1 CHECKLIST FOR THE CLOUD ADOPTION IN THE PUBLIC SECTOR
3 CHECKLIST FOR THE CLOUD ADOPTION IN THE PUBLIC SECTOR
4 1. Introduction Although the use of cloud services can offer significant benefits for public sector organizations, a lot of European stakeholders seem to be reluctant when it comes to migrating to the cloud. How secure will be my data and applications? Will I have constant access to them? What if I change my mind regarding the storage solution? What will it cost? What is a Service Level Agreement, and do I really need it? Where can I get support? These are some of the typical questions public sector stakeholders are putting on the table. With this brochure we would like to make you familiar with the wonderful world of clouds. In the following you will find not only the questions, but hopefully, also answers that will help you make up your mind!
5 2. Infographic
6 CLOUD MODELS CLOUDS DEPLOYMENT MODELS PRIVATE CLOUDS COMMUNITY CLOUDS Typically owned by the enterprise using the infrastructure, or leased from a provider of infrastructure. Managed in house. Share infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.) Example: ebay PUBLIC CLOUDS HYBRID CLOUDS Combined deployment of private and public Clouds. Outsourcing resources to public cloud to achieve a maximum of cost reduction.maintaining control over certain areas, such as sensitive data, through local private Clouds. Provided by enterprises giving Cloud functionality to others. Offer the capability to exploit the Cloud features for user own purposes or allow other enterprises to outsource their services. Examples: Amazon, Google Apps, Windows Azure.
7 SERVICE MODELS INFRASTRUCTURE AS A SERVICE (IaaS) Provides virtual storage and/or computing resources to the user. Examples: Amazon S3, SQL Azure, Amazon EC2, Zimory, Elastichosts. PLATFORM AS A SERVICE (PaaS) Provide platform typically including operating system, programming language execution environment, database, and web server on which applications and services can be hosted and developed. Examples: Google App Engine, and Windows Azure (Platform). SOFTWARE AS A SERVICE (SaaS) Users are provided access to application software and databases. Cloud providers manage the infrastructure and platforms that run the applications. SaaS is sometimes referred to as "on-demand software" and is usually priced on a pay-per-use basis. Examples: Google Docs, Salesforce CRM, SAP Business by Design, etc. LICENSING MODELS PROPRIETARY Software licensed under exclusive legal right of the copyright holder with the intent that the licensee is given the right to use the software only under certain conditions, and restricted from other uses, such as modification, sharing, studying, redistribution, or reverse engineering. Usually the source code is not available. OPEN SOURCE SOFTWARE Software with its source code made available with a license in which the copyright holder provides the rights to study, change and distribute the software to anyone and for any purpose. It is very often developed in a public, collaborative manner.
8 3. The Checklist 3.1 / Migrate or not migrate? That is the question
9 THE CHECKLIST 3.1 / MIGRATE OR NOT MIGRATE? THAT IS THE QUESTION Q01. Are there any suitable cloud solutions available in the market (concerning your security, compliance, and performance needs)? Is there any competition among the providers? The existence of appropriate products on the market is the first question that should be answered if the migration to cloud is considered. It is more than obvious that the lack of suitable solutions makes migration impossible. The offers by various vendors should be also analyzed the competition between sellers allows avoiding vendor lock-in and ensuring reasonable prices of delivered services. Q02. Is the maintenance of IT systems a significant position in your budget? Many IT department managers of public institutions are ranking highly the cost-saving achieved, as one the most important and tangible benefits resulting from migration of services to the cloud. Utilization of cloud computing technologies reduces also the need for the IT team to maintain infrastructure, giving them more time to focus on strategy and innovation. Q03. Do you plan to upgrade your IT systems in near future? Plans for upgrading IT systems typically means that existing IT infrastructure no longer fits the institution requirements, and that the institution already allocated some budget for the upgrade. Usually, this is a good time to create a long-term strategy concerning IT services development and assess the pros and cons of cloud technology adoption.
