Teymoor Nabili 0:03
May Ann, thanks very much indeed for talking to me today.
Lim May-Ann 0:05
Thank you for having me.
Teymoor Nabili 0:07
So, we’re talking cloud computing. And this report that we’re discussing was an amalgamation of parties coming together to discuss the issue. Just tell me a little bit about how it came about, and the purpose of it.
Lim May-Ann 0:21
Sure, no problem. That is a really good question because right now, what we’re seeing is a lot of governments, a lot of public servants, wanting to get on board this digital transformation train. And there are a lot of reasons why you want to do this. There could be a discussion around efficiency, there could be a discussion around Sustainable Development Goals and the green initiatives, there could be a discussion around everything is work-from-home right now and it’s Covid so we actually need to find a way to ensure that our government is digitized. How do we do that? Well, a lot of that foundational technology sits on top of cloud computing. So that is absolutely vital in order to build the next generation of fourth industrial revolution or next generation of e-government products for services to the general public.
Teymoor Nabili 1:10
Just from the perspective of the report itself, tell me about the parties involved because you represent the Cloud Computing Association, there were private sector elements involved and the Asian Development Bank involved, just tell me about that dynamic.
Lim May-Ann 1:21
The Asia Cloud Computing Association, of which I am the executive director, is a vendor-neutral association. So we’re not siding on any side of any particular vendor but we do represent business and technology interests. I’m fairly technical myself, and the ADB approached me to say, hey, we want to write and explain and demystify cloud computing to some of the public servants. Could you write it and explain it in a way that isn’t too technica but that makes an argument for using cloud computing to benefit the efficiencies, to make the best out of the cloud computing benefits for the public service? So there were elements of public sector involved, obviously, because we did obviously need to take best practices from countries like Singapore, the Philippines, Mongolia, giving an example of how different organizations, different public sector organizations, have used cloud computing to their benefit – how they’ve used it, what they’ve used. So that’s how everything came together.
Teymoor Nabili 2:21
That’s great. And the point you made there, which is, I think, essentially a great place to start. The point of the report is to tell the benefits of cloud computing. The basic premise here is that in this context of digitalization, in the context of cloud services and the explosion in digital activity, the argument you’re making is that cloud computing is the best way, systemically, to organize ourselves for the digital era. I just want to question that for a second. Let’s begin from that basic premise of why do you think that is the case?
Lim May-Ann 2:58
Well, the premise isn’t that it will revolutionize everything. The premise always starts with, as a government or as an organization, what do you want to do? So let me give you an example. A lot of the governments right now have to have Covid funds disbursed to their people, and they’re saying, okay, we need financial inclusion. Well, in order to get financial inclusion, everybody needs to have a digital identity; in order to have a digital identity, you need to have some form of communicating across all of the different government agencies to set that up in place. So how do you do that? You would want to build it on cloud computing. Cloud computing doesn’t solve the other issues. So for example, how you architect that particular design of the systems, it doesn’t solve it, but enables it to be done in a very fast, efficient and useful manner.
Teymoor Nabili 3:43
But the example you just gave was within a single government, departments being able to communicate with each other effectively. That can be done on a server, an in-house server. It doesn’t have to be in the cloud.
Lim May-Ann 3:55
But I think that a lot of times the in-house server, what happens, we’ve seen time and time again, has been done individually in different silos by different departments. Now, in a country as small as Singapore, it’s okay, because we’re essentially a nation state, but when you start having provincial governments, state governments, oh my gosh ,that connectivity, that interconnection, that standardization of how each individual server connects to other servers, that usually is a headache. Cloud tries to resolve it by creating a foundation which, the discussion within the cloud itself is taken away from the government. You don’t need to think about that technology, and makes the whole stack just easier to manage for the government.
Teymoor Nabili 4:35
Let me just bring up a couple of the issues that pop into my mind when we talk about putting these things together. And one is that efficiency is not always what governments are after in this context, anyway, is it?
Lim May-Ann 4:47
Well, not necessarily. I mean, definitely efficiency and streamlining is one of the areas in which you would start from and that’s a cost benefit analysis that you’d have to do. But again, I come back to what I started from. What does the government want to do? If the government wants to ensure stronger protections around, for example, data privacy, I think that it’s easier to manage one single server and one single data center and impose a lot of international standards on that particular server and data center than it is to manage about, you know, 20,000 other small little servers and having to audit and check every single one of them. So in terms of cloud computing, it actually increases the resilience and the ability of the government to control the mechanisms by which they want to feel more secure. So I would argue that actually, cloud computing gives you more control, not less.
