How can you prove your credentials? What are your security protocols? Are you giving away information to governments on request? The cloud is not necessarily new but people still look at it with a level of caution. As providers operating across 65 countries in the world, we don’t treat our customers any differently though they have varied security concerns. One thing that we’re trying to do is to provide a framework for our customers, not just to evaluate us but to evaluate any cloud service provider. We think that the industry benefits from everyone providing a trusted service. We take a very consistent approach to the underlying way we deliver services. Our principles (as given below) are often interdependent and together form the basis on which a cloud infrastructure is planned, designed and created:
  • Achieve business value through measured continual improvement
  • Perception of infinite capacity
  • Perception of continuous service availability
  • Take a service provider’s approach
  • Optimisation of resource usage
  • Take a holistic approach to availability design
  • Minimise human involvement
  • Drive predictability
  • Incentivise desired behaviour
  • Create a seamless user experience

Q: Do you think the current laws and regulations protecting data stored in cloud computing solutions, duly address its security concerns?

A: Some of the regulations don’t need to be updated because the principles around them are technology-neutral. The principles around data protection or security don’t change very often, it’s really a case of how. We do see the need for governments to provide some more transparency of what they think can be best practice. Some laws don’t have the disincentives for people who try to do bad things. There should be consistency in the way people should expect their data to be managed. For instance, if you say, yes I’ll download this application or subscribe to this service you shouldn’t have to read through twelve pages of privacy notices to be comfortable with using that service. Basically, secondary use of the information stored in the cloud should be very constrained. For instance, we signed a pledge in the US about student privacy. Because students don’t have a choice, they are not above age to give consent. But if students are being provided with a cloud solution, the data that is hosted about them will not be used for any other purpose whatsoever. Likewise, the contracts are there if something goes wrong, laws hopefully encourage correct behaviour but we think that ethics and transparency are more important in early stages of the cloud uptake.

Q: What were the notorious cloud computing threats of 2014, and what do you think they will be this year?

A: The threats for cloud computing would mainly be cyber attacks which are mostly cybercriminal attacks or State-sponsored attacks. In the case of Target retail chains, the points of sales (POS) were attacked and the bank JPMorgan despite having their in-house infrastructure was still attacked. There were various reasons why these organisations were attacked but the point is that the same threats apply to cloud computing.
Governments are attacked all the time by each other or by cybercriminals, and if you’re a health care provider, airline or education provider, data is the new asset class. It’s possible to pull some pieces of information together and create some value out of it. Simply having your full name, account number and mother’s maiden name might give out the passwords for your online music accounts right through to your bank account. I think that cybercrime will continue to be a threat to anyone using technology in government or commercial organisations, now and in many years to come regardless of whether they use cloud services or not.

Q: What are the basic measures that can be taken to mitigate the risk of data loss or breach in a cloud?

A: There are technical aspects like encryption. One thing we did to ensure that access was only given to those who approved access was to use deep encryption and more extensive encryption for the flow of information. We found out that governments were taking data as it was travelling on our own networks between data centres. The transparency of what happened is still unsure but we didn’t think that it was a point of vulnerability. From the end user to the data centre we encrypt the data. We now encrypt the data that moves between our data centres and we also encrypt the data at rest or the data lying on our data centres. So at every point of the data lifecycle, the data will be encrypted. There are tradeoffs for that though. It does slow down the movement of data and cause some inefficiency. However, encryption ensures data protection so no one can pry into the data. Also, I think the transparency at policy level, principles and ethics are important. It’s always the customer’s data and we’re just the custodians. The government and regulators must be there to make sure that companies like us are actually maintaining privacy of customers. Sri Lanka doesn’t have a national privacy policy yet.
This is not a unique problem, Singapore’s maturity of policies and the size of its cloud computing ecosystem is not even 12 months old. The advantage of preparing a data protection law now is that you get to choose and pick from lots of experiences around the world and build one that fits the purpose. That’s what Singapore has done very well and we want to encourage the Sri Lankan Government also to do so.

Q: What are your ideas on striking the right balance between innovation and security?

A: I think there is a lot of innovation around security but without security you won’t have innovation. When the cloud was first discussed as the next big wave of evolution, we were talking about productivity and innovation. Considering the fundamental shift from the internet to the cloud; it was an evolution in some cases and a massive change in another. I think the massive change was a point of distinction because the services could be subjected to outages or reliability issues that arise from fundamental security concerns. If you’re running mission critical applications, whatever that may be to you; we think security is an absolute necessity. A lot of service providers are now competing on security. I think we should make people feel like they can innovate with confidence. So that they can innovate as much as they want, focusing on what they do best while we provide a secure cloud service.

Q: Regarding the adoption of cloud computing, where do you think Sri Lanka stands compared to the rest of the region?

A: Well, I don’t think anyone has really cracked the code on countries that are really embracing cloud computing. I think Sri Lanka is far behind because everyone is still getting to that journey of the cloud whether in governments or enterprises. I think Sri Lanka has got a great opportunity with maturity of the cloud and the nativeness people are now expecting. In Sri Lanka, there are probably millions of people who use the cloud but don’t know they’re using it.
However, Sri Lanka can take advantage of the low cost services that are going to come into market and the experiences the other countries have developed allowing Sri Lanka to pick the best models for health care, transportation, education and financial services. Better to be second because you can learn from all those who have tried to do it first.

Q: What is your advice for Sri Lankan companies that are planning to move to the cloud?

A: First the company should look into its mission and goals and what they’re trying to achieve in terms of driving customer value, speeding up innovation and improving security. It is not about adopting cloud services and then hoping it will deliver. What I say to any business small or large, is start with what you’re trying to achieve in terms of new customer value, competitors, through to what can be faster and how you’re innovating. Then spend more time with what you’re good at while outsourcing what you don’t do that well.
