Key Considerations for Public Cloud in the Public Sector
21st October 2014
Author John Baddiley
The recent past has seen a marked increase in public sector agencies investigating and implementing cloud-hosted services. In pursuing this path, the biggest questions that agencies have had to address are ones of information security and data sovereignty.
The Department of Internal Affairs (DIA) has recently developed a cloud assessment risk management framework that helps agencies ensure that services are selected and implemented in a consistent and safe manner. This framework is described further in the DIA document Cloud Computing: Information Security and Privacy Considerations.
The use of public cloud services is at a relatively early stage for the public sector. This post addresses three of the questions that Davanti have heard regularly from our clients.
CAN GOVERNMENT AGENCIES HOST INFORMATION IN THE CLOUD?
The Government ICT Strategy and Action Plan sets a strategy of increased use of cloud-hosted services, especially those that allow consolidation of delivery across government agencies. When considering this question, the most important factor is whether the solution will meet your business requirements. Be clear about your functional and non-functional requirements, and ensure that the cloud service can adequately deliver on all of them. The next aspect to consider is whether your information can be hosted safely. Correct classification of information is critical: classify too low and your information risks being compromised; classify too high and you introduce unnecessary cost, or stop the implementation altogether. Finally, the services must be accredited to ensure that they meet government and agency requirements for suitability, manageability and information security. Accreditation is not a one-off exercise: agencies should reassess these accreditations regularly, because risks change over time, and a solution or control that was appropriate last year may no longer be this year.
CAN GOVERNMENT AGENCIES HOST INFORMATION AND APPLICATIONS OFF-SHORE?
The cloud-hosted services available internationally far outnumber those within New Zealand. Many agencies will identify applications and services available off-shore that will provide significant business value. However, off-shoring services means that agencies need to ensure that information is accurately classified, and that the necessary information security controls are identified and implemented. With appropriate controls in place, information up to the “IN CONFIDENCE” rating should be able to be hosted internationally. No information above the “RESTRICTED” level may be hosted in public cloud services, whether on or off-shore.
WHAT OTHER CONSIDERATIONS SHOULD AGENCIES BE AWARE OF?
When using any cloud service, there are many factors that agencies must take into account. Davanti believes that amongst the key factors are full-stack compliance, business continuity and service management. Agencies must have assurance that the entire technology stack maintains the required information security and privacy controls, not only the layer that the service is providing. For example, if purchasing a Software as a Service (SaaS) offering, the agency must have assurance that the infrastructure layers the SaaS solution is built upon are appropriately secured, since a compromise at a lower layer undermines the controls of every layer above it. Agencies must also be clear about how the use of the service will affect their business continuity plans (BCP). For example, what would happen to the business function if the service is unavailable, or is withdrawn from service? Finally, agencies must understand how the service will be managed and monitored, how it will integrate with internal systems and applications, and how breaches and other incidents will be managed.
Public cloud services offer many transformational opportunities to public sector agencies, but their selection and implementation must be undertaken in a manner that does not expose agencies to unmanaged or unknown risks. That said, agencies are able to make use of public cloud services, including those hosted off-shore, if they follow an appropriate selection and risk management process. The process should include:
- Alignment with business functional and non-functional requirements
- An information classification for the information to be held or processed by the service
- A clear identification of the risks and appropriate controls
- An understanding of the business continuity implications of the use of the service
- Planning for how the agency will deal with a breach or other incident in the service
- A clear plan for service management and integration.
The process to ensure that this information is captured is not an onerous one: if agencies are consistent in the execution of a selection and assessment process, all necessary information can be identified without significant impact on project timelines or budget.
John Baddiley is a Senior Business Manager in our Wellington team with a focus on technology and how it enables the Digital Enterprise. John has over 20 years’ experience in the IT industry, and leads our Enterprise Architecture and Cloud Computing capabilities. His customer and business focus has enabled some of New Zealand’s largest businesses and public agencies to accelerate change and stay ahead.