A Practical Guide to Cloud Strategy from Tyler and AWS

Tyler Podcast Episode 123, Transcript

The Tyler Tech Podcast explores a wide range of complex, timely, and important issues facing communities and the public sector. Expect approachable tech talk mixed with insights from subject matter experts and a bit of fun. Each episode highlights the people, places, and technology making a difference. Give the podcast a listen today and subscribe.

Show Notes:

In this episode of the Tyler Tech Podcast, we unpack a common and often misunderstood topic in public sector cloud computing: what GovCloud is, how it differs from standard cloud environments, and when each is actually necessary.

Recorded live at our annual Tyler Connect conference in San Antonio, this insightful discussion features Russell Gainford, chief technology officer at Tyler Technologies, and Gerard Gallant, senior program manager at Amazon Web Services (AWS). Together, they explore how state and local governments can navigate evolving compliance needs and make smart, secure, and cost-effective cloud choices.

Throughout the episode, Russell and Gerard clarify the distinction between security and compliance, explain why assumptions around GovCloud can lead to unnecessary complexity and cost, and highlight AWS’s Nitro System as a game-changing innovation in data protection. They also touch on the broader importance of continuous education in cloud decision-making, particularly as agencies modernize infrastructure and embrace emerging technologies.

Tune in to hear how public sector leaders can confidently choose the right cloud environment for their mission — grounded in actual requirements, not just labels.

This episode also highlights “Resilient by Design: How Technology Supports Government,” our free e-book that explores how public sector agencies can strengthen their resilience in the face of disruption. From cloud infrastructure and automation to secure payment systems and crisis response tools, the e-book features real-world examples of how technology helps governments maintain continuity and serve their communities more effectively.

• Download: Resilient by Design: How Technology Supports Government

And learn more about the topics discussed in this episode with these resources:

• Download: Resilient by Design: How Technology Supports Government
• Download: Cloud-Smart Strategies for IT Infrastructure Modernization
• Blog: Boosting Resilience: Cloud Solutions for Modern Government
• Blog: Partnering With Communities to Build Resilience
• Blog: Resilient Communities Rely on Modern Public Safety Solutions
• Blog: Increase Community Resilience With Modern Payment Systems
• Blog: How Cloud-Based Solutions Expand Access to State Services
• Podcast: The Cloud Advantage: Powering Public Sector Resilience

Listen to other episodes of the podcast.

Let us know what you think about the Tyler Tech Podcast in this survey!

Transcript:

Gerard Gallant: It’s important to understand the difference between security and compliance. Two very different terms. Sometimes they get mixed together and some people think some organizations think they’re the same, but in reality, they’re two very different things.

Josh Henderson: From Tyler Technologies, this is the Tyler Tech Podcast, where we explore the trends, technologies, and people shaping the public sector. I’m your host, Josh Henderson. Thanks so much for joining us. In this episode, we’re diving into a common cloud computing question in the public sector. What is GovCloud, and when is it actually necessary? And to help us unpack the differences between cloud environments and why compliance and not assumptions should guide decision making. I’m joined by Russell Gainford, chief technology officer here at Tyler, and Gerard Gallant, senior program manager for Amazon Web Services.

Together, we explore how public sector leaders can make informed, secure, and cost effective cloud choices that align with their specific needs and responsibilities.

Let’s get right into the conversation with Russell and Gerard, which we recorded at our annual Tyler Connect conference this year in San Antonio.

Alright, Russell, Gerard, thanks for joining me today on the podcast. It’s great to have you both here.

Russell Gainford: Thank you for having us.

Gerard Gallant: Good to be here.

Josh Henderson: Now today, we’re diving into a topic that brings up a lot of questions across the public sector: this distinction between GovCloud and what is often termed commercial cloud, and more importantly, when one is actually needed over the other. I know there is some history here as AWS has grown over the years, Gerard, but I wanted to start by asking you to define these terms, GovCloud, and what has been known as commercial cloud.

Russell Gainford: And maybe I’ll just interject. Given that Tyler is 100% focused on the public sector, I’ll just bring up there is a shift. That terminology of commercial cloud is really not the go-forward focus within AWS.

And when we talk with our customers out in the field it’s AWS Standard Cloud. There’s a history of why it was called that way. I’ll let Gerard expand on that.

Gerard Gallant: Back in the day, when cloud computing started, there was a rush of big commercial entities that went to the cloud – think about the Netflix’s of the day. Think, you know, you name it, the big companies that started back in 2006 when we launched AWS.

So, there was a thought that, oh, it was a commercial cloud.

