HMRC's switch to AWS killed a small UK cloud business

UK cloud minnow DataCentred went under after HMRC – its largest customer – pulled the plug on a services contract in favour of a deal with Amazon, the corporation recently accused by MPs of tax avoidance. Manchester-based DataCentred signed an agreement with the UK tax authority two years ago via the G-Cloud framework: its …


  1. MyffyW Silver badge

    We'd be on HMRC's back if they stuck with a niche player at higher cost.

    Question: Given scale and predictable workloads based on long-established tax-cycle would HMRC not be better running their own datacentre kit?

    1. This post has been deleted by its author

    2. katrinab Silver badge

      Most people file their tax returns in the last week of January, so you do need to be able to scale up then.

      1. Warm Braw

        Most people file their tax returns in the last week of January

        It's not beyond the wit of man to devise a scheme that would spread the load through the year. The HMRC could save considerably more money by devising taxation schemes that were easily automated, rather than putting out to tender the automation of the present labyrinthine tax code.

        Perhaps the Treasury could show some of that "flexibility and imagination" they're demanding from Michel Barnier.

    3. AceRimmer

      I'm sure HMRC do run their own datacentre kit

      But for any large organisation, a hybrid of physical data centre kit and cloud provisioned services will give the most flexibility and resilience.

      HMRC see a peak every year when personal tax submissions are due. Keeping a number of extra servers on standby for 11 months for a 1 month peak would be stupid. Better instead to (automatically) spin up a number of cloud hosted servers for the short busy period. The extra capacity can be (automatically) switched off and forgotten about as soon as they are no longer needed. On premise kit can deal with the load for the rest of the year.

      1. Doctor Syntax Silver badge

        "The extra capacity can be (automatically) switched off and forgotten about as soon as they are no longer needed."

        And when that's done what happens to the sensitive personal financial data left on the storage devices? Is it left for the next customer to pick up if they do an od over their newly spun up devices or is it completely overwritten with junk? And if it's supposed to be overwritten who verifies this?

        1. anothercynic Silver badge

          @Doctor Syntax

          The machines are still in HMRC's buckets. Ultimately you'd expect those machines to pump the stuff they get fed directly into HMRC's systems at home base rather than 'store-and-forward-later'...

          Once they are destroyed, they *should* be overwritten with junk and reassigned. At least I'd expect *any* cloud provider (AWS, Google, Azure, OpenStack Providers X, Y and Z) to do that properly.

          1. Kiwi

            Re: @Doctor Syntax

            Once they are destroyed, they *should* be overwritten with junk and reassigned. At least I'd expect *any* cloud provider (AWS, Google, Azure, OpenStack Providers X, Y and Z) to do that properly.

            One would expect it, yes.

            But can one guarantee it is done?

          2. davidcarboni

            Re: @Doctor Syntax

            I'd hope no one, gov or non-gov, is using anything other than encrypted storage.

        2. Kiwi
          Pint

          And when that's done what happens to the sensitive personal financial data left on the storage devices?

          Surprised at the number of downvotes on this!

          Quite a reasonable concern that the data is going offshore, and we know that the best systems have failures, so highly sensitive data could be left around (even if there's a mandate the disks are physically destroyed, some (many?) will "wander").

          Have one of these to take your mind off the weird downvoters! (cue some more for my tally as well :) )

      2. P. Lee

        >The extra capacity can be (automatically) switched off and forgotten about as soon as they are no longer needed.

        You can turn off the power to your own devices too, if you don't need them - it isn't against the law.

        With openstack you can at least move between providers. Using proprietary APIs is bad strategy, even if it provides savings at a tactical level.

      3. Anonymous Coward
        Anonymous Coward

        We're involved in that integration, and in a performance test a single one of our (not massive spec) physical boxes once took down the test Government Gateway (the old Microsoft cluster that took payment submissions etc) :) I think there are two or three of those boxes in total for all the tax submissions, which act as a buffer between submissions and processing. Really not that big a deal in terms of cost to keep them running all year round.