Teymoor Nabili 5:38
I was thinking actually, when I was thinking about national interests, I was thinking in terms of things like employment, economic performance, the way they organize themselves. Are those not elements that come into this conversation?
Lim May-Ann 5:49
Well, I think national interests in terms of technologization and digitization of different assets, I think that this is something which all governments are moving towards. I’m not saying that it’s a fait accompli, but it’s something which everybody wants to do so that they can free themselves up, so that they can free their own people up, to develop in other ways. So as we move up that value chain, we want to enable governments to also move up that value chain for e-government services. Because I think, in many instances, what we’re seeing on the international scale is the role of the government is going to be exceedingly important in the years to come because of the requirements for data governance, and the policies that need to be set by the government on cross-border data transfers, management of human resources, management of national resources, moving people up the capacity scale of how to use technology. I think that all is really built on something like agreeing on cloud computing as a foundation, by which you can therefore free yourself up to say, hey, let’s do innovation, can we do it? Can we speed up a server? Can we take it down without needing to think too much about the costing? It frees you up, not just in terms of the efficiency and financial argument, but also frees you up in terms of just capacity. If you can do it, if it’s easy to do, and it’s all self-service, it just makes it easier.
Teymoor Nabili 7:15
Okay, it’s a couple of things you mentioned there that I want to get into: security and cost. Let’s start with cost for a second. You know, one of the points that you make in the paper is that cloud is more cost efficient. But if a government has already invested in a massive infrastructure nationally of computing systems, isn’t it more efficient just to maintain those than to spend on a cloud?
Lim May-Ann 7:35
To a certain extent, yes. I’d suggest you speak to your accountants, do your amortization rates, and then come to a point where you decide, hey, the cost of actually maintaining that server, that architecture, is not going to be worthwhile. Because there will come a point in the amortization where you’ll say, okay, it’s diminishing returns right now, already. In addition, in many cases, what we’ve seen in some of the aging infrastructure is the human resources that are available to maintain those systems – you’re going to run out of people, they’re not going to be learning those languages anymore. That’s number one. And number two, the longer you stick with those aging technology architectures, the more at risk you are for cybersecurity penetration, because it’s actually quite risky to keep old servers, old architectures in place for too long.
Teymoor Nabili 8:26
Security is obviously one of the major issues that everyone in any context with whatever technology is concerned about. Let’s get deep into that one. Now, you’re presenting cloud technology as being more secure, but is that really the case? I can think of a number of issues that might come up. One, for instance, might be just general regulation. The regulation of cloud companies internationally is very fragmented, isn’t it? There aren’t any real global cloud computing regulatory environments that everyone can rely on, and that guarantee the system.
Lim May-Ann 9:04
Thank you for that. Global regulations are what you raised. But in the premise to that, you said, let’s talk about security. So let’s talk about security. I agree with your statement that says there’s no global regulation of all CSPs, all cloud service providers, globally. No problem. I totally understand that. And I’m not expecting there to be. We don’t want that. What we do have is security standards, and those are internationally recognized. We’ve got SOC standards, we’ve got ISO standards, IEC standards, and all of these standards have got to do with how the controls for cybersecurity are placed on these cloud systems. There are also other systems for example, the EU GDPR system, the APEC CBPR system, which govern how cross-border transfers for personal data are managed. So there are all these systems which are in place. So yes, there isn’t a global regulation of all CSPs but for specific types of data transfers and data flows, there are definitely standards that are in place already for cybersecurity.
Teymoor Nabili 10:07
When we go into the cloud environment, we’re putting our faith in actors outside of our own control and outside of our own country. Is it not necessary to have a better understanding and a better consensus as to what that regulatory environment might look like?
Lim May-Ann 10:27
I absolutely agree. I think that’s where the assurance mechanisms are not quite in place just yet. I do know that government to government, let’s talk about jurisdictions. We’re worried that if we put data in a place that’s not in a jurisdiction, how are we going to get, for example, law enforcement access, or LEA law enforcement agency access, to the information? Well, that’s really got to do with procedures, which you yourself have to put in place. So there is some level of capacity building, some level of understanding of something like the mutual legal assistance treaties, the MLATs that need to be put in place. If you think that the MLAT system is not working for you, can you find a more efficient way of doing that for your own government that makes you feel reassured of using technology? I don’t think that there is a one size fits all approach that we’re looking at right now, but I do know that a lot of countries are working with the Asia Cloud Computing Association and others to work through their thoughts and the thinking about this to increase their capacity and to improve those processes as well.
