ShareBy Mohammed Al-Roomi
Mohammed Al-RoomiKUWAIT: The government of Kuwait announced a strategic alliance with Google to set up a local office, open multiple data centers which provides organizations the ability to host data/resources within the Google Cloud in Kuwait, and support the government migrating its systems onto the cloud.
Public Cloud Services (like the Google Cloud) are now mature and proven to deliver superior performance and stability compared to the government running and operating their own infrastructure. Therefore, accelerating Kuwait's technology transformation, by adopting public cloud services can be a step in the right direction, for the Kuwaiti public and private sector, if implemented and managed correctly.
Whilst this announcement can be a cause for optimism; it is a massive undertaking, requires multiple years to implement, and needs top talent in the Kuwaiti government experienced within this space who can ensure the government is selecting the best Google resources (ie computing, storage and networking services) that meets its needs for the lowest cost and highest rate of productivity.
Limited information so far
Several local news outlets reported that the deal could cost Kuwait in excess of a billion dollars. Limited information was released regarding how the government evaluated cloud vendors, if proper due diligence was performed, the basis on which Google was selected, if the cost of the deal is justifiable, and if the interests of the government were adequately protected (ie Service Level Agreements, Protection against fines, etc). The starting point for cloud contracts is primarily the suppliers' (ie Google's) standard terms, which tend to be supplier-centric. Thorough pre-contract due diligence is vital before entering into any cloud agreements.
What can go wrong
Key risk areas to consider related to cloud transformations include: Cloud Strategy & Reputation risks
*Delays in the cloud journey because of dependencies, unpredictability, legacy systems etc. may result in a risk that the initial business case doesn't pay off.
Operational & process risks
*Organizations do not adopt their current risk management approach to the new cloud environment.
Corporate governance risks (compliance, regulatory requirements and data privacy)
*Insufficient transparency on data holding aspects leading to non-compliance with legal and regulatory duties.
Availability and resiliency risks
*Lack of business continuity planning addressing cloud provider failure, acquisition with negative impact, or change in their service strategy.
Infrastructure risks
*Considering the complexity of the existing IT landscape. No clear target architecture defined. Addressing aspects such as: directory services, network micro segmentation, authentication, encryption, logging and monitoring and use of virtual machines, containers and/or serverless computing.
People risks
*Knowledge management, skills and change. Legacy systems knowledge is lost because of team changes and larger focus on new topics. Lack of communication and focus on the people dimension in general.
Data management risks
*Lack of data management ownership due to missing governance structure lead to insufficient protected data.
Vendor lock-in risks
*Dependency on the cloud provider (ie Google) and lack of portability and interoperability in case of missing IT architecture concepts.
Cloud security risks
*Risk of data leakage, eg due to configuration errors during the cloud transformation. Confidentiality breach due to identity & access management issues.
Why migrations fail
Many IT leaders and entities experienced failed cloud migration projects because they move systems into the cloud only to find that they were costlier and don't work as well there as they did prior to the move. Reasons previous Google Cloud Migrations did not succeed include:
* Unclear shared responsibility model/overdelegation
* Cloud platform and services selected were not fit for purpose
* Operating cost on the cloud exceeded the cost of purchasing and managing infrastructure independently
* Vendor lock-in
Unclear shared responsibility model/overdelegation
There is a general misconception that by moving to the cloud, the provider (ie Google) will take care of everything and that organizations don't need to do any administration. The government of Kuwait and/or companies are still responsible for managing and securing their systems. Understanding the shared responsibility model is vital when determining how to best protect data and systems on Google Cloud. Over delegation can lead to security breaches and risks not being handled/managed appropriately.
Cloud platform and services selected were not fit for purpose
Application evaluation is crucial. Evaluating each application supporting the various government agencies is of paramount importance to determine which can move as they are into the cloud and run successfully, which should be modernized and which should be decommissioned and replaced. Organizations that just migrate systems as is (ie lift and shift) run the risk of system failure. Code changes or optimizations should be considered for each system to take advantage of native cloud services. The government of Kuwait and/or companies need to ensure they understand the Google service offerings available (ie Compute Engine, App Engine, Kubernetes Engine, Cloud Functions, etc) and select the ones that best suit their needs. Choosing the wrong offering can lead to lack of control, increased operating costs, slow system performance or failure, and the inability to take advantage of what Google can offer, particularly around agility, resiliency, efficiency, and innovation.
Operating costs
Cloud computing is popular as organizations seek to save money on IT costs. However, the cost of running systems on Google Cloud can be more expensive if not implemented properly. If systems are simply "lifted and shifted" into the cloud without being modernized to use the Google environment efficiently, the government can end up paying more than the cost to manage and operate systems within their existing infrastructure.
For each system, the government plans on migrating, they should have a technical understanding of the system and the proposed architecture they plan on implementing that makes best use of the Google cloud (and any associated cost savings).
Vendor lock-in
When organizations move systems to the cloud, the core motivation is often to break free from the demands of maintaining the infrastructure themselves. However, if the government of Kuwait is not careful, they might end up in a cloud lockup with Google. This is called cloud vendor lock-in - a scenario where you become tied to a cloud service provider without an easy or cost-efficient way to break free.
If for some reason, Google's quality of services declines with time; or it never meets the promised thresholds, being locked into one vendor can be dangerous. When re-architecting and migrating systems into the cloud, the government of Kuwait should ensure the backend infrastructure that supports the systems is interoperable with different cloud providers.
Next steps?
The cloud is a must-have to compete in the digital age. The need to develop products/electronic services more nimbly, and operate more efficiently, drives the businesses and governments to pursue transformative technology solutions on the Google cloud.
However, if the right due diligence isn't performed, the appropriate Google products aren't selected, the complete governance structure isn't in place, and the right talent and skills aren't involved; the consequences over the cloud implementation to the government can be significant.
Note: The views expressed in this article are those of the author and do not necessarily reflect the views of Ernst & Young Global or its member companies. Mohammed Al-Roomi is a senior manager in Ernst & Young's Information technology advisory practice with over 12 years of experience managing information technology (IT) matters for international companies. These organizations include high profile Big Tech corporations, Globally Systemically Important Banks (G-SIBs), and Media conglomerates.
