Cloud-Based ICT Services Checklist

Transcription

1 Cloud-Based ICT Services Checklist Guideline A non-exhaustive list of considerations to be made when evaluating, purchasing, implementing and managing cloud-based ICT services. Keywords: Cloud-based ICT services; cloud services; ICT procurement; digital design; service design; ICT expenditure; information management; information security; privacy; recordkeeping; compliance; audit; business continuity; disaster recovery; evaluation Identifier: CS-GUIDE-01 Version no.: 1.0 Status: Issued Issue date: July 2014 Date of effect: July 2014 Next review date: July 2015 Authority: Victorian Government CIO Council Issuer: Victorian Government Chief Technology Advocate Except for any logos, emblems, trademarks and contents attributed to other parties, the policies, standards and guidelines of the Victorian Government CIO Council are licensed under the Creative Commons Attribution 3.0 Australia License. To view a copy of this license, visit

2 Overview VICTORIAN GOVERNMENT CIO COUNCIL This document provides a non-exhaustive checklist of considerations to be made when evaluating, purchasing, implementing and managing cloud-based ICT services ( cloud services ). Each checkpoint item is explained (see Checklist explanation). Context Cloud services are an important innovation in the provision of ICT services. Engineered for sharing, they enable a large and diverse customer base to use a standardised service without the need for each customer to individually buy, install and customise hardware and software 1. Cloud services also give users ready access to advanced functionality and high quality operations along with shorter project timelines and, when managed properly, significant benefits and less risk in comparison to traditional dedicated ICT solutions. Enterprise-grade cloud offerings now exist across the full spectrum of ICT services. However, some constraints apply. First, the cloud services market is rapidly evolving and comprises vendors and services of varying quality and appropriateness for government use. Secondly, not all workloads, categories of information or applications are appropriate for delivery as cloud services. Consequently, agencies should approach cloud services aware of both the opportunities and the risks, and taking note of procurement and risk management practices. Cloud services checklist The following checklist is a non-exhaustive list of considerations agencies should make prior to committing to a cloud service. 1 Has there been a frank assessment of the current ICT environment? 2 Are there clear business outcomes and priorities? 3 Have you assessed and categorised your data for suitability? 4 Do you understand the relevant data sovereignty risks? 5 Can you adopt a more flexible approach to your requirements? 6 Can your risk analysis processes accommodate cloud services? 7 Can your procurement strategy accommodate cloud services? 8 How will you fund your cloud implementation? 9 Have you completed formal data security and privacy impact assessments? 10 Have you gathered intelligence from other users? 11 Have you established how the service cost is determined and how it can be influenced? 12 Can you trial the service before purchase? 13 Does your cloud services agreement adequately address your circumstances? 14 Have you assigned roles and responsibilities for the storage and retrieval of your data? 15 Have you planned for service failure? 16 Have you considered your future needs? 17 Have you considered your potential roll-out plan? 1 See Appendix A for further information on the nature of cloud services. Cloud-Based ICT Services Checklist (CS CHECKLIST 01) v1.0 July 2014 / page 2