Teymoor Nabili 11:25
What about the issue of hardware security? At the moment, as we speak, we’re still in the midst of this major disagreement, if you like, between the US government and Huawei. The issue of hardware, and how hardware is configured and why hardware in itself may be a security problem. How do we figure that into this conversation?
Lim May-Ann 11:48
That’s a great question. It’s a geopolitics issue, less about the technology itself. However, it really is also about the technology itself. What I would go into the discussion with, and how I would tell everybody to go into discussion with, is do your risk assessment analysis. It’s as simple as that. No single country will put all its eggs in one single basket, no country will put all of its faith in one particular country’s products. You’d always diversify your risk, you’d always assess the risk and then you make your decision then. So I would say that yes, there is discussion around hardware security, but you talk and you joke to people, well, would you like to be spied on by this particular country or the other country or this agency or that agency? Who’s trusted in this regime? So I think that it’s a matter of increasing the trust systems. Which systems are you going to place more trust in which can give you more assurance. We’re coming back to, again, security standards and assurance mechanisms.
Teymoor Nabili 12:50
Isn’t there a danger also, security-wise, that the cloud security industry in itself becomes a systemic force within any country, whether it be through a hardware situation, or through the cloud service provider, it becomes a systemic player within the country, and particularly within smaller countries. They may in fact, end up having an awful lot of power. Doesn’t that become a security issue?
Lim May-Ann 13:12
That definitely does and that’s why I mentioned earlier that governments are going to play a massively important role in the development of the fourth industrial revolution and those policies, because we’re seeing that you actually do need to have a look at that risk management for your entire country and say, actually, in terms of national interest, how are we going to control that mix of industry? How are we going to move around the different critical information infrastructure and ensure that we have a good mix, and, and not put all of our eggs in one basket? Again, that’s not a one-size-fits-all thing. It’s a conversation that takes a really strong government to do it. And I really want to free up, with cloud computing, free up the governments’ hands to actually think about these really important policy issues.
Teymoor Nabili 13:55
That speaks to the resilience question as well, doesn’t it? If you do have the market being dominated by one or two, maybe even three cloud computing companies, you have business risk. In the case of insolvency, for instance, what happens if one of those players goes down through insolvency?
Lim May-Ann 14:14
Absolutely. Again, risk management is your answer to this issue, because in every single cloud contract, you don’t go into using cloud computing just willy nilly. Everybody will have a service level agreement and within that service level agreement or the SLA, you’re going to have clauses, you’re going to have compensation clauses, where if the service goes down a certain way you’ll be compensated. Of course, you don’t want it to go down. So there’s always going to be checks and balances on what happens. Is there a failover? Do you need to pay extra for a failover? And again, this is a cost benefit analysis and the risk analysis that whomever is on the government side who is deciding on cloud computing is going to have to make a decision on, because it really depends on how much money are you willing to spend on this, are you willing to pay for disaster and other risk management approaches? Or are you going to say, okay, you know what, I’m just gonna do this and that’s all the budget that we have. That is a discussion to be had for sure.
Teymoor Nabili 15:13
Is there a sufficiently robust or adequate insurance system, for instance, to deal with cases of data loss, of insolvency, or things like that. Is that one of the elements available to governments to safeguard that?
Lim May-Ann 15:30
I was just talking to my friend about this. She’s in the insurance industry and she’s like, well, it’s a real big moneymaker but right now, the reinsurance guys don’t know quite how to cost it, because you never know how much the actual damage for cyber breaches are going to be costing. So it’s very hard to underwrite that sort of risk at this point in time. We’re learning, but I think that it’s going to be a journey for all of us. But to answer your question, are there insurance policies that you can take? I think, yes, there are, but what I would do is not put all your eggs in one basket. Have a multi-cloud strategy, talk to your cloud service provider. Let’s see how you can increase that business continuity, how can you increase that disaster recovery, how can you put a little bit more of a mix of clouds that are available to use so that you don’t need to be so reliant on one single system itself. And this could be across one CSP, could be across multiple CSPs. One of the projects that I’m working on right now it’s called the Fair Technology Institute. And it really talks about this exactly, do I really want to be putting all of our eggs in one single basket? What’s fair, what’s not fair? How can we think about it from a government perspective?
