Section 1: General Policy


Goal

The Philippine Government is committed to reducing the cost of government information and communication technologies (ICT) by eliminating duplication and fragmentation, and will lead by example in using cloud computing services to reduce costs, increase productivity, and develop excellent citizen services.

Cloud First Policy

Cloud computing has brought forth a new and more efficient means of managing government information technology resources. As such, the Congress, the Judiciary, Constitutional Commissions and all local government units are actively encouraged to adopt cloud computing. This document sets out general guiding principles for a “cloud first” approach for government departments and agencies to consider in adopting cloud computing solutions as a primary part of their information technology planning and procurement.

Agency Implementation

All Departments, National Government Agencies and Government-Owned and Controlled Corporations (GOCCs), including State Universities and Colleges (SUCs), are encouraged to adopt cloud computing as the preferred ICT deployment strategy for their own administrative use and delivery of government services, except

  1. when it can be shown that an alternative ICT deployment strategy meets special requirements of a government agency and
  2. when it can be shown that an alternative ICT deployment strategy is more cost effective from a Total Cost of Ownership (TCO) perspective[1], and demonstrates at least the same level of security assurance that a cloud computing deployment offers.

Cloud Computing Benefits

  1. Inter-agency collaboration for greater efficiency and better citizen services – cloud enables more effective collaboration as agencies more easily share resources across institutions, allowing for greater efficiency, entrepreneurship, and creativity in delivering public services.
  2. Operational continuity and business recovery – with centralized data storage, management, and backups, data retrieval and business recovery during times of crisis (e.g. natural disasters or other disruptive events) become faster, easier and more cost effective.
  3. Faster deployment of services – reducing the amounts of ICT infrastructure required to be built and owned by government agencies reduces overall deployment times, and shifts the focus from management of infrastructure to delivery of services. Public ICT facilities and services can be tested and deployed quicker, and maintained more cost effectively, than if government agencies own and run unique computing facilities themselves.
  4. Greater budget control – a utility-based ‘pay for what you use’ model means that government agencies can purchase as much or as little resource as they need, as they need it. Cloud scalability results in systems usage being dialed up or down throughout the year as it is required. Transparency of the utility-based pricing structure means that spending caps and alerts can be implemented to further assist in budget control.
  5. Decreased spending on legacy infrastructure – deploying government services in cloud infrastructure results in immediate reductions of large capital outlays for ICT infrastructure and maintenance costs. More common commodity solutions – including best of class services – are also made available to government agencies through cloud provisioning. The cloud first model enhances government ICT resiliency and security as version upgrades to both hardware and software are managed by the cloud service provider.


Section 2: Definition of Terms

This section covers a number of key concepts associated with cloud computing.

What is Cloud Computing?

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, six deployment models, and an assurance approach, each described below.

Essential Characteristics[2]

On-demand self-service. Government agencies can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g. mobile phones, tablets, laptops, and workstations).

Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to agency demand. There is a sense of location independence in that the government agency generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g. country, state, or data center). Examples of resources include storage, processing, memory, and network bandwidth.

Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the agency, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g. storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer (i.e., the government agency) of the utilized service.

Cloud Deployment Models

Private. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g. government agencies). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

Virtual Private. The cloud infrastructure is provisioned for exclusive use by a single organization, based on enhanced global security and compliance standards. It provides a virtual private cloud environment off premises with strong isolation, and may provide dedicated infrastructure for exclusive use by an organization.

Community. The cloud infrastructure is provisioned for exclusive use by a specific community of users from agencies (or organizations) that have shared concerns (e.g. mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the agencies in the community, a third party, or some combination of them, and it may exist on or off premises.

Public. The cloud infrastructure is provisioned for open use. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

Hybrid. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g. cloud bursting for load balancing between clouds).

Government Cloud (also known as GovCloud). A public-service cloud infrastructure provisioned by DICT for use by government agencies. GovCloud is a hybrid deployment of on-premise resources controlled and provisioned by DICT together with resources from accredited Cloud Service Providers (CSPs). Eligible CSPs must be pre-accredited to provide services to all Departments, National Government Agencies and Government-Owned and Controlled Corporations (GOCCs), including State Universities and Colleges (SUCs). To be accredited, CSPs must meet a specific minimum set of standards for providing services to government agencies; this accreditation process will be managed by DICT.

Assurance Approaches

Shared Responsibilities – Security and compliance responsibilities in developing cloud systems are shared between the Cloud Service Provider (CSP) and the government agency. The level of responsibility on both parties depends on the cloud deployment model type, and agencies should be clear as to their responsibilities in each model.

Section 3: Role of DICT GovCloud[3]

The initial GovCloud infrastructure was set up in 2013 by DOST as part of the Integrated Government Philippines (iGovPhil) Project to provide cloud infrastructure access to government agencies. As more agencies have learnt about GovCloud, demand for services has extended beyond a central facility for public sector email and document storage. As the public sector adopts a cloud first policy, the Philippines’ GovCloud will continue to support agencies’ efforts to adopt cloud solutions according to their requirements.

In order to expand and fulfill cloud service requirements in the public sector, DICT has developed a list of accredited cloud service providers. Together with on-premise resources from the DICT, this set of accredited CSPs is hereby referred to as the new version of GovCloud. The process for accreditation onto the new GovCloud is detailed in the Accreditation section below.

Benefits of Maintaining Pre-Accredited GovCloud Vendors

  • Saves time. By leveraging a pre-accredited list, Philippine Government agencies are able to streamline cloud computing tender processes involving only pre-accredited providers, as opposed to having agencies undertake individual assessments of cloud service providers for each tender, or develop their own datacenters or on-premises cloud facilities.
  • Ensures quality. The pre-accredited list of cloud vendors would have been pre-vetted to ensure their services meet or exceed the mandatory security controls for government cloud usage.
  • Ensures compliance. The operations of the new GovCloud are governed by the laws of the Republic of the Philippines. All contracts, agreements, and service level agreements pertaining to the same are bound by Philippine laws, and any claims or issues raised shall be resolved in the Philippine courts or Philippine adjudicatory bodies.

Section 4: Data Classifications

Classifying data into discrete categories enables the Philippine Government to better protect government information and make better-informed decisions about access to, storage of, and transmission of Government data. Data classifications achieve stronger outcomes for government agencies by clarifying the safeguards required for protecting different types of data, thereby reducing uncertainty, standardizing access, and reducing costs. It also enables business and other public sector agencies to better use and manage appropriately classified data.

Data can be broadly divided into three tiers of Public Sector Data Classification:

  • Tier 1: non-sensitive or unclassified data, which can be stored on accredited public cloud or the Philippines’ GovCloud;
  • Tier 2: restricted or semi-sensitive data, which can be stored on accredited public cloud or the Philippines’ GovCloud, subject to encryption requirements;
  • Tier 3: highly confidential data, which may require private (on-premise) cloud deployment with specific encryption requirements.

Government agencies are recommended to select the appropriate cloud deployment model according to an agency’s specific needs, and the type of data it handles according to the Public Sector Data Classification, as illustrated in the table below. Depending on the classification of the agency’s data, there will be a requirement to apply certain controls. Agencies may find that these controls are addressed by a public cloud provider or that they may only be serviced by a private cloud delivered on-premise.

Public Sector Data Classification | Suggested Cloud Deployment Model | Data Examples | MC78 Correspondence

Tier 1: Non-sensitive or unclassified data
  Suggested deployment: can be stored on accredited public cloud or Philippine GovCloud.
  Data examples: Open Data and publicly available information, including informational websites, terminology systems, standards and practitioner registries.
  MC78 correspondence: Non-sensitive Matters.

Tier 2: Restricted or semi-sensitive data
  Suggested deployment: can be stored on accredited public cloud or GovCloud that meets a higher set of security standards and encryption protocols than required for Tier 1 data, at agency discretion. Must be encrypted.
  Data examples: restricted matters, business data, email and CRM systems, including financial records, medical records, personally identifiable education records, personally identifiable financial information (PIFI) and protected health information.
  MC78 correspondence: Restricted Matters.

Tier 3: Confidential and above (sensitive data)
  Suggested deployment: may require a private cloud deployment to achieve the security required for sensitive data, at agency discretion. Must be encrypted.
  Data examples: political documents dealing with matters of international negotiations, technical matters of military value, major governmental projects such as proposals to adjust the nation’s economy (before official publication), internal audit data, trade secrets, and technical data supporting technology transfer agreements.
  MC78 correspondence: Confidential Matters, Secret Matters, Top Secret Matters.

This work has been further developed in a specific Data Classification paper and agencies should refer to that paper for further detail.

Section 5: Security

A key benefit of migrating government workloads and data onto GovCloud or to public cloud is the ability to enhance overall data security. Accredited CSPs in GovCloud will meet international security standards, will be certified appropriately, and will abide by all relevant Philippine laws and industry standards.

Government agencies will be expected to develop a security framework applying a risk management approach towards their own data control requirements (see Data Classification), and align this with internationally recognised standards and certifications, as well as Philippine industry standards. The precise baseline level of security requirements for contracted cloud services is laid out in the Security Framework section below. In determining their overall risk management approach beyond this baseline agencies may refer to the DOST 2004 National Cybersecurity Plan for guidance.[4] Stipulated security controls can include any one or more of the following:

  • Personnel Security
  • Physical and environmental security
  • Business continuity management and incident response
  • Inventory and configuration management
  • Data encryption
  • Access controls, monitoring and logging
  • Network security and monitoring
  • System security and integrity.

Security Framework

Managing the security of contracted cloud services is a responsibility shared between the contracting agency and the cloud service provider. The contracting agency is responsible for selecting and implementing security controls for the workloads it operates in the cloud (its data, identities, access rights and configuration), while the cloud service provider is responsible for ensuring that the underlying services the agency uses are secure and resilient, so that they are available on demand. Where the line falls depends on the service model: an agency running its own virtual machines is responsible for patching and hardening them, whereas for a managed application service that work sits with the provider.

Data security of both GovCloud and the public cloud depends upon:

  1. Meeting security requirements for each data classification level; and
  2. Employing standardized tools and procedures for audit.

Data that can be migrated to GovCloud or the public cloud will need to meet security requirements for accreditation, and be verified by internationally recognized security assurance frameworks. Accepted international security assurance controls include ISO/IEC 27001, Service Organization Controls (SOC) 1 and 2 reports, and the Payment Card Industry Data Security Standard (PCI DSS). Data will be encrypted using industry-tested and accepted standards and algorithms, such as AES (128 bits and higher), TDES (minimum double-length keys), RSA (1024 bits or higher), ECC (160 bits or higher), and ElGamal (1024 bits or higher). These minimums correspond to the older PCI DSS glossary definition of strong cryptography and should be treated as floors rather than targets: NIST SP 800-57 Part 1 and the current PCI DSS glossary require at least 112 bits of security strength (RSA and ElGamal 2048 bits, ECC 224 bits, triple-length TDES keys), and NIST SP 800-131A disallows 1024-bit RSA for generating new signatures and two-key TDES for encryption.

The table below outlines the baseline (i.e. required) and optional (i.e. agency discretion applied) security controls that will be applied to classified government data, and which accredited CSPs and GovCloud must have met to be permitted to host classified government data.

SECURITY CONTROLS | BASELINE CERTIFICATION AND/OR PROTOCOL REQUIRED | DESCRIPTION

Security Assurance Requirements
  • Required: ISO/IEC 27001 – Information Security Management
  • Required: Payment Card Industry (PCI) Data Security Standard (DSS)
  • Optional: Service Organization Control (SOC) 1 and 2
  • Optional: ISO/IEC 27018 – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
  Description: these are the baseline and optional Security Assurance Requirements for Cloud Service Providers to be accredited on GovCloud. They ensure that Cloud Service Providers hold the security certifications necessary to host government workloads.

Encryption Requirements
  • AES (128 bits and higher)
  • TDES (minimum double-length keys)
  • RSA (1024 bits or higher)
  • ECC (160 bits or higher)
  • ElGamal (1024 bits or higher)
  Description: these are the baseline Encryption Requirements for Government Workloads before they are deployed on an accredited GovCloud Cloud Service Provider. Cloud Service Providers can offer services with these encryption technologies built in, but agencies can also apply them to their own workloads (for example by encrypting data before it is uploaded, so that the keys stay with the agency). They ensure that workloads on any accredited GovCloud Cloud Service Provider are encrypted to at least the minimum baseline required by the Philippine Government.

 

In addition to the above outlined baseline and optional security controls, Government cloud service providers should provide logical security audit on data access, including logs and audit trails to ensure the prescribed security and privacy requirements are met. Government agencies should rely on logical audits and continuous security monitoring to ensure cloud services meet the agreed-upon data confidentiality and integrity, that there have been no data breaches, and that data and workloads are continuously available.
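The logical audit of data access described above, as an added example that is not part of the policy or of any CSP’s tooling: a Go program that runs a small set of access rules over a constructed, JSON-lines access log (the field names, the principals, the RFC 5737 documentation addresses and the agency policy are all assumptions; real CSP logs have their own schemas). Tier 1 events pass through untouched; for Tier 2 and Tier 3 objects it flags access to data not encrypted at rest, access by a principal not approved for that tier, access from outside the agency’s approved networks, and every deletion, so the last can be reconciled against the retention schedule.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// AccessEvent is one line of a hypothetical, constructed CSP data-access log in JSON Lines form.
// Real providers use their own schemas; these field names are assumptions for the example.
type AccessEvent struct {
	Time      string `json:"time"`
	Principal string `json:"principal"`
	Action    string `json:"action"` // read, write or delete
	Object    string `json:"object"`
	Tier      int    `json:"tier"` // Public Sector Data Classification tier, 1 to 3
	SourceIP  string `json:"source_ip"`
	Encrypted bool   `json:"encrypted"` // object was encrypted at rest when accessed
}

type Finding struct {
	Line   int
	Rule   string
	Detail string
}

// Policy is the agency's expectation for Tier 2 and Tier 3 objects: approved principals per tier and approved source networks.
type Policy struct {
	ApprovedPrincipals map[int]map[string]bool // tier -> principal -> allowed
	ApprovedNets       []*net.IPNet
}

func (p Policy) sourceApproved(ipStr string) bool {
	ip := net.ParseIP(ipStr)
	for _, n := range p.ApprovedNets {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// Audit applies the access rules to every event. Tier 1 (public) data is left alone; restricted tiers must be
// encrypted and touched only by approved principals from approved networks, and every deletion is recorded.
func Audit(p Policy, logLines string) ([]Finding, error) {
	var findings []Finding
	for i, line := range strings.Split(strings.TrimSpace(logLines), "\n") {
		var ev AccessEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		if ev.Tier < 2 {
			continue
		}
		add := func(rule, detail string) { findings = append(findings, Finding{i + 1, rule, detail}) }
		if !ev.Encrypted {
			add("unencrypted-restricted", fmt.Sprintf("tier %d object %s stored without encryption", ev.Tier, ev.Object))
		}
		if !p.ApprovedPrincipals[ev.Tier][ev.Principal] {
			add("unapproved-principal", fmt.Sprintf("%s performed %s on tier %d object %s", ev.Principal, ev.Action, ev.Tier, ev.Object))
		}
		if !p.sourceApproved(ev.SourceIP) {
			add("unapproved-source", fmt.Sprintf("%s accessed %s from %s", ev.Principal, ev.Object, ev.SourceIP))
		}
		if ev.Action == "delete" {
			add("restricted-delete", fmt.Sprintf("%s deleted tier %d object %s at %s", ev.Principal, ev.Tier, ev.Object, ev.Time))
		}
	}
	return findings, nil
}

// SampleLog is constructed for this example; the addresses are RFC 5737 documentation ranges.
const SampleLog = `
{"time":"2016-03-01T08:00:00Z","principal":"svc-portal","action":"read","object":"www/index.html","tier":1,"source_ip":"203.0.113.10","encrypted":false}
{"time":"2016-03-01T08:05:00Z","principal":"analyst-a","action":"read","object":"crm/records-2016.csv","tier":2,"source_ip":"203.0.113.22","encrypted":true}
{"time":"2016-03-01T08:06:00Z","principal":"contractor-x","action":"read","object":"audit/internal-2015.pdf","tier":3,"source_ip":"203.0.113.22","encrypted":true}
{"time":"2016-03-01T08:07:00Z","principal":"analyst-a","action":"write","object":"crm/export.csv","tier":2,"source_ip":"203.0.113.22","encrypted":false}
{"time":"2016-03-01T08:09:00Z","principal":"auditor-b","action":"delete","object":"audit/internal-2015.pdf","tier":3,"source_ip":"198.51.100.7","encrypted":true}
`

// SamplePolicy is a constructed agency policy matching SampleLog.
func SamplePolicy() Policy {
	_, agencyNet, _ := net.ParseCIDR("203.0.113.0/24") // the agency's own range (documentation space)
	return Policy{
		ApprovedPrincipals: map[int]map[string]bool{2: {"analyst-a": true, "auditor-b": true}, 3: {"auditor-b": true}},
		ApprovedNets:       []*net.IPNet{agencyNet},
	}
}

func main() {
	findings, err := Audit(SamplePolicy(), SampleLog)
	fmt.Println("parse error:", err)
	for _, f := range findings {
		fmt.Printf("line %d [%s] %s\n", f.Line, f.Rule, f.Detail)
	}
}
```

On the constructed log this yields four findings: a contractor reading a Tier 3 audit file (line 3), a Tier 2 export written without encryption (line 4), and a Tier 3 deletion made from outside the agency network (line 5, two findings). The rules are deliberately simple; the point is that the agency, not the CSP, decides what an acceptable access looks like for each tier and checks the provider’s audit trail against it continuously rather than at contract renewal.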

Data Sovereignty

The benefits of cloud are best realized when there are no data residency restrictions placed on data. Data residency restrictions undermine the economies of scale as well as the security benefits to be gained from shared computing infrastructure. Nevertheless, where agencies have concerns with extraterritorial access to data or where Tier 3 Confidential and Sensitive Data are involved, then the appropriate security standards and controls should be employed or the agency should work with DICT to consider deploying a private, on-premise cloud solution.

Section 6: Migration Policy

Migrating data and workloads to the cloud enhances the availability and functionality of services, and improves interoperability with a wider range of other government data and workloads. Migration to cloud also enables greater automation of certain processes, increasing the availability and agility of computing resources for processes that have variable processing demands.

Migration can be seen as a three-step process: (1) Take stock (2) Plan (3) Migrate and manage.

1) Take stock

Identify how IT resources are aligned to objectives and how costs are optimized. Take stock of the agency’s data classifications and the corresponding security considerations. Non-sensitive workloads and those that pose low security concerns should be prioritized for migration first; government websites, public archives, and development and testing environments are the most readily moved to the cloud.

The value of moving workloads to the cloud is determined by the technology lifecycle and the increased functionality that cloud can bring. Moving workloads from IT resources that are near the end of their current technology lifecycle can avoid costly investments in new IT resources.

2) Plan

Create a roadmap for migrating service to the cloud, including defining responsibilities and reporting lines. Migrating workloads to the cloud can change the skills needed within the organization, for example by requiring more developers and engineers, and fewer people concerned with managing IT infrastructure. This means working with cloud providers to understand the staff skills, training and education needed in the migration and post-migration workloads.

  • Identify data that can be shared, and would benefit from being shared, and requirements on security and access permissions for such data.
  • Identify the suitable cloud environment, such as virtualization of legacy IT, performance and functionality requirements, costs, and compatibility with legacy IT.
  • Determine whether to replace existing applications with new ones or to redesign the service delivery architecture from the bottom up.

Contracted cloud services should be able to integrate with existing services and should be interoperable with locally provisioned IT. They should be contracted on an aggregated basis to meet planned data and workload migration needs.

3) Migrate and Manage

Track, document and analyze progress of the plan in an iterative manner. Monitor performance and service delivery against objectives, and compare costs against the migration plan.

Following migration, adequate testing of the cloud environment needs to be performed before existing solutions are decommissioned. Testing should be performed on the basis of both typical/normal usage scenarios and extraordinary utilization/demand scenarios.

Ensure that staff are trained in the contracting and management of cloud services through service level agreements (SLAs) with cloud vendors and possess the requisite skills to manage the migrated workloads.

Section 7: Data Ownership, Retrieval, and Interoperability

Data Ownership

Government institutions will retain full control and ownership over their data, with CSP identity and access controls available to restrict access to customer infrastructure and data. CSPs should provide customers with a choice as to how they store, manage, and protect their data, and not require a long-term contract or exclusivity.

Ownership

Service contracts and other service level agreements (SLAs) related to provisioning of cloud services for Government agencies shall clearly provide that any data migrated to the cloud remains the property of the contracting Government entity, regardless of who owns, manages or operates the cloud. The contracting agency will retain rights of data access, retrieval, modification and deletion regardless of the physical location of the cloud services, including the right to approve, deny and revoke access by third parties.

Access

Access, retrieval, modification and deletion of data remains the right of the contracting Government agency and will be reflected in the relevant service contracts. The policies and processes pertaining to data access will be defined according to the needs of the contracting entity and specified in the agreement between the Government agency and the cloud provider.

Interoperability

A major benefit of cloud computing as compared to traditional IT infrastructure is that customers have the flexibility to avoid traditional vendor lock-in, and CSPs should allow customers to move data on and off their cloud platforms as needed. Interoperability of all GovCloud workloads should be based on the Philippine eGovernment Interoperability Framework (PeGIF[5]) as well as international standards, such as ISO/IEC 17203:2011 Open Virtualization Format (OVF) specification.

A cloud system’s components may come from different sources including public and private cloud implementations. These components should be replaceable by new or different components from different providers and continue to work, to facilitate the exchange of data between systems. CSPs are required to provide interoperability, ensuring government agencies may be able to change CSPs easily without a lengthy procurement and implementation cycle.

Open Data

Globally, governments are increasingly making their non-restricted data available for the public to discover, access, and use. These open data initiatives facilitate the development of public services, fuel entrepreneurship, accelerate research and scientific discovery, and create efficiency across multiple sectors.

Government entities should endorse the open data principle and, where technically feasible and economically reasonable, make non-restricted data available to other Government agencies and the public through the cloud. The open data principle is aligned with DOST’s Data Sharing Policy.[6] In keeping with this principle and Policy, Government agencies should likewise manage their data assets to promote openness and use for the public good.

As part of the Philippine Government’s commitment to open governance, and in line with this policy, DOST and its partner agencies have deployed the Data.gov.ph open data portal to facilitate the exchange of public government data with other agencies and Philippine citizens.

Section 8: Accreditation Process for CSPs

GovCloud Accreditation

An accreditation process for CSPs to be listed in the Philippines’ GovCloud will be laid out by DICT, including the baseline security assurance requirements needed before being listed on GovCloud. This is to ensure basic levels of service reliability from GovCloud CSPs, and to assure that they have secure and controlled platforms providing the necessary array of security features which government agencies can use. Agencies should ensure that they only consider vendors who have GovCloud accreditation.

Baseline Security Controls

In order to provide a higher degree of assurance to agencies looking to deploy on GovCloud, DICT provides a list of baseline certifications required to be accredited on GovCloud. Agencies should select a CSP whose baseline Security Assurances match their functional requirements.

REQUIREMENTS | BASELINE CERTIFICATION AND/OR PROTOCOL REQUIRED | DESCRIPTION

Security Assurance Requirements
  • Required: ISO/IEC 27001 – Information Security Management
  • Required: Payment Card Industry (PCI) Data Security Standard (DSS)
  • Optional: Service Organization Control (SOC) 1 and 2
  • Optional: ISO/IEC 27018 – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
  Description: these are the baseline and optional Security Assurance Requirements for Cloud Service Providers to be accredited on GovCloud. They ensure that Cloud Service Providers hold the security certifications necessary to host government workloads.

Further information on these baseline Security Assurances will be provided by DICT.

Technical and Sector-Specific Certifications

Individual sectors may also have specific certifications required. These should be considered in tandem with the baseline certifications required, depending on the government agency’s requirements. For example, US health departments require compliance with the US Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Refer to the Annex for a sample list of sectoral and technical accreditations.

Service Level Agreements

The provisioning of Cloud Computing should be governed by SLAs to specify and clarify performance expectations, as well as establish accountability.  The SLAs should relate to provisions in the contract regarding incentives, penalties, escalation procedures, disaster recovery and business continuity, and contract cancellation for the protection of the institution in the event the service provider fails to meet the required level of performance.

Effective management of cloud services through SLAs will enable the contracting institution to manage their systems based on objectives and output requirements. To be effective, staff must be trained in the contracting and management of cloud services through SLAs, including determining and specifying the government agency’s service requirements. More detail is provided in the DICT baseline certification documentation; a sample SLA is provided in Annex C.

Conclusion

The Philippine Government recognizes that Philippine citizens expect government services to be available, effective, and responsive to their communities, when and where required. Key to realizing such a vision is the effective use of ICT by government, and in today’s environment that means both embracing and leading with the adoption of cloud computing services. The availability of cloud services provides an opportunity for government to deliver services more broadly, more efficiently, and more cost effectively, as well as providing services that are more responsive to business and community needs.

This policy document has been developed to help drive greater take-up of cloud services by government agencies by promoting a ‘cloud first’ approach. The paper has provided the approaches and the tools necessary for government agencies to confidently get started on the cloud, identifying what to look for, what steps to take in which order, and the resources available. Links, reference documents and annexes provide further materials for addressing each of the steps along the way in mapping out the transition and then in beginning the process of moving workloads to the cloud.

Annex A: Agency Resources for Cloud Computing

General

  1. US Department of Commerce, National Institute of Standards and Technology (NIST), Special Publication 800-145, Sep 2011, Definition of Cloud Computing http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf

Procurement

  1. Philippines Bureau of Internal Revenue (BIR), List of Accredited CRM/POS/Sales Receipting Software ftp://ftp.bir.gov.ph/webadmin1/pdf/list_of_acc_crm-pos_and_obm.pdf
  2. Infocomm Resource Marketplace, 10 Jan 2012, FAQ for Cloud Services Bulk Tender IDA(T)1050 http://gsp.ngp.org.sg/news/faq-for-cloud-services-bulk-tender-idat1050/

Philippine Legislation

  1. Memorandum Circular No. 78 (MC78), Promulgating Rules Governing Security of Classified Matter in Government Offices http://www.gov.ph/1964/08/14/memorandum-circular-no-78-s-1964-2/
  2. Republic Act No. 9470, 21 May 2007, An Act to strengthen the system of management and administration of archival records, establishing for the purpose of the national archives of the Philippines, and for other purposes http://www.gov.ph/2007/05/21/republic-act-no-9470/
  3. Philippines Department of Science and Technology (DOST), Procurement of Consultancy Services for the Design, Build and Operate of a Complete Cloud Solution for Philippine Government Agencies, Jul 2015, http://icto.dost.gov.ph/procurement-of-consultancy-services-for-the-design-build-and-operate-of-a-complete-cloud-solution-for-philippine-government-agencies/
  4. Philippines National Cybersecurity Plan, 8 Aug 2004 http://icto.dost.gov.ph/wp-content/uploads/2014/07/Cyber-Plan-Pre-Final-Copy_.pdf
  5. Department of Science and Technology, Data Sharing Policy, 13 July 2015 http://www.itdi.dost.gov.ph/images/stories/docs/DOST/DOST_Data_Sharing_Policy.pdf
  6. Philippines Republic Act No. 10173, Data Privacy Act of 2012, 15 Aug 2012, http://www.gov.ph/2012/08/15/republic-act-no-10173/
  7. Philippines’ Department of Trade and Industry’s Bureau of Product Standards (DTI-BPS) http://www.bps.dti.gov.ph

International Accreditation Sources

  1. Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR) https://cloudsecurityalliance.org/star/
  2. International Organization for Standardization (ISO)
    1. ISO 9000 Quality Management http://www.iso.org/iso/home/standards/management-standards/iso_9000.htm
    2. ISO/IEC 27001 – Information security management http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
    3. ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls http://www.iso.org/iso/catalogue_detail?csnumber=54533
    4. ISO/IEC 27018:2014 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498
    5. ISO/IEC 27017:2015 Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services http://www.iso.org/iso/catalogue_detail?csnumber=43757

 

National Accreditation Standards

  1. Singapore Infocomm Development Authority (IDA), 13 Nov 2013, New Multi-Tier Cloud Security (MTCS) Standard Launched in Singapore https://www.ida.gov.sg/About-Us/Newsroom/Media-Releases/2013/New-Multi-Tier-Cloud-Security-MTCS-Standard-Launched-In-Singapore
  2. Australia Information Security Registered Assessors Program (IRAP) http://www.asd.gov.au/infosec/irap/certified_clouds.htm
  3. USA Federal Risk and Authorization Management Program (FedRAMP) https://www.fedramp.gov
  4. Federal Information Security Management Act (FISMA) https://www.dhs.gov/fisma

Sector/Vertical Standards

  1. e-Payments – PCI Security Standards Council https://www.pcisecuritystandards.org/pci_security/
  2. Healthcare: US Health Insurance Portability and Accountability Act (HIPAA) http://www.hhs.gov/hipaa/
  3. Healthcare: Health Information Technology for Economic and Clinical Health (HITECH) http://www.hhs.gov/hipaa/for-professionals/special-topics/HITECH-act-enforcement-interim-final-rule/index.html

 

National Cloud First Policies

  1. Australian Government Cloud First Policy http://www.finance.gov.au/sites/default/files/australian-government-cloud-computing-policy-3.pdf
  2. Estonia Ministry of Economic Affairs and Communication and Microsoft, Sep 2014, Implementation of the Virtual Data Embassy Solution https://www.mkm.ee/sites/default/files/implementation_of_the_virtual_data_embassy_solution_summary_report.pdf
  3. New Zealand: Requirements for Cloud Computing, n.d. Benefits of cloud computing https://www.ict.govt.nz/guidance-and-resources/information-management/requirements-for-cloud-computing
  4. United Kingdom – Her Majesty’s (HM) Government, Government Cloud Strategy, Mar 2011, https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/266214/government-cloud-strategy_0.pdf
  5. USA – Kundra, Vivek, 8 Feb 2011, Federal Cloud Computing Strategy https://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/federal-cloud-computing-strategy.pdf
  6. USA Government Accountability Office, Cloud Computing: Additional Opportunities and Savings Need to Be Pursued, 25 Sep 2014, http://gao.gov/products/GAO-14-753


Annex B: Total Cost of Ownership

Total cost of ownership (TCO) is a comprehensive assessment of information technology (IT) or other costs across the organization over time.

For IT, TCO includes hardware and software acquisition, management and support, communications, end-user expenses and the opportunity cost of downtime, training and other productivity losses.


Annex C: Sample Service Level Agreement[7]

This Service Level Agreement (“SLA”) is a policy governing the use of [Cloud Service Name] between [Service Provider Name] and its affiliates (“[abbreviation]”, “us” or “we”) and users of [Service Provider Name]’s services (“you”). This SLA applies separately to each account using [Cloud Service Name]. Unless otherwise provided herein, this SLA is subject to the terms of the Customer Agreement, and capitalized terms have the meaning specified in the Customer Agreement.

Service Commitment

[Service Provider Name] will use commercially reasonable efforts to make [Cloud Service Name] available with a Monthly Uptime Percentage (defined below) of at least 99.95%, in each case during any monthly billing cycle (the “Service Commitment”). In the event [Cloud Service Name] does not meet the Service Commitment, you will be eligible to receive a Service Credit as described below.

Definitions

“Monthly Uptime Percentage” is calculated by subtracting from 100% the percentage of minutes during the month in which [Cloud Service Name], as applicable, was in the state of “Unavailable.” Monthly Uptime Percentage measurements exclude downtime resulting directly or indirectly from any Exclusion (defined below).

  • “Unavailable” and “Unavailability” mean that [Cloud Service Name] is Unavailable to you, namely:
    • when all of your running instances on [Cloud Service Name] have no external connectivity; or
    • when all of your attached volumes on [Cloud Service Name] perform zero read/write IO, with pending IO in the queue.
  • A “Service Credit” is a dollar credit, calculated as set forth below, that we may credit back to an eligible account.

Service Commitments and Service Credits

Service Credits are calculated as a percentage of the total charges paid by you (excluding one-time payments such as upfront payments made for Reserved Instances) for [Cloud Service Name] affected for the monthly billing cycle in which Unavailability occurred in accordance with the schedule below.

Monthly Uptime Percentage                               Service Credit Percentage
Less than 99.95% but equal to or greater than 99.0%     10%
Less than 99.0%                                         30%

We will apply any Service Credits only against future [Cloud Service Name] payments otherwise due from you. At our discretion, we may issue the Service Credit to the credit card you used to pay for the billing cycle in which the Unavailability occurred. Service Credits will not entitle you to any refund or other payment from [Service Provider Name]. A Service Credit will be applicable and issued only if the credit amount for the applicable monthly billing cycle is greater than one dollar ($1 USD). Service Credits may not be transferred or applied to any other account. Unless otherwise provided in the Customer Agreement, your sole and exclusive remedy for any unavailability, non-performance, or other failure by us to provide [Cloud Service Name] is the receipt of a Service Credit (if eligible) in accordance with the terms of this SLA.

Credit Request and Payment Procedures

To receive a Service Credit, you must submit a claim through our Support Center. To be eligible, the credit request must be received by us by the end of the second billing cycle after the one in which the incident occurred and must include:

  • the words “SLA Credit Request” in the subject line;
  • the dates and times of each Unavailability incident that you are claiming;
  • the affected [Cloud Service Name] instance IDs or the affected [Cloud Service Name] volume IDs; and
  • your request logs that document the errors and corroborate your claimed outage (any confidential or sensitive information in these logs should be removed or replaced with asterisks).

If the Monthly Uptime Percentage of such request is confirmed by us and is less than the Service Commitment, then we will issue the Service Credit to you within one billing cycle following the month in which your request is confirmed by us. Your failure to provide the request and other information as required above will disqualify you from receiving a Service Credit.

[Cloud Service Name] SLA Exclusions

The Service Commitment does not apply to any unavailability, suspension or termination of [Cloud Service Name], or any other [Cloud Service Name] performance issues: (i) that result from a suspension of the Customer Agreement; (ii) caused by factors outside of our reasonable control, including any force majeure event or Internet access or related problems beyond the demarcation point of [Cloud Service Name]; (iii) that result from any actions or inactions of you or any third party, including failure to acknowledge a recovery volume; (iv) that result from your equipment, software or other technology and/or third party equipment, software or other technology (other than third party equipment within our direct control); (v) that result from any maintenance as provided for pursuant to the Customer Agreement; or (vi) arising from our suspension and termination of your right to use [Cloud Service Name] in accordance with the Customer Agreement (collectively, the “[Cloud Service Name] SLA Exclusions”). If availability is impacted by factors other than those used in our Monthly Uptime Percentage calculation, then we may issue a Service Credit considering such factors at our discretion.
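The following is an added worked example, not part of the policy document or of the Amazon EC2 SLA it is adapted from, showing how the sample SLA above is actually evaluated for one billing cycle: how Unavailable minutes are counted, how Exclusion windows are subtracted, and how the credit schedule and the one-dollar minimum apply. The instance IDs, outage record, maintenance window, 30-day cycle and charges are all constructed for illustration. The point an agency should check before relying on such an SLA is visible in the numbers: under the definition above, a minute only counts as Unavailable when every running instance has lost connectivity, so an outage of a single instance, however long, earns no credit.

```python
# Added worked example (not part of the policy document or the referenced
# AWS EC2 SLA): evaluating the Annex C sample SLA against constructed
# availability data. The minute-by-minute outage record, Exclusion windows,
# instance IDs and charges below are all assumed/constructed for illustration.

MINUTES_PER_MONTH = 30 * 24 * 60  # assumed 30-day billing cycle: 43,200 minutes

# Constructed account: two running instances.
INSTANCES = {"i-aaaa", "i-bbbb"}

# Constructed outage record: minute offset (from the start of the billing
# cycle) -> set of instance IDs with no external connectivity in that minute.
# Minutes absent from the dict are assumed fully available.
DOWN = {}
for m in range(100, 160):          # 60 min: only i-aaaa down (does not count)
    DOWN[m] = {"i-aaaa"}
for m in range(1000, 1030):        # 30 min: both down (counts as Unavailable)
    DOWN[m] = {"i-aaaa", "i-bbbb"}
for m in range(2000, 2040):        # 40 min: both down, inside maintenance (excluded)
    DOWN[m] = {"i-aaaa", "i-bbbb"}

# Constructed Exclusion windows (half-open minute ranges), e.g. announced maintenance.
EXCLUSIONS = [(2000, 2100)]


def unavailable_minutes(instances, down, exclusions):
    """Minutes in which ALL running instances lacked external connectivity,
    ignoring minutes that fall inside any Exclusion window.

    Note the "all instances" rule: one instance being down does not make the
    service Unavailable under this SLA, so it contributes nothing here."""
    count = 0
    for minute, down_ids in down.items():
        if any(start <= minute < end for start, end in exclusions):
            continue
        if instances and instances <= down_ids:  # every instance is in the down set
            count += 1
    return count


def monthly_uptime_percentage(unavailable, total_minutes=MINUTES_PER_MONTH):
    """100% minus the percentage of minutes in the month that were Unavailable."""
    return 100.0 - 100.0 * unavailable / total_minutes


def service_credit_percentage(uptime):
    """Credit tier from the Annex C schedule (99.95% commitment)."""
    if uptime >= 99.95:
        return 0
    if uptime >= 99.0:
        return 10
    return 30


def service_credit(uptime, monthly_charges):
    """Credit in dollars. monthly_charges must already exclude one-time upfront
    payments; credits of one dollar or less are not issued under the SLA."""
    credit = monthly_charges * service_credit_percentage(uptime) / 100.0
    return credit if credit > 1.0 else 0.0


def evaluate_month(instances, down, exclusions, monthly_charges):
    """Full SLA evaluation for one billing cycle."""
    unavailable = unavailable_minutes(instances, down, exclusions)
    uptime = monthly_uptime_percentage(unavailable)
    return {
        "unavailable_minutes": unavailable,
        "uptime_percentage": round(uptime, 4),
        "credit_percentage": service_credit_percentage(uptime),
        "credit_usd": service_credit(uptime, monthly_charges),
    }


if __name__ == "__main__":
    # With the constructed data: 30 Unavailable minutes, about 99.93% uptime,
    # 10% tier, USD 100 credit on USD 1,000 of monthly charges.
    print(evaluate_month(INSTANCES, DOWN, EXCLUSIONS, monthly_charges=1000.0))
```

Run as-is to see the evaluation of the constructed month. Swapping the outage record for one in which only i-aaaa is down for the whole cycle gives 100% uptime and no credit, which is exactly the caveat an agency should weigh when it accepts an "all instances" definition of Unavailability for a workload that runs on a single instance.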


Annex D: Public Procurement Process[8]

Procurement of cloud computing services should be as simple and as robust as possible. Cloud services should be listed in such a way as to clearly show how a utility model for procurement and payment will function, so that value for money is evident.

Structuring Cloud Purchases for the Public Sector

Agencies can purchase cloud services directly or indirectly:

  • direct purchase from a CSP of a commercially available service, bought as a commercial service item offered without labor hours;
  • indirect purchase from a CSP partner or reseller, negotiating an agreement with that organization.

There are four ways of purchasing cloud services:

1) Purchase from GovCloud (list of accredited cloud vendors and services)

This enables a direct or indirect purchase of cloud services. DICT will work with the industry to develop a GovCloud (list of accredited cloud vendors and services) whose entries have met a minimum requirement for the different tiers of data classification. This is similar to best practice approaches used elsewhere to ease and accelerate cloud adoption in the public sector, for example:

  • Australia’s list of accredited cloud services vendors for their Whole of Government (WoG) Procurement Contracts, Arrangements and Initiatives – Cloud Services Panel[9]
  • Singapore requires any CSP serving the public sector to be certified under the Singapore MTCS security standard[10]
  • United Kingdom’s government cloud marketplace requires all digital suppliers to apply for eligibility and qualify under their Digital Marketplace Framework[11], before being able to be listed as a possible public service provider.

2) Leverage an existing vendor contract (indirect purchase)

Government agencies “share” a contract which has already been negotiated by another agency such as the Procurement Service of the Department of Budget and Management (PS-DBM). Agencies can draw on these pre-existing agreements where applicable.

3) Purchase from a CSP reseller (indirect purchase)

Government agencies buy directly from a CSP reseller or partner – they do not deal with the CSP directly. This could be due to the desire to purchase a bundled service or maintenance provided by the CSP reseller.

4) Issuing a Terms of Reference (TOR) or Request for Proposal (RFP) (indirect purchase)

This is the traditional procurement approach for end-to-end or turnkey solutions: agencies put together a list of their requirements in a Terms of Reference or Tender, and have CSPs as well as systems integrators propose solutions for purchase.

Building Infrastructure vs Renting Access: Utility-Based Pricing Models

Cloud computing brings the benefit of funding IT services as operational expenditure (OpEx) rather than capital expenditure (CapEx). While capital expenditures depreciate over time, a cloud-based OpEx budget allows for far stronger and more flexible budget control, having removed sunk capital costs.

Four elements are key for agencies to note when selecting CSPs: (1) transparency in pricing, (2) variable prices for different services, (3) multiple pricing models which allow agencies to evaluate CSP pricing against their organizational needs, and (4) pay-per-use utility model.

CSP pricing should be via a pay-as-you-go model, possibly with a baseline cost for services, and additional resources used listed as separate items. CSPs should provide transparent, publicly-available, up-to-date pricing, and tools that allow customers to evaluate their pricing. They should also provide customers with the tools to generate detailed billing reports (with line-item breakdowns) to meet compliance needs. An example of a single-line item structure approach towards utility-based pricing is as follows:

ITEM NO   SUPPLIES/SERVICES    QTY     UNIT   UNIT PRICE   AMT
1001      CSP Cloud Services   1,000   EACH   USD 1.00     USD 1,000


[1] Total cost of ownership (TCO) is a comprehensive assessment of information technology (IT) or other costs across the organization over time. For IT, TCO includes hardware and software acquisition, management and support, communications, end-user expenses and the opportunity cost of downtime, training and other productivity losses. See also Annex B.

[2] Based upon US Department of Commerce, National Institute of Standards and Technology (NIST), Special Publication 800-145, Sep 2011, Definition of Cloud Computing http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf

[3] Philippines Department of Science and Technology (DOST), Procurement of Consultancy Services for the Design, Build and Operate of a Complete Cloud Solution for Philippine Government Agencies, Jul 2015, http://icto.dost.gov.ph/procurement-of-consultancy-services-for-the-design-build-and-operate-of-a-complete-cloud-solution-for-philippine-government-agencies/

[4] Philippines National Cybersecurity Plan, 8 Aug 2004 http://icto.dost.gov.ph/wp-content/uploads/2014/07/Cyber-Plan-Pre-Final-Copy_.pdf

[6] Department of Science and Technology, Data Sharing Policy, 13 July 2015 http://www.itdi.dost.gov.ph/images/stories/docs/DOST/DOST_Data_Sharing_Policy.pdf

[7] Amazon EC2 Service Level Agreement, 1 Jun 2013, http://aws.amazon.com/ec2/sla/

[8] An update to government procurement procedures may be required, to bring cloud purchases in line with the Philippine Republic Act 9184 documentation on public procurement, allowing officials to manage risk appropriately, evaluate available courses of action, and record and document relevant decisions. Consideration should be given as to whether workloads below a certain annual value need to undergo a full procurement process. Many agencies will not need to apply their procurement processes to low-value workloads, and this helps to ensure effort and resource are not being inappropriately targeted.

[9] Australia Whole of Government Cloud Services Panel, 1 Oct 2015, http://www.finance.gov.au/policy-guides-procurement/cloud-services-panel/

[10] Singapore Infocomm Development Authority (IDA), 13 Nov 2013, New Multi-Tier Cloud Security (MTCS) Standard Launched in Singapore https://www.ida.gov.sg/About-Us/Newsroom/Media-Releases/2013/New-Multi-Tier-Cloud-Security-MTCS-Standard-Launched-In-Singapore

[11] United Kingdom, n.d., Digital Marketplace https://www.digitalmarketplace.service.gov.uk