Amazon and Google Barred From UK Government Cloud
judgecorp writes "Amazon and Google both applied for a role in the U.K. government's 'G-Cloud' for public services, but were rejected, a FOI request has revealed. It is most likely this was because of concerns about where data was hosted and backed up. Amazon Web Services has a dedicated cloud service for the government in the U.S., but has not been able to duplicate that in Britain."
How could a government possibly turn down a chance to offshore a major chunk of its IT operations?
Apparently some governments have better sense than some businesses.
Sheesh, evil *and* a jerk. -- Jade
Why don't they run their own datacenter and have centralised IT services, rather than relying on some third party private company? Is it because they want to have someone to blame if things do go wrong?
If a company has any operations in the US, they are expected to follow US law worldwide. Even if the parent is in Germany and the offense occurred by a subsidiary in the Philippines, the US government has no qualms about going after their US arm. If this wasn't bad enough, it isn't always the Federal government. If the NY State attorney general thinks a foreign company has some dealings with Iran, he will not hesitate to pursue legal action.
If I was the UK government, how would I feel about the possibility of some low level government guy in Seattle saying, I can get to everything in the UK cloud without a warrant?
Obama administration is "arguing that you lose your property rights by storing something on a cloud computing service"
Source: https://www.eff.org/deeplinks/2012/10/governments-attack-cloud-computing
If you use the cloud, only do it for data you are willing to openly publish.
I'll bet it was because both of them had unacceptable policies regarding privacy, security/integrity and/or what they are responsible to do if a breach does occur. I'll also bet that those same policies were/are acceptable to various branches of American government, because our standards for those issues here in The United States lag waaaaay behind European standards.
THE ROLLING STONES GET OFF MY CLOUD
Hey, you, get off of my cloud
Hey, you, get off of my cloud
Hey, you, get off of my cloud
Don't hang around, baby two's a crowd
On my cloud
Amazon doesn't have a dedicated cloud service for the government in the UK which has rejected Amazon's application to provide cloud services for the government.
Will wonders never cease?!
And um, regarding comments on off-shoring data/services, Amazon certainly does have cloud services that run on hosts in the UK... Dublin mostly. (There may be open questions about the parent company being US-based, but those wouldn't have to do with the geographic location of the services and data, which surely would be hosted from the Dublin data centers.)
All down to current CESG guidance on data sovereignty. Until the new data classifications are fully launched (replacing the IL based system) this won't change, and even then it's down to the accreditor to assess the risk, so still doubtful we'll be seeing any major offshoring.
US cloud players will avoid providing geographically dedicated data centres, in jurisdiction without tax loopholes. Blurring the source of cloud services is essential to perpetuate the claim that the services aren't rendered locally and thus not substantially connected for tax purposes. If they were clearly rendered locally, they would be subject to taxes such as VAT and GST and they couldn't simply say you are purchasing services from a subsidiary in a tax haven, greatly increasing their profits.
This is how Google gets away paying $74000 in tax on a reported $1Billion revenue in Australia and why they won't provide the necessary dedicated data centres in places like Britain.
I stopped using Google search (switched to Duck Duck Go), because I'd search for one thing (Divorce lawyer) and they'd start showing adverts for divorce lawyers to my soon-to-be ex-wife and every other computer on my NAT. At some point, you'll draw the line and say enough, and you'll divorce them too.
I know it's not the same thing with their online office apps, but once they started down the Facebook route, you only need to look at FB and see where Google will end up.
If UK.gov has data on UK citizens, then it cannot hand that data out to a cloud service, it's not just the fact the US helps itself to that data and thus has all sorts . There's plenty of local office tools, you don't need to be stuck with Microsoft, you can do a perfectly workable local solution at a fraction of the cost without going cloud.
Also as long as USA is building up data on its own citizens, doesn't enforce its privacy for its own citizens, why on earth would you give them a single byte of data willingly?
Actually read the article (I know, against /. policy ;-0), read most of the comments, and nowhere read anything about it possibly being related to the Patriot Act. I happen to know that the Patriot Act is (one of) the reason(s) the Dutch government will not enter into an agreement with American hosting providers, surely the British have similar reservations?
(And yes, the article is scarce on facts, so cannot check whether all American companies are excluded, but heck: so could none of the other people posting a reply).
So:
MY guess is that the Patriot Act played a major role in letting this business opportunity slip through the fingers of American companies...
I'm sure these companies would love to give them what they want but thanks to US laws they can't be trusted. Europeans should give preference to hosts with no ties to the US if they have sensitive information.
The Governments in particular should avoid big large corporations because of that and because they're avoiding tax.
"Cloud Computing"? JUST SAY NO!
I don't know if you have read about so called "cloud computing". Basically instead of using programs installed on your computer, and storing your data on your hard drive/private network, "cloud computing" is using programs that are on someone else's server (via a web browser) and storing your data on someone else's server. I am sure that you can see the basic lack of security and other problems with this. Once the data leaves your computer/private network, you lose any control over who can access your data, thus you can have no expectation of that data remaining private or secure in any way.
There are even "netbooks" (small, low powered laptops) that basically use the web browser as the User Interface for the Operating System, so that you totally depend on the "cloud" for all programs and storage. You can add optional media for local storage. Sorry, but these expensive and extremely limited laptops are not for me. They make little sense for the average home (or corporate) user. These netbooks are as expensive as more traditional laptops but are much more limited. My used (but in excellent condition) IBM laptops are less expensive and much better built.