10 THE CHECKLIST 3.1 / MIGRATE OR NOT MIGRATE? THAT IS THE QUESTION Q04. Do you have to maintain oversized systems so as to be prepared for periodic surges in use? Would you be able to free up resources if you moved those systems to the cloud? Cloud technology is a good choice for public institutions, for which the average load of IT systems is not so high, but they have to handle a periodic flood of requests (e.g. pupil/student recruitment system). Reconfiguration of IT infrastructure or renting extra IT resources for a short period of time helps to avoid bottlenecks without the necessity of maintaining oversized infrastructure. Q05. Do you have limited funding that prevents you from making a large capital investment in your IT? IT systems based on Clouds have usually very good configuration abilities; as such, their upgrade and extension could be a slow process that doesn t surcharge the institution s budget. Thus, cloud can be a really good option for Public Administrations to reduce the cost of buying new equipment every two years in order to be up to date. Q06. Could you benefit from resource sharing with similar institutions as yours? Some of the institutions have very specific needs concerning IT resources, including restrictive privacy regulations (e.g. Police), while the others don t process very sensitive data and have common (or very similar) requirements (e.g. schools). Such institution could share their resources to reduce costs of IT infrastructure maintenance.
11 3.2 / Service models [IaaS / PaaS / SaaS] Q07. What kind of services do you use? If there are no common requirements coming from institution members, who utilize different working environments, a virtualization technique (e.g. based on OpenStack or OpenNebula) could be leveraged to optimize utilization of the basic resources of in-house IT infrastructure. The ability to scale services according to the users' requirements could be also ensured by using such IaaS resources as well as processing and storage of public clouds offered by commercial vendors (Amazon EC2/S3, Microsoft Azure, ElasticHosts, etc.). If people working in public institutions share similar requirements concerning their working environment (i.e. an operating system equipped with particular libraries and applications), such resources could be provided using the PaaS model. A well-defined (and more or less common for users) set of applications/services allows deploying a SaaS model. This model is based on the Applications on demand paradigm, whereby users are provided with ad-hoc access to application software and databases. 
12 Q08. How skilled are your institution members (IT services users)? The public institutions employees do not have to be experts in the field of IT technologies. Thus, their skills are a very important factor in influencing the chosen service model, as various models require from the users different level of knowledge. From the users point of view, the simplest choice is the SaaS model that transparently provides applications on demand. The user does not have to care about the infrastructure and the environment that host the applications. On the contrary, the IaaS model requires significantly higher competences. Users have to install and maintain operating system images and their application software on their own. The PaaS model stands between the two extremes, as intermediate users skills are required to configure and extend the environment that is generally maintained by the service provider.
13 3.3 / Deployment models [private, community, public, hybrid] Q09. What kind of services/applications do you use? Public clouds usually offer a standardized set of services ( , CRM, database, etc.). As such solutions provide poor customization possibilities, institutions with specific requirements should rather use private or community clouds that could be well tailored to their particular needs. Q10. How sensitive are the data you manage? Does privacy really matter in your institution? Are any legal (regulatory) aspects that prevent you from storing/computing your data outside your country and/or your institutions premises? Procedures related to data handling in public institutions are often subject to the regulations that determine whether the data can be migrated to a public cloud, or they should be processed and stored within the institutions data centers. Institutions with very strict requirements concerning privacy (like e.g. Police) that process very sensitive data are even more so not allowed to use public clouds for their purposes. Besides, some institutions publish all of their data
14 THE CHECKLIST 3.3 / DEPLOYMENT MODELS [PRIVATE, COMMUNITY, PUBLIC, HYBRID] anyway, e.g. to ensure transparency of processes, and therefore they can use public clouds. An intermediate solution is possible by using data encryption. Entities that are allowed to store data remotely, but are still concerned about privacy of their data, can encrypt them on their side and store them remotely exclusively in the encrypted form. Q11. What is the required network and application performance? The choice between private and public cloud strongly depends also on demands concerning network and computing performance. The usage of private cloud is usually recommended for institutions that have to ensure high quality of service and to guarantee high average performance. In case of periodic floods of requests but low average load of IT systems, using public clouds allows avoiding the cost of building oversized infrastructure, the full capabilities of which are very seldom used. Q12. Do your institutions IT staff have deep knowledge/resources to maintain in-house infrastructure? Creating, setting-up, maintaining and upgrading the in-house infrastructure of a private cloud require deep knowledge from the institution s IT staff, and could further consume a significant amount of manpower. Since no local infrastructure is needed for using public cloud resources (thus alleviating from all overhead related to maintenance), the IT personnel could focus on the institution s operational issues. Setup of an in-house infrastructure also requires special facilities (e.g. server room, air-condition, power), which induce significant costs.
