Department of Public Expenditure and Reform Publishes Advice on Cloud Computing
On 17 October 2019, the Department of Public Expenditure and Reform (“DPER”) published an advice note on cloud computing (the “Advice Note”).(1)
The Advice Note was developed by the Office of the Government Chief Information Officer in conjunction with the ICT Advisory Board and the wider public service ICT community. In December 2015, DPER issued a policy document called Considering Cloud Services, which provided advice to assist public service organisations in making informed, risk-based decisions in relation to the adoption of cloud computing services (“CCSs”). While the 2015 policy document is still valid, the Advice Note recognises that cloud computing, along with the policy and legislative environments of which it forms a part, has continued to develop since the publication of the 2015 policy document. Consequently, DPER has published the Advice Note, which outlines its proactive and progressive approach to the procurement of cloud computing in Ireland.
Scope of Advice Note
The Advice Note aims to provide high-level guidance to assist organisations in making decisions in relation to the adoption of cloud computing. Accordingly, the Advice Note does not detail the technical and functional features of the infrastructure provided to supply a particular cloud computing solution. It does not recommend particular providers, products or services, nor does it set out model procurement contracts, whether on an individual supplier or supplier panel framework type basis. The scope of the Advice Note is limited, but as a high-level statement of policy it is useful.
Responsibility, not accountability, can be outsourced
While organisations may outsource their responsibility for the delivery of a CCS to a cloud service provider (“CSP”), DPER stresses in its Advice Note that organisations cannot outsource their accountability for that service to a CSP. Moreover, organisations remain responsible for their regulatory obligations, including their obligations under data protection law. Consequently, DPER states that organisations will need to put in place or update their own local cloud strategy, plans and policies. Organisations should seek legal advice prior to or during the implementation or updating of local cloud strategy, plans and policies.
This is similar to established norms in the outsourcing area, where public bodies can outsource service delivery, but not responsibility, for the service. However, in the procurement of CCSs the perception is frequently that public sector customers have less leverage than they enjoy in other domains, including the procurement of more traditional software licence and implementation services, together with various forms of output-measured service outsourcing. Certainly, procuring CCSs does require public sector customers utilising public procurement to adopt an at least somewhat different approach from that used for more established ICT goods/services and outsourcing domains. The Advice Note does not go into detail in these areas, nor does it provide public sector bodies with even a partial procurement solution in the form of individual supplier sector contracts or a supplier panel framework type agreement. It is essentially a policy document.
Viable service for most public service information or system
DPER believes that CCSs should be considered “potentially suitable” for any category of public service information or system (except where such data would be classified as ‘top secret’ in accordance with the Department of Finance’s Circular 39/07: Classification of material as ‘top secret’)(2) and recommends that, where possible, all new government systems should be developed to exploit the opportunities presented by cloud deployment. All existing systems will be reviewed for cloud capability and, where practicable, suitable systems should move to public cloud or government private cloud environments. However, DPER stresses that “in all cases, a move to cloud will be a business decision on the basis of specific considerations made by individual public service organisations.” This business decision, and more particularly what inputs should feed into the decision-making and what criteria should be applied to it, is, we believe, the key practical difficulty for public sector bodies considering the procurement of CCSs.
Definition of ‘cloud computing’
DPER notes that there is “no overarching agreed definition” of ‘cloud computing’ because “cloud computing refers to a concept comprising a set of combined technologies and not to a specific technology.”
NIST definition of ‘cloud computing’
The United States National Institute of Standards and Technology (“NIST”) defines ‘cloud computing’ as:
“a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.”(3)
The NIST’s definition of ‘cloud computing’ is internationally accepted and is summarised below:
| Five essential characteristics | Four deployment models | Three service models |
|---|---|---|
| On-demand self-service | Private cloud | Software as a Service (SaaS) |
| Broad network access | Community cloud | Platform as a Service (PaaS) |
| Resource pooling | Public cloud | Infrastructure as a Service (IaaS) |
| Rapid elasticity | Hybrid cloud | |
| Measured service | | |
DPER’s definition of ‘cloud computing’
For the purposes of the Advice Note, DPER defines ‘cloud computing’ as:
“a set of technologies and service models that focus on network-based on-demand use and delivery of IT applications, processing capability, storage and memory space”
that can be provided by an external service provider, delivered in-house, or a combination of both, and can be provided on a private or shared basis.
Change required to Government’s adoption of infrastructure to support cloud computing
DPER comments that the pace of, and demand for, digitalisation is accelerating and that the way in which the Government adopts the infrastructure required to support new technologies such as cloud computing needs to change. In DPER’s view, “traditional server room or data centre models will not be sufficient in the longer term” because “an increasing number of services will be available only through the cloud” and “vendor support for on premise solutions is likely to diminish.”
