HMRC boss defends shift to AWS, says they got 50% knocked off HMRC's Permanent Secretary has defended the UK tax authority's decision to ditch a British cloud slinger in favour of tax-efficient multinational Amazon, citing bumper savings. As exclusively revealed by The Reg, the taxman moved its data out of Manchester-based Datacentred six months ago. HMRC was the firm's biggest client …
@Tom 64
...is paying a tax-dodging foreign company.
The following happened when Gordon Brown was Chancellor
"Inland Revenue's property sold to company in tax haven"
"AWS took a large loss on this"
Apparently data is worth something, AWS getting HMRC's entire dataset would be pretty valuable as far as random datasets go. Even if Amazon don't want the data themselves, I'm sure lots of organisations of varying degree of shadyness would like to buy it. Win win for everyone but the tax payer.
"or AWS took a large loss on this"
Yep, you wouldn't believe the "free credit" and discount you can get from Amazon if you're serious about using their services, they'll practically give you a year's free use of their services if you're deadly serious about signing up with them. Although personally I think it's like a drug dealer, it's all rainbows and happy visions to start with but once the honeymoon period is over I can imagine the freebies are long gone and you're going to be fronting up for a lot of services you've been playing with and can't easily extract yourself from.
"and the price reduction on this was more than 50 per cent for us."
"AWS took a large loss on this"
That's only part of it. Sure, for reasons of reliability, scalability etc it does make sense to rely on a big cloud provider, but it's not all about money. HMRC put themselves in a position where their critical infrastructure depends on a company who it shuuld be looking very closely at for playing "jump-the-tax-loopholes".
Incidentally, it strikes me as curious that Amazon along with Google, Apple, Starbucks and a few others are often mentioned as great tax dodgers but Miscrosoft rarely gets a mention...
"So either cloud margin is stupendous (which seems rather unlikely bearing in mind the large amount of competition)"
That's the thing thought isn't it, exactly how many firms do you think were certified to hold HMRC data? Given that AWS and Azure only just got certified there probably wasn't much in the way of competition before.
Or to put it another way, this is a government contract, do you really think that HMRC were paying normal commercial rates?
ROFL
I soon won't matter what that [redacted] says. Once the USSC says yes to the Feds then it will be open season on all data held by US companies anywhere in the world. They'll be able to collect it all and Amazon/MS/Google/Oracle/Rackspace/Apple/whoever won't be able to stop them.
Uncle (sic) Sam is indeed the top Big Brother these days. Google and Facebork are mere also rans.
The only difference is that the clock won't strike 13 as US times never go beyond 12.
"Uncle (sic) Sam is indeed the top Big Brother these days. Google and Facebork are mere also rans."
Perhaps. But they do have the excuse of stopping bombers, organized crime, and other criminal activities. Whereas Google, facebook et al, slurp up your life firstly the better google up your bandwidth in order to try to sell you shit you don't need, and secondly to manipulate your opinions and dull your senses.
The CIA do not need a court approval to spy abroad they will just ask MI5/6 to install the necessary equipment and then start monitoring. The UK Government will be happy because when they ask MI5/6:
- have any foreign governments accessed the UK AWS data centers? the answer will be NO!
- are you accessing data held in the UK AWS data centers? again the answer will be NO!
This is a crucial point. US judges can order US companies to release data even though it is held on servers entirely outside the US and have done so in the past (search for Microsoft Dublin).
- 50% savings are good
- Outsourced infrastructure good
- UK tax payer data at the mercy of the US Trumptatorship - sad. Very, very sad.
Also, is this just IaaS, or are HMRC locking themselves in to the entire proprietary Amazon application stack, in which case two suppliers just narrowed down to one. Bend over the barrel HMRC .... this is going to hurt. That 50% was just an introductory offer.
"US judges can order US companies to release data even though it is held on servers entirely outside the US and have done so in the past (search for Microsoft Dublin)."
Microsoft refused to release that data and subsequently redesigned their security so that remote access to local data requires local approval. So it doesn't matter anymore what a judge in the US says about data in Ireland. If a request isn't legal in Ireland, it's not happening...
Unlike Google who's security isn't as good (presumably largely because they are built on *Nix and you can't block root access to a file system like you can block admin access in Windows as *Nix doesn't have a very good ACL / security model in comparison) and they CAN access remote data from the US...
" If a request isn't legal in Ireland, it's not happening..."
Maybe. Unfortunately Ireland is not the UK. Remember, the UK like the US is part of the "Five Eyes" intelligence group and it's a good bet that if one of the members wants data held by another member it will be passed on.
Being a smaller, non-aligned country certainly has its advantages when you want to say no to the likes of the US.
The Microsoft Dublin case isn't over - its just been accepted by the US Supreme Court. It also only concerns interpretation of the US Stored Communications Act. The US has an arsenal of legislation that enables it to grab data from overseas - not least FISA (Foreign Intelligence Surveillance Act) 702 which Congress is reauthorizing to 2025
"They can fine Microsoft all they want, but it's no longer physically possible without approval from a local data custodian in Ireland."
