Escape from Legacy – is Cloud Computing the answer?

Al MacIvor and Neil Sumner were asked to speak this month at the virtual ICDDF event on the challenges faced by UK policing around escaping from the lock-in to legacy systems that still dominates force IT.


From our experience of working at force level, we know that bespoke systems are critical to managing the investigative workload and supporting local ways of working. However, as these systems are often locally developed and business-led without formal IT support, keeping pace with change can mean a race to simply stand still rather than taking advantage of opportunities to innovate and improve.


In parallel, outside policing, IT services are moving with increasing inevitability towards the cloud. You are already using cloud services whether you know it or not. While it was once the case that the capabilities UK policing needed could only be developed in house, more and more of the capabilities that are needed can be bought as a cloud service, where you only pay for what you use. You can now access cloud services, in particular in the field of analytics, that have been built up over the last 10 years with a level of investment across industry and academia way beyond UK policing budgets and with greater capability than you could ever achieve yourself.


This inevitable evolution means that what were bespoke requirements and systems that had to be built in-house are now available to purchase as products, if not commodity services. A cloud strategy has to start with an honest assessment of where you are on this evolutionary path, what you want to achieve and what is stopping you. You can then determine what still needs to remain purely in-house and bespoke, what can be bought and whether using cloud services to build your own systems.


So, what does move to the cloud actually mean?


Well, as is the case with most systems engineering problems, it depends.

For most forces, it will mean a gradual migration of the systems that you may currently be running on a server under your desk onto a cloud platform – and potentially handing control of the platform and systems to someone else. This represents a significant culture shift – both for the end users and for IT departments who will have to consider architectural choices – can they use public or private cloud? Should they work with one supplier or take forward a multi cloud strategy? Is a hybrid approach needed? What trade-offs are acceptable around speed, control and security?

The first consequence of moving to the cloud is the consequence of connectivity. This can cause a rethink of your identity management and security controls for any legacy systems – what worked for a closed system with a well understood user base may not offer the security you need once connected to the outside world.


A further consideration is how you manage data privacy and protection. With a growing maturity of understanding from the public around personal data, you need to ensure that your processes and controls around data handling will stand up to scrutiny if needed. Again, this was rarely a consideration that is built in when local systems were developed – and isn’t always straightforward to retrofit, so a simple lift and shift of existing legacy systems may not achieve your goals. While it can be tempting to treat migration as simply moving to a new infrastructure platform, there is a risk of having to rebuild the “plumbing” of the application for no new user benefit while increasing the costs of sustainment. It makes sense to take a step back and consider this as an opportunity to improve functionality rather than doing the minimum to migrate.


You also need to understand your eco-system of suppliers as you no longer control security across your end-to-end supply chain. You will need to work proactively with your suppliers and consider what risk assessments you may need to do to counter any vulnerabilities that you may be faced with.


Your migration strategy has to be driven by what you want to achieve. For many, the focus may be on reducing cost rather than fundamentally changing ways of working. Although the high costs of legacy may help to drive a business case, you need to ensure that you understand what your new cost structure will look like – both the upfront costs of migration as well as the longer term “pay as you go” costs. Designing for sustainability has never been more important as many of your costs will now need to be covered through your ongoing operating costs via external contracts, rather than being hidden in ongoing staff costs.


So, migrating from legacy may not be as straightforward as “lift and shift”. While you had to build capability first time round, it may be an increasingly viable option to look at buying a product or service that can offer features you could not build yourselves or would not be in line with policy or information security constraints.

If you do decide to migrate, you need to understand that you need to take onboard a fundamental shift around how you design, build and pay for capability in a cloud-based world. If you don’t, you may just move all your existing problems to the cloud!


Considering Conway’s law

Conway’s law states that any system will reflect the communication structures of the organisation that builds it and is worthy of consideration in the context of moving to cloud. With national programmes looking to enable more consistent ways of working and data sharing, it’s tempting to assume that the roll out of cloud services could be managed from the centre. However, if we apply Conway’s law, we can see that this would impose unnatural constraints on local and national policing structures–imposing central control across organisations that are used to planning capability based on local or specialist needs. To successfully support UK Law Enforcement’s journey onto the cloud, national programmes must look to support local independence and innovation but can still provide a helping hand.


Five pillars for standardisation


We have identified five pillars where national programmes can work to ease local forces and specialist units in making the transition to cloud. The approach we advocate is the provision of standards, commodity services and support across these pillars, which should lower the cost both of adopting products and migrating previously locally managed systems. This is as much a culture change as anything else – to focus on the delivery of enabling standards and enabling more effective work at a local level rather than delivering one size fits all at a national level.

Firstly, national programmes should look to provide standard services for identity management. While this is now a commodity service and there should be no need to design and build your own, having a national approach to consistent identity management doesn’t just make sense in supporting security standards, it also helps support collaboration across organisations.


Similarly, information security and guidance around dissemination of information is another area where there should be standard, agreed requirements which can then be used to accelerate local deployments and developments. A consistent approach will also reduce risk and simplify compliance from product vendors as well as in bespoke development.


Thirdly, just as the area of data science and analytics has seen an early move to the cloud, driven by commonality of requirements, there is similar commonality around workflow, case management and coordination processes. However, despite common requirements to track cases, demonstrate a full audit trail and supporting working across multiple teams, this is an area of applications where locally developed and supported systems are extremely common – based on “the way we do things here” and there is often reluctance to standardise. Rather than one size fits all, we would propose that national programmes can accelerate delivery through promoting common design patterns where there are common ways of working, but also enable customisation to support local differences.


Next, comes the challenge of both mastering and sharing data effectively – one which has been challenging for many years. Rather than advocating a national push to a common, central data store, we believe that by focusing on national standards and interfaces to promote interoperability, there is scope to promote greater data quality, information sharing while retaining governance of its storage and ensuring appropriate handling constraints are applied. We have seen significant benefits from adopting the Information Exchange Standard (IES) data handling standard and the use of Enterprise Data Headers to provide structured, verifiable metadata can offer the assurance needed while supporting greater automation in data sharing.


Finally, we have already touched on one area where national coordination can make a significant difference – the supply chain that underpins the use of cloud services. We have already covered the need to manage risk across the supply chain, and national assurance of suppliers in achieving cyber security standards is a useful enabler to give confidence around their use. However, there is also a need to work effectively with suppliers to ensure that the products offered into this market can support national standards and interoperability – ensuring that ‘buy’ can exist as a choice alongside ‘build’.


It depends…..


Coming back to our initial question, will cloud computing help UK Law Enforcement escape legacy lock-in? While the adoption of cloud computing should not be seen as a silver bullet to addressing the limitations of legacy systems, taking advantages of the benefits of cloud computing and the services provided is an essential element of your journey.


However, you have to take a step back and look at what you are trying to achieve – is it simply a faster, cheaper horse or is it a transformation of your capability to tackle tasks you have never had the bandwidth to take on before? Don’t underestimate the change required in ways of working – and the need to design for sustainability and get operating costs under control with the same rigour traditionally applied to capital spend.


We’ve also considered the role that national programmes can take to accelerate new capability adoption or development at force level. We have taken the view that this should be to help put in place the foundations, encourage diversity in the marketplace and support independent innovation at force or agency level. Finally, interoperability is key to unlocking the benefits of cloud capability in driving more effective collaboration and ensuring that one set of operational silos isn’t replaced with another – but simply in the cloud.