Cloud Computing for the UK Public Sector. A Business Overview

Cloud Computing for the UK Public Sector A Business Overview

Why Cloud Computing? The Government s ICT Strategy signals that, in the future, the Public Sector will consume its ICT as-a-service. The recent Public Services Network (PSN) and Government Cloud (G-Cloud) framework tenders signpost intent to make a speedy transition to as-a-service consumption models. Cisco has a wealth of capability: for building cloud services, and for delivering the essential infrastructure components of private and public cloud environments. We have created this business overview to provide a better understanding of cloud computing ( Cloud ), to explain its importance to Public Sector business decision makers and to offer an approach to adoption. A companion technical overview will soon be available to explain cloud computing technology and to cover associated technical considerations. We look forward to the opportunity to discuss the contents of these papers with you. Rod Halstead Managing Director Cisco UK Public Sector Cisco Systems

Contents Contents 3 Introduction 4 Cloud Computing The Basics 6 What is Cloud Computing? 6 Why is the Public Sector Adopting Cloud Computing? 7 What about Cloud Computing Standards? 8 Cloud Essential Characteristics 8 Cloud Service Models 9 Cloud Deployment Models 10 Security Considerations for Cloud 11 Public Sector Cloud Deployment Models 12 The ICT Service Delivery Platform for Cloud 14 The ICT Service Delivery Platform 15 The Business Benefits of Cloud 17 Direct Cost Saving 17 Operational Efficiency 17 How to Approach Cloud Computing 18 Cloud Procurement 20 Summary and Recommendations 21 How Cisco Can Help 22 Cisco Cloud Products and Solutions 22 Cisco Services for Cloud 22 Further Information on Cloud 23 Cloud Primers 23 Government Papers on ICT Strategy and Cloud Computing 23 Cisco Business Papers 23 Cisco Technical Papers 23 Case Studies 23 3

4

Introduction The Government published its ICT Strategy in March 2011 to explain how ICT can help address the UK budget deficit: by delivering direct cost savings on current ICT expenditure, and by increasing the use of ICT to deliver new levels of operational efficiency to Public Sector organisations. The strategy proposes that direct cost savings will be achieved through fundamental change to the way that the Public Sector specifies, procures and operates ICT infrastructure, applications and services. This fundamental change is embodied in two key Government programmes the Public Services Network (PSN) and G-Cloud (Government Cloud). These programmes are very closely aligned and represent the way by which the Public Sector will, in the future, procure all ICT as-a-service. PSN and G-Cloud are both highly strategic and central to the Government s objectives of cost saving and efficiency. PSN will deliver a single network of networks (a private cloud network) for the Public Sector - the common infrastructure discussed in the ICT Strategy. G-Cloud will enable a range of cloud services to be delivered at scale into the Public Sector. In combination, PSN and G-Cloud will create a cloud environment for the Public Sector. Adoption of a cloud approach will allow ICT resources and services to be abstracted from underlying infrastructure and provided on-demand and at scale in multi-stakeholder (or shared services ) environments. This offers a unique opportunity for organisations to evaluate how best to deliver ICT infrastructure, applications and services to meet business requirements. It also brings the potential to eradicate established inefficiencies, costs and service management complexity. Cisco, as an ICT technology provider, is helping to shape and drive the transition to Cloud in both private and public sectors. Cisco has focused on three key areas for technical innovation: how data centre compute and storage resources can be consumed in a granular and cost-effective manner, how organisations can build a service delivery platform that will support cloud deployments at scale, and how these deployments can be made secure. Cisco in the UK has established a Public Sector Cloud Team to work actively with customers and service providers to ensure Cloud is fully understood and that business benefits can be realised in a timely fashion. This is very important because, although Cloud represents a technical transition, it can only deliver full benefit if aligned to profound business change to the ownership of ICT assets and ICT delivery within an organisation. Cisco has created this paper for business decision makers: To provide a better understanding of Cloud To explain why it should be incorporated into business strategies, and To provide guidance on how to approach Cloud adoption We would welcome the opportunity to discuss this paper and the companion paper with you and to work in partnership to realise the benefits of this new opportunity. 5