This is a reality in the ICT sector, and there is likely as much a market-based push underlying the Advice Note as a public sector pull. The Advice Note is a welcome policy statement, but to a certain extent the public sector has no choice but to transition to CCSs, given the relatively established market transition to cloud-only solution supply. A logical next step is for DPER to turn to assisting public service bodies in procuring CCSs. Taking technology innovation one step further, DPER states that the “Government must be in a position to adopt technologies such as blockchain, Artificial Intelligence and the Internet of Things to help re-invent how government services are delivered over the next few years and to support leading-edge ways of managing and analysing (large volumes of) data.” This, we read, is a statement of the next set of technology-based solution innovations that DPER and public bodies will be required (we believe quite quickly) to deal with.
National and international initiatives demonstrate need for cloud computing
DPER notes that a number of initiatives undertaken at a national and international level demonstrate the need for cloud computing.
The Department of Communications, Climate Action and Environment’s Climate Action Plan 2019(4), published on 17 June 2019, predicts a rapid growth in electricity demand driven by technology. The Public Service reform plan, Our Public Service 2020(5), published in December 2017, stated that the development of digital services, eGovernment and making better use of data, including sharing it, are key to driving Ireland towards a more integrated, shared and digital environment. The Public Service Data Strategy 2019 – 2023(6), published by DPER on 21 December 2018, seeks to create a coherent ecosystem where public service organisations can confidently exchange data to support improved service delivery and policy creation in a legal, transparent and effective manner.
The Data Sharing and Governance Act 2019 (“DSGA 2019”)(7) supports the Public Service Data Strategy 2019 – 2023 and seeks to provide a legal basis to enable public service organisations, where they already have a legal basis to collect data from a citizen or business directly in accordance with the General Data Protection Regulation (“GDPR”)(8) and the Data Protection Act 2018 (“DPA 2018”)(9), to collect that data from another Irish public service organisation. The majority of the provisions of the DSGA 2019 came into effect on 18 April 2019.
The GDPR, which took effect from 25 May 2018, has general application to the processing of personal data and special categories of personal data in the EU, and details the extensive obligations placed on data controllers and processors, and provides strengthened protections for data subjects.
DPER states that cloud computing, through its efficient use of hardware and sharing of resources, provides opportunities to support these national and international initiatives.
Security and cost-efficiency are paramount
DPER states that the Government will ensure that the delivery and back-office systems underpinning knowledge management, policy development and the services provided to Irish citizens and businesses are run in the most secure and cost-efficient manner. DPER advises public service organisations to adopt a ‘cloud-first’ approach for all new systems and that Government systems should move to a hybrid-cloud environment.
To move or not to move? That is not the question
DPER advises that the question to ask in 2019 is no longer whether to move to cloud, but rather what, how and when to move to cloud and which particular systems are suitable. Interestingly, in an effort to promote cloud computing, DPER advises that “if a system is deemed not suitable for public cloud, a hybrid or private government cloud model should be considered.” In other words, all deployment models should be considered. Moreover, in an effort to promote meaningful consideration of cloud computing as a viable service and to promote accountability of decision making, DPER states that the decisions reached to use or not to use cloud for particular systems should be documented, retained and supported with reasons.
The three principles underlying the Advice Note
DPER states that all organisations must comply with the following principles:
All new systems will be designed to maximise the benefits of cloud
| | |
|---|---|
| New systems | Organisations are required to identify if a cloud-based solution exists. |
| Off-the-shelf systems | Organisations should review product roadmaps and engage with suppliers to identify if a cloud-based solution exists. |
| Bespoke systems | Organisations should look at designing and building the system to maximise the benefits of cloud. |
All existing systems will be reviewed regularly for cloud capability
| | |
|---|---|
| Assessing migration suitability | Organisations should regularly review all existing systems to, amongst other things, assess which systems may be suitable for migration to cloud. |
| Input required from key decision makers | Business owners are key contributors to the review process. |
| Post-review retention and retirement | Upon review, an organisation may decide that an existing system is unsuitable for migration and instead retain and gradually retire the system. |
| Myriad of options exist when migrating existing application(s) | These range from re-hosting (i.e. small modifications to move the application(s) but taking no advantage of cloud capabilities) to re-designing (i.e. minor to major changes required to take some/greater advantage of cloud capabilities) to full replacement (i.e. designed for cloud capabilities). |
A move to cloud will be a business decision on the basis of specific considerations
| | |
|---|---|
| The development of local multi-year cloud strategies should be linked to an organisation’s overall strategy | To help focus a move to cloud, local multi-year cloud strategies should be developed which are linked to the organisation’s overall strategy and which identify the business outcomes to be achieved. |
| A ‘cloud first’ approach does not mean a ‘cloud only’ approach | Financial, compliance and technological issues, along with the risk profile of the data, must be considered and may determine that, in some circumstances, cloud computing is unsuitable. |
How will cloud computing be delivered?
