Cloud-Based ICT Services Checklist Guideline

A non-exhaustive list of considerations to be made when evaluating, purchasing, implementing and managing cloud-based ICT services.

Keywords: Cloud-based ICT services; cloud services; ICT procurement; digital design; service design; ICT expenditure; information management; information security; privacy; recordkeeping; compliance; audit; business continuity; disaster recovery; evaluation

Identifier: CS-GUIDE-01
Version no.: 1.0
Status: Issued
Issue date: July 2014
Date of effect: July 2014
Next review date: July 2015
Authority: Victorian Government CIO Council
Issuer: Victorian Government Chief Technology Advocate

Except for any logos, emblems, trademarks and contents attributed to other parties, the policies, standards and guidelines of the Victorian Government CIO Council are licensed under the Creative Commons Attribution 3.0 Australia License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/au/

Overview

This document provides a non-exhaustive checklist of considerations to be made when evaluating, purchasing, implementing and managing cloud-based ICT services (‘cloud services’). Each checkpoint item is explained (see Checklist explanation).

Context

Cloud services are an important innovation in the provision of ICT services. Engineered for sharing, they enable a large and diverse customer base to use a standardised service without the need for each customer to individually buy, install and customise hardware and software.[1] Cloud services also give users ready access to advanced functionality and high quality operations along with shorter project timelines and, when managed properly, significant benefits and less risk in comparison to traditional dedicated ICT solutions. Enterprise-grade cloud offerings now exist across the full spectrum of ICT services. However, some constraints apply.
First, the cloud services market is rapidly evolving and comprises vendors and services of varying quality and appropriateness for government use. Secondly, not all workloads, categories of information or applications are appropriate for delivery as cloud services. Consequently, agencies should approach cloud services aware of both the opportunities and the risks, and taking note of procurement and risk management practices.

Cloud services checklist

The following checklist is a non-exhaustive list of considerations agencies should make prior to committing to a cloud service.

1. Has there been a frank assessment of the current ICT environment?
2. Are there clear business outcomes and priorities?
3. Have you assessed and categorised your data for suitability?
4. Do you understand the relevant data sovereignty risks?
5. Can you adopt a more flexible approach to your requirements?
6. Can your risk analysis processes accommodate cloud services?
7. Can your procurement strategy accommodate cloud services?
8. How will you fund your cloud implementation?
9. Have you completed formal data security and privacy impact assessments?
10. Have you gathered intelligence from other users?
11. Have you established how the service cost is determined and how it can be influenced?
12. Can you trial the service before purchase?
13. Does your cloud services agreement adequately address your circumstances?
14. Have you assigned roles and responsibilities for the storage and retrieval of your data?
15. Have you planned for service failure?
16. Have you considered your future needs?
17. Have you considered your potential roll-out plan?

See Appendix A for further information on the nature of cloud services.

Checklist explanation

1. Has there been a frank assessment of the current ICT environment?

The starting point for any evaluation of a cloud service should always be to form a realistic appreciation of the strengths and weaknesses of the existing approach to sourcing and managing ICT capabilities.
In particular, this evaluation should include a frank assessment of the agency’s track record for ICT project delivery and the sustainability and security of the agency’s ICT environment. This is an essential precursor to making pragmatic and honest assessments of the benefits, costs and risks of different sourcing options.

2. Are there clear business outcomes and priorities?

A sound understanding of the agency’s desired outcome(s), or end state, is crucial to the assessment of whether cloud services are appropriate for the given situation. Knowing, and prioritising, what is needed allows providers and purchasers alike to determine the most appropriate solution for the purpose. This exercise includes establishing information such as who will use the service (in terms of types or classes of user, or specific groups), in what numbers and at what frequency/volume.