      4. macjules
        FAIL

        I'm sure HMRC do run their own datacentre kit

        You'd think so, wouldn't you? No, HMRC Infrastructure Services need a GPS system in order to be able to find their rears with both hands. 5 years ago we were all being told by HM Treasury (as it was then), "No, you may not use AWS as they are subject to USA PATRIOT Act regulation".

        Looks like that's changed then. Of course all our tax details are perfectly safe and not being stored on an insecure S3 bucket at all ..

      5. Kiwi
        Black Helicopters

        The extra capacity can be (automatically) switched off and forgotten about as soon as they are no longer needed.

        Just a thought.. What does that mean for data protection? I'd hazard a guess that people's tax (especially for businesses) is extremely sensitive information.

        Should it be going to a foreign government, especially one not exactly known for keeping its nose out of other people's business?

      6. LewisCowles1986

        Are you saying this business was only ever part of an on-ramp process whilst HMRC built in-house infrastructure, or that for a time they thought it was acceptable to pay a supplier for 12 months when they needed 1 month?

    4. This post has been deleted by its author

    5. Anonymous Coward
      Anonymous Coward

      "Question: Given scale and predictable workloads based on long-established tax-cycle would HMRC not be better running their own datacentre kit?"

      Excellent question, but often no, for a bunch of reasons.

      1) While predictable, HMRC workloads are extremely spiky. Self assessment being the canonical one, with 40% of submissions being done the day before the deadline. Likewise many processes are fundamentally batch, with huge once-a-month ETL and reporting jobs happening to drive much of the machinery of society. Last time I checked HMRC's average infra utilisation was on the order of 2% as a consequence.

      2) While for most organisations cloud is much more expensive than tin, for HMRC and most CGDs it's the opposite. Fujitsu's 'managed service' pricing scheme would make you cry with anger, and the lead times for new infrastructure are often quoted in the months or more. Absolutely kills any organisational agility.

      3) There are absolutely no in-house infrastructure skills, it all long-since having been pushed out to ICL/Fujitsu so it makes sense to buy as much of it as a service as is possible.

      Plus, frankly, for any modern organisation it just makes sense to at least have the option of using the utility clouds. Hybrid, multi-cloud strategies are emerging as the dominant pattern amongst the organisations I'm working with because they make loads of sense.

      1. J P
        Boffin

        HMRC load peaks

        While it doesn't affect any of the other aspects of the answers (and being able to transfer the "hardware risk" onto a 3rd party probably does make sense for HMRC), it is worth noting that long term HMRC are looking to flatten the SA filing spike with their MTD proposals - all business taxpayers are being moved to a scenario of quarterly updates in real time (which will in itself increase the average workload) meaning that for a fair proportion of them they'll have all the tax info ready to file for the year within a month of year end, ie by early May.

        The 31 Jan deadline will still be there (for those who have other affairs, or multiple trades with non-concurrent accounting dates) but will be less relevant in many cases.

        Separately for non-business taxpayers HMRC want everyone to manage things in real time anyway via their Personal Tax Account, and mechanisms like Dynamic Coding for PAYE and Simple Assessments for those with non-PAYE sources of income should reduce the number of full SA returns due on 31 Jan anyway.

        Note - although the Income Tax (ITSA) rules aren't mandatory, and won't be before April 2020 at earliest, HMRC are rolling out the underlying tech to VAT returns from April 2019. Unfortunately, what we don't yet know is how many businesses will be able to use the VAT transaction records to drive an income tax submission; but to the extent that they could, it'd facilitate earlier filing for ITSA.

        1. katrinab Silver badge

          Re: HMRC load peaks

          Unless you go for an Italian style 17 page Dichiarazione IVA, you are not going to be able to use it to calculate income tax liability.