Cloud Computing - The Basics What is Cloud Computing? Cloud computing (or Cloud ) is an established industry paradigm for providing business computing using a managed service delivery model. In the cloud model, a managed service provider delivers ICT infrastructure or a computing application as a pre-packaged service to agreed service levels. The managed service provider, not the end-user organisation, is responsible for all aspects of delivering that service. Cloud will also have a very significant commercial impact because ICT is normally provided as metered services and invoiced by use. This represents a fundamental shift in ICT expenditure away from capital ( capex ) budgets to operational ( opex ) budgets. Cloud will have a significant organisational impact because of the fundamental shift of ICT responsibility away from local resources (ICT department or outsourcer) to the managed service provider. 6

Why is the Public Sector Adopting Cloud Computing? Cloud became a cornerstone of Government ICT Strategy in summer 2009. It offered one way to deliver significant cost saving to the 16 billion ICT budget as required by HM Treasury s Operational Efficiency Programme. The Government Cloud (G-Cloud) programme was established at that time to advance the vision for Cloud and accelerate the anticipated business benefits. It comprised three separate strands: data centre consolidation, cloud computing, and applications store - each with the ability to contribute significantly to cost savings. The G-Cloud programme has been maintained by a small group of Central and Local Government stakeholders. That group of stakeholders has delivered a Cloud Computing Strategy, issued a Cloud Framework Tender and advanced a number of cloud projects. The experience gathered on these projects is being shared through the Cloud Foundation Delivery Partner programme. Cloud has remained one of the key Common ICT Infrastructure programmes in the March 2011 revision of the Government ICT Strategy. The implementation plan for that strategy provides an excellent explanation of why Government should adopt Cloud: Government will exploit commodity ICT services through the use of cloud computing technologies to: To reduce government ICT running costs and power consumption through radically increasing re-use of assets and services including software and hardware, thus greening our ICT provision and saving both the direct additional costs of duplicate buying, as well as the indirect costs of running multiple redundant procurements; To optimise use of our data centre infrastructure - which traditionally has been hugely inefficient. Maximising utilisation will allow rationalisation and consolidation of the data centre estate and lead to significant cost savings; To increase public sector agility through moving towards consuming ICT as a utility where services can be supplied on a pay as you go basis, scaled up or down according to need. This will also allow the quicker implementation of government policies; and To create a fairer and more competitive marketplace by a standards based cloud environment that enables a range of service providers constantly improving the quality and value of the solutions they offer, from small SME organisations providing niche products to large scale hosting and computer server capacity 7

What about Cloud Computing Standards? Standards represent agreed best practice. When applied to ICT they provide the basis for interoperability and for information exchange. They are of critical importance to Public Sector ICT programmes where there is the need to join-up stakeholder groups to deliver services. The Public Services Network (PSN) programme had already invested heavily in the development of ICT standards both for infrastructure and real-time applications and it was recognised that the same need existed for Cloud. G-Cloud followed the already established US Federal Cloud Program and adopted the US National Institute of Standards and Technology (NIST) Definition of Cloud Computing (the NIST standards) 1. That adoption for UK Government was recently confirmed by the Government Procurement Service (GPS) G-Cloud Procurement Vehicle tender that used the NIST standards for its technical framework. The NIST definition of Cloud is extremely important to both business and technical decision makers. It provides a high-level The NIST definition of Cloud is extremely important to both business and technical decision makers analysis of Cloud, with a focus on three key areas as shown in the figure below: Essential Characteristics Service Models Essential Characteristics Service Models Deployment Models On-Demand Self Service Software as a Service (SaaS) Public Measured Service Broad Network Access Private Platform as a Service (PaaS) Rapid Elasticity Hybrid Resource Pooling Infrastructure as a Service (IaaS) Community Deployment Models Essential Characteristics are of great importance to business decision makers as they encapsulate the key business differences between cloud and traditional ICT delivery models. Cloud Service Models and Cloud Deployment Models can also have genuine business impact: the former because they define possible interface points between end-user organisations and service providers, the latter because they explain different physical mechanisms by which Cloud can be consumed. Figure 1 The NIST Definition of Cloud Computing Cloud Essential Characteristics The NIST standards define the essential characteristics of Cloud so that the differences from traditional ICT delivery models can be understood. The key characteristics for the business decision maker are that ICT delivered using the cloud model: Can be easily shared ( shared services ) across multiple stakeholder organisations, providing business convergence and cost benefits Can be consumed at scale over large networks of arbitrary topology Has reserves of capacity and performance that can scale to meet changing business demand Is typically metered and invoiced by use Is consumed as services C. L. O. U. D. can be used as a simple mnemonic to recall the essential characteristics (see text box). Cloud Essential Characteristics A Simple Mnemonic C ommon (multi-tenant and shared) L ocation-independent O n-demand (flexible and scalable) U tility (metered and invoiced by use) D elivered as-a-service 8 1 NIST Definition of Cloud Computing - http://csrc.nist.gov/publications/nistpubs/800-145/sp800-145.pdf

