Cloud First: Policy Not Aspiration. A techuk Paper April 2017

Similar documents
Cyber Security Strategy

PREPARE FOR TAKE OFF. Accelerate your organisation s journey to the Cloud.

Accelerating Cloud Adoption

the steps that IS Services should take to ensure that this document is aligned with the SNH s KIMS and SNH s Change Requirement;

SWIFT Response to the Committee on Payments and Market Infrastructures discussion note:

SECURING THE UK S DIGITAL PROSPERITY. Enabling the joint delivery of the National Cyber Security Strategy's objectives

Up in the Air: The state of cloud adoption in local government in 2016

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Build confidence in the cloud Best practice frameworks for cloud security

Cybersecurity. Securely enabling transformation and change

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Innovation Infrastructure Partnership

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

RESPONSE TO 2016 DEFENCE WHITE PAPER APRIL 2016

Keeping the lid on storage

Ofqual. Ofqual Supporting a Cloud-First Programme. Client Testimonial

ehealth Ministerial Conference 2013 Dublin May 2013 Irish Presidency Declaration

Commonwealth Telecommunications Organisation Proposal for IGF Open Forum 2017

IPv6 Task Force - Phase II. Welcome

Stakeholder feedback form

CHAIR S SUMMARY: G7 ENERGY MINISTERS MEETING

Regional Development Forum For the Arab States(RDF-ARB) 2018

ICT FUNCTIONAL LEADERSHIP: PROGRESS REPORT OCTOBER 2016 TO MARCH 2017

Optimisation drives digital transformation

EMBRACE CHANGE Computacenter s Global Solutions Center helps organizations take the risk out of business transformation and IT innovation

A new approach to Cyber Security

Principles for a National Space Industry Policy

ENISA EU Threat Landscape

Healthcare IT Modernization and the Adoption of Hybrid Cloud

Commonwealth Cyber Declaration

10 Considerations for a Cloud Procurement. March 2017

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

ISRAEL NATIONAL CYBER SECURITY STRATEGY IN BRIEF

MOVING MISSION IT SERVICES TO THE CLOUD

Perfect Balance of Public and Private Cloud

Swedish bank overcomes regulatory hurdles and embraces the cloud to foster innovation

5G Testbeds and Trials. Programme Strategy and Structure

EGM, 9-10 December A World that Counts: Mobilising the Data Revolution for Sustainable Development. 9 December 2014 BACKGROUND

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

New Zealand Government IBM Infrastructure as a Service

Collaborative Working presentation for CIPS. Bob Meakes I C W Associate Director

Security and resilience in Information Society: the European approach

What do you see as GSMA s

13967/16 MK/mj 1 DG D 2B

GDPR Update and ENISA guidelines

In 2017, the Auditor General initiated an audit of the City s information technology infrastructure and assets.

Manchester Metropolitan University Information Security Strategy

Sector(s) Public administration- Information and communications (50%), General public administration sector (50%)

The UK s National Cyber Security Strategy

Leading the Digital Transformation from the Centre of Government

Earth Observation, Climate and Space for Smarter Government

SAINT PETERSBURG DECLARATION Building Confidence and Security in the Use of ICT to Promote Economic Growth and Prosperity

Protecting information across government

Next Generation Strategy

Bring Your Own Device (BYOD)

ANZPAA National Institute of Forensic Science BUSINESS PLAN

Business Model for Global Platform for Big Data for Official Statistics in support of the 2030 Agenda for Sustainable Development

Transport Technology Connecting Australians. National Intelligent Transport Systems Strategy

Resolution adopted by the General Assembly. [without reference to a Main Committee (A/62/L.30 and Add.1)]

Accelerate Your Enterprise Private Cloud Initiative

Predictive Insight, Automation and Expertise Drive Added Value for Managed Services

Joint Declaration by G7 ICT Ministers

Implementing ITIL v3 Service Lifecycle

EU Code of Conduct on Data Centre Energy Efficiency. Endorser Guidelines and Registration Form. Version 3.1.0