          The Italians do arrange their affairs that way. It is an annual form, filing deadline is 28th February. It determines your VAT liability and your Income Tax liability. You still have everyone filing it in the last few days of February. If you make it a quarterly return, you have four peak days per year instead of one, but still the same number of people filing it on each peak day.

          When making tax digital comes in, you will still have to log into your account, check the pre-populated figures, add anything that is missing, and confirm that it is correct. It might make life easier for some tax payers, but the computer will have to do more work in retrieving all the figures from elsewhere, and people will still leave it to the last minute to do the confirmation.

          1. J P

            Re: HMRC load peaks

            You're quite right about the 4 peaks instead of one - the only real difference is it means you're using the capacity all the time instead of just once a year...

            As to the issues round using VAT (transaction based tax) info for ITSA or CTSA (profits based taxes) it'll depend on HMRC's cunning plan to get all "records kept and preserved digitally" and how well they can integrate that into the 3rd party software that HMRC apparently expect taxpayers to use in place of their current beloved spreadsheets. Since they can't practically outlaw the use of spreadsheets, the conversion rates to integrated packages will probably be lower than they'd like. As for those (800k or so) taxpayers who can't or won't use "technology" to communicate with the authorities, we're not quite sure what HMRC's plans are.

            In any event, the current draft ITSA regs set out reporting periods that are fundamentally incompatible with the vision of the MTD for VAT Legislation Overview to retain existing Prescribed Accounting Period rules for VAT. Until they sort that out, there's not that compelling a case to align your record keeping/submissions for the different heads of tax anyway - especially if they're not going to mandate any other MTD for Business until VAT has been shown to be a success. [Although that is 'shown to the satisfaction of HMRC & Ministers', which may not be the same thing as 'is']

          2. LewisCowles1986

            Re: HMRC load peaks

            Don't push for a damn quarterly return, it only benefits mega-corps. If I'm assessed per quarter it'd destroy my business and as a result I would turn to writing malware and attacking government and corporate infrastructure. The government has the table slid towards themselves on tax matters for normal people anyway, they need to punch the fat corporates in the mouth and start demanding their lunch money as well.

      2. patrickstar

        Isn't the sort of information handled by a tax agency potentially quite sensitive?

        What sort of cognitive mishap made them - and many others - think it's OK to run this on someone else's computers, shared with God-knows-who?

        Even if we ignore the whole issue of hypervisor breakouts and infrastructure compromise (especially Xen - as used by AWS - doesn't exactly have a stellar track record here), is there even ANY degree of control at all by the customer over who can actually access the servers and data?

      3. John Brown (no body) Silver badge

        "Last time I checked HMRC's average infra utilisation was on the order of 2% as a consequence."

        Maybe HMRC should be running their own cloud and selling off the excess capacity to other government departments.

        1. Roland6 Silver badge

          >Maybe HMRC should be running their own cloud and selling off the excess capacity to other government departments.

          I thought that was the original idea behind G-Cloud, before the Cabinet Office realised why government departments ran their own IT...

          Also by having a third-party operating the cloud, it is harder for the civil liberty crowd to claim government departments are secretly sharing data...

          1. AMBxx Silver badge

            If HMRC want to smooth out their processing, all they have to do is offer discounts for early filing.

            My accountant gives a discount if we send everything in early. Gradually drops month by month. If you send stuff in January, you're paying quite a bit more.

          2. Anonymous Coward
            Anonymous Coward

            "I thought that was the original idea behind G-Cloud..."

            Nope. Never was, never will be. G-cloud is just a bad name for a standard pricing book available to all government bodies. Essentially it's a mechanism for the common boilerplate/qualification paperwork to be handled by CabO rather than every CGD doing it for every RFP.

          3. Kiwi
            Black Helicopters

            Also by having a third-party operating the cloud, it is harder for the civil liberty crowd to claim government departments are secretly sharing data...

            Oh, they're sharing data alright. Only, it's with foreign organisations in foreign locations. Not exactly ideal!