Cloud Service Models The NIST standards offer three cloud service models, each with a different interface point between managed service provider and end-user organisation. The models provide options that vary in the extent to which control of ICT delivery is transferred away from the end-user organisation to the managed service provider. Three main service models are defined, as follows: Infrastructure as a Service (IaaS) provides processing, storage, networks and other computing infrastructure resources. The end-user organisation does not manage or control the infrastructure but has control over operating systems, applications and programming frameworks Platform as a Service (PaaS) provides computing platform resources on which end-user organisations can deploy applications, developed using specified programming languages and tools. The end-user organisation does not manage or control the underlying compute platform but has control over deployed applications Software as a Service (SaaS) provides end-user organisations with access to applications running on cloud infrastructure. The end-user organisation does not manage or control the underlying cloud infrastructure or the capabilities of cloud applications. The end-user organisation may, however, manage or control user-specific application settings Cloud service models may, of course, exist in combination and alongside non-cloud models. For example, an organisation may wish to meet its overall data centre and hosting requirements using the IaaS model from one provider, while meeting its voice, video and real-time collaboration requirements using the SaaS model from another. Cloud service models are extremely important as they define the boundary, in terms of roles and resources, between a cloud service provider and an enduser organisation. When an organisation decides to adopt Cloud it hands over some level of control of ICT delivery to a third party. It must make structural, process and governance changes to reflect this and so realise the full business benefits. For example, an organisation may deliver all its ICT through an internal department or outsourcer contract. However, if it wishes to consume using the cloud model it would need to re-evaluate its current contracts, local delivery resources and governance structures. 9

Cloud Deployment Models Cloud deployment models describe the infrastructure domains (usually the network domains) over which cloud ICT services can be delivered. Four main deployment models are defined by NIST, as follows: Public Cloud a domain (typically the Internet) open to the general public or wide group of stakeholders, owned and managed by a cloud service provider Private Cloud a domain operated solely for a single organisation, owned by the cloud service provider, managed by the cloud service provider or the end-user organisation Community Cloud a domain shared by several stakeholder organisations who operate within a specific community, owned by the cloud service provider, managed by the cloud service provider or by one or more of the stakeholder organisations, as a variant of private cloud Hybrid Cloud - a domain that combines two or more deployment models that remain unique entities, but are bound together by technology that enables data and application portability The G-Cloud programme set out further principles around these four deployment models and their suitability for UK Government, as follows: In addition to these three 2 G-Cloud deployments, the US National Institute of Standards and Technology (NIST) defines another cloud deployment model: Community cloud. In UK government terms, private and community cloud deployment models refer to the same thing as the G-Cloud programme founding principles dictate that the Public Sector should be treated as one organisation for cloud services. In other words, this means that there will be only one private cloud (possibly per IL) that is able to be accessed by all public sector consumers. The components of this are expected to be delivered by multiple suppliers/organisations, but they must be interconnected and available to all, thus creating a single private cloud. As laid out in the G-Cloud principles that were defined during phase 2, government should utilise the public cloud deployment model as a default position, utilising private cloud only where essential criteria cannot be met by public cloud delivery model offerings. For example: Information Assurance criteria might currently drive the use of government accredited data centre services and infrastructure for sole use of the public sector where services are processing/storing information at Impact Level 3 and above. However, how our essential criteria are met is expected to evolve as the cloud market innovates and matures, possibly reducing our need for private cloud delivery. Cloud deployment models are of critical importance to the Public Sector and link together the PSN and G-Cloud programmes in a very direct way. Each deployment model is associated with particular security characteristics that dictate which applications and services may run over them this is covered in the next main section of this paper. In addition, each model is associated with a different level of scalability. Public clouds are typically much larger than private clouds and this affects how cloud services can be delivered and their cost. For example, public cloud services can likely be delivered at low cost to an organisation because of the opportunity for follow-thesun management operations. Cloud may, of course, exist in combination within other delivery models within an organisation. For example, an organisation may wish to continue to deliver the majority of its ICT conventionally but decide, for reasons of cost, to deliver citizen contact applications as cloud services over the Internet. There is no standard template that defines the right combination of cloud and non-cloud services for an organisation. The right combination must be arrived at through development and refinement of a vision for Cloud linked directly to business needs. 10 2 Note: Public, Private and Hybrid