Going forward, DPER advises organisations to consider the following potential delivery models:
| Delivery model | Intended use | Ownership and management | Location | Access |
|---|---|---|---|---|
| Public Government cloud | Designed and configured for exclusive use | Owned, managed and operated by, or on behalf of, Government | On or off premises | Via Government networks only |
| Public cloud | Designed and configured for open use by the general public | Managed by cloud provider who offers standard, repeatable services at scale and on-demand | Off premises | Via public internet |
| Public cloud over private network | Designed and configured for open use by the general public | Owned, managed and operated by, or on behalf of, Government | Off premises | Via private network / dedicated communication link / Government networks |
| Hybrid | Using services both from public cloud providers and on Government-managed cloud | Managed from both public cloud provider and Government-managed private cloud | On or off premises | Via Government networks |
How does an organisation choose the right delivery model?
Organisations should familiarise themselves with the various offerings by initially running a number of test or pilot projects. The tests or pilot projects should be implemented with more than one CSP to understand and compare the offerings available and to ensure that they support the range and depth of technologies required by the organisation.
Things organisations should consider when deciding whether or not to move to cloud
A large proportion of the data processed by organisations, including personal data and special categories of personal data as defined under the GDPR, is suitable for location in, or migration to, CCSs, subject to appropriate technical and organisational measures being put in place. In deciding what data can be put in the cloud and under which model (i.e. public Government, public, public over private, or hybrid), organisations must identify the sensitivity of their data, including the impact of a possible data breach under the GDPR and the DPA 2018, and categorise their data accordingly. While some organisations or departments have data classification systems in place, for example the Department of Foreign Affairs and Trade, most organisations do not, and there are no central classification rules in place except for information defined as ‘top secret’ in accordance with the Department of Finance’s Circular 39/07: Classification of material as ‘top secret’. Organisations should seek legal advice when contemplating and conducting such a procedure.
Other things organisations should consider include the possibility of data encryption, the availability of access rights, logging all access to data, and managing data retention requirements.
Issues organisations should consider when choosing or using products built for, or operating in the cloud
Review product roadmaps and engage with suppliers
Organisations that are moving to a ‘cloud only’ model need to understand the off-the-shelf features, functionalities (both core and configurable), update release cycles and the implications for bespoke customisations. Understanding these issues will help an organisation determine the appropriate cloud deployment model for their particular product.
Think long term
Organisations need to recognise the transformative potential for their business processes if they decide to adopt SaaS solutions, and the long-term effect that customisations could have on their businesses’ sustainability.
Identify peaks and troughs in utilisation
Organisations should review current system workloads to identify predictable or seasonal peaks and troughs in utilisation. This will be relevant in identifying whether the current system can support auto-scaling in cloud computing (i.e. a method whereby the amount of computational resources in a server farm, typically measured in terms of the number of active servers, scales automatically based on the load on the farm). This may have cost implications.
Organisations need to balance the long-term inefficiencies (in particular, costs) of migrating applications ‘as is’ into cloud environments against the costs of modernising applications in advance or replacing such applications.
Public or private?
A balance needs to be struck between confidentiality, integration and availability requirements. Information in the public domain has no confidentiality requirements but may have high availability requirements and therefore be appropriate for deployment via a public cloud model.
Data-sharing and re-use
The majority of the provisions of the DSGA 2019 came into effect on 18 April 2019. The DSGA 2019 provides a legal basis to enable government organisations, where they already have a legal basis to collect data from citizens or businesses directly, to collect that data from another government organisation. Organisations should consider the DSGA 2019 when choosing or using products built for, or operating in, the cloud and when considering using cloud-based services to ensure their chosen services support and facilitate data-sharing and re-use.
Governance issues an organisation should consider when choosing or using products built for, or operating in, the cloud include:
- Will there be a clear division of responsibilities between the organisation and CSP? How will this be achieved?
- How does an organisation ensure that its employees possess the necessary level of cloud technological skills? How will this be achieved?
- How can good risk management of externally-hosted systems be demonstrated and assessed?
- How can organisations using CCSs from multiple CSPs ensure that they implement an organisation-wide approach to management and governance, which may include standardising cloud policies and clarifying processes and ownership?