3. Have you assessed and categorised your data for suitability?

Privacy laws and other information management obligations dictate that not all categories of information are appropriate for all types of cloud services. Consequently, agencies must analyse and categorise their data and satisfy themselves that the use of a cloud service will not put them at risk of breaching their legal, reputational and internal obligations. Crucially, agencies must consider any auditing requirements imposed on the data that will be stored in a cloud service. In particular, thought must be given to how readily that data can be queried, retrieved and tested for compliance purposes, and where necessary these needs should be discussed with the service provider.

4. Do you understand the relevant data sovereignty risks?

Critical to any decision to engage a particular cloud service is to know where the data resides.
There should be an awareness that some cloud service providers:

• store their client data in locations other than where their business is or appears to be based;
• move data without notice from location to location to accommodate operational issues such as load balancing; and/or
• simply resell the cloud service of another provider, further distancing the control of the data from the owner.

The difficulties with data not residing in Victorian or Australian jurisdiction are complex, and depend on the type of data stored and any legal or reputational overlay that may apply to that data. It is outside the scope of this guideline to provide advice in this area;[2] however, an evaluation of the provider’s storage arrangements needs to be undertaken before any decision to proceed with a given cloud service.

5. Can you adopt a more flexible approach to your requirements?

Generally, cloud services – particularly public cloud services[3] – are unlikely to be tailored to meet the specific needs of a customer. In some circumstances this may well mean that certain organisational needs are unable to be met by particular cloud services. However, this restriction can also be viewed as a catalyst for agencies to hone the requirements of the organisation so that they can utilise cloud services and receive the benefits that they offer. Consequently, agencies’ requirements definition exercises may need to evolve. For example, agencies may need to establish a process whereby they iteratively question their requirements, and determine any available compromises, before and after approaching candidate cloud services.

[2] See Appendix B, Data sovereignty, for further information.
[3] See Appendix A for a definition of public cloud services.

6. Can your risk analysis processes accommodate cloud services?

Proposals for cloud services should always be evaluated against relevant risk analysis processes, and suitable mitigation strategies should be implemented.
There should be recognition that cloud services present new challenges for risk management. For example, existing procurement policies and risk management processes often focus on minimising the risk of making a bad decision, whereas cloud services may call for a more expansive analysis – for example, an assessment of the risk of failing to make a good decision, or the risk of failing to make a decision at all.

Cloud services are subject to many different points of view as to their risks and benefits. Engage with prospective stakeholders early and closely manage their perceptions and queries. Further:

• ensure that the desired business outcomes and priorities are clearly stated;
• communicate the facts on the current state of the agency’s ICT environment, and how it relates to those desired outcomes and priorities;
• proactively socialise key research and case studies;
• showcase successful cloud services; and
• subject cloud services to professional ICT project management processes, i.e. ensure good planning with a focus on outcomes and pragmatic, but effective, risk management.

7. Can your procurement strategy accommodate cloud services?

Cloud services require extra care when aligning with existing Victorian Government Purchasing Board procurement rules (for example, the ‘as-a-service’ model defies easy quantification of contract value). Similarly, more agile, iterative approaches to sourcing ICT capabilities do not fit well with formal request for proposal (RFP) and tendering processes. Consequently, agencies may need to assess and possibly adjust their procurement strategy to balance the business value of cloud services with the necessary compliance measures.

8. How will you fund your cloud implementation?

It is important to note that whilst government ICT solutions have traditionally involved capital investment, cloud services are accommodated in operating expenses. These funding implications must be understood before engaging with a cloud services provider.
This step is important because in some instances capital expenditure may be easier to secure than operational expenditure, and vice versa. In particular, chief financial officers may need to be involved to engineer solutions to these types of challenges.

9. Have you completed formal data security and privacy impact assessments?

No matter how urgent the business need, or how compelling the offering is, agencies should always consider undertaking formal data security and privacy impact assessments before engaging with cloud services. These assessments will ensure that the relevant risks can be identified and actively managed through appropriate process, information management, operational and contractual mitigations. The process should be informed by an appreciation of the agency’s desired outcomes and priorities and the pragmatic cost/benefit/risk compromises involved in the procurement.