      4. LewisCowles1986

        Short term, these strategies are amazing, but in the race to the bottom, everyone will be squeezed into a corridor of vendor-specific knowledge. If Amazon can keep that up for 2 decades, then they will have killed non-amazon offerings.

    6. Anonymous Coward
      Anonymous Coward

      Question: Given scale and predictable workloads based on long-established tax-cycle would HMRC not be better running their own datacentre kit?

      Good heavens, no, because then it would be too easy to see that they're handing off data to US agencies. By using Google and Amazon, that is all so much more covert - true automation at work.

      /cynic

    7. Anonymous Coward
      Anonymous Coward

      Niche player at a "High Cost"

      Let's put this into perspective. I am definitely not a math wizard, but if their revenue was £1.2 million in 2016, isn't 85% of it just over £1 million. Compared to what HMRC and many other government organisations spend on successful and failed IT projects, this doesn't seem expensive at all.

      1. LewisCowles1986

        Re: Niche player at a "High Cost"

        So the logic there is "You bought a Mercedes, might as well keep buying Fords as well because otherwise, you'll have to take a taxi?"

    8. scrubber
      Joke

      "would HMRC not be better running their own datacentre kit?"

      Why not just run it as hidden javascript on the browser of everyone who goes to the gov.uk website? Then it scales perfectly with increased demand for services.

  2. Anonymous Coward
    Anonymous Coward

    "However, The Register can reveal that six months ago the company was informed the tax collector would no longer use its services as it had revamped policy from being cloud agnostic to becoming an AWS fanbois"

    This isn't strictly true. What's changed is AWS and Azure now have environments rated to OFFICIAL and OFFICIAL-SENSITIVE on the G-cloud pricing book. That means they can now be used by central government departments.

    Previously Government was limited to niche, shockingly expensive players like this little lot and the likes of UKCloud and RedCentric. If you knew the amount of infrastructure involved in the >800k deal this now sadly departed minnow had you'd want to vomit with how stupid the pricing was.

    So it's not necessarily that the big boys are preferred (though DWP at least do have an aversion to Azure due to being burned by downtime), it's just that they're so much cheaper than everything else on the market that no one else is going to get a look in.

    And, frankly, should they?

    1. Anonymous Coward
      Anonymous Coward

      re: it's just that they're so much cheaper than everything else on the market

      Yeah, weird how not paying tax makes their offering cheaper....

    2. alain williams Silver badge

      How long UK before tax records taken by the USA

      What's changed is AWS and Azure now have environments rated to OFFICIAL and OFFICIAL-SENSITIVE on the G-cloud pricing book. That means they can now be used by central government departments.

      So what happens when the U.S.A. Supreme Court decides that law enforcement officials can access data on USA corporation owned servers in other countries ... how long before the USA slurps up all UK tax data on some pretext.

      1. Hans 1
        Facepalm

        Re: How long UK before tax records taken by the USA

        how long before the USA slurps up all UK tax data on some pretext.

        Do you really think GCHQ has not provided the data to the US already ?

        1. Anonymous Coward
          Anonymous Coward

          Re: How long UK before tax records taken by the USA

          Do you really think GCHQ has not provided the data to the US already

          Having been to GCHQ and met a couple of their guys, I'm pretty sure that Amazon's tech will provide the answers rather quicker than anything GCHQ could whip up :-)

      2. Anonymous Coward
        Happy

        Re: How long UK before tax records taken by the USA

        how long before the USA slurps up all UK tax data on some pretext.

        That depends on the download speed between Amazon's US data centre and the IRS's Compaq/386. Given American broadband speeds, I reckon about a decade.

      3. Roland6 Silver badge

        Re: How long UK before tax records taken by the USA

        how long before the USA slurps up all UK tax data on some pretext.