It was a cloud for commercial entities only. And that evolved over time as we introduced our government regions, which I’ll describe in just a second. That kind of evolved over time that it really wasn’t just commercial entities. It was a lot of other entities that were using our quote, standard regions, not our government regions, to meet their mission, to put their applications, their data, and their solutions in.

And really, the big change was when we introduced the government cloud, the government cloud has a name called government cloud, but in reality, a government cloud is for sensitive, controlled, unclassified information. And it’s really defined by the compliance programs that are in that cloud versus what is available in our standard region. So, you choose based upon what you need from a compliance perspective versus a location. A government cloud is a separate – logically and physically – partition. And it is serviced and controlled by U.S. citizens on U.S. soil. If you need that, and there are certain programs that you need that, then you have to be in government cloud. If you don’t need that, there’s no reason to be in government cloud, which we’re going to talk through in more detail.

Josh Henderson: We’ll get into it for sure. Thanks for outlining that, and for making the distinction here at the beginning of the conversation.

So, to dig in a little bit further into the topic, from both of your perspectives, what’s driving all the confusion around GovCloud versus standard cloud? And why do you think this has become such a common point of misunderstanding?

Russell Gainford: Well, we see it all the time. And to be quite honest, I’ve been in this cloud world for a long time now, so many years. And if I took a step back from that and approached as one of our customers and a CIO or anything else, and you said, well, someone asked me where would you like to put this product that we put together for you, and would you like to put in the commercial cloud, or would you like to put it in the GovCloud? My immediate answer would be I wanted it in the GovCloud.

Now having gone through several years of really understanding that history and what the government cloud region is and the levels of high classification security that are required in there, those compliance requirements, which is usually a much smaller set of common workloads.

Now my answer would be that I want to be in the standard cloud.

Gerard Gallant: I would say just the very name to add to what Russell said, the very name GovCloud.

GovCloud is a name of a region. In AWS terms, it’s a name of a region, but there are education entities in there. There are financial services entities in there. There’s a bunch of different entities that are not government organizations.

So, I think the name has led to some confusion, and we’re trying to help people understand. Choose the cloud based upon the programs that you, the compliance programs you have to meet. If you’re HIPAA, if you’re IRS 1075, if you’re PCI compliant for payments or CJIS or, you know, FedRAMP. Choose the cloud that, based upon the program you need regardless of its name that we’ve called it.

Josh Henderson: Now, Russell, I’m hoping you can talk a little bit on the differences that show up in public sector conversations surrounding these two terms. Are there particular areas where you’re seeing things getting lost in translation from your perspective?

Russell Gainford: I think it comes down to helping spread the knowledge. And I would also just like to point out that this isn’t just the history of AWS, this terminology thing. And that other hyperscaler cloud providers have these terms that also lead to the same sort of symptoms of different industries that maybe aren’t public sector going in and vice versa where things are going in that maybe the compliance isn’t required. So, it’s more about why these things were created.

It was for this very high level of compliance that was needed for the top tiers of public sector, and that leads people to name it by default, GovCloud, and then you start, you know, ending up in this situation in the mix here. But so, it starts with the education and understanding, but also not knowing that there’s a downside to it, and that the downside needs to be managed with the tradeoff. So, of course, if you ask myself or anybody else as a leader when you’re doing something, you know, I can give you this, and it’s the most secure lockdown environment that does all these different things to provide this extra level of protection.

I’m going to say I’d like that. Now what you have to balance is, is that really needed for your compliance requirement levels, and what are the costs and the downsides of doing that so you can make an informed decision? And so, I think that’s where we’re now really embarking on this education of understanding what really needs to be in there, and why does Tyler as an organization make the decision and distinction, based on working with clients, on which cloud we use at which point.

Josh Henderson: Now there’s a common assumption that GovCloud is more secure. And, Gerard, you mentioned a couple of compliance standards earlier on. But what can you tell us about why that’s not always the case?

Gerard Gallant: It’s important to understand the difference between security and compliance. Two very different terms. Sometimes they get mixed together and some organizations think they’re the same, but in reality, they’re two very different things.

Our government cloud and our standard cloud, our standard regions, achieve the same level of security. The same technology exists in those two regions in the U.S. In fact, it exists across the world.

Technologies such as the AWS Nitro System, which is our virtualization infrastructure, all your encryption and transit encryption at rest, they are the same. So, the security, you can achieve the same level of security in our government regions and our standard regions. And it’s a misnomer to think, although people think I am a government client, it must be more secure.

That is not the case in our world. It is the same security. We go back to what is the compliance objectives you’re trying to meet. It’s a different definition than security.