15 THE CHECKLIST 3.3 / DEPLOYMENT MODELS [PRIVATE, COMMUNITY, PUBLIC, HYBRID] Q13. Is your institution independent or does it belong to a bigger structure? Are any collaboration possibilities required? The choice between private and public cloud strongly depends also on demands concerning network and computing performance. The usage of private cloud is usually recommended for institutions that have to ensure high quality of service and to guarantee high average performance. In case of periodic floods of requests but low average load of IT systems, using public clouds allows avoiding the cost of building oversized infrastructure, the full capabilities of which are very seldom used. Q14. Does your budget allow for covering input costs of building and/or upgrading the IT infrastructure of your institution? The initial costs of building a private cloud are usually very high. Sometimes, the amount of money needed to create (or upgrade) the IT infrastructure exceeds the institution budget. The solution here could be paying periodically a smaller price for renting resources from a public cloud.
16 3.4 / Business models [open, commercial / proprietary] Q15. Do you have a limited budget that doesn t allow you to buy commercial licenses? The financial factor has been already discussed previously. Creating an IT infrastructure to build a private cloud requires spending substantial financial resources needed for both, hardware and software. The cost of software could be, however, reduced by adopting and utilizing open source solution. Q16. Do you have a limited budget that doesn t allow you to buy commercial licenses? Commercial software usually offers limited configuration options, and the licenses usually prohibit any changes on the source code. In contrast, the inherent public availability of open source software allows a skilled IT team to tailor the software to specific institution needs.
17 THE CHECKLIST 3.4 / BUSINESS MODELS [OPEN, COMMERCIAL / PROPRIETARY] Q17. What is the required network and application perfor- mance? Most proprietary software implement own vendors standards, and therefore, once adopted, services cannot be easily moved to other cloud-ecosystems. Even if an offer by a competitive vendor is more attractive, the cost of migration usually exceeds any potential benefits. Open source solutions, on the other hand, are mostly designed using open standards, and hence allow for easy building of an environment from interoperating components coming from various vendors. The migration process is also facilitated by this fact. Q18. What is the required network and application perfor- mance? Vendors of commercial software usually offer to customers extended support (help-desk, info-line, etc.). Such services are extremely helpful to IT staff in case of any problem related to software installation, configuration or maintenance. Still, they come with a price. The proprietary software is usually quite expensive because its cost covers also the expenses of user support. Open source software could be used (in most cases) for free, but with limited support. Thus the skills of the IT personnel should be much higher in this case. Q19. Do you need transparency of the solutions you provide? Nowadays the citizens highly rate their right to privacy and a choice of open source seems to be natural for public institutions that would like to retain transparency of their procedures. Customers often would like to
18 THE CHECKLIST 3.4 / BUSINESS MODELS [OPEN, COMMERCIAL / PROPRIETARY] have precise knowledge of how their data are handled. The publicly available open source software could be analyzed and checked to verify whether it contains any suspicious functionality or not. Q20. Do you need fast and responsive support? If the business model of an institution requires high availability of the services or the institution runs critical services, then support for the cloud infrastructure becomes necessary. Commercial clouds provide support for their customers. Support for open source cloud middleware may be available as an additional, paid service, or it may be offered by third-party companies. As open source software is usually supported in a voluntarily fashion, there is no guarantee that critical errors will be fixed in a timely manner. In any case, signing a service-level agreement (SLA) with the cloud provider should clarify matters such as data access, security, services, support etc. Through the SLA it should also be clearly clarified what happens in the case of service failure, network failure, cloud provider going out of business etc.