10. Have you gathered intelligence from other users?

As the government engages with cloud services in a range of different settings, a body of knowledge as to functionality, quality and reliability will begin to form. Consequently, before any interaction with cloud service providers, prospective purchasers should turn to other agencies to gather intelligence and possibly learn about alternatives. This engagement may also expose opportunities to, for example, re-use procurement and implementation materials, create sharing arrangements and possibly purchase services off existing contracts.

Equally, agencies should recognise that any engagement they have with a cloud service will generate information that may be useful to others. To that end, documenting at least basic information about their interactions with cloud service providers is encouraged.

11. Have you established how the service cost is determined and how it can be influenced?
Cloud services tend to be priced at the sustainable total cost of their operation, with an allowance to keep the service functionally relevant over time. This pricing formula can make cloud services appear expensive relative to other sourcing approaches. However, particular variables can impact on this equation and make cloud services more, or less, appealing from a cost perspective. For example, the number of users and transaction volumes can shape overall costs. For this reason, prospective purchasers should consider a range of usage models to evaluate the effect of pricing under different circumstances and how those results relate to the budget allocated for the service.

12. Can you trial the service before purchase?

A key difference between cloud services and traditional ICT capabilities is that cloud services are generally available for near immediate use. This ready availability often means that purchasers of cloud services can seek a trial of the prospective cloud service and even apply real world scenarios to the trial (using caution always with the type of data that is used and the terms of the trial). This more agile approach may also allow more flexibility to trial multiple services, affording the decision-maker the chance to contrast and compare across a variety of offerings.

13. Does your cloud services agreement adequately address your circumstances?

Vendors of cloud services often present standard form agreements to prospective purchasers. Unsurprisingly, these agreements can tend to focus on protecting the supplier’s interests, and may not provide adequate assurance for a government agency. Agreements with cloud service suppliers should be closely scrutinised, and where the terms are not appropriate for the purchaser, a negotiation of terms may be necessary. The extent of that negotiation is a matter for the relevant agency, taking into account their particular circumstances.
However, at a minimum, the points raised by this guideline, and other relevant government materials, should be addressed in any final written agreement.

14. Have you assigned roles and responsibilities for the storage and retrieval of your data?

Because data is stored in, and reliant on, the cloud service provider’s particular facilities, agencies must form adequate plans to get their data into and out of those facilities. Moreover, they should ensure that between themselves and the provider it is clear who has responsibility for what in those processes, and where costs lie.

With respect to data retrieval, unexpected circumstances can arise, e.g. the provider ceases to operate (in an orderly or disorderly fashion) or one or both parties wish to terminate the relationship. Plans as to how to retrieve the relevant data on the realisation of these situations (and any other reasonably conceivable situation) should be developed before any decision to pursue a particular cloud service.

15. Have you planned for service failure?

A cloud service is essentially an arms-length outsourcing arrangement which, by its nature, involves the risk of interruptions to supply and/or the supplier ceasing operations permanently. In order to manage those risks, all purchasers of cloud services should have a plan to address those eventualities. Any such plan should be appropriate for the degree of reliance on the continuous availability and performance of the service, and should form part of the broader business continuity planning for the agency. Any such plan should also be tested to the extent possible.

16. Have you considered your future needs?

Over time, implementations of cloud services can evolve from small, possibly experimental, beginnings to become mission-critical applications.
This possibility must be anticipated when partnering with a cloud service provider, with agencies carefully considering the capacity of the provider to evolve with their future needs (e.g. increase in users, consistent operational performance, and ability to meet evolving information security requirements). Recent quality certifications achieved by the vendor may provide indicators.