And are those compliance definitions met in a U.S. region? It’s important to note U.S. region because most compliance programs in the U.S. have a data residency requirement, so data must stay in the United States. Can they be met in the U.S. by one of the other regions that we have in our standard region, or in our government region?

The security is the same, and you achieve that by implementing those controls like Tyler has done throughout its complete stack.

Russell Gainford: And maybe I’ll ask as a follow-up because I think it this was a real education moment for me early on in in our AWS journey.

Maybe explain a little bit more about Nitro, and how it’s changed over time. And what kind of difference that makes from that security perspective?

Gerard Gallant: That that is a great question Because if you look at other hyperscalers as an example, one of the core differentiators for AWS is our lack of access to data. So, we achieve no access to data using a virtualization infrastructure that we custom-built and that is custom hardware. And that virtualization infrastructure called the Nitro System, what it does is it takes very sophisticated software that is very large, sometimes buggy, and we ripped it apart, and we put the various layers of that software on hardware chips. So, think of a virtualization infrastructure that controls, it virtualizes storage, virtualizes compute, virtualizes memory. You’ve got a pretty sophisticated piece of software.

When you break that apart and you put that on hardware chips, a storage, hardware chip, it’s an ARM processor called a nitro chip.

When you put networking on one of those, all of a sudden you get repeatable 100%, cryptographically proven processes.

And your software stack that manages all that shrinks significantly, so your attack vectors go way down. And when you build it like we did, we built it such that no operator had any ability to interact with any data in any way, shape, or form. No log data, nothing.

What that does, and that’s available, by the way, in every region in the world, including our standard regions and our government regions. What that does is it elevates the security to put the security of the data in our customer’s hands, not in the cloud provider’s hands. Critical, critical, piece of information for – particularly in public safety – for evidence or chain of custody, as an example. You don’t want ancillary parties having access to that data. And the Nitro System is an investment we made over a five-year period culminating in 2017, and we rolled it out across the world, most importantly in our U.S. regions. So, anytime you use compute or services that rely on compute, that all runs on our Nitro System.

Russell Gainford: And to me, I wanted him to explain a little more because that was the moment for me when we started to say, wow, everything’s coming out now. It is based on Nitro. Everything we’re spinning up is based on Nitro.

And that provides that lockdown of data, no visibility for the staff, and so, essentially, you do have that. The security in the GovCloud and standard cloud are the same, and now you’re looking at compliance requirements. Nitro enables that where others can’t.

Gerard Gallant: And I would say, just to go a little bit deeper on that, there are some compliance programs, CJIS being one, where operators having some level of access to that data require those operators to be fingerprint-based background checks.

Anyone who’s familiar with the CJIS world, we that’s a known requirement. When you remove your operators from data like we did at AWS starting in 2017, you remove the requirement that those operators need to be federally background checked for CJIS purposes. And that’s a huge thing because what it means is now not only do you increase your security by having no cloud provider having any access to that data, you also decrease administrative burdens on states to, you know, continue to background check these people that they met, probably have never seen, their name on a sheet of paper, and our approach is very different, as you know, very different. It relies on technical controls to lock our people away from that data and allow our customers to have their full control over data in process, in transit, and at rest, which we think is a very, very secure way of cloud computing.

Russell Gainford: And it’s great when we talk with our clients and, maybe new prospects and leadership, to even be able to retell the talking points of that AWS story because it puts everyone at ease right away.

There is no access to it. This is the approach AWS has taken. We are directly working with you, and you’re subscribing to a software through us. And when it’s not some three party, you know, interaction and there’s concerns of trying to background check these people. So, for CJIS it was like, oh, there’s a deep breath both for our client base as well as for us.

Josh Henderson: Stay tuned. We’ll be right back with more of the Tyler Tech Podcast.

Jade Champion: You can’t always prevent disruption, but you can prepare for it.

Josh Henderson: That’s right. And in our latest e-book, we explore how government agencies are building resilience into their operations from cloud-based systems and automation to tools that improve response and coordination.

Jade Champion: You’ll discover real world examples like how an emergency app helped residents in Louisiana stay informed and how secure payment technology supports service continuity during a crisis.

Josh Henderson: It also walks through six practical steps to help you assess risks, modernize infrastructure, and strengthen your ability to adapt.

Jade Champion: Download your free copy of “Resilient by Design: How Technology Supports Government” at the link in the show notes.

Josh Henderson: Because every government needs a road map to resilience, and it starts with the right technology.

Now let’s get back to the Tyler Tech Podcast.

And now to stick with the client base, Russell, I wanted to put a scenario your way. So, what if because we work with public sector clients, what if somebody just assumed that they needed GovCloud?

What how do you help clarify that standard cloud can often meet the same needs that a GovCloud would?