CONCLUSIONS OF THE WESTERN BALKANS DIGITAL SUMMIT APRIL, SKOPJE

Research Infrastructures and Horizon 2020

Information Security Controls Policy

UK Gender Pay Gap Report 2018

Overcoming IT Challenges in the Education Segment Leveraging Cloud and On-Premise Resources for Maximum Impact

CESG:10 Steps to Cyber Security WORKING WITH GOVERNMENT, INDUSTRY AND ACADEMIA TO MANAGE INFORMATION RISK

How Your Organization Can Drive Success in the Age of Digital Disruption

Cyber Security and Cyber Fraud

ENISA s Position on the NIS Directive

Why Enterprises Need to Optimize Their Data Centers

CANARIE Mandate Renewal Proposal

POSITION DESCRIPTION

B.29[18a] Infrastructure as a Service: Are the benefits being achieved?

Cyber Security Issues and Responses. Andrew Rogoyski Head of Cyber Security Services CGI UK

Cybersecurity eit. Software. Certification. Industrial Security Embedded System

Cyber Resilience - Protecting your Business 1

The emerging EU certification framework: A role for ENISA Dr. Andreas Mitrakas Head of Unit EU Certification Framework Conference Brussels 01/03/18

Proactively released by the Minister of Internal Affairs

The United Republic of Tanzania. Domestication of Sustainable Development Goals. Progress Report. March, 2017

Security as a Service (Implementation Guides) Research Sponsorship

Leadership and Innovation to Every Building Greener THREE-YEAR STRATEGIC DIRECTION TO 2019

Cloud solution consultant

Package of initiatives on Cybersecurity

Securing Digital Transformation

DfT Policy Overview Rod Paterson

Security Awareness Training Courses

IT Risk & Compliance Federal

A Working Paper of the EastWest Institute Breakthrough Group. Increasing the Global Availability and Use of Secure ICT Products and Services

TEL2813/IS2621 Security Management

Private sector s engagement in the implementation of the Sendai Framework

DIT DSO Defence & Security Symposium 2017

Sussex Police Business Crime Strategy

Modern Database Architectures Demand Modern Data Security Measures

A Strategy for a secure Information Society Dialogue, Partnership and empowerment

Transport and ICT Global Practice Smart Connections for All Sandra Sargent, Senior Operations Officer, Transport & ICT GP, The World Bank

THE TRUSTED NETWORK POWERING GLOBAL SUPPLY CHAINS AND THEIR COMMUNITIES APPROVED EDUCATION PROVIDER INFORMATION PACK

Transcription:

Cloud First: Policy Not Aspiration A techuk Paper April 2017

2 Cloud First: Policy Not Aspiration

Introduction As more organisations begin to use cloud computing as part of the evolution of their business strategy, business leaders are recognising the range of benefits which well managed cloud services can provide. Cloud is no longer a new technology adoption. However, despite the increasing understanding and uptake of cloud, the benefits of cloud remain elusive to some. This can often be the case when the focus of cloud implementation is primarily on technical considerations rather than how it can be used throughout an organisation to overcome business challenges, increase efficiencies, reduce costs and drive digital transformation. Cloud computing is essentially an approach to computing which enables organisations, of any size or sector, to access on-demand computing power and resources as and when they require it. Computing resources such as software applications, development platforms and IT infrastructures are all delivered as a service; normally charged as a utility service as and when they are consumed by users. Cloud represents a shift from traditional computing that will enable businesses to tap into state of the art data and IT infrastructures without having to make up-front capital investments, or develop sophisticated technical skills necessary to manage and maintain them. Moving to the cloud can also make public sector organisations more, rather than less, secure. Cloud services can offer much greater levels of security and resilience as required by users. With the cyber security tools, solutions and educational initiatives available today, cloud computing services can be as secure as users require. Cloud First: Policy Not Aspiration 3

