Cloud Computing Guidance
The Government ICT Strategy and Action Plan to 2017 seeks to improve service delivery and deliver substantial savings across government, with cloud computing as a key enabler.
The Government’s approach to cloud computing [CAB Min (12) 29/8A] was introduced in August 2012 by the Minister of Internal Affairs, Hon Chris Tremain. The approach established a ‘cloud first’ policy and an all-of-government direction for the use, development and deployment of cloud services.
The cloud computing business model allows agencies to consume ICT as a service, which leads to smarter investment and savings across the public sector. Under the ‘cloud first’ policy, State service agencies are expected to adopt approved cloud services when faced with new procurements or an upcoming contract extension decision.
Benefits of cloud computing
- Cloud computing solutions are scalable: agencies can purchase as much or as little resource as they need at any particular time. They pay for what they use.
- Agencies do not have to make large capital outlays on computing hardware, or pay for the upkeep of that hardware.
- Cloud computing provides economies of scale through all-of-government volume discounts. This is particularly beneficial for smaller ICT users.
- Agencies can easily access the latest versions of common software, delivering improved and robust functionality, eliminating significant costs associated with version upgrades.
- Having all agencies able to access the same programmes, and up-to-date versions of those programmes, will reduce productivity losses caused when applications are incompatible across agencies.
Cloud computing risk and assurance framework
In October 2013 Cabinet agreed to a cloud computing risk and assurance framework [CAB Min (13) 37/6B] for government agencies. All State service agencies are expected to follow the process in line with Cabinet direction.
The key points from this framework are:
- All cloud computing decisions, whether for services hosted onshore or offshore, require case-by-case consideration by agency chief executives, with GCIO oversight, that balances the risk and benefits appropriately.
- Agency chief executives are ultimately responsible for decisions to use cloud services.
- No data above RESTRICTED should be held in a public cloud, whether it is hosted onshore or offshore.
- Agencies in the State services are expected to follow a uniform and robust information management process that includes:
  - classifying the information;
  - undertaking a risk assessment using the agency’s own processes, if they have them, or those supplied by GCIO in the Risk Assessment Processes: Information Security.
- If the system is likely to be a cloud service, agencies are expected to use the guidelines in the Cloud Computing: Information Security and Privacy Considerations to ensure appropriate and consistent consideration of cloud computing issues (including privacy and security).
Agencies are expected to use this process when considering the use of all cloud services. The only exception will be when agencies are taking up ICT Common Capability cloud services developed for all-of-government by the GCIO. The lead agency developing the cloud ICT Common Capability will undertake the initial assessment and the process will not need to be repeated every time an agency joins the common capability.
Cloud computing and ICT Assurance
All cloud computing decisions need to be made in the context of a system-wide ICT assurance process developed by the GCIO, which is mandatory for most agencies within the ICT Functional Leadership mandate.
The GCIO will provide assurance on cloud risk assessment for all-of-government cloud and agency cloud solutions. The assurance will concentrate on high-risk factors such as significant data being held offshore and will include an assessment that the correct guidance and risk-based processes (Cloud Computing: Information Security and Privacy Considerations document) have been applied and followed.
The GCIO, where necessary, will direct agencies to amend, change or adapt their cloud service use.
There is a clear expectation that agencies will join common capability cloud solutions if they exist rather than sourcing individual cloud solutions.
The robust risk-based processes will apply retrospectively to all cloud services currently used by State service agencies. The GCIO will develop a programme and timeframe for this to occur. This programme will take into account risk and availability of resources to ensure that State sector agencies’ existing cloud decisions comply with the framework. For example, information that is already publicly available will likely be low-risk and not need reassessment.