Is this actually the case? The only thing I've read on these lines is about this arrangement being put in place in relation to the new DC in Germany. It's possible they've rolled this out elsewhere and I've missed it.
"Unlike Google who's security isn't as good (presumably largely because they are built on *Nix and you can't block root access..."
That's an amazing pile of ground axes and bad assumptions you've got there. Bravo.
Out of interest, what is The MS equivalent of a Container, and how many reboots does it requires to use?
You mean something like this https://azure.microsoft.com/en-us/overview/containers/ ?
Yes, except on your own PC, like chroot on Unix, jails in BSD, Zones in Solaris...
I've been given a commercial binary to run which I don't trust. I'm putting it in a Zone, and confining its cpu/mem/network/filesystem access. What do you do?
"*Nix and you can't block root access to a file system like you can block admin access in Windows as *Nix doesn't have a very good ACL / security model in comparison) and the"
You fail at UNIX, OTOH you excel at talking smack and making stuff up. Just a few pointers for you:
1) root is not an "Admin Account", and it shouldn't be used as such - we've known better for several decades now.
2) chroot was available in UNIXland at least a decade before WinNT was even on the drawing board (Win 3.1, 3.11, 95, 98, ME et al didn't really have anything like that). Better and more comprehensive mechanisms have been implemented many times over since over the past *three* decades as well.
3) As for MS "redesigned their security so that remote access to local data requires local approval" - they have been doing that off and on since NT was released and quite frankly the CVE reports speak volumes for their fallibility when it comes to securing a machine running Windows.
Being cynical I doubt you'll be taking any of the above to heart given that you are probably just shilling or trolling - where the truth or rational arguments aren't actually relevant.
Nope small companies just can't compete at cloud level.
They would have to build several DC's with all the costs, have to buy all the equipment in at near normal pricing and then pay the staff.
They may have 10 staff looking say after 100 racks, where as Amazon may have 10 staff looking after a 1000 racks.
Nope small companies just can't compete at cloud level.
They would have to build several DC's with all the costs, have to buy all the equipment in at near normal pricing and then pay the staff.
Well given the number of data centres HMRC currently operate, Amazon will be having to build several new DC's in the UK to satisfy the HMRC requirement: "We need resilience in data centres and we need someone who can hold that data for us."
Which raises the question whether part of the deal is that Amazon takeover a few of HMRC's datacentres.
It's only a bad thing if you can prove it. Which can get tricky when commercial sensitivity trumps disclosure. Or it should be a simple decision because AWS doesn't (for tax purposes) make any money in the UK. And if it's bought this business at a loss (Finance can do that), it would be an even more tax efficient deal. And if anyone complains, well, a 150% increase to put the deal on par in an equally efficient (not tax avoidance) manner wouldn't be in the public interest now, would it? And competitors are free to use the same tax strategies as Amazon, because HMRC believes in a level playing field, and treats SMEs and multinationals with armies of lawyers the same way.*
But both carefully selected partners share similar flaws, ie US disclosure requirements, and getting your systems & data into AWS/Azure is easier than getting it out again. So much for government 'open source'. The IRS will no doubt be happy if they can subpoena UK tax records from Amazon US though, especially for an US nationals living & working here who're trying to escape their clutches.
*Yes, that was sarcasm..
Yesterday, someone commented that the HMRC should build a centers that can handle more than its maximum volume at peak times and lease usage to other gov agencies. I thought that was a great idea. That would enable Gov to ensure smaller companies got support contract and control where the information is held and how its shared. Of course, that would preclude Pols and Bureaucrats landing jobs with AWS or its support companies when they retire. Otherwise, great idea.
he said: "No, there are two... and the price reduction on this was more than 50 per cent for us. There was a clear value for money [justification] of moving down this route."
Now there is one and they can bump the price because the other has gone bump.
He could have worked with the original supplier to see if they could match the price but lets be honest Amazon could give it away for free if they wanted.
"He could have worked with the original supplier to see if they could match the price"
That's not how procurement works.
Also let's get real. Datacentred were a two-man shop who had leased a *single* datacentre so old that even Fujitsu thought it was too expensive to operate. They had a turnover of about £1.5m quid.
We shouldn't be scrutinising HMRC's switch away from this organisation to the current world leader in hosting services. We should be asking why services were procured from such a clearly unsuitable organisation in the first place.
This is not true. DataCentred employed 8 engineers to work full-time on their OpenStack and Ceph cloud platform.
HMRC's MDTP had been running 50-50 on DataCentred's OpenStack and UKCloud's VMware-based service for a good couple of years and handled peak SA workloads without a hitch:
https://www.gov.uk/government/news/another-record-breaking-year-for-self-assessment
HMRC at one point were so pleased with what they delivered that their Delivery Service Manager gave a talk about it at an OpenStack Summit:
https://www.openstack.org/videos/austin-2016/british-tax-authority-hmrcs-openstack-journey
Well, this isn't entirely accurate. Most of the MDTP runs on Fujitsu kit in Fujitsu DCs via FAST or on tin - neither UKCloud nor DataCentred were rated sufficiently high enough for anything other than some of the less important web frontends or for emergency failover duty.
