It's pretty normal for ordinary government workloads in the UK, or at least it was at GDS. Using niche suppliers who cater to government paranoia is expensive, and they're usually much less mature than hyperscaler platforms. It's also open for debate whether those niche, inflexible suppliers result in a genuinely more hardened target or not.
In the Netherlands, critical infrastructure is required to be hosted in government cloud data centers.
An exception is possible if, after a risk assessment and the determination that no state secrets may be exposed, a government body decides to use a commercial cloud provider.
The private cloud providers list is then filtered by whether or not their country of origin / incorporation, or effective control, has an effective cyber-control program it runs against the Netherlands or against Dutch interests. This arguably includes corporate espionage programs.
Storage and processing location is a big, big trust issue on the world
stage. There are all sorts of wobbly notions of alignment. And no
doubt lots of leverage going on behind.
If you made a democratic poll and asked people, "would you like
national data stored in your own country or elsewhere?" there would be
no ambiguity in the answer. And that would not be an "uninformed"
poll, since matters of public trust should direct policy and not
technics and economics.
Of course there are good reasons for outsourcing, like geographical
diversity, but those raise new and I think separate questions like
"Who would you trust with our backups?". That nuance of examination
seems to be missing in the UK at present.
> "would you like national data stored in your own country or elsewhere?"
And if you ask the question "how much more would you pay to host UK data in the UK with UK owned providers only", you get the answer £0. So it doesn't happen.
Yes. I mean it's a fair objection to that question as is. Many people
expect technology to happen magically and for free. When it comes to
critical infrastructure like roads, reservoirs and the army, nobody
asks "how much would I pay?", because people elected a government to
make those decisions and raise taxes appropriately. Ironically one big
missing source of income is fair tax on overseas tech. Although we
have a body that recognises digital as critical national
infrastructure [0], some people in London haven't got the memo yet.
> GOV.UK Notify makes it easy for public sector service teams to send emails, text messages and letters.
Doesn't seem that critical to me. Important, but doesn't pass the sniff test of "is this a matter of national security" that would justify self-hosting ultimately slowing down development and making it more expensive and in effect less feature-rich for taxpayers.
EDIT: the API docs suggest this is used for sending formal Notifications en masse rather than mission-critical comms
Yes, personally I don't think it's a good idea to host these things with the US companies. As a citizen I prefer it's in my own country, unless it's really not critical or interesting information / services.
Is the gov.uk website infrastructure compliant with their own Cyber Essentials requirements? I very much doubt it, as the anti-malware requirements applicable to cloud providers that are not using Windows or MacOS ([1], section 5, subsection "Requirements", option "Application allow listing" on page numbered 14 in the corner) are not implementable as worded. Using Azure instead of AWS could have helped here.
It's pretty common, all the biggest clouds are USA or China owned.
In the UK, government services go through information security classification to determine what level of security is needed, with the most confidential stuff still being self-hosted.
You have to understand that buying computers comes out of the capital budget, and is several times more expensive than just leasing them for this year; and that hiring staff runs into severe civil service pay issues. Once "buy some computers and hire staff to manage them" has been ruled out by politics, buying hosting on the open market becomes the remaining reasonable choice, and nobody got fired for choosing AWS.
You can lease or even rent the servers without paying cloud prices, and there's a wide range of companies providing devops services on contract. So really, the main reason is your last clause - AWS is "safe" even though you might as well set cash on fire.
But then you have to run two competitive tenders, one for the servers and one for the contract devops. How much does that cost and how long does it take?
Unfortunately, cloud provision isn't very competitive and is very US/China centric.
I was at a talk recently around how one of the UK's major infrastructure providers was building their architecture, and I was pretty freaked by the level of vendor lock-in.
Would love to see more governments viewing this as the security risk it is, but I'm not holding my breath.