19 4. Illustrative Illustrative use use cases cases / / PROFILE PROFILE A A
21 4.1.1 / Institution profile The institution s general characteristics are: Financial guarantees from t=he government to ensure operational abilities Very specific demands concerning data security/privacy A number of tailored software divided into several groups of applications Skilled IT staff Average (or low) knowledge of IT technologies among institution members Demands of high availability, good quality of services and reliable support A stable load of utilized IT systems / Suggestions concerning cloud adoption The institution size and specific character would prevent it from taking advantage of many cloud features like sharing resources, outsourcing of services, etc. The economic aspects are not critical in this case. The measured load of IT systems is rather stable, so infrastructure is not oversized. Thus, the migration of services to cloud is not a must but utilization of clouds could bring many advantages anyway, so cloud adoption should be a next milestone on the institution roadmap.
22 ILLUSTRATIVE USE CASES 4.1 / PROFILE [ A ] Due to the institution s specific characteristics, a Platform-as-a-Service (PaaS) model should be deployed. Institution members could be divided into several groups provided with ready-to-use system images that contain preinstalled applications. The heterogeneity of operating systems required by applications makes an application on demand (Software-as-a-Service, abbrev. SaaS) model much harder to adopt. Because of the specific nature of the institution, the majority of utilized services could be migrated only to a private cloud to ensure the proper level of security of data handled, and a high availability of critical services. The request for high availability of services, and demands for software certification as well as for fast and responsive support suggests the utilization of commercial products; however open models could be also used (though with many restrictions).
23 4. Illustrative use cases 4.2 / PROFILE B
24 PROFILE B: A MEDIUM SIZE EDUCATIONAL INSTITUTION, HANDLING BOTH SENSITIVE AND PUBLIC AVAILABLE DATA, WITH LIMITED BUDGET AND FLUCTUANT LOAD OF IT SYSTEMS TYPICAL EXAMPLES: UNIVERSITY, RESEARCH INSTITUTION, ETC.
25 4.2.1 / Institution profile The institution s general characteristics are: Limited financial resources that could be spent on IT Processing a combination of sensitive data (e.g. employee and student records, research data), as well as publicly available data (e.g. news, timetables, tender announcements, science papers) Utilization of a small number of applications by administrative staff and a number of various software by others (students and researchers) Good competences of the IT department staff Average knowledge of IT technologies among the institution members A volatile level of IT systems utilization (form very low load, e.g. during holidays, to overload, e.g. during exam sessions) Resources could be shared with similar and/or partner institutions / Suggestions concerning cloud adoption The institution features are evident of its capability to adopt cloud technologies. Migration of the services to the cloud and sharing of
26 ILLUSTRATIVE USE CASES 4.2 / PROFILE [ B ] some services with other institutions could bring about financial benefits, reduce the resources spent on IT infrastructure maintenance, and allow for better handling of periodical flood of requests. Because of the heterogeneity of the data being processed by the institution, a hybrid cloud model seems to be the most appropriate solution. Within a private cloud, sensitive data could be effectively and securely stored, while a public cloud could be used for maintaining and processing the institution s publicly available data. The public cloud could serve also as a reservoir of a computational power that could be easily utilized (renting extra resources) in case of demand overflow. A well-defined set of applications could be provided using the SaaS model to administrative staff. Due to wide spectrum of software used by students and researchers, they could leverage on demand virtual machines by utilizing the IaaS or PaaS models. While the institution s ERP applications are critical, the majority of the software being used within the institution could be an open source solution.