17. Have you considered your potential roll-out plan?

Cloud services are well suited to starting with small, evaluative implementations, which may then be progressively iterated when the agency is satisfied as to their suitability. The benefit of this approach is that business feedback from each of the iterations informs the next, and that feedback in turn benefits the entire rollout. At some point, larger scale rollout can then be accelerated on the back of that testing and the lessons that have been learned and resolved. This approach can considerably reduce the risks of project failure and deliver business outcomes more quickly. Agencies planning to utilise cloud services can advise stakeholders of this to manage expectations about the way the service will be rolled out.

Appendix A: What are cloud services?

Cloud services defined

There are many definitions of cloud services. The US National Institute of Standards and Technology (NIST) definition is commonly used in government cloud policy documents. This section provides an articulation of the commonly regarded characteristics of cloud services.

Cloud computing

Cloud computing refers to the underlying technologies and methods that are the building blocks of cloud services. These include, for example, virtualisation, automation, self-service provisioning, usage-based service metering and charging, multi-tenant infrastructure and application architectures, web services, service oriented architecture (SOA) and application program interfaces (APIs).
Cloud services

Cloud services are a form of outsourced shared services, created using cloud technologies and methods (see Cloud computing, above). The distinction between cloud computing and cloud services is important. While it may be relatively straightforward for any organisation to implement cloud computing technologies, the creation and operation of a reliable and trustworthy cloud service is a significantly more difficult, and expensive, proposition, involving appropriate organisation, process, people and culture.

Cloud services are also revolutionary because they represent a dramatic change in the way ICT capabilities are both provided and sourced as shared services. They represent an opportunity to shift how these capabilities are purchased and/or consumed, which in turn can lead to extraordinary organisational change.

Cloud services may comprise a wide spectrum of ICT functionality, which typically falls into three categories:

• Software-as-a-service (SaaS): the provision of a fully operational application as a cloud service via a web browser and web services
• Platform-as-a-service (PaaS): the provision of an application development and operation environment as a cloud service
• Infrastructure-as-a-service (IaaS): the provision of computing and storage infrastructure as a cloud service

This categorisation demonstrates how cloud offers customers the ability to ‘source and consume’ rather than ‘buy and control’. Whilst the distinction between the IaaS, PaaS and SaaS categories is not always clear, in general terms, customers purchase:

• IaaS to access less costly, more flexible ICT infrastructure;
• PaaS to enable faster and less costly development and operation of bespoke applications; and
• SaaS to enable faster and less costly implementation and operation of standardised ‘out of the box’ business applications.
Delivery of cloud services: public, private and beyond

Traditionally, cloud services have been described as either public or private (and more recently, as hybrid, comprising elements of public and private).

Public cloud services are large scale global or national shared services where all customers consume standardised functionality on common terms and conditions. These services are usually accessed via a web browser and the public internet.

Private cloud services are shared services with resources dedicated to a particular customer or community of customers. Private cloud services may be delivered in-house or externally provided and may be accessed via the public internet or via a secure private network. A private cloud service may include functionality and/or contractual terms and conditions that are substantially tailored to an individual customer’s needs.

In practice the distinction between public and private is becoming less clear, and less useful, as the range and maturity of services evolves. To this end, public and private may be viewed as ends of a continuum rather than discrete service variants. Today, a single provider can deliver services using different models, more-public or more-private, depending on customer needs. The fullest benefits of the cloud services model arise at the public cloud end of the continuum.

Bearing this in mind, agencies are advised to avoid simplistic assumptions based on public versus private cloud distinctions – in particular, the assumption that a private cloud service is always safer than a public cloud service should be challenged. Instead, agencies might focus on understanding the actual trustworthiness and functionality of a particular cloud service, keeping in mind always the question: all things considered, will this service achieve better business outcomes than the alternatives?
Enterprise-grade cloud services

It is important to acknowledge that not all cloud services providers, and not all cloud service offerings, are suitable for use by large enterprises such as government agencies. Indeed, many cloud services are targeted purely at the consumer and small-medium business markets, and the degree to which these services meet the needs of larger organisations varies.