Teymoor Nabili 16:38
You mentioned the word disaster there. And when it comes to resiliency, security to a certain extent, we live in an area where natural disasters are very, very common. Putting things out to the cloud may seem like you’re diversifying, but in practical ways, in systemic ways, you’re actually bringing the risk much more focused into maybe a single line, one single data cable or some systems like that. Is there not a systemic risk issue in that?
Lim May-Ann 17:06
I really don’t think so. We have a lot of data centers that I know of in Japan, for example, and they have amazing technology on how resilient they are to the actual seismic shocks. I think that the benefit of putting everything on cloud is that as a corollary to that, you’re going to have to improve the other infrastructure, the connectivity infrastructure to your country. And if that connectivity line breaks, yes, you stop having business continuity there and then, but your data stored somewhere else is going to be still resilient enough. And if you’ve got a failover system within the region, you’re going to be able to get back up and running really, really quickly. And I think that in a lot of the most recent disasters that’s actually played a part in how quickly the country actually gets back on its feet.
Teymoor Nabili 17:54
We talked about the potential for the CSPs themselves, the cloud service providers themselves, if they become big enough, if they dominate the market, then they become something of a systemic risk within the nation itself. Let’s talk about that in the context of the consumer as well, because there’s a massive asymmetry of power between consumers and cloud service providers that are dominating that market. How do we balance that out?
Lim May-Ann 18:20
There are currently really, really interesting discussions around antitrust and competition issues right now, which are going on. And those are bigger and broader than simply the technology use of cloud computing to the government, which we’re actually focused on right here. I think that the discussions are massively interesting. They have a lot to do with history and how we’re managing the resources. But again, I come back to the point, governments are going to be massively important in how they want to see the technology mix that they’re using, and controlling it for their own government and how they’re playing out this within the industry mix that they have in their own countries. So the governments are going to have to upskill, they’re going to have to make sure that they come up to speed on understanding the technologies before they actually start to use them.
Teymoor Nabili 19:07
How can governments be assured that the cloud service providers have the interests in mind of the consumers, of the countries, of the governments, because privacy and rights infringements can happen at the level of the corporation. The ability of corporations to manage, manipulate, sell, use the data that comes out of those countries is something that governments can’t really control.
Lim May-Ann 19:32
That is a foolish, foolish approach if any government is going in and thinking that the private businesses are going to have consumers’ interests at heart, that’s actually a wrong approach. And again, coming back to the role of the government, the government has to have its citizens’ interests at heart and therefore has to work hard to protect that interest.
Teymoor Nabili 19:53
That’s my question – how does that relationship work? How can a government – if they set up and subscribe to the idea of cloud computing – they will most likely be getting engaged with one of the big players in global cloud computing. Their ability to make sure that they have sufficient control, and impose enough consumer protection activity around that relationship – how do they do that? How can they make sure that that is there?
Lim May-Ann 20:23
That is a super-duper good question. The answer is you need to find, and you need to play your role as the government, looking for ways in which the interests of the business community – in this case, the cloud service provider – is aligned with your own. They cannot afford the reputational risk of saying that, hey, this particular cloud service provider doesn’t protect anybody’s data, and if any government asks them for data, they’re going to release it. They can’t afford that reputational risk. So you need to find ways in which your own interest to protect your customer data, to protect your citizens’ data, is very much in alignment with the CSP’s. And I think that in many cases, they have become aligned. I think that the strong security concerns, the strong law enforcement access concerns, are shared by the major CSPs. And I think that that’s something which is a good thing, and it sends a good signal to the entire community and to our market, that this is something which both the business side and the government side are taking seriously.
Teymoor Nabili 21:18
And again, to the point of that relationship between large powerful corporations within a nation state, isn’t there also an economic danger attached to that, insofar as when you have the digital services being dominated by large players it tends to stifle the market internally, prevents any local innovation or prevents any local entrepreneurism, because they simply don’t have the capacity to get over the barriers to entry?
Lim May-Ann 21:44
Well, I think that that approach looks at it from a very zero-sum game. You’re saying that the pie is only this big, and if we slice it up, it’s going to go to them and these people are going to lose out. We’re going to have to look at it a different way. The digital economy knows no bounds at this point in time. We’re looking at different kinds of services which are being delivered digitally. And we never thought that somebody could grow up and decide that he wanted to become a YouTuber, for example, it wasn’t a viable job description previously. It’s new, it’s unusual. Let’s think of it as now we’re trying to expand the pie for everybody else. It’s not about slicing the pie and everybody gets a smaller pie. It’s about making it bigger.