Security Considerations for Cloud Security is one of the prime considerations when making an assessment of Cloud and of the suitability of particular applications for cloud deployment models. Each cloud deployment model has its own security characteristics and potential risks. These will dictate the applications and services that may be used over them, for example: Public clouds offer no assurance and are only suitable for applications operating at Impact Level 0. They are not suitable, therefore, for applications that demand any level of confidentiality, integrity and availability. Even for applications that do not demand confidentiality and integrity a business must look at availability to ensure the cloud service can meet the required service levels Private clouds can offer assurance and so can operate at any Impact Level. The PSN will deliver a private cloud for the Public Sector and be assured to operate at Impact Level 2. PSN standards have also been developed that allow applications operating at Impact Levels 3 and 4 to use security overlays Note on Impact Levels Impact Levels (or Business Impact Levels) are defined by CESG. They are on a scale from 0 (no impact) to 6 (extreme impact) and define the impact to a business that would result from any compromise of the confidentiality, integrity or availability of information used Adoption of private and community clouds requires an end-user organisation to be confident that its data will remain confidential and isolated on shared compute, networking, and storage resources. Maintaining data security and separacy in a multi-stakeholder environment requires technology and processes for identity management, data protection and integrity, and data governance. Organisations must be aware that cloud computing is at scale and usually involves much larger infrastructure domains than in the past. Cloud environments, therefore, offer larger attack surfaces and so are more vulnerable to security and cyber-security threats. Organisations must put robust procedures in place and deploy the latest security technology to manage these risks. In addition, and finally, there are other security and assurance risks that need to be recognised and managed for cloud deployment models to be successfully adopted: by an application, or residing on an ICT system or infrastructure. There is a direct relationship between Protective Marking and Impact Levels. See the CESG business impact tables at: http://www.cesg.gov.uk/policy_ technologies/policy/media/business_ impact_tables.pdf Each cloud deployment model has its own security characteristics and potential risks. These will dictate the applications and services that may be used over them Legal compliance does the cloud service comply with applicable laws and regulations? Service location does the cloud service meet legal constraints on the geographic location of data and can this be addressed in service contracts? Data ownership does the cloud service offer clear data ownership and data inspection guarantees? Insider abuse of privilege does the cloud service properly control access to provider staff to prevent data leakage? Data monitoring does the cloud service meet all business and legal requirements for monitoring data relating to different clients? 11