3 Checklist explanation 1. Has there been a frank assessment of the current ICT environment? The starting point for any evaluation of a cloud service should always be to form a realistic appreciation of the strengths and weaknesses of the existing approach to sourcing and managing ICT capabilities. In particular this evaluation should include a frank assessment of the agency s track record for ICT project delivery and the sustainability and security of the agency s ICT environment. This is an essential precursor to making pragmatic and honest assessments of the benefits, costs and risks of different sourcing options. 2. Are there clear business outcomes and priorities? A sound understanding of the agency s desired outcome(s), or end state, is crucial to the assessment of whether cloud services are appropriate for the given situation. Knowing, and prioritising, what is needed allows providers and purchasers alike to determine the most appropriate solution for the purpose. This exercise includes establishing information such as who will use the service (in terms of types or classes of user, or specific groups), in what numbers and at what frequency/volume. 3. Have you assessed and categorised your data for suitability? Privacy laws and other information management obligations dictate that not all categories of information are appropriate for all types of cloud services. Consequently, agencies must analyse and categorise their data and satisfy themselves that the use of a cloud service will not put them at risk of breaching their legal, reputational and internal obligations. Crucially, agencies must consider any auditing requirements imposed on the data that will be stored in a cloud service. Particularly, thought must be given to how readily that data can be queried/retrieved/tested for compliance purposes, and where necessary discuss these needs with the service provider. 4. Do you understand the relevant data sovereignty risks? Critical to any decision to engage a particular cloud service is to know where the data resides. There should be an awareness that some cloud service providers: store their client data in locations other than where their business is or appears to be based; move data without notice from location to location to accommodate operational issues such as load balancing; and/or simply resell the cloud service of another provider, further distancing the control of the data from the owner. The difficulties with data not residing in Victorian or Australian jurisdiction are complex, and depend on the type of data stored and any legal or reputational overlay that may apply to that data. It is out of the scope of this guideline to provide advice in this area, 2 however an evaluation of the provider s storage arrangements needs to be undertaken before any decision to proceed with a given cloud service. 2 See Appendix B, Data sovereignty for further information. Cloud-Based ICT Services Checklist (CS CHECKLIST 01) v1.0 July 2014 / page 3

4 5. Can you adopt a more flexible approach to your requirements? Generally, cloud services particularly public cloud services 3 are unlikely to be tailored to meet the specific needs of a customer. In some circumstances this may well mean that certain organisational needs are unable to be met by particular cloud services. However, this restriction can also be viewed as a catalyst for agencies to hone the requirements of the organisation so that they can utilise cloud services and receive the benefits that they offer. Consequently, agencies requirements definition exercises may need to evolve. For example, agencies may need to establish a process whereby they iteratively question their requirements, and determine any available compromises, before and after approaching candidate cloud services. 6. Can your risk analysis processes accommodate cloud services? Proposals for cloud services should always be evaluated against relevant risk analysis processes and suitable mitigation strategies should be implemented. There should be recognition that cloud services present new challenges for risk management. For example, existing procurement policies and risk management processes can often focus on minimising the risk of making a bad decision, whereas cloud services may call for a more expansive analysis for example an assessment of the risk of failing to make a good decision, or the risk of failing to make a decision at all. Cloud services are subject to many different points of view as to their risks and benefits. Engage with prospective stakeholders early and closely manage their perceptions and queries. Further: ensure that the desired business outcomes and priorities are clearly stated; communicate the facts on the current state of their ICT environment, and how it relates to those desired outcomes and priorities; proactively socialise key research and case studies; showcase successful cloud services; and, subject cloud services to professional ICT project management processes, i.e. ensure good planning with a focus on outcomes and pragmatic, but effective, risk management. 7. Can your procurement strategy accommodate cloud services? Cloud services require extra care when aligning with existing Victorian Government Purchasing Board procurement rules (for example, the as-a-service model defies easy quantification of contract value). Similarly, more agile, iterative, approaches to sourcing ICT capabilities also do not fit well with formal request for proposal (RFP) and tendering processes. Consequently, agencies may need to assess and possibly adjust their procurement strategy to balance the business value of cloud services with the necessary compliance measures. 8. How will you fund your cloud implementation? It is important to note that whilst government ICT solutions have traditionally involved capital investment, cloud services are accommodated in operating expenses. These funding implications must be understood before engaging with a cloud services provider. This step is important because in some instances capital expenditure may be easier to secure than operational expenditure, and vice versa. Particularly, chief financial officers may need to be involved to engineer solutions to these types of challenges. 3 See Appendix A for a definition of public cloud services. Cloud-Based ICT Services Checklist (CS CHECKLIST 01) v1.0 July 2014 / page 4