UK Government cloud leadership The UK Government has committed to adopting cloud computing, seeing it as key to delivering its ambition for end-to-end digital transformation. Crucial to this has been the G-Cloud framework¹ which originated as a joint Government and industry initiative. However, the public sector market as a whole has not yet become fully engaged and cloud has not yet fully penetrated into the core business of public service delivery. It s been nearly four years since the previous Government announced that purchases through the cloud should be the first option considered by public sector buyers of IT products and services. The adoption of this Cloud First policy was intended to drive wider adoption of cloud in the public sector and complement the Government s ongoing work in increasing operational standards, improving levels of data security and reducing the costs of delivering and managing complex, long term IT projects. A 2015 report, however, found that more than 50% of civil servants are not comfortable using cloud, with over 75% citing data security concerns as a key barrier to their adoption of cloud services.² The adoption of the Cloud First policy was meant to be underpinned with an understanding of the online threat environment to data and the importance of handling sensitive data with due care. However, if data security concerns are still preventing civil servants from adopting cloud services, this suggests that more guidance is needed to build greater trust and confidence amongst civil servants in the security of cloud computing. Recognising this, Government is in the process of working on and expanding guidance on its Cloud First policy which entails a move away from the phrase Cloud First towards the term Cloud Native.³ This move is intended to shift the policy away from merely committing to considering cloud before other options, to adapting how central government departments organise their work to properly take advantage of the benefits that cloud has to offer. 1 G Cloud Framework allows public sector organisations to buy cloud services listed on the Digital Marketplace without going through a full tender process. 2 According to a survey of 5,000 civil servants conducted by Dods and commissioned by cloud collaboration firm Huddle 3 https://governmenttechnology.blog.gov.uk/2017/02/03/clarifying-our-cloud-first-commitment/ 4 Cloud First: Policy Not Aspiration

Ensuring effective public sector adoption and usage of cloud To reap the full benefits of cloud computing, Government must incentivise a culture which recognises cloud computing s ability to deliver change, bring security benefits and support greater agility, flexibility and innovation. A recent techuk survey showed over one-third of civil servants involved in procurement of tech felt that their department s capabilities in change leadership, innovative thinking and digital capability are unsatisfactory or poor.⁴ Public sector leaders must enable a culture which allows public sector commissioners and buyers to leverage cloud computing as part of their business transformation to enable user-centered service design focused on delivery innovation. The benefits of cloud computing have already been tested and proved within the private sector and are currently delivering huge efficiencies and cost savings. To move the UK Government into the next phase, and to benefit fully from the opportunities provided by the cloud, Government departments and industry must work together to promote positive case studies highlighting where cloud computing has delivered operationally significant and innovative business transformation and citizen benefits. References to the role of commodity cloud services and cloud-based tools and services in realising the aims and objectives of the recently published Government Transformation Strategy⁵ are welcomed. However, the ongoing challenge will be in the execution of this strategy and Government being open to embracing the cloud services that can help it to achieve its 2020 targets. It is only by having a common, consistent approach to the adoption and implementation of cloud computing services, encouraging and enabling collaboration between public sector organisations at a central and local level, that the full cost saving and operational efficiencies and benefits that the cloud has to offer will be realised. 4 techuk s Civil Servants Survey Findings, May 2015: http://www.techuk.org/insights/news/item/4430- civil-servants-uncertaintyover-sme-suppliers-risks-delaying-it-adoption 5 https://www.gov.uk/government/news/the-future-of-public-service-government-transformation-strategy-launched Cloud First: Policy Not Aspiration 5

Government s role as a cloud security champion Government has a key role to play in leading the market to adopt more cloud products and services. It seems, however, that there is a gap between the Government s rhetoric on cloud services and its visible actions in practice. There is a fear that perceived security concerns and a lack of willingness to leverage cloud computing, as part of public sector business transformation (as well as possibly other issues), may be preventing Cloud First from becoming a concrete policy throughout public sector organisations rather than just an aspiration. We have identified a number of interventions that UK Government can take in order to be a standard bearer in the adoption of cloud: Be more vocal Government can be much more vocal about its commitment and support of Cloud First as a policy. Public sector buyers, and industry, need clarity as to whether Cloud First remains a priority policy and how it will continue in its current form. The Government Digital Service (GDS) blog on supporting cloud services is a useful example of positive messaging about the benefits of using cloud services.⁶ It highlights that a mandated requirement of the public sector s Technology Code of Practice is the requirement to objectively evaluate potential public cloud solutions first, before considering other options when updating or procuring IT solutions. Being more vocal on this mandated requirement would help to amplify the good news and promote examples of how the use of cloud services is making a real difference, to build trust in the security of cloud services in a way that could reach all public sector users. In January 2017, a guide was published by GDS offering public sector bodies advice on what to consider when putting services or data into the public cloud. This guide remains useful, particularly as it states that it s possible for public sector organisations to safely put highly personal and sensitive data into the public cloud. Many UK departments have made this decision based on risk management assessments once they have put appropriate safeguards in place. ⁷ Furthermore, the guide also highlights the security benefits of using cloud services: Cloud providers have a significant budget to maintain, patch and secure their cloud infrastructure. This means public cloud services can mitigate many common risks that often pose challenges for government organisations. ⁸ 6 https://governmenttechnology.blog.gov.uk/2016/07/22/why-we-use-the-cloud-supporting-services/ 7 https://www.gov.uk/guidance/public-sector-use-of-the-public-cloud 8 ibid 6 Cloud First: Policy Not Aspiration