Public Sector Cloud Deployment Models Cloud deployment models are particularly important for Public Sector organisations at this time because of new options available through the PSN programme. End-user organisations should assess available public and private deployment models against cost and security considerations. The following key considerations should be taken into account: 1. PSN promises, for the very first time, to deliver a single private cloud for the whole of the Public Sector 2. PSN will also deliver private clouds to individual organisations and community clouds to groups of stakeholders 3. Cloud deployment models can only support particular levels of security; for example, public clouds can typically only operate at Impact Level 0 4. Cloud deployment models differ in their scale; this potentially affects both cost and ability to deliver shared services Cisco believes that each of the four deployment models in the NIST standards can readily be deployed by Public Sector organisations. Public Cloud refers to Cloud over the Internet through wired or wireless connections. Cloud computing services delivered via this deployment model would typically operate at Impact Level 0. However, it is technically possible to operate up to Impact Level 3, using established guidance provided by CESG, although this approach is not recommended for use at scale. Private Cloud will, in the future, refer to Cloud over the PSN. Cisco believes that three variants will emerge: Single organisation private clouds implemented as virtual private networks (VPNs) over the PSN Multi-organisation community clouds implemented in a similar way The PSN, as a single overall private cloud, embracing the whole of the Public Sector Cloud computing services delivered via this deployment model may, typically, operate up to Impact Level 4. Community Clouds already exist in a functional sense for example, as Healthcare Community of Interest Networks (COINs). In the future, however, community clouds may be realised as community clouds over the PSN as the vehicle for supporting multiple stakeholder organisations. Cloud computing PSN promises, for the very first time, to deliver a single private cloud for the whole of the Public Sector services delivered via this deployment model would also be able to operate up to Impact Level 4. Such services, supporting community or stakeholder groups, are often referred to as shared services. Hybrid Clouds, as explained previously, comprise a combination of public and private clouds. However, within the Public Sector, the term may also refer to implementations comprising different categories of private cloud or combinations of private and community cloud. This type of hybrid cloud already exists for example, the University of Loughborough runs cloud applications from a local data centre over a campus (private) cloud but also has the ability to run the same applications over the JANET network a community cloud. This approach is often termed to as co-operative cloud by industry. 12

13

The ICT Service Delivery Platform for Cloud Every Public Sector organisation should develop its own ICT Strategy to define the common ICT infrastructure required to support its business computing. Cisco refers to this common ICT infrastructure as the ICT service delivery platform. When the platform is to be used for cloud deployments, particular attention must be paid to availability, scalability and information security and to the mobility features necessary to support large communities of location-independent end-users. The essential components of this platform, and their characteristics, are documented in the next sub-section of this paper. 14

The ICT Service Delivery Platform The service delivery platform comprises four essential ICT pillars: Data Centre consolidated and virtualised service delivery points housing all applications and services Private or Community Network high performance, high availability infrastructure to deliver applications and services to end-users This approach also enables the costeffective re-use of existing systems as the building blocks for new services in what is referred to as service-oriented design. Through our Cisco CloudVerse solution we are able to offer all the key elements of the service delivery platform, with characteristics that make them ideal for cloud deployments. The main elements of CloudVerse are: We recommend an architectural approach to the development of the service delivery platform Mobile, Virtual (VDI) Desktops offering secure, lower cost, mobile access to applications and services Information Assurance and (Cyber) Security the protective wrap of security infrastructure that maintains information confidentiality, integrity and availability and can mitigate cyber threats We recommend an architectural approach to the development of the service delivery platform. Such an approach allows an overall ICT architectural blueprint to be developed and agreed by stakeholders, then built incrementally as performance and functional requirements develop and budgets permit. Unified Data Centre a simplified architecture that provides efficient network operations, greater ICT agility for business innovation and an open system for supporting multiple cloud and virtualisation strategies Cloud Intelligent Network that integrates seamlessly with the unified data centre to provide a powerful end-to-end delivery platform for cloud services Mobile, Virtual End-points that support location-independent workers at scale permitting them to use end-points and connection methods of choice Information and Service Assurance - the Cisco SecureX Architecture that enables consistent security policies and enforcement, up-to-date threat intelligence and greater infrastructure scalability so helping to manage the risk of moving to Cloud More information on CloudVerse, and the capabilities of Cisco cloud products and solutions, can be found using the references at the end of this paper or in the companion paper Cloud Computing in the UK Public Sector A Technical Overview. Information Assurance and (Cyber) Security Data Centres ( Service Delivery Points ) Private or Community Network Mobile, Virtual End-points Figure 2 The ICT Service Delivery Platform 15

16

The Business Benefits of Cloud By enabling business process change and streamlining public services delivery, Cloud can help organisations meet their two key business requirements; realising direct cost savings, and creating operational efficiency. Direct Cost Saving ICT represents a significant cost for most organisations. Kable 3 estimates that cost to be, on average, 3% of overall budgets but the figure can be as great as 20% in some compute-intensive organisations. There is a strong consensus that Public Sector organisations can best realise direct ICT cost savings through adherence to the following principles: 1. Implement standards only procure ICT that is compliant with best-practice standards and implemented by skilled service providers 2. Remove the need for integration through buying ICT as accredited, off-the-shelf services 3. Buy ICT in a different way as metered services (operational costs) rather than as hardware and software assets (capital costs) The G-Cloud programme, which is based on the NIST standards and which specifies accredited cloud services, aligns very directly with these principles. However, Government must also create and develop a flexible, dynamic marketplace that will drive down costs through competition and technical innovation. This is being done through the current PSN and G-Cloud tenders that, in time, can create marketplaces for infrastructure, real-time and cloud services. Operational Efficiency Cloud can promote operational efficiency and so deliver indirect cost savings. It can do this because of its inherent agility and scalability, and through driving business process change and streamlined public service delivery as follows: Greater business agility by allowing statutory and business requirements to be met more quickly, by allowing near limitless business scalability, and by enabling businesses to meet annual cycles and to grow over time Support for business process change - by bringing powerful new real-time cloud services to support new ways of working, and new citizen care applications associated with channel shift Enhanced information management and sharing potential through shared services that join-up stakeholders who can share information and applications to improve the delivery of services Cisco has produced a companion paper Operational efficiency in the public sector 10 recommendations for cutting costs in 2011 2012 that highlights the role of ICT in delivering operational efficiency to the Public Sector. See the reference at the Cloud can promote operational efficiency and so deliver indirect cost savings end of this paper. The recommendations contained within that paper can all lead to greater savings if delivered using a cloud model. 3 Kable is one of the leading providers of market intelligence on the UK Public Sector 17

How to Approach Cloud Computing Cloud must be considered as a fundamental change to business operations and commercial models, rather than as a technology change. Cloud requires a thorough review and assessment of business fundamentals. This includes answering a number of core questions covering the appetite for organisational and process change, the importance of owning ICT assets and the acceptance of risk associated with change. To help with this process, we have created a set of key questions which can be found in the Planning for Cloud: Questioning Business Fundamentals text box below. Cisco recommends a four-phase approach to Cloud based on a thorough understanding of the essential characteristics, service models and deployment models contained in the NIST definition, as follows: 1. Preparation: to fully understand Cloud, how it can benefit an organisation and how it will affect resources, processes, operational structure and costs Planning for Cloud: Questioning Business Fundamentals Each organisation needs to plan its own path to Cloud. That process requires answers to a series of key questions on business fundamentals including: What constraints are keeping us from meeting our business needs through our current approach to ICT infrastructure and applications? How much control do we want to retain over ICT assets (infrastructure and applications) and ICT delivery? How often do our business requirements change? Do we regularly need to meet new regulations and compliance requirements? Do we welcome the expected impact on cost models and budgets? What aspects of our budgeting and procurement processes will need to change? What new operational models would we need to implement? How would Cloud fit into our overall strategy and future goals? What is our tolerance to the risk associated with change? What are the benefits and limitations of Cloud for our processes? Which applications can and should be moved to Cloud? How will our ICT teams be affected? What aspects of our overall culture will need to change? 18

2. Planning and Design: to plan which elements of ICT infrastructure and applications are suitable for Cloud delivery. To select which services should be delivered on private cloud and which are suitable for migration to a public cloud. To plan and design for the evolution of cloud infrastructure and the phased introduction of each cloud service 3. Implementation: to realise cloud architecture and services on time and within budget 4. Optimisation: To continue the evolution to Cloud and enable ongoing cost reduction The preparation, planning and design phases are absolutely critical to successful deployment of Cloud. We have developed a ten point checklist, the Public Sector Cloud Maturity Model A Ten Point Checklist for Success to help end-user organisations take the right steps in their transition to Cloud (see right). Cisco recommends that each phase should be facilitated through a series of stakeholder workshops. The workshops can be used to develop a common understanding of Cloud and provide the vehicle both for answering key questions and for developing plans. We suggest that workshops might be held to focus on the following areas: Cloud basics Organisational and process change Ownership of ICT assets and ICT delivery Public Sector Cloud Maturity Model A Ten Point Checklist for Success 1. Understand the Government ICT Strategy and its constituent G-Cloud and PSN programmes 2. Understand the essential characteristics, service models and deployment models for Cloud defined in the NIST standards 3. Decide if the essential characteristics for Cloud align with business appetite for organisational change, financial change and for risk 4. Agree how important the ownership of ICT assets (infrastructure, compute) and ICT delivery is to your business 5. Analyse the ICT required for the business to select those infrastructure and compute services that could best move to Cloud 6. Define service models for the selected cloud services in line with the policy on ICT ownership 7. Carry out a security audit to identify if adequate assurance provision is in place for the move to Cloud 8. Agree cloud deployment models for the selected cloud services in line with security, availability and financial considerations 9. Define the vision for Cloud within the business (based on points 2 8) and incorporate it into the ICT strategy 10. Agree the route for most efficient procurement of the selected cloud services Expected benefits and benefits realisation Suitability of infrastructure and applications for cloud deployment Service delivery platform and end-toend architectures Cisco Services has global consulting practices with the skills to take the advice contained in this section and deliver a vision for Cloud and create business, services and technical strategies. Change to financial models Information assurance and security 19

Cloud Procurement Procurement change is absolutely essential if Cloud is to realise full benefit for the Public Sector. An organisation s strategy should be to procure cloud services, based on best practice standards, from accredited service providers without the overhead of the full OJEU (Official Journal of the European Union) process. At the present time the majority of Public Sector ICT procurement is via tenders advertised in the OJEU. Such tenders form the final element in a set of processes that comprise: gathering of business requirements, writing of technical specification, writing the OJEU tender documents, tender response evaluation and contract award. These processes are complex, resource-intensive and very expensive for an organisation to implement. They can often take long periods of time so delaying projects. OJEU tenders are not the recommended approach, nevertheless they do offer the first route for procuring cloud services. The Government Procurement Service (GPS), formerly OGC Buying Solutions, has a strategy for Public Sector organisations to procure from frameworks (lists) of providers who have been assessed as having the necessary capability. GPS, on behalf of the G-Cloud programme, has just run a tender to populate a framework of cloud providers. The procurement for a G-Cloud Procurement Vehicle was defined as follows in the OJEU tender: It is intended this procurement will establish a multi-supplier vehicle for the purchase of Cloud-based IT Services ( G-Cloud Services ) by public bodies in Central Government and across the wider public sector. This vehicle will be called the G-Cloud Procurement Vehicle. This framework runs in parallel with the PSN Services framework, and the overlap across the frameworks is recognised. The PSN (Public Services Network) provides strategic convergence for GSi, PNN, N3 and other public sector networks. It would be possible to buy Cloud Computing Services from the PSN framework, and equally, PSN services from this framework. Note, however, that any services that connect to the PSN will be subject to PSN governance and required to undergo PSN Compliance Certification. The G-Cloud Procurement Vehicle will list providers with accredited capability to deliver IaaS, PaaS and SaaS services as well as specialist capabilities such as cloud transition and migration services. It is the second route and the preferred route by which organisations can procure of cloud services. The PSN programme is also tendering to set up two frameworks of providers one for connectivity and one for services - with the capability to offer accredited services. There is an acknowledged overlap (see extract from the OJEU tender left) between PSN services which are mainly realtime applications - and G-Cloud SaaS applications. For this reason the PSN Services Framework will be a third route for procurement of selected cloud services. Public Sector organisations must assess which of these procurement routes best meets their business need. At the present time there is no suggestion that any of these routes are to be mandated, although it is quite possible that this may change at some point in the future. 20