In general terms, enterprise-grade cloud services may be distinguished by characteristics such as the:

• trustworthiness/credibility/financial strength of the provider organisation;
• operational maturity, historical performance and resilience of the service;
• depth and breadth of the customer base;
• forward roadmap of service enhancements;
• provider’s achievement of quality and security accreditations;
• geographic location of data centres;
• availability and quality of customer support services; and
• willingness of the provider to agree to non-standard contractual terms and conditions.

Whether a cloud service is appropriate for a specific enterprise purpose is a decision for the relevant agency. All usual benefit and risk assessments should be applied, to both the service provider and the specifics of the services being considered.
Appendix B: Reference and toolkits

Victorian Government Policies and Guidelines
• Victorian Government ICT Strategy Policies, Standards & Guidelines
  http://www.enterprisesolutions.vic.gov.au/business-systems/
• Requirements for health records: Health Privacy Principles
  www.health.vic.gov.au/hsc/downloads/hppextract.pdf (46kB PDF)

Australian Government Policies & Guidelines
• Cloud Computing Policy and Guides, Australian Government Information Management Office
  agict.gov.au/policy-guides-procurement/cloud
• The Data Centre as a Service Multi Use List Fact Sheet, Department of Finance
  agict.gov.au/policy-guides-procurement/data-centres/data-centre-as-a-service-dcaas-multi-use-listmul-fact-sheet/
• Cloud Computing Security Considerations, Department of Defence (Australian Signals Directorate)
  www.asd.gov.au/infosec/cloudsecurity.htm
• Privacy Law Reform, Office of the Australian Information Commissioner
  www.oaic.gov.au/privacy/privacy-act/privacy-law-reform
• Privacy Resources, Office of the Australian Information Commissioner
  www.oaic.gov.au/privacy/privacy-resources/all/
• Individual healthcare identifiers — Compliance obligations for state and territory healthcare providers, Office of the Australian Information Commissioner
  www.oaic.gov.au/privacy/privacy-resources/privacy-agency-resources/privacy-agency-resource-1individual-healthcare-identifiers-compliance-obligations-for-state-and-territory-healthcare-providers

Other State Government Jurisdictions
• NSW Procurement Reform Strategic Directions Statement
  www.procurepoint.nsw.gov.au/policy-and-reform/nsw-procurement-board/strategic-directions-20132014

Cloud Service Providers Codes of Practice
• Cloud Computing Consumer Protocol - Discussion Paper, Australian Computer Society
  www.acs.org.au/information-resources/public-policy/2013-australian-cloud-protocol
• New Zealand Cloud Computing Code of Practice
  www.thecloudcode.org

Data sovereignty
• Data Sovereignty and the Cloud report, University of New South Wales (Cyberspace Law & Policy Community)
  www.cyberlawcentre.org/data_sovereignty/CLOUD_DataSovReoprt_Full.pdf

United States Government
• Cloud IT Services, U.S. General Services Administration
  www.gsa.gov/portal/category/100671
• Federal Cloud Computing Strategy, CIO.gov
  cio.gov/wp-content/uploads/downloads/2012/09/Federal-Cloud-Computing-Strategy.pdf (918kB PDF)
• The Federal Risk and Authorization Management Program (FedRAMP), CIO.gov
  cloud.cio.gov/fedramp
• Information Technology Reform: Progress Made but Future Cloud Computing Efforts Should be Better Planned (Report), U.S. Government Accountability Office
  www.gao.gov/products/GAO-12-756

UK Government
• Government Service Design Manual, gov.uk
  www.gov.uk/service-manual

Further information

For further information regarding this guideline, please see contact information at www.enterprisesolutions.vic.gov.au.

Version history

Version | Date                | TRIM ref   | Details
0.1     | September 2013      | D11/192132 | Initial Draft
0.9     | Sep 2013 – May 2014 | D11/192132 | Version for initial noting by the CIO Council
1.0     | 31 July 2014        |            | For release