Teymoor Nabili 22:22
Okay. Now, I’ve asked you lots of tough questions about the problems involved. Let’s take a slightly more positive approach to the issues and the questions here. So let’s go into a situation where we assume that a government in Asia decides that yes, cloud computing is the best way for me to provide citizens service, and to organize my digital environment in my country. What is the first step to be taken here? How does one begin to address the legacy issues that we’ve touched upon? The cost issues, the implementation issues, the local talent issues? What’s the first step for all these for this purpose?
Lim May-Ann 22:59
I always advise governments, let’s start small. Let’s start with a pilot project first. Let’s start doing something which you know is doable, to gain confidence. So to give you an example, let’s start with moving perhaps one department’s email onto a cloud service, and let’s see whether that serves its purpose. Does it still function well? Does it still play its role in a communication model? Let’s talk about the backend security, are people comfortable about it? And then after that, maybe you want to move on and talk about file storage and data sharing within a particular agency. And then you can start to dream a lot bigger, because the next step is going to be, okay, who’s going to talk about and plan the digitization for the rest of the government? So a lot of things have got to move in tandem with each other. So I said, start small, start with a proof of concept first, and then we gain confidence in the cloud, and then move on to bigger projects.
Teymoor Nabili 23:55
Where can governments go to get advice on this kind of stuff? What is the source of knowledge for implementation? Because this is not easy work.
Lim May-Ann 24:06
Again, there is no one size fits all. I know that one of the things which I’ve done is this paper written for the ADB. You can refer to that. Again, I’m vendor-neutral, not promoting any particular one vendor. Lots of the vendors will tell you and give you free advice if you’d like to talk to them as well. I think that other governments are actually going to be your mainstay, if you’re a government official looking for information on this. I know a lot of the work that’s been done in Singapore, in South Korea, in Japan, in the Philippines, a lot of thinking has gone on behind the scenes within Asia on how to actually get this done. And in many cases, there’ll be one particular industry or one particular regulator who has pushed forward in a lot more advanced way in thinking through some of the updates to the regulations that they need to get done. So, learn from each other, I would say, in the second instance. The first instance is, if you want to get free information, you can always go to the CSPs.
Teymoor Nabili 24:59
Back to what we were talking about at the beginning of the conversation, about regulatory systems globally and even regionally, is there much underway in terms of regional interaction and cooperation to make these issues of cross-border communication and regional standards more concise and more understandable and more practical?
Lim May-Ann 25:20
Well, I would say absolutely yes, and also, absolutely no. The reason is because a lot of the discussions are fragmented. There are discussions on the Asean level, for example, there is an existing discussion around this Asean single window where you do clearance of customs. Now that’s very linked with ecommerce discussions, and that’s very linked with consumer protection, and then that segues very quickly into data protection issues. And that becomes very niche very, very quickly. At the same time, that’s about standards and about information exchange, but they’re not really talking to perhaps the other side of things, which is manufacturing and logistics. Not quite, just yet. So how do we bring all of those together? Right now, again, there are platforms, there are discussions on the standards level, there are discussions on the ecommerce level, there are discussions on the trade levels. Are they integrated? Not quite yet. Are we moving towards a way in which we can possibly harmonize and take a whole picture look at the entire ecosystem? I think we’re working our way there.
Teymoor Nabili 26:20
And let me just finish off by asking you about sustainability. Tech For Impact is about sustainable development. In the context of the sustainable development goals, in the context of developing countries and their moves towards being more sustainable in the future, how do you think the cloud computing conversation can play into that aspect of things? Where is this technology able to help in making sure that development is more sustainable?
Lim May-Ann 26:48
I think that there’s been a lot of transparency from all of the data center players on how they do their energy mix. I think there is a very focused attempt to look at the carbon emissions which are coming out and the energy use of data centers, especially with Covid-19 pushing everybody into work from home and using all these data centers at this point in time. What the green discussion and how cloud computing contributes to all of this is that it centralises that discussion onto one or two or three or five CSPs who are building data centers and asking them – give us that accountability. Are you having a green energy mix? How are you buying your carbon credits? What’s going on with your contributions to ESG goals? And that’s something which I think is really a positive step. I think we’re starting that discussion. One thing I note within Asia, that we’re falling quite short on, is that there isn’t enough renewable energy to purchase. So we’re not able to actually justify that from the Asia point of view. But from a global point of view, I think that the biggest CSPs are definitely balancing that out really well.
Teymoor Nabili 27:54
May-Ann, thanks very much for talking to me.
Lim May-Ann 27:57
Thank you very much for having me.