back to article You have the right to remain on-prem, but you should really head for the cloud, UK plod told

Six years after the UK government introduced its "Cloud First" policy, a load of police forces have continued to mostly keep their feet firmly planted on the ground, a survey has revealed. Just over half of UK's 43 police forces responded to a Freedom of Information (FoI) request, and 13 per cent stated that none of their data …

  1. MJI Silver badge
    Black Helicopters

    Oooo it's a Police drone

    Ready to catch the airport invaders!

    1. werdsmith Silver badge

      Re: Oooo it's a Police drone

      I always felt the outsource to overseas movement was a mistake and so it proved, quite quickly and conclusively.

      I also felt that pushing on-premise to Cloud was not smart but Cloud has improved and I am now happy with most things going to Cloud, because on premise IT is a bit, well, subject to ignorant management whim.

      But always ALWAYS try to keep it as lift and drop portable as possible and don't get yourself dependent on one provider who might decide to start squeezing you once they have you in their vice.

      1. Anonymous Coward
        Anonymous Coward

        Re: Oooo it's a Police drone

        "I always felt the outsource to overseas movement was a mistake and so it proved, quite quickly and conclusively."

        The problem with "cheap labour" for outsourcing is that as demand rises, so do the costs, limiting any savings to the first 5-10 years of a contract. It works OK for early adopters who have well documented environments that are transferred in a competent manner.

        Unfortunately, most outsourcing arrangements occur after local wages have started to rise and the savings are made by cutting corners during knowledge transfers ("transfer the information to the project manager and they will pass it to the technical staff when we hire them").

        Garbage in, garbage out?

    2. Anonymous Coward
      Anonymous Coward

      Re: Oooo it's a Police drone

      soon to become: ready to catch the airport evaders!

  2. Anonymous Coward
    Anonymous Coward

    Seems the right call

    The push to the cloud is not always the right move and for Government Agencies in both the US and UK (Not to mention other major first world nations)

    Its very possible to build your own 'cloud' on Prem.

    Moving to the public cloud can be a very costly mistake and it will take years to clean up the mess when the SHTF.

    You have to realize that the UK Government and US Government are large enough that they can build multiple DCs to support cloud like infrastructure without going to Google, AWS, Microsoft, etc..

    And it would be a heck of a lot cheaper.

    1. A.P. Veening

      Re: Seems the right call

      "You have to realize that the UK Government and US Government are large enough that they can build multiple DCs to support cloud like infrastructure without going to Google, AWS, Microsoft, etc.."

      But are they competent enough? Every time I hear of the combination government and IT, I cringe as overspending on failed projects is about guaranteed.

      1. Anonymous Coward
        Anonymous Coward

        Re: Seems the right call

        But are they competent enough?

        Well the orange panda knows how to tweet and has his head in the clouds, does that qualify? ...

        ...but here in Blighty we're going to pass the project over to Failing Grayling. You know it makes sense!

        1. JLV Silver badge

          Re: Seems the right call

          > orange panda

          Hey, show little bit of respect please.

          Pandas have fur, not toupees.

          Pandas eat a, not very balanced, diet of bamboo. Tweet-head, not very balanced, of burgers.

          Pandas have a (too) chaste sex life. Buffoon never met a porn star he wouldn’t $hag.

          Pandas are cute. Stormy’s already given her take on MagaMan’s looks.

          Pandas’ coloring is subtle, compared to the UV’d One’s strange industrial glow.

          Pandas are, comparatively, intellectually curious.

      2. LDS Silver badge

        "But are they competent enough?"

        There are some options:

        1) You can hire the people with the right skills (and pay them for that)

        2) You can outsource the installation and management of the systems - but keep ownership of it, and avoid that sensitive citizens' data are stored by commercial entities

        It is true many governments have a very bad record when it comes to IT project - but IMHO it's a big evidence there's something really wrong in how government people are selected - evidently they are with their heads firmly stuck in the past, and refuse to acknowledge the skill set required today is different from that of fifty years ago - and new recruiting practices are needed.

