Thoughts on recent NZ IRD advice on using Cloud Computing services

My Twitter trigger finger went off at record speed earlier today:

NZ IRD gets Cloud Computing WRONG WRONG WRONG http://bit.ly/e1d8s0

…this in reaction to an open advisory notice from the New Zealand IRD (Inland Revenue Department) on using New Zealand businesses “using Cloud computing services to store business records in electronic form”.

The key phrase in this advisory is:

The failure to keep the books and documents in New Zealand as required by the Inland Revenue Acts is an absolute offence under section 143 of the TAA. A person convicted of this offence is liable to a fine.”

In my opinion, although the advisory does raise some serious issues about disaster recovery, business continuity and data sovereignty, it’s clear to me that the law – or at least this interpretation – needs to change urgently. Otherwise NZ inc. will be unable to reap the substantial economic benefits of a 21st Century IT model, and will carry this backward-looking legislation like a dead weight while everyone else in the world runs on ahead…

It seems to me that the IRD’s position boils down to a largely mistaken understanding of technology risk: it assumes that data placed in trust with an (almost inevitably higher priced) on-shore provider is less at risk of loss or security leakage than data placed in trust with an industry-leading international vendor. As a technologist who has been working in the cloud space for over 4 years, my professional opinion is that this is plain wrong: the IT and security maturity of international scale vendors far exceeds the capabilities of our domestic players, who even now sometimes have extremely scary moments. I also think that these international vendors are far better at understanding their own commercial risks around reputation management and know that if they screw up, they’re dog food.

Therefore, any risks that the IRD is thinking of must be non-technical, non-commercial and hence political in character:

Yes, NZ Inc. would be at high risk if both (sigh…) the internet pipes were shut off by overseas governments / terrorist organisations. But then so would NZ Inc if there was a shipping blockade or international sea pirates. At a base level, what fundamental difference is there between shipping containerloads of milk powder internationally (subject to shipping and customs inspections) and shipping cable fibre loads of data back and forth (subject to CIA inspections, natch…)? – other than the value of the items being shipped, carbon emissions involved and ongoing ecological vandalism caused by intensive farming, but hey….

(See also recent commentary from IDC on how this DIY IT position is unsustainable even in the public sector, the NZ Government’s own open-ended advice on using offshore ICT providers and a recent article that quotes a DIA manager saying “the government may have to make sacrifices in such treasured concepts as privacy and sovereignty, so that public sector organisations can take advantage of the “convenience” of the cloud” Some consistency is required!)

Several other counterarguments spring to mind immediately:

- Firstly: precedent – I seem to remember from my time working for a large multinational that all of their primary financial record keeping systems for all of Asia Pacific (including NZ) were certainly not based in NZ – in fact, their superstar CIO was proud of trumpeting the cost reductions from globalization of their IT consolidation from 90 datacentres down to only 6 worldwide.
How does a small NZ business renting a SaaS solution to get the same economies of scale as a major multinational differ from that multinational in terms of data domicile? Not a lot.

- Secondly: With hardly a week going by without NZ’s new government signing another free trade agreement, this is surely a directly discriminatory policy against NZ businesses getting the best value service from offshore.

Rod Drury and co at Xero were onto it immediately (impressive internet media management as always) with this delicately worded blog post: Working with the IRD on cloud computing. Given that Xero are market leaders in this space, and also that they host with Rackspace in the USA, their whole business model (and that of all c.20,000 of their NZ customers) was suddenly deemed illegal by some bureaucrat, no wonder.

Fundamentally: IT and data management risk are just normal business risks to be managed by commercial businesses. The IRD seems to be saying that in fact, they know how to manage IT risk better than business owners and professional IT managers. That is wrong.

Prevailing theme from 2010: The accelerating rate of technology change becomes clear

It’s nearly the end of 2010 (2010!) and I’ve just returned from a short break tramping (hiking) in the beautiful Abel Tasman National Park in New Zealand – great weather and nothing but sunshine, nature, sea and a 20kg+ backpack for company for 3 days. (OK, there were quite a few German tourists on the trail as well but other than that…) Highly recommended part of the world if you’ve never been.

Anyway, getting away out of it is a great opportunity to take the mind up out of the day-to-day and reflect on the bigger picture. I managed to spend a fair bit of time thinking about the wider trends behind what’s we’ve been seeing in our business over the last year, what our customers have been seeing, and what the implications are likely to be going forward.