Russell Gainford: It’s through education discussions like this because it has changed over time. And now that now that we’re at this point, it’s about explaining why we make the decisions because they’re backed by logic and what the market is doing. Security is not static. And so, these enhancements are taking place.

So, it’s not a one-time training. And if somebody sat down, for example, in CJIS and eight years ago, they sat down on AWS, it would have been talking a lot about, GovCloud. And then security’s advanced, and these capabilities are now there, and we’re using Nitro hypervisor technology.

So, it’s about it’s a continued education. The cloud is moving so rapidly, the innovation is so rapid. So, it’s having discussions on why we’ve made the decisions. And, when we have those discussions, most people are like, okay.

Now I understand the background. Now I understand why you made the decision. Now I understand it’s really standard cloud and not commercial cloud, and there’s tons of public sector entities running in it, and then that helps make the decision. And some of them were going the other way of saying, hey, we are going to have to move something into GovCloud here because you want that FedRAMP high or you want some additional compliance that’s currently offered only in that region.

Gerard Gallant: I would add, not only just continuing to educate on security, but being plugged into the compliance programs that evolved over time. So, Russell said eight years ago, I would say five years ago, if we said you could run criminal justice workloads in standard region, I would have been laughed out of the room. But as compliance programs have evolved, in particular CJIS now, being a moderate impact level data as part of the modernization of the policy, and as people have better understood the cloud and security in the cloud.

Seven years ago, when I started at AWS, we talked about encryption and eyes glazed over. Customers didn’t understand encryption because on-premise, it’s very difficult to do. It’s expensive. It takes a lot of horsepower.

In AWS in particular, people understand encryption now. They understand it’s going to get me a greater level of security. It’s going to protect me from ransomware. So, with the overall knowledge level of cloud and I will say the pandemic helped enforce what cloud could do for customers because people had no other choice at that point in time.

So, the knowledge, it’s just a natural progression. Knowledge has increased over the last five, six years, and with that came more informed decisions of what was secure, how do you secure, how do you encrypt, and all of that. We’re all kind of growing and learning together, and it’s it is a continual education, like Russell said, to continually help people understand, pick the cloud that’s best for your compliance program.

Russell Gainford: How quickly we forget COVID-19 And the pandemic and the days that, you know, people had to turn things off and had to go remote. And many of our clients in public sector had to work from home and things change.

We usually take a very pragmatic, cautious approach working with our clients, because that’s what our clients do in public sector. They have a lot of responsibility that’s entrusted on them, and they’re very pragmatic about how they approach the new technology, making sure it’s right for them, that it follows all the guidelines and everything that’s stated.

That was one of those things where when there’s a crisis, decisions are made. And I think the ability of the public cloud to quickly ramp up and help people get remote, help students be able to study at home, those types of things, is pretty remarkable and often not looked back on and how quick that actually happened.

Gerard Gallant: Absolutely. You look at some of the unemployment insurance systems that were failing miserably after, you know, the pandemic was declared, and those systems came back online. Those call centers came back online because of the use of public cloud. Because of the use of standard regions to bring those things on very quickly so that operators could actually answer phones.

Josh Henderson: So, knowing all of this that we’ve talked about here today, how do we help our teams and our public servants make smarter, more confident decisions when it comes to cloud environments or what they’re choosing to be their cloud environments?

Russell Gainford: Well, from our side, what we typically provide our solutions in the cloud that meets the compliance needs that are needed. If it requires a certain level of compliance, we are going to offer a solution there. And if it doesn’t, then we’re going to have a conversation on what it means for, the type of data that’s in that environment and the compliance that’s required. So, then it it’s about education partnership.

We’re partnering with our clients to take them to the cloud when they’re ready. And when they’re there, we’re explaining exactly why we’ve made these strategic decisions in collaboration with AWS, as we move forward. But it’s also about educating about the downsides.

And when I’m not trying to say downsides of GovCloud. It does amazing for what it does. We have lots of workloads that are in GovCloud, but it does come with the more value of those compliance standards. It does come with a higher cost, a cost that that eventually has some level that’s passed on with customers.

It also has less workloads on it than some of the standard clouds, and so you get a level of scale in there that’s in there. And it’s also with the compliance requirements; it does take longer for new innovations to come out in that cloud.

They are delayed, depending on the type of feature, for a certain period of time. So, those are the downsides on it. So, with the benefit of I’m in an area that can meet this very high level of compliance, there are downsides for it. And it’s explaining why that is and why we think for those types of workloads we run in standard, that is the best decision for our clients because, as Gerard said, the security is exactly the same. It’s just about reaching that compliance.