Corporations and their minions are pushing this "cloud computing" as the greatest thing since sliced bread, hoping to create a huge cash cow for themselves. Sorry, but I will still do things on my own computer and store my data locally (with off site backups at a trusted location). That way I always have access (What about the "cloud" servers going down or getting hacked?) and I control all access to my data. Even if your data is encrypted, if the encryption is not done totally on the local computer, the encryption key is stored in the cloud, thus accessible to anyone. Also, even if the "cloud" service provider is reliable, what about rogue or pissed off employees? There have been incidents where data has been lost (hardware failures etc...), and where data has been stolen by hackers.
Many people today seem to care less about privacy and security than they should. How else do you explain the existence of data mining sites like facebook, myspace, twitter, etc...? These so called "social networking" sites are nothing but a way for corporations to collect personal data to use for targeted advertising. If you don't believe that, read their user agreements. It is (not always clearly) stated that these sites own anything that users post there, and can do whatever they want with this data. In other words, to these sites you are not the customer. Corporations that want your information are their customers, you are the product being sold! Hackers often target these sites, stealing information to use for their own nefarious purposes.
"Cloud computing" is just a bad idea all around. Any advantages (if there are any) are more than offset by the disadvantages, and the impossibility of having any security or privacy. JUST SAY NO!
I am sure national governments will be really happy about storing their private/ secret data in another country's territory "because it's encrypted so it will be safe".
Would the US government network be happy about a Chinese commercial provider supplying their network provision on Chinese territory? without auditing the network? From the article: "Amazon had concerns over the stipulation that the UK government could audit US data centres" - Amazon were asking the UK government to store their data on another country's territory, and not even be given permission to check how the centres were secured? Not surprised the UK government weren't too keen on this deal.
The problem is simply that Amazon and Google servers in the US fall under the US Patriot Act. This means that the US Government ALWAYS has access to the hosted files, if it wants. It is not possible for a company and foreign government to negotiate on this: Amazon and Google are bound by US law.
Of course, as a government you don't want another government to have complete access to anything you put in the cloud. And in some countries (e.g. the Netherlands where I live) it is explicitly forbidden to host privacy sensitive information (e.g. medical records) on systems that have servers outside of the country in question for exactly this reason.
Ceterum censeo Carthaginem delendam esse
It's a totally fair and free process, however all companies except for three will be eliminated from the process due to various concerns, sadly this will include all major industry players. Two of the last three will be clearly unable to provide this service and will be eliminated in the last round.
They already know who they are giving this deal to and the decision has nothing to do with common sense or sound financial management. They will award this contract to a low quality provider with a history of dealing with UK government bureaucracy who by total coincidence has a high hospitality budget. Most likely EDS.
As are the bulk of Google's European operations infrastructure.
I'm guessing they don't want the Irish to have access to their government's data
The problem with putting it in a cloud, you have no control over your data. You can encrypt it. But there's no way to tell whether that data had been sent somewhere else. So I find it funny that UK gov't rejects Google & Amazon because they don't have a data centre in Britain? Once it's replicated, your data probably ended up somewhere in Asia or Latin America.
I used to log into salesforce cloud, and I noticed (using flagfox plugin) that I was routed sometimes to Singapore, Indonesia, Philippines, Hong Kong, Japan. That's how the cloud is supposed to be. So if you want to put governmental data into the clouds, know what you're doing. If you're stupid enough to store classified data into it, then your stupidity would be rewarded, once they break your encryption.
Government should always use a local (in country) solution rather than rely on a foreign solution, no matter how good a foreign solution might be. Things as important as government data, public websites, etc., need to be controlled in-country. The fewer people and networks needed to operate, the better.
I don't trust Amazon or Google with my own data. I really don't think I want them in bed with government. Government needs to use servers they control and operate, featuring DAC, MAC, and RBAC. Servers need to be dedicated to ONE task only. Only a few people need to be involved, and never a third, civilian party, which could compromise the data.
Seeing several comments here that seem to be treating this as an either/or discussion. Thought I'd post for the benefit of US & global readers: the UK already outsources plenty to service providers, and many of those service providers either run their own data centres or in turn consume managed capacity in one form or another from their own suppliers in turn.
For instance:
DVLA (vehicle / driver licensing) - Capita
Many civil service departments, including Highways Agency and significant chunks of what is in effect the civil service WAN - ATOS
TfL (Transport for London - authority and infrastructure for London and surrounding areas) - IBM
And yes - some of this data, and the analysts, are offshore already.
One does wonder quite why the DVLA needed 39 locations onshore in the first place however...
The stupid thing is, if they shut many of the expensive London offices and moved these services to the Northeast of England, they'd achieve a good half of the saving anyway and WIN political points. I can't understand why this isn't happening.
"... and more and more now there are all kinds of electronic goodies available" -- Pink Floyd 1972
The organization that I work for is building up our data center presence in the UK specifically to target that market, and to some extent, the whole of the EU. They do not want their data kept in the States. I do not blame them. With a global network like the Internet, it still strikes me as odd that it matters where the servers are physically located and why that matters for law. I mean, I get it... physical presence, search and seizure and all of that. But when you are dealing with encrypted SAN arrays and "secure" communications, the only difference between the US and the UK (or anywhere else) is latency on the connection to get there. It's not like the NSA is not snooping packets going into the UK the same way they are snooping packets in the US. Or if not the NSA, then British intelligence... or the Israelis, Chinese, Russians... The entire network is compromised anyway.
Google and Amazon could still have listed for IL0 public services on their clouds without having UK physical locations. e.g. Much of the Open Data content (police.uk/data) is published from S3.
Either they are not happy with terms, their services are procured via other channels, or they tripped up for their PR around paying a fair amount of tax based on UK revenues.