Cloud uptake by in-house IT

When I set up Memia in mid-2008, I was pretty convinced that cloud technology was on the cusp of rapid mainstream commercial uptake by in-house IT departments. However, as it turns out – in our home market at least – the inertia of the embedded on-premise model and residual concerns on security, reliability and usability have slowed down the pace of adoption I expected. Whereas we’ve seen our early adopter customers gain major improvements in reliability, productivity and collaboration – all at a fraction of the cost of traditional do-it-yourself IT – they are still the minority who have dipped their toe in the water. CIOs, generally a risk-averse bunch, are still waiting for greater industry uptake – and, dare I say it, have a vested political interest in keeping an army of “IT guys” feeding and watering servers rather than culling their empire. Plus, many larger IT organisations have 3-year-plus sunk investments in IT infrastructure which they’re not going to write off immediately due to accounting rules. As a result, my experience over the last year has been that SaaS and cloud have only really been compelling for micro and small businesses where there is a compelling focus on cost. That said, the impression I’m getting now (coming out of the recession) is that cloud computing and SaaS is now a broadly accepted paradigm in many medium-sized organisations and next year will see many more CIOs taking the plunge – whether they are pushed into it by their boards or not.

Cloud impact on Systems Integrators

Meanwhile we are observing many of the “Services 2.0″ predictions made by Narinder Singh of Appirio (2 years ago!) back in Dec 2008 coming true with uncanny accuracy: where previously on-premise Systems Integrators would have aimed for $10-$15 of services revenues for every $1 of software licences, the new model allows for only $2-$4 – if that. The old labour-intensive, sales-intensive one-off custom integration model just won’t be sustainable going forward. SIs have to turn into scalable SaaS businesses themselves selling “integration as a service” if they’re going to survive. Again, my impression is that today’s established SI’s are sleepwalking towards a revenue cliff and haven’t quite understood the new disruptive cost models and capabilities of the competition. I’m constantly amazed hearing about local organisations who are building their own data centres and server farms even NOW! Guys, have you *seen* Amazon’s pricing? What is it that you can do better??? The infrastructure game is a race to the bottom which will be won by the players with the biggest economies of scale and the best technology. The only question is when, not if. I give it 3 years max.

ISV Migration to the Cloud

Meanwhile in the ISV space again we’re seeing a considerable interest now in the SaaS model. Working with our ISV customers over the last year has given us a detailed understanding of the new risks, challenges, pitfalls and yet major opportunities of moving to the SaaS model. Basically, if you want to run a long-term, scalable software business then you *must* offer a multi-tenanted SaaS offering as soon as possible, period. However, the trick is to know how to do this while keeping your existing on-premise customers and without cannibalizing your existing market.

The key “table stake” of playing in this space is to get your technology strategy right: to support both on-premise and multi-tenant SaaS simultaneously using the same codebase, to support multi-channel mobile access, and to build a new 24/7 IT operations capability. And yet this is really difficult to achieve. CTOs are increasingly nonplussed as the landscape is changing so dynamically and at an ever faster rate, with technology adoption cycles and investment lifespans getting ever shorter. A year ago, who would have anticipated the rise of Android to shipping over 200,000 units per day? The trend for bring-your-own consumer devices (iPads, iPhones) into the Enterprise? Microsoft’s apparent dead-ending of Windows Mobile and Silverlight? (Where IS Microsoft going, anyway…?). Perpetual “nearly there” HTML5 support? Google’s lurking in the background of the Enterprise space and who knows what they’re doing either…

Just how does a CTO in 2011 correctly understand what’s going on out there, and then plan technology strategy accordingly?

The Accelerating Rate of Technology Change

The biggest impact on my thinking this year was reading Ray Kurzweil’s The Singularity Is Near back in May. Even though it was written back in 2005, and in many ways should now be superceded, it is an extraordinary, outspoken, visionary book which is highly relevant to today’s technologists. The key theme underlying the book is simply this: technology change – according to many objective measurements – is not linear but accelerating exponentially. Just because our cultural inheritance brings us up to assume that things will continue to change at the same rate as currently, the fact is that they are getting faster. And faster. Put another way, there will be as much technological change between 2000 and 2014 as during the whole of the 20th Century. There will be the same amount again within the next 7 years after that.