        Governments were able in the past to cope - more or less - with huge changes in transportation, communication, etc. Probably some of those changes were still understandable by people with the classic "governmental education", or maybe they were more likely to listen to experts.

        Now they are faced with changes they don't understand, don't want to learn, and think "experts" are those marketing people waving the bigger cheque.

        1. Doctor Syntax Silver badge

          Re: "But are they competent enough?"

          "2) You can outsource the installation and management of the systems - but keep ownership of it, and avoid that sensitive citizens' data are stored by commercial entities"

          You also have to hire people with the right skills to manage the outsourcers. The evidence is that those skills are lacking. They may well be the skills needed to make an informed choice between both your options.

        2. JLV Silver badge
          Flame

          Re: "But are they competent enough?"

          Part of that, apologies for the politics, is, _IMHO_, directly linked to union membership. On one side, seniority is paramount there and there is no incentive for a worker to leave, one of the main ways folks acquire new skills: by varying jobs. On the other side, you can’t layoff an insufficiently or inappropriately skilled unionized employee and your pay scales may not allow retaining star employees.

          In most cases, heavy public sector unionization is “just” an extra cost burden on tax payers. With IT, due to its ever-changing underpinnings, it’s a real barrier to having skills in-house.

          P.s. just to be clear: I am not against unions in dangerous occupations or in industries where the employer/employee relationship tends to predatory employers. Neither remotely applies to the public sector.

      3. UkSingh

        Re: Seems the right call

        I guess the government push to the cloud will also end up as being an expensive mistake, to maintain consistent failure

      4. Anonymous Coward
        Anonymous Coward

        Re: Seems the right call

        But are they competent enough? Every time I hear of the combination government and IT, I cringe as overspending on failed projects is about guaranteed.

        This isn't always the case.

        And even if it goes to the cloud, its the same IT staff.

        And then you have the issue of security.

        So the key is to hire competent staff.

    2. Doctor Syntax Silver badge

      Re: Seems the right call

      "Moving to the public cloud can be a very costly mistake and it will take years to clean up the mess when the SHTF."

      Just think of the "Who, me?".

    3. Teiwaz Silver badge

      Re: Seems the right call

      You have to realize that the UK Government and US Government are large enough that they can build multiple DCs to support cloud like infrastructure without going to Google, AWS, Microsoft, etc..

      Should be, but there have been 'incidents' that certainly don't reassure on that assumption of compentance.

      Just 'google' (or search engine of choice) 'government unsecured aws buckets' for ample lack of assurance.

  3. Teiwaz Silver badge

    And who says 'cloud first'?

    A quick search (hardly conclusive, maybe), brings up the UK government reference or (more tellingly) the likes of AWS and other cloud providers....

    Don't most people who blindly follow the instructions of companies trying to sell you things get considered gullible and generally need someone to look after them?

  4. Rich 11 Silver badge

    Initialism

    Yes, some forces use a combination of on-premises, hybrid, private and public. We probably need a new acronym for that.

    HFC-SSD

    Horses For Courses - Screw Stupid Directives!

  5. Anonymous Coward
    Anonymous Coward

    What about the US Cloud Act?

    I would have thought it was a Very Bad Idea for plod to put anything in any way sensitive in a US-linked cloud (almost all of them) given the US Cloud Act.

    1. Fenix43

      Re: What about the US Cloud Act?

      Agreed - to say nothing of FISC and the fact that transferring data anywhere offshore (outside of EEA until the day of Brexit; then anywhere outside of the UK) is almost impossible for a UK Law Enforcement agency (a Competent Authority) to practically do under the terms of the DPA 2018 Part 3 Chapter 5 (see here for explanation - https://www.linkedin.com/pulse/dpa-2018-part-3-eu-exitall-change-owen-sayers/)

      Its not strictly speaking illegal to do - but every single transfer of data must be provably "strictly necessary", and must be reported to the ICO with a full justification each time you do it.

      Since nearly all large public cloud requires offshore transfer in order to work (certainly Azure/O365 do and AWS whilst able to work mainly in European Geo groups will have the same problem from Brexit day); its literally going to make the UK CJS community unable to use Public Cloud.