I've no idea where you've got the 50-50 figure from - one of the principal reasons DataCentred has been dropped is they've almost never been used. Note that UKCloud are still a key supplier (for now..). DataCentred were almost never used because they struggled to meet any of the engineering requests that came in - secure networking requests in particular were pretty much ignored because of their lack of technical staff. (8? You are 'avin a giggle)
They had basic Openstack and basic Ceph but not much else. Surprisingly little of the MDTP runs on Openstack and nothing else in HMRC leverages Ceph because Ceph is absolute pants.
As a result they were left unfit for purpose and charging 2-4x more than an off the shelf solution from AWS, Azure or anyone else.
To reiterate, we should be asking why these guys were ever contracted and why it took this long to ditch them, not why they've lost out now. HMRC were swayed by their promises of "200 technical jobs" and "eight new datacentres". What they were actually selling was Dr Mike Kelly and his 3 old racks of spare Fujitsu kit.
My opinion is that EqualExperts bear a lot of the blame here - they're as bad as GDS for selling snake oil. Which shouldn't surprise you given they're basically the same organisation.
Setting aside your strawmen, let's focus on a few facts:
MDTP is HMRC's PaaS layer to legacy data and systems that themselves sit in secure facilities. You can read more about its architecture, code, and the microservices currently deployed here: https://hmrc.github.io
The application and middleware sat, until recently, 50-50 across UKCloud and DataCentred's cloud deployments, with the front-end distributed via a CDN. The data accessed by MDTP sits in secure facilities, but to say that the service itself lives in these same sites is patently false.
I genuinely have no idea where you have the notion that support requests were dropped or that you dispute my claim with regards to the number of technical staff they employ. The former sounds like an amusing anecdote made up by a competitor, and the latter you could fact-check for yourself quite easily via LinkedIn.
The same goes for their utilisation, but it's my word against yours for that one. Of all the reasons for them to be dropped though this is not one of them, and could not be further from the truth.
There is so much untruth in this comment I don't even know where to start. How about reading HMRC's own product owner in interview and on stage at the OpenStack Summit https://www.openstack.org/videos/austin-2016/british-tax-authority-hmrcs-openstack-journey and http://superuser.openstack.org/articles/hate-the-taxes-not-the-online-platform-hmrc-s-journey-with-openstack/
Most of the time DataCentred were actually handling closer to 100% of the frontend traffic. There were never dropped support requests, or indeed any requests for 'secure networking' in this context - in fact DataCentred were consistently praised by the team at HMRC for their support and technical assistance, and DataCentred's engineering team are well known in the OpenStack community worldwide for their technical eminence in the field. As a previous poster pointed out, a simple LinkedIn search would prove your statement about engineering staff to be patently untrue.
This is not completely true -> "HMRC's MDTP had been running 50-50 on DataCentred's OpenStack and UKCloud's VMware-based service for a good couple of years and handled peak SA workloads without a hitch"
The SA Peak in January 2016 was completed using both Legacy Portal and the flakey MDTP service.
The SA Peak for January 2017 was SUPPOSED to have just been on the MDTP portal, but as it kept falling down traffic was constantly being switched back to the legacy portal. You could see that happening when making submissions. If it wasn't for the tried and trusted legacy then the SA Peak would have failed.
Do not trust cloud apps?
https://www.theregister.co.uk/2015/06/05/hmrc_is_going_google/ indicated parts were using google-apps already.
https://www.theregister.co.uk/2017/09/18/hmrc_cdio_to_recuse_herself_over_microsoft_decisions/
Indicates a lot of O365 use and a lot of online storage.
'Asked if Amazon was the only company who could handle HMRC's cloudy needs, he said: "No, there are two... and the price reduction on this was more than 50 per cent for us. There was a clear value for money [justification] of moving down this route."'
It's a loss leader, get them in and then hike the price up.
'He said the data would be held in the UK and would not be shared with the US. '
How can you be so sure?
No-one in their right mind, though, would put a data centre in, say, Bermuda, BVI, Cayman Islands, Puerto Rica etc. unless it was absolutely necessary and the centre, the power supply and the network cables were hurricane and tsunami proof. Not forgetting human access to the area by boat or plane and indeed permanent residential properties for on-site engineers etc.
Yes, seen this many many times before.
I'll post this one anon but I once worked for an agency who made a single page website for an NHS department. I believe they paid about 10k for it. The majority of the work - which we were told in advance on the quiet - would not be building the site, but filling in loads of tedious forms about the "security" of the datacentre on which said site would be hosted.
We recommended a particular host to them and they rejected it. This was repeated a number of times. Eventually they ended up hosting it with one of the largest hosts in the world. They did this because "we need someone who has top of the line security practices".
All it comes down to is how a provider is perceived. And I'm guessing Amazon can swing their metaphorical ballbag a bit more than some unheard of northern company. That's really all it comes down to. So if or when a security breach happens, they can just pass the buck to their hosts. Or say, well we did have a procedure in place... which was to speak to the hosts, who apparently have a procedure...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