Build a culture of cloud confidence Public sector leaders should create a culture which allows public sector commissioners and buyers to leverage cloud computing as part of its business transformation to enable user-centered service design that focuses on innovation. Make better use of successful examples Case studies are often the most successful way in which buyers can be influenced by the usefulness of cloud products and services. Successful deployments of sharing data using the cloud in the public sector need to be shared, along with details of the associated benefits and efficiency savings. Government departments and industry should work together to identify, record and promote positive case studies of where the use of cloud computing is delivering significant business transformation. Having the necessary capabilities to leverage the cloud Ensuring that civil servants have the required training, skills and capabilities to understand and leverage investment in the cloud is key. Early market engagement with the cloud computing industry should be encouraged to help ensure civil servants have the capabilities needed to adopt and promote cloudbased, new ways of working that can drive efficiencies and achieve the goal of doing more with less. Ask the right questions, get the right answers Many buyers of cloud services are not aware of the correct questions that they need to ask of their cloud providers or how to interpret the results. This in turn creates a disconnect between buyer and seller, and could result in incorrect products/services being purchased with the wrong type of security attached. Government can help by highlighting the questions that buyers need to be asking of their cloud suppliers, and explaining the value in the responses. Government departments should engage with industry early in the commissioning process to ensure that there is a forum for asking the right questions and getting the answers needed to move the cloud journey forward. This will create a better understanding between public sector technology leaders and cloud providers and ensure Government departments can fully maximise the opportunities from cloud computing services. techuk has published a three point plan⁹ to transform the delivery of public services, which provides a framework for effective engagement with Government and industry. 9 https://www.techuk.org/insights/news/item/2266-techuk-3-point-plan-to-transform-delivery-of-public-services Cloud First: Policy Not Aspiration 7

Make cloud a key part of government strategy The National Cyber Security Strategy, published in November 2016, unfortunately did not make specific mention of cloud security as a major priority either for Government or the newly established National Cyber Security Centre (NCSC). This has been widely noted. If the NCSC were to go on the record affirming the security benefits of well run cloud services as equal to traditional dedicated solutions, it would do much to address the security concerns of many potential end-users. In order for Cloud First to be a true and effective policy, not simply an aspiration, Government must ensure that cloud, and in turn the associated cloud security, form an integral part of the roll out of the Government s Transformation Strategy that provides a framework for achieving world-leading delivery of public services¹⁰. Within this strategy, the Government has reaffirmed that digital transformation is more relevant than ever to UK public services. The focus on information sharing and end-to-end transformation aligns with techuk s key priorities for public services. References to the role of commodity cloud services and cloud based tools and services in realising the strategy s aims and objectives is also welcomed. However, as ever, the challenge will be in the execution and techuk look forward to working with the Government to help it achieve its 2020 targets, embracing the full diversity and strengths of the technology sector, including cloud services providers. Define, adopt and drive open standards Open standards need to go hand-in-hand with cloud in order to deliver the flexibility and cost-savings which can be achieved through cloud. The open standards policy set out by government needs to be strengthened, expanded, accelerated and linked to the Cloud First policy to avoid costly blind alleys and ensure the true benefits of cloud are achieved. 10 http://www.techuk.org/insights/news/item/10200-gts-outlines-ambitious-targets-to-transform-public-services 8 Cloud First: Policy Not Aspiration