      And since many non-cloud services use EU hosting or support desks the problems post Brexit will impact them too.

      Police (and other CJS) + Public Cloud = legal nightmare + potential for lawsuits galore

  6. Doctor Syntax Silver badge

    Fair do's

    We call out the police often enough for unlawful data retention etc. Let's give them credit for doing the right thing by being at least cautious here. It might be, of course, caution about the risk of what happens when there's a leak from the traditional misconfigured AWS backup of stuff they shouldn't even be holding.

  7. wyatt

    Interesting times with the police, there's a lot of companies offering hosted software, advertising it as a saving the force as it can be scaled up and down as required. My major issue with this is that whilst the software/licensing may be scalable, the people who have to operate it aren't and so you're generally working to fixed figures taking away any advantage. Couple this with adding an internet link which could be lost (yep, I know about redundancy) you add a layer of risk.

    1 large police force hosted their ICCs in a a manufacturers data centre. They suffered an outage and decided to bring it back on prem, literally having the servers moved to their own data centre in the back of peoples cars to get functionality back.

    Hosted systems/data have their benefits and pitfalls, you need to weigh up each and ensure have business continuity to carry out your job.

  8. Anonymous Coward
    Anonymous Coward

    I wonder

    I wonder if some of these forces have realised the government is full of shit. Cloud first means more expense. Hybrid is cheaper but some hipster IT execs think "full cloud" is going to be cheaper despite having it clearly slapped in the face that "its fucking more expensive".

    Funny that we had a local force come to our site to "explain" IT security to some managers. When I found out I looked at the forces site. Funny, they were still using a certificate that was part of the lot that was deemed untrusted as lots had been stolen from the vendor. I mentioned it. They never replied. A month or so later I checked and they were "developing" a new site. Still using the old certificate on the current site though.

    I give up.

  9. Dedobot

    Why not Yandex cloud, pretty sure they will give massive discount for Brit's police and intelligence:-)

    Honestly, pressing security forces to use and rely at private owned , foreign! services for sensitive data and operations is beyond absurdly.

  10. M7S
    Coat

    We probably need a new acronym for that.

    Hopefully Integrated Public, Hybrid, On-premises & Private

    HIP-HOP

    Well, somebody's got to take the rap.

    1. Jimmy2Cows

      Re: We probably need a new acronym for that.

      Can't we just call it CLUSTERFUCK?

      That's what it will become once all that lovely sensitive data is on private potentially foreign hosts who can lose access, lock-out on a whim etc.

      Yes, that's exactly where sensitive citizen data should be held.

  11. Christoph Silver badge

    There's some very nasty security issues

    The possible problems are not just the standard one tiny configuration mistake and all your data can be read globally (and there's some horrendously sensitive data that might leak - such as thugs finding out who shopped them).

    But suppose someone gets write access? Delete their own records and the evidence - or add records and 'evidence' to someone else's file. And all sorts of other nasties depending on just what gets stored.

    1. ExampleOne

      Re: There's some very nasty security issues

      "In a statement today the police denied any evidence existed that AWS were engaging in illegal activities. In an unrelated announcement, they confirmed they were renewing their AWS subscription for another year"

      Or maybe I am just being cynical.

  12. Maelstorm Bronze badge

    Cloud security? What can happen?

    This is just me, but I have been against cloud storage for private, sensitive data. The only way that data in the cloud can be secured is to encrypt it BEFORE it is stored in the cloud. In some cases, you might be able to use a custom app to access the cloud, and perform the crypto on the fly. Also use obsure or random file/directory names so if someone does get access, they will not be able to determine anything.

  13. mr_souter_Working

    numbers?

    "Just over half of UK's 43 police forces responded to a Freedom of Information (FoI) request, and 13 per cent stated that none of their data and applications were "in the cloud". 71 per cent had sent anywhere between 1 and 25 per cent of workloads cloudwards, while only 4 per cent were in the 26 to 50 per cent bracket."

    first of all - it is "percent" not "PER CENT" - FFS!

    OK, so just over half of 43 is 22

    13 percent of 22 is - 2.86 - so 3 of the forces states that none of their data and applications "were in the cloud"

    71 percent of 22 is 15.62 - so 16 of the forces had sent anywhere between 1 and 25 percent of workloads cloudwards

    4 percent of 22 is 0.88 - so 1 force was in the 26 to 50 percent bracket.

    now, why is this surprising to anyone - to make use of cloud services, you must cover certain minimum requirements

    1. You must have fast internet access everywhere - fast enough so that all the staff in the building can access the cloud and anything else they require from the internet

    2. You must meet data protection requirements - ensuring that all the data stored is hosted entirely in the UK and Europe (most of the data held by the police cannot legally be held outside the UK/Europe - and come Brexit, it will all need to be held within the UK)

    in addition to the above, most police forces, and other government agencies, generally only replace kit after a very long and drawn out process - it takes years for them to plan and move any applications on to new hardware - never mind implement new apps and services (one Scottish Local Council had spent at least 2 years trying to implement iPads for councillors - before changing to Surface Pro's, and the project has taken another 2 years - and is still not fully implemented)

    1. Anonymous Coward
      Anonymous Coward

      Re: numbers?

      "You must meet data protection requirements - ensuring that all the data stored is hosted entirely in the UK and Europe (most of the data held by the police cannot legally be held outside the UK/Europe - and come Brexit, it will all need to be held within the UK)"

      So you pretty much nailed it:

      The data cannot be transferred (which includes viewing it from offshore on a screen) to a 3rd country - currently as you say outside of EEA and from Brexit anywhere other than UK - so its not just hosting; it can be support too, and after Brexit it could affect a whole lot more than just cloud - that convenient DataCentre in Dublin that you use for DR is now offshore and hence pretty much 'verboten' - DOH!

      It CAN legally be held there but its an absolute nightmare to do so and would require more paperwork per case of offshoring that the size of the data itself - so not illegal, but absolutely impractical.

      The real question is why the hell the Police and wider CJS (there are well over 700 Competent Authorities in the UK) cottoned on to it? (and indeed neither have the press).

      My thoughts are:

      1 - Their DPO's still think they operate under 'GDPR' - they do but not for any operational law enforcement data (which is most of what they process; so maybe that GDPR course wasn't ideal for the new DPO appointee?)

      2 - Their IT/CTO's/Service Providers are unaware - or don't think anyone will actually do anything to enforce the law - even though breaking the law to keep the law is kind-of...bad?

      3 - The Cloud providers are pushing their wares as hard as they possibly can to get folks hooked up ASAP so they find it too hard to move - just look at the National Enabling Programme for O365 (no actually don't do that; its a bag of rags..)

  14. Anonymous Coward
    Anonymous Coward

    Cost

    I would bet the main reason most of the police forces haven't migrated to cloud is cost. For a regional police department managing it's own budget the cost of going cloud first doesn't make sense.

    If the gov provided a centralised cloud services platform then that would be a different story.

    1. Spanners Silver badge
      Big Brother

      Re: Cost

      If the gov provided a centralised cloud services platform then that would be a different story.

      I would still question the security. If you lower the cost of public cloud to roughly the price of existing systems, you will drop the security so low that you might as well give away copies.

      1. Anonymous Coward
        Anonymous Coward

        Re: Cost

        No argument from me on security. All I was saying is that cost is the most likely reason more regional forces haven't jumped on the "cloud first" policy.

  15. Twanky
    Meh

    Six years after the UK government introduced its "Cloud First" policy...

    So this is promulgated by 'Government Digital Service'? Is that the same outfit that mandate use of ODF formats for information exchange across government?

    https://www.gov.uk/guidance/using-open-document-formats-odf-in-your-organisation

    Oh. Them...

    Never mind. Right. Where were we?

  16. Nolveys Silver badge
    Trollface

    One force questioned had gone all-in on the public cloud (with restricted access, of course)

    Access restricted to those with Internet connections.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019