Absorbing this fundamental understanding has a profound effect on how one thinks about the future. Whether or not you can bring yourself to agree with Kurzweil’s extrapolation of the Technological Singularity (when machine intelligence capability exceeds all human intelligence capability), as happening around 2045, he still maps out the many potential changes in IT, robotics and nanotech over the next few decades which have to be taken account of when developing tech strategy now. (Amazing meme: 1 human brain = approx. 10¹⁶ computations per second (cps). In 2045 there will be approx. 10 billion (10⁹) humans on the planet => 10²⁵ cps in total. If Moore’s law continues at it’s current rate, this would be the equivalent of just $1000 of computer processing capacity!)

So, the major landscape changes we’ve been seeing over the last years can be understood as just the continuation of aeons of accelerating change. Fundamentally: CTOs need to underpin their thinking with this knowledge, and understand the corollary that product investment lifespans and adoption cycles will be ever shorter going forward.

At Memia, this thinking has really permeated our way of looking at strategic engagements, and we have come to feel at ease with exponential technological change. Nay, wildly optimistic at the opportunities it brings! In 2011 we will be re-focussing our consulting offerings to work with our customers to develop robust strategies which fundamenally take account of the dynamic and ever-faster-changing technology landscape.

Exciting times.

Rebuilding Canterbury #2: Buildings of the future

(Off-topic again following our recent Earthquake!)

So, the resurrected Mayor Bob Parker announced last week an Architectural task force led by “Architectural Ambassador” the eminent Ian Athfield: see http://www.stuff.co.nz/the-press/news/canterbury-earthquake/4129202/Row-grows-over-rebuilding

My personal thoughts:

- I love futuristic architecture (see the video above). I used to live in central Edinburgh and loved the historic buildings there too, but I always felt that the “heritage” of a place often stifles innovation and preserves an obselete past in aspic. The fact that everything is built to be (relatively) temporary here in NZ is actually quite enabling. (Unfortunately the down-side of this is too many lowest common denominator strip malls and big-box retail sheds…)
- We need one or more landmark “phoenix” buildings which commemorate the earthquake event and the optimism that we now feel in Canterbury to rebuild with confidence. We should leverage Christchurch and NZ’s eco-image as well, and deliver a world-class eco-building cluster as an example for the rest of the world. In fact, let’s make the Chch CBD an architectural theme park! Let’s get our own Sydney Opera House out of this.
- The CBD needs more technology businesses: instead of building an “innovation park” out on some anonymous industrial estate near the airport, let’s make the whole CBD an innovation zone, and a new type of technology campus in itself: let’s get citywide wi-fi, hot desks and rent-by-the-hour office facilities. The majority of cloud-based tech businesses which we deal with these days need only a desk, a wireless internet connection and a good laptop. (And educated capital, natch, but that’s another post…)
- The ability to renew some of the uglier older buildings in town (now that the Post Office has been transformed into CCC’s new HQ: in my opinion that building, amazingly regenerated inside, really gives the city a renewed confidence), check out the practice of adding Building Skins http://buildingskins.blogspot.com/
- Ultimately everybody realises that this is an opportunity to add to Canterbury’s international brand as a modern, thriving and vibrant (ok, niche) business centre, and to continue to provide commercial and community facilities which attract more inward investment and skilled migration. Lots of landmark buildings please Mr Athfield!

Rebuilding Canterbury the smart way #1: Libraries

So…. going off-topic a little…I’ve been thinking about our future here in Canterbury after Saturday’s earthquake, and about what the positive opportunities are to invest wisely in our future.

First off: libraries. My wife is currently a student at University of Canterbury, whose libraries were devastated by the quake as shown in these shocking pictures: http://www.canterbury.ac.nz/photos.shtml

So the questions I’d be asking are: how much money is available to rebuild a library, and how should it be best spent?

Option 1:

• Renovate or completely rebuild the building
• Buy a load of new shelves
• Purchase a library-full of replacement books
• (Not to mention chop down forests, use litres of ink, ship the books from A to B and pay someone to catalogue them and stack the shelves….)
• AND: the knowledge in the book is out of date the moment it’s set to paper

Option 2:

• Ensure that all study materials are published online from now on
• Provide campus-wide free wifi
• Subsidise all students to buy a tablet with e-reader software (see http://www.androidtablets.net/ for some examples)
• AND the knowledge is updated without needing a reprint, plus everyone gets accessible wireless internet access to carry around with them.

So if you’re in charge of the business case for rebuilding UC’s libraries, think forward rather than backwards! Books are just too obselete now to support a modern learning environment, and commodity technology is well ready to replace them.