Cloud security principles: Practice what you preach! Despite the lack of progress, Government did recognise early on that concerns around cloud security were inhibiting the adoption of cloud in both the public and private sectors. To address this, the 14 Cloud Security Principles ¹¹ were developed in order for users to evaluate the security of cloud products and services. The guidance was intended to help public sector organisations make informed decisions about cloud services and choose a cloud service that balances business benefits and security risks effectively. The principles, backed up with detailed technical advice on implementation and assurance, should have shepherded a new era of trusted cloud adoption within the public sector, with a follow-on effect on the private sector and their adoption of cloud. This, however, does not seem to have been the case to date. Cloud service providers (CSPs) can and are working to boost awareness and greater adoption and use of the cloud security principles. These principles were not just developed for users; they also gave CSPs an easy to use format in which to showcase the security of products to potential clients, in turn creating more trust and assurance between provider and public sector buyer. Government should encourage companies to clearly reference what they are doing against each principle providing evidence to support their position. However, it is important that CSPs understand that in showcasing how their services align with the principles, they must make it clear to the buyer that this does not mean that they are officially accredited by the UK Government. Such a status requires participation in accreditation initiatives which can require extensive external validation. 11 https://www.ncsc.gov.uk/guidance/implementing-cloud-security-principles Cloud First: Policy Not Aspiration 9

Further guidance It is welcome to see that the NCSC issued further guidance to both the public and private sectors in the form of its Understanding Cloud Security guidance.¹² This builds on the 14 principles and is intended to help buyers determine how confident they can be that a cloud service is secure enough for their organisation. This includes: Guidance on assessing the strength of the separation measures of a given cloud service¹³ (Separation and Cloud Security). Specific guidance on managing the security responsibilities when using Infrastructure as a Service.¹⁴ In order to publicise this guidance better, and ensure that it works effectively, Government needs to work closer with industry to highlight it. There are also a number of other areas on which further guidance would be welcome, including: 1. Data localisation requirements 2. Implementation of the new General Data Protection Regulation (GDPR) 3. Data Privacy 4. Control and Access 12 https://www.ncsc.gov.uk/guidance/introduction-understanding-cloud-security 13 https://www.ncsc.gov.uk/guidance/separation-and-cloud-security 14 https://www.ncsc.gov.uk/guidance/iaas-managing-your-responsibilities 10 Cloud First: Policy Not Aspiration

Conclusion and recommendations The following recommendations are a way for Government to become a cloud champion and ensure that Cloud First becomes a concrete policy and not just an aspiration within the public sector. The suggestions below will also help to build trust in the security of cloud services and increase the adoption of cloud within the public sector. Public sector leaders should be more vocal about Cloud First as a policy and work together to promote positive case studies of where cloud deployment is delivering significant business transformation in the public sector to amplify the good news about cloud services and build trust in the security of cloud. Government must ensure that cloud, and in turn cloud security, form an integral part of the Government s Transformation Strategy to ensure Cloud First is a living policy not an aspiration. Government departments should engage with cloud service providers early in the commissioning process to better understand and maximise the full opportunities from cloud computing services. A forum for effective engagement between Government and the cloud industry for asking the right questions and getting the right answers is needed to help departments move forward with their cloud journey. Government must regularly review the Cloud Security Principles, in conjunction with industry, and encourage cloud security providers to reference what they are doing against each principle for both public and private sector customers The National Cyber Security Centre should officially endorse well managed cloud storage as an equally secure data storage solution. Government should develop guidance for departments on the use of cloud computing services in relation to data issues including privacy, control, access as well as business resilience, data localisation and the introduction of the General Data Protection Regulation (GDPR). Cloud First: Policy Not Aspiration 11

techuk represents the companies and technologies that are defining today the world that we will live in tomorrow. The tech industry is creating jobs and growth across the UK. 900 companies are members of techuk. Collectively they employ more than 700,000 people. These companies range from leading FTSE 100 companies to new innovative start-ups. The majority of our members are small and medium sized businesses. www.techuk.org 10 St Bride Street, London EC4A 4AD techuk.org @techuk #techuk

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback