Requirements for Cloud Computing
In July 2016, new measures were confirmed to accelerate the adoption of public cloud services by New Zealand’s government agencies. The new measures complement existing policies and risk assessment processes and provide appropriate checks and balances.
The Department of Internal Affairs (DIA) will lead a 12-month implementation programme and work in partnership with the Government Communications Security Bureau, New Zealand Security Intelligence Service and National Cyber Policy Office to:
- streamline security certification
- update commercial frameworks
- develop information and guidance to lift knowledge and capability within government agencies.
Agencies will need to develop cloud plans
Agencies are expected to take a strategic approach to exploiting public cloud services to drive major business improvements such as improving customer experience or simplifying their operations or delivery models.
For this reason, agencies will need a written plan for their intended use of public cloud services. The Government Chief Information Officer will use these plans to help agencies to identify opportunities to exploit public cloud services.
Guidelines on office productivity are yet to be developed
Agencies can now use office productivity cloud services, provided they follow guidance to be developed by the Government Chief Information Officer and the Government Communications Security Bureau.
The new guidance will:
- align to existing requirements that:
  - only information classified as RESTRICTED or below can be stored in a public cloud service
  - a cloud risk assessment must be approved by the agency’s chief executive or delegate
- cover data encryption, authentication, data centre locations, and security certification and accreditation.
Until this guidance is developed, agencies can talk to their relationship manager in DIA about adopting these services.
DIA is preparing security certifications and risk assessments for parts of Microsoft’s Office 365 service. Agencies can leverage pricing for Microsoft’s Office 365 service through the G2015 licensing framework agreement. Microsoft has provided guidance for agencies on how to integrate Office 365 with the government email encryption service – SEEMail.
Agencies that wish to retain their information onshore should consider the Office Productivity common capability agreement.
Information and assistance are available
DIA will set up a centre of expertise to help agencies adopt public cloud services and produce guidance on issues such as jurisdictional risks, shadow cloud (services adopted without the involvement of an IT team), service use of public cloud services, security certification processes, and target operating models.
Agencies will also have access to licensing agreements for selected public cloud service suppliers and security certification of selected public cloud services.
What will the government’s new cloud measures mean for ICT suppliers?
- Compliance costs for security certification and procurement processes will decrease.
- Suppliers are able to offer offshore-hosted office productivity cloud services to New Zealand’s public sector agencies.
- Government agencies will become more familiar with assessing cloud risks.
DIA, in partnership with the Government Communications Security Bureau, New Zealand Security Intelligence Service and National Cyber Policy Office, will develop guidance and information on the areas listed below. A timeline is yet to be confirmed.
Other government agencies will be involved through the Partnership Framework.
Cabinet requires agencies to have a plan – either separate or as part of an ICT strategy – on their intentions to accelerate adoption of public cloud services. The implementation programme will benchmark the current state of public cloud adoption by reviewing agency plans, working collaboratively with agencies to identify opportunities for acceleration, and monitoring and reporting to ministers.
Office productivity policy
From July 2016, agencies can use offshore-hosted office productivity services for material classified RESTRICTED and below, where appropriate risk management practices are in place. To adopt these services, agencies will need to comply with new guidance to be jointly issued by the Government Chief Information Officer and the Government Communications Security Bureau. This guidance will cover a range of security controls including data encryption, authentication, data centre locations, and security certification and accreditation. Information and support will be available to agencies that would like to be early adopters of these services – contact your DIA relationship manager in the first instance.
Cloud risk assessments
While there will be no substantive change to risk assessments, the process will be made more flexible to allow agencies to adapt processes to suit their particular needs. Agencies will be supported to collaborate with each other by sharing knowledge and completing cloud risk assessments.
Guidance will be developed to help agencies better manage the risks of storing data in public cloud services in other jurisdictions, and to classify information in line with the National Security Classification system.
Guidance for agency security certification and accreditation processes will be developed. This will help agencies streamline existing processes and ensure they align with guidance from Government Communications Security Bureau and the New Zealand Security Intelligence Service.
Certification and accreditation processes
Certification and accreditation processes set out in the New Zealand Information Security Manual will be reviewed to make sure that they remain effective in light of industry-wide adoption of international security standards.
Centralised security certification
Security certification for some public cloud services will be provided by DIA, where these services are used by multiple government agencies and the level of agency spend is significant.
ICT operating models
Guidance will be developed for agency IT functions on potential target operating models including policies, frameworks, ICT workforce skills, and architectures.
Shadow cloud – services adopted without the involvement of an IT team
Guidance will be developed to help manage risks created by any shadow cloud activities within agencies.
Guidance and architectural reference patterns will be developed to help agencies securely use public cloud services, including office productivity.
Guidance will be developed on agency funding models to transition to a hybrid ICT environment.
Centre of expertise
A centre of expertise will be set up to help agencies connect and share knowledge and ideas about making the best use of cloud services.
Training and development
Training opportunities will be provided to build the capability of senior managers in utilising public cloud services to drive major business improvements.
Support and information
While implementation information is being developed, support, information, and assistance are available to agencies on a case-by-case basis.
Commercial supply arrangements will be negotiated with public cloud service suppliers to save procurement time and cost for government agencies. Arrangements for services and expertise will also be negotiated to enable agencies to systematically adopt public cloud services.
The existing Infrastructure as a Service all-of-government common capability will be expanded to include public cloud infrastructure services. An ICT marketplace will be established that comprises a catalogue of public cloud services to streamline procurement practices.