27 some services with other institutions could bring about financial benefits, reduce the resources spent on IT infrastructure maintenance, and allow for better handling of periodical flood The institution s general characteristics are: of requests. 4. Because of the financial heterogeneity of the processed Limited resources thatdata couldbeing be spent on IT by the institution, a hybrid acloud model seems to bedata the(e.g. most appropriate Processing combination of sensitive employee solution. and Within a private cloud, sensitive data bepublicly effectively and student records, research data), ascould well as securely available stored, while public cloud could be used data a(e.g. news, timetables, tenderfor maintaining and processing the institution s publicly available data. The public cloud announcements, science papers) could serve also asofaa reservoir of a of computational power that could Utilization small number applications by be easilyadministrative utilized (renting extra in various case of software demand overflow. staff andresources) a number of Illustrative use cases by others (students and researchers) A well-defined set of applications could be provided using the SaaS Good competences of the IT department staff model to administrative staff. Due to wide spectrum of software used Average knowledge of IT technologies among the by students and researchers, they could leverage on demand virtual institution members machines by utilizing the IaaS or PaaS models. While the institution s A volatile level of IT systems utilization (form very ERP applications are critical, the majority of the software being used low load, e.g. during holidays, to overload, within the institution could be an open source solution. e.g. during exam sessions) Resources could be shared with similar and/or partner institutions 4.3 / PROFILE C / Suggestions concerning cloud adoption The institution features are evident of its capability to adopt cloud technologies. Migration of the services to the cloud and sharing of
28 PROFILE C: A SMALL PUBLIC INSTITUTION WITH LIMITED BUDGET AND NO SPECIFIC DEMANDS ON PRIVACY OF ITS DATA, OR EXCESSIVE REQUIREMENTS ON IT SYSTEMS PERFORMANCE. TYPICAL EXAMPLES INCLUDE SCHOOLS, SMALL CULTURAL INSTITUTIONS, ETC.
29 4.3.1 / Institution profile The institution s general characteristics are: Very limited financial resources Application and services that currently run on desktop computers Processing of public data (e.g. web pages, news, timetables) Only a small number of applications are used (office applications, web servers) No dedicated IT staff, volunteers with moderate knowledge of IT technologies IT technologies unawareness among institution members No special demands on the network throughout and performance of IT systems / Suggestions concerning cloud adoption A cloud adoption could bring about many benefits to such small institutions that cannot afford their own IT infrastructure or dedicated IT staff. Usage of external resources is often the only possibility to use and/or provide services in such cases. As the institution does not have enough financial resources to cover the initial investment for building in-house infrastructure, the usage of
30 ILLUSTRATIVE USE CASES 4.3 / PROFILE [ C ] a public cloud seems to be the only choice. Because of the limited number of applications being used, the institution could build its own set of applications on demand (SaaS model), choosing from a wide spectrum of cloud providers, including the biggest ones as Amazon, Google, Microsoft, etc., as well as providers of more specific applications (e.g. digital school register). SLAs with such providers usually include also support services, which are particularly important when an institution has no skilled IT staff. Where possible, the use of open source software could allow for further reduction of expenses. Finally, the institution owner (e.g. a ministry or local government) can prepare additional cloud-based applications and share them with a set of other similar institutions.
31 HOW CAN I FIND OUT MORE INFORMATION ON THESE MATTERS? Design: apanicroom.com Additional graphics: made by Freepik.com FOR MORE INFORMATION YOU CAN VISIT THE EUROPEAN COMMISSION DEDICATED WEBSITES: ON CLOUD COMPUTING: ON SLAs: OR SIMPLY VISIT THE SUCRE PROJECT WEBSITE: THE DEDICATED CLOUD IN THE PUBLIC ADMINISTRATION SECTION: THE SUCRE VIDEO ABOUT CLOUD ADOPTION IN THE PUBLIC SECTOR: A SUCRE PROJECT PUBLICATION / 2014 
32 HELLENIC REPUBLIC National and Kapodistrian University of Athens