Gerard Gallant: And I would add to that, customers now generally better understand because there’s so much more work done in the cloud. They understand what is it that they need to meet. What is the compliance program they need to meet? Is it CJIS? Is it HIPAA? Is it IRS 1075? And I will say, with multiple hyperscalers out there, public cloud platforms, it is important to note that there are differences between those platforms.

So, if you are on cloud a, you may not be able to meet CJIS in a given cloud. With AWS, it’s important to be very cloud specific so you can choose the region that best suits your workload.

And that does vary cloud to cloud. And that can lead to some confusion with customers. If cloud a says, oh, you’re going to have to do this in a government region, but cloud b says, no, you don’t need to do that. And so, it’s all about educating and knowing what lane you need to be in so that you make the best decision. And Russell and I have spent a lot of time talking through what is the best approach to help customers understand. It really comes down to what do you need. That’s what do you need.

Russell Gainford: That’s a great point.

Gerard brought up it’s not the same with all the different hyperscalers. And so, AWS has Nitro. They have the way that they’ve architected it, but it might be a different conversation if they’re on another cloud and not, you know, we’ve heard our CEO say this, the success we’ve had with our collaboration with AWS.

It’s rooted in the foundation of compliance and security and then built up from innovation on that. So, it’s not just about educating. It’s explaining that AWS is our cloud provider. And with that, this is how we approach the different types of clouds that are in there.

And sometimes we do hear questions, and we do answer on other clouds that clients may be using because we’re about partnering for their whole cloud journey and not even just their Tyler products.

But we have to center in on our approach here with AWS and why we make those decisions because it is different with some of the other hyperscalers.

Josh Henderson: That’s great. So, as we wrap this conversation up, we’ve covered a lot here today, obviously. But if there’s one or two takeaways that we would want listeners to take with them from this conversation, what would that be?

Gerard Gallant: I would say, choose with your application partners the region in the United States, whether that’s a government region or standard. Choose the one that meets your requirements.

Don’t assume that if something is named gov, you need it.

Understand what is it that you’re trying to achieve. Go back to your business objectives. I am trying to achieve IRS 1075 compliance. I am trying to achieve HIPAA.

Where can I do that for the same amount of services and the same, you know, the same breadth of services? What is my best decision? And don’t, from a customer, don’t let someone tell you that a gov region is more secure. If I can do one get one thing out there, a gov region is as secure at the same level.

Don’t assume because it’s labeled gov, it’s better. Now I will say, just to be clear just to be clear, there are cases you will need gov. If you need FedRAMP high as an example in AWS terms, which very few state and local agencies would ever even think about. But if you’re a federal entity and you need FedRAMP high, in AWS today, you have to be in gov.

If you’re an arms trafficker and you need an ITAR boundary, you have to be in gov. But for the most of our state and local workloads, whether that’s in ERP, whether that’s in public safety, whether that’s in justice, whether that’s in courts, corrections, I got a lot of them right, you know, those types of workloads don’t have compliance requirements that require a government region. That was a long answer to a short question, but don’t assume gov gets you more security.

Russell Gainford: And just to back up to what he said from the beginning. The security is the same in these regions. It comes down to compliance. So, in your mind as you’re thinking about it, think about the compliances that I need, where is the best place for it to run? And if I don’t have any, understand that there are tradeoffs to run in the region that does support the highest level of compliance because it’s needed because those compliance levels require it. And work with, and partner with, your representative at Tyler because we want you to be fully briefed on this so that you when you’re talking to your constituents and, your councils and everything else, you understand the differences and where things are running and why those decisions are made because they are very thoughtful decisions, and they’ve evolved over time.

But that separation of security and compliance is really important.

Josh Henderson: Well, thank you both for this conversation. I have no doubt that it’ll be helpful for folks moving forward. And, yeah, I really appreciate you taking the time.

Gerard Gallant: Yeah. Thank you.

Russell Gainford: Thank you for having us.

Josh Henderson: As we heard today, choosing the right cloud environment isn’t just about terminology.

It’s about understanding your compliance needs, weighing tradeoffs, and making informed decisions rooted in both security and mission goals.

Russell and Gerard shared valuable insights on the real differences between GovCloud and Standard Cloud, when each is necessary, and how ongoing education can help public sector leaders navigate cloud strategies with greater confidence. And if you’d like to explore more on this topic, check out the show notes for additional resources. And we’d love your feedback. Fill out the listener survey linked in the show notes or reach out anytime at podcast@tylertech.com.

Be sure to subscribe, rate, and review the show so you never miss an episode.

For Tyler Technologies, I’m Josh Henderson. Thanks for listening to the Tyler Tech Podcast.