5 9. Have you completed formal data security and privacy impact assessments? No matter how urgent the business need, or how compelling the offering is, agencies should always consider undertaking formal data security and privacy impact assessments before engaging with cloud services. These assessments will ensure that the relevant risks can be identified and actively managed through appropriate process, information management, operational and contractual mitigations. The process should be informed by an appreciation of the agency s desired outcomes and priorities and the pragmatic cost/benefit/risk compromises involved in the procurement. 10. Have you gathered intelligence from other users? As the government engages with cloud services in a range of different settings, a body of knowledge as to functionality, quality and reliability will begin to form. Consequently, before any interaction with cloud service providers, prospective purchasers should turn to other agencies to gather intelligence and possibly learn about alternatives. This engagement may also expose opportunities to, for example, re-use procurement and implementation materials, create sharing arrangements and possibly purchase services off existing contracts. Equally, agencies should recognise that any engagement they have with a cloud service will generate information that may be useful to others. To that end, documenting at least basic information about their interactions with cloud service providers is encouraged. 11. Have you established how the service cost is determined and how it can be influenced? Cloud services tend to be priced at the sustainable total cost of their operation, with an allowance to keep the service functionally relevant over time. This pricing formula can make cloud services appear expensive relative to other sourcing approaches. However, particular variables can impact on this equation and make cloud services more, or less, appealing from a cost perspective. For example, the number of users and transaction volumes can shape overall costs. For this reason, prospective purchasers should consider a range of usage models to evaluate the effect of pricing under different circumstances and how those results relate to the budget allocated for the service. 12. Can you trial the service before purchase? A key difference between cloud services and traditional ICT capabilities is that cloud services are generally available for near immediate use. This ready availability often means that purchasers of cloud services can seek a trial of the prospective cloud service and even apply real world scenarios to the trial (using caution always with the type of data that is used and the terms of the trial). This more agile approach may also allow more flexibility to trial multiple services, affording the decision-maker the chance to contrast and compare across a variety of offerings. 13. Does your cloud services agreement adequately address your circumstances? Vendors of cloud services often present standard form agreements to prospective purchasers. Unsurprisingly, these agreements can tend to focus on protecting the supplier s interests, and may not provide adequate assurance for a government agency. Agreements with cloud service suppliers should be closely scrutinised, and where the terms are not appropriate for the purchaser, a negotiation of terms may be necessary. The extent of Cloud-Based ICT Services Checklist (CS CHECKLIST 01) v1.0 July 2014 / page 5

6 that negotiation is a matter for the relevant agency, taking into account their particular circumstances. However, at a minimum, the points raised by this guideline, and other relevant government materials, should be addressed in any final written agreement. 14. Have you assigned roles and responsibilities for the storage and retrieval of your data? Because data is stored in, and reliant on, the cloud service provider s particular facilities, agencies must form adequate plans to get their data into and out of those facilities. Moreover, they should ensure that between themselves and the provider it is clear who has responsibility for what in those processes, and where costs lie. With respect to data retrieval, unexpected circumstances can arise, e.g. the provider ceases to operate (in an orderly or disorderly fashion) or one or both parties wish to terminate the relationship. Plans as to how to retrieve the relevant data on the realisation of these situations (and any other reasonably conceivable situation) should be developed before any decisions to pursue a particular cloud service. 15. Have you planned for service failure? A cloud service is essentially an arms-length outsourcing arrangement which, by its nature, involves the risk of interruptions to supply and/or the supplier ceasing operations permanently. In order to manage those risks, all purchasers of cloud services should have a plan to address those eventualities. Any such plan should be appropriate for the degree of reliance on the continuous availability and performance of the service, and should form part of the broader business continuity planning for the agency. Where possible this kind of plan should be adequately tested to the extent possible. 16. Have you considered your future needs? Over time, implementations of cloud services can evolve from small, possibly experimental, beginnings to become mission-critical applications. This possibility must be anticipated when partnering with a cloud service provider, with agencies carefully considering the capacity of the provider to evolve with their future needs (e.g. increase in users, consistent operational performance, and ability to meet evolving information security requirements). Recent quality certifications achieved by the vendor may provide indicators. 17. Have you considered your potential roll-out plan? Cloud services are well suited to starting with small, evaluative implementations, which may then be progressively iterated when the agency is satisfied of their suitability. The benefit of this approach is that business feedback from each of the iterations informs the next, and that feedback in turn benefits the entire rollout. At some point, larger scale rollout can then be accelerated on the back of that testing and the lessons that have been learned and resolved. This approach can considerably reduce the risks of project failure and deliver business outcomes more quickly. Agencies planning to utilise cloud services can advise stakeholders of this to manage expectations about the way the service will be rolled out. Cloud-Based ICT Services Checklist (CS CHECKLIST 01) v1.0 July 2014 / page 6

7 Appendix A: What are cloud services? Cloud services defined VICTORIAN GOVERNMENT CIO COUNCIL There are many definitions of cloud services. The US National Institute of Standards and Technology (NIST) definition is commonly used in government cloud policy documents. This section provides an articulation of the commonly regarded characteristics of cloud services. Cloud computing Cloud computing refers to the underlying technologies and methods that are the building blocks of cloud services. These include, for example, virtualisation, automation, self-service provisioning, usage-based service metering and charging, multi-tenant infrastructure and application architectures, web services, service oriented architecture (SOA) and application program interfaces (APIs). Cloud services Cloud services are a form of outsourced shared services, created using cloud technologies and methods (see cloud computing, above). The distinction between cloud computing and cloud services is important. While it may be relatively straightforward for any organisation to implement cloud computing technologies, the creation and operation of a reliable and trustworthy cloud service is a significantly more difficult, and expensive, proposition, involving appropriate organisation, process, people and culture. Cloud services are also revolutionary because they represent a dramatic change in the way ICT capabilities are both provided and sourced as shared services. They represent an opportunity to shift how these capabilities are purchased and/or consumed, which in turn can lead to extraordinary organisational change. Cloud services may comprise a wide spectrum of ICT functionality, which typically fall under three categories: Software-as-a-service (SaaS): the provision of a fully operational application as a cloud service via a web browser and web services Platform-as-a-service (PaaS): the provision of an application development and operation environment as a cloud service Infrastructure-as-a-service (IaaS): the provision of computing and storage infrastructure as a cloud service This categorisation demonstrates how cloud offers customers the ability to source and consume rather than buy and control. Whilst the distinction between the IaaS, PaaS and SaaS categories is not always clear, in general terms, customers purchase: IaaS to access less costly, more flexible, ICT infrastructure; PaaS to enable faster and less costly development and operation of bespoke applications; and, SaaS to enable faster and less costly implementation and operation of standardised out of the box business applications. Delivery of cloud services: public, private and beyond Traditionally, cloud services have been described as either public or private (and more recently, as hybrid, comprising elements of public and private). Public cloud services are large scale global or national shared services where all customers consume standardised functionality on common terms and conditions. These services are usually accessed via a web browser and the public internet. Private cloud services are shared services with resources dedicated to a particular customer or community of customers. Private cloud services may be delivered in-house or externally provided and may be accessed via the public internet or via a secure Cloud-Based ICT Services Checklist (CS CHECKLIST 01) v1.0 July 2014 / page 7

8 private network. A private cloud service may include functionality and/or contractual terms and conditions that are substantially tailored to an individual customer s needs. In practice the distinction between public and private is becoming less clear, and less useful, as the range and maturity of services evolves. To this end, public and private may be viewed as ends of a continuum rather than discrete service variants. Today, a single provider can deliver services using different models, more-public or more-private, depending on customer needs. The fullest benefits of the cloud services model arise at the public cloud end of the continuum. Bearing this in mind, agencies are advised to avoid simplistic assumptions based on public versus private cloud distinctions in particular the assumption that a private cloud service is always safer than a public cloud service should be challenged. Instead, agencies might focus on understanding the actual trustworthiness and functionality of a particular cloud service, keeping in mind always the question: all things considered, will this service achieve better business outcomes than the alternatives? Enterprise-grade cloud services It is important to acknowledge that not all cloud services providers, and not all cloud service offerings, are suitable for use by large enterprises such as government agencies. Indeed, many cloud services are targeted purely at the consumer and small-medium business markets and the degree to which these services meet the needs of larger organisations varies. In general terms, enterprise-grade cloud services may be distinguished by characteristics such as the: trustworthiness/credibility/financial strength of the provider organisation; operational maturity, historical performance and resilience of the service; depth and breadth of the customer base; forward roadmap of service enhancements; provider s achievement of quality and security accreditations; geographic location of data centres; availability and quality of customer support services; and willingness of the provider to agree to non-standard contractual terms and conditions. Whether a cloud service is appropriate for a specific enterprise purpose is a decision for the relevant agency. All usual benefit and risk assessments should be applied, to both the service provider and the specifics of the services being considered. Cloud-Based ICT Services Checklist (CS CHECKLIST 01) v1.0 July 2014 / page 8

9 Appendix B: Reference and toolkits Victorian Government Policies and Guidelines Victorian Government Procurement VICTORIAN GOVERNMENT CIO COUNCIL Procurement Reform Procurement Reform Statement Policies, Guides & Tools Victorian Government ICT Strategy Policies, Standards & Guidelines Information Privacy The Information Privacy Principles (IPP) Guidelines to the IPP Privacy Impact Assessments guide Requirements for health records Health Privacy Principles (46kB PDF) Australian Government Policies & Guidelines National Cloud Computing Strategy, Department of Communications y_html Cloud Computing Policy and Guides, Australian Government Information Management Office agict.gov.au/policy-guides-procurement/cloud The Data Centre as a Service Multi Use List Fact Sheet, Department of Finance agict.gov.au/policy-guides-procurement/data-centres/data-centre-as-a-service-dcaas-multi-use-listmul-fact-sheet/ Cloud Computing Security Considerations, Department of Defence (Australian Signals Directorate) Privacy Law Reform, Office of the Australian Information Commissioner Privacy Resources, Office of the Australian Information Commissioner Individual healthcare identifiers Compliance obligations for state and territory healthcare providers, Office of the Australian Information Commissioner individual-healthcare-identifiers-compliance-obligations-for-state-and-territory-healthcare-providers Cloud-Based ICT Services Checklist (CS CHECKLIST 01) v1.0 July 2014 / page 9

10 Other State Government Jurisdictions VICTORIAN GOVERNMENT CIO COUNCIL NSW Government ICT Strategy Resources finance.nsw.gov.au/ict/resources NSW Government Cloud Services Policy and Guidelines NSW Procurement Reform Strategic Directions Statement Cloud Service Providers Codes of Practice Cloud Computing Consumer Protocol - Discussion Paper, Australian Computer Society New Zealand Cloud Computing Code of Practice Data sovereignty Data Sovereignty and the Cloud report, University of New South Wales (Cyberspace Law & Policy Community) United States Government Cloud IT Services, U.S. General Services Administration Federal Cloud Computing Strategy, CIO.gov cio.gov/wp-content/uploads/downloads/2012/09/federal-cloud-computing-strategy.pdf (918kB PDF) The Federal Risk and Authorization Management Program (FedRAMP), CIO.gov cloud.cio.gov/fedramp Information Technology Reform: Progress Made but Future Cloud Computing Efforts Should be Better Planned (Report), U.S. Government Accountability Office UK Government Government Service Design Manual, gov.uk Further information For further information regarding this guideline, please see contact information at Version history Version Date TRIM ref Details 0.1 September 2013 D11/ Initial Draft 0.9 Sep 2013 May 2014 D11/ Version for initial noting by the CIO Council July 2014 For release Cloud-Based ICT Services Checklist (CS CHECKLIST 01) v1.0 July 2014 / page 10