        Not sure if that really is the main reason to be worried; as a 'sovereign' state, I'd be more concerned about their ability to deny access to my data and hence the 'sovereign' government's ability to collect taxes.

      4. Anonymous Coward
        Anonymous Coward

        Re: How long UK before tax records taken by the USA

        how long before the USA slurps up all UK tax data on some pretext.

        You say that as if it's not already happening..

    3. Whitter
      Paris Hilton

      ...environments rated to OFFICIAL and OFFICIAL-SENSITIVE

      Are these environments really capable of meeting the GDPR requirements, or is it just the same fig-leaf as was/is used for Privacy Shield (or whatever it's being called these days)?

      1. Anonymous Coward
        Anonymous Coward

        Re: ...environments rated to OFFICIAL and OFFICIAL-SENSITIVE

        "Are these environments really capable of meeting the GDPR requirements"

        It's a bit noddy, but GDPR places no requirements on environments, but on holistic business processes, of which the underlying environment is just one small piece.

        Government also plays by a slightly different set of rules when it comes to GDPR (e.g. they're not allowed to use Consent as a Justification).

        O/O-S are Information Assurance standards, which are different beasts entirely to data protection legislation.

    4. Pen-y-gors

      What's changed is AWS and Azure now have environments rated to OFFICIAL and OFFICIAL-SENSITIVE on the G-cloud pricing book. That means they can now be used by central government departments.

      Counting down to the day we can buy all our tax records on t'darkwebs...

    5. Doctor Syntax Silver badge

      "What's changed is AWS and Azure now have environments rated to OFFICIAL and OFFICIAL-SENSITIVE on the G-cloud pricing book."

      Does this rely on the Privacy Figleaf? And let's wait & see what SCOTUS have to say that affects that.

    6. Anonymous Coward
      Anonymous Coward

      Of course this "UK cloud minnow" was more expensive - you can't compete with Amazon on price. What they did provide was strong customer support and maintained a great relationship with HMRC's cloud team.

    7. Anonymous Coward
      Anonymous Coward

      "Shockingly expensive"

      Not entirely true. Anybody who has used AWS at scale knows that you need a PhD to figure out the billing, which never even comes remotely close to what you initially had thought! Billing is so bad, that there are even companies that have been set up who help you understand your billing.

      But I believe you are missing the point of the article. In effect you are giving a whole bunch of tax money to a company that A) doesn't pay its taxes because of complex arrangements (loopholes) in the law and B) It is widely known that Amazon doesn't treat its employees properly. So is this the type of company you want creating jobs in the U.K.?

      Finally, let's be honest on why some central government departments are using AWS and it has nothing to do with pricing or data being classified at Official or Official Sensitive. Most CxOs are in for a 2 year stint and have been padding their resumes with AWS "transformation" projects, because they are on to their next job soon.

  3. HmmmYes

    For me, it's less what/whose the cloud is, more that the cloud provides an emulation of a stock x64 hardware.

    I don't care about having to learn and throw away cloud provider tools for admin-ing the VMs.

    I *do* care that I get a good emulation of whatever Plex86 spoof, and am able to remotely admin it.

    1. HieronymusBloggs
      Joke

      "it's less what/whose the cloud is, more that the cloud provides an emulation of a stock x64 hardware"

      Maybe it's time to move from writing your apps in assembly to using a compiled language.

      1. HmmmYes

        Nope.

        I do web stuff in Python.

        All that a cloud VM/hypervisor is, is a spoof of Plex - x64, whatever enet, spoof controller.

        I emulate the same spoof hw on my development machines. I know that the OS will have been installed in the same way.

        Then the hosting hardware can move from x64, to PowerPC to whatever. I don't care. I'm not tied to a physical hardware platform.

        1. Anonymous Coward
          Anonymous Coward

          Surely with Python and AWS/Azure/Cloud you're using containers no? In which case you don't give too much of a f*ck about the underlying hardware. Perhaps Intel vs AMD for MKL calcs.