When selecting a CSP, organisations need to exercise strong due diligence. The terms of the agreement and the subsequent management of the service must be fully considered. Service contracts should cover legal and regulatory obligations, location of data, security clearance of CSP personnel, business security requirements, dispute resolution mechanisms, technical support, escalation procedures, back-up policies, transitional services, and how upgrades of CCSs will occur.
Of particular importance for organisations to consider when choosing or using products built for, or operating in, the cloud is the development of a cloud exit strategy. Such a strategy should address issues such as poor CSP experience, poor provision of CCSs by the CSP, circumstances where the CSP no longer offers the CCSs, the possible substitution of CCSs to another CSP, and the transitional services to be provided by the incumbent CSP to the organisation during the transition period. Organisations also need to consider how data will be extracted in a durable medium from the incumbent CSP and what happens to copies of data held by them.
For any and all of these issues, legal advice should be sought and, where appropriate, guidance from the Office of Government Procurement.
DPER in its Advice Note affirms the advice communicated by the Data Protection Commission (the “DPC”) in its Five Steps to Secure Cloud-based Environments in June 2019(10). The DPC advises organisations to determine and implement a documented policy and apply the appropriate technical security and organisational measures to secure any utilised cloud-based environments.
Although not referred to in the Advice Note, the DPC published guidance for organisations engaging cloud service providers in October 2019(11). We discuss the DPC’s guidance note in a separate article. A risk to the security of personal data can arise where a data controller relinquishes control over the data to a CSP, where there is insufficient information available regarding the cloud processing services and their safeguards, or where the CSP cannot adequately support the data controller’s obligations or data subjects’ rights. A data controller must remain in control of the personal data it collects when it subcontracts the processing to a CSP. Moreover, the controller must be satisfied that the processor (i.e. the CSP) will only process the data in accordance with the controller’s instructions. This is directly related to the need for a contract between the controller and the CSP. The controller must also be satisfied that the CSP has taken into account the risks presented by accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The DPC states that controllers, before considering entrusting personal data to a CSP, must be satisfied that the CSP’s security standards are sufficient and appropriate for the processing of personal data they will undertake on the controller’s behalf. According to the DPC, the CSP should be in a position to give assurances on key issues such as:
- pseudonymisation and encryption of personal data if required;
- isolation or separation of personal data provided by the controller from the CSP’s other customers’ data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- means to delete or return all personal data to the controller when a contract expires or terminates.
The DPC states that controllers must seek to assure themselves on the above matters, both in advance of retaining a particular CSP and throughout any contractual arrangements.
Proof of compliance with cloud certification scheme(s)
When seeking CCSs, DPER recommends that organisations should, prior to contracting with a CSP, seek evidence of the CSP’s compliance with one or more cloud certification schemes. Proof of compliance may provide some degree of assurance to an organisation in relation to the CSP and the CCSs offered. There is no single relevant certification scheme for cloud computing. ISO 27001 is currently the most adopted certification scheme.
DPER’s Advice Note is timely, useful and provides high-level guidance to assist public service organisations in making decisions in relation to the adoption of CCSs. It must be noted, however, that the Advice Note is not intended to be exhaustive. While DPER recognises that a ‘cloud-first’ approach does not mean a ‘cloud only’ approach, it is clear from the Advice Note that a move to CCSs, of whatever type, is inevitable for many applications or solutions, whether by choice of the organisation or enforced by market providers. Accordingly, DPER’s Advice Note calls on organisations to start developing their own cloud strategy and specific cloud management policies, including the identification and prioritisation of existing applications that are suitable for cloud deployment or migration in the future.
In our experience, the difficulty for an organisation is largely around not the why of procurement, but the how. Procuring CCSs has important differences from procuring traditional on-premises software solutions plus (typically) remote-based services, and from procuring managed service-based solutions, whether on or off premises. The cloud business model differs from that of traditional software licensors and support providers. This, allied to the size of the leading suppliers when compared to many public sector organisations and the particular requirements of the public procurement regime, has, we believe, created at least a feeling among public sector organisations that CCSs are difficult to procure, contract for and manage (including exit management). While procuring CCSs has its challenges, they can, we believe, be overcome, and a number of potentially useful models do exist.
The author wishes to thank Colin Grant for his contribution to this article.
For more information on cloud computing, please see our separate article discussing the GDPR and cloud computing here.
(10) https://www.dataprotection.ie/sites/default/files/uploads/2019 06/190606%20Five%20Steps%20to%20Secure%20Cloud-based%20Environments.pdf