GOVERNANCE
EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT

Institutional and Procurement Practice Note on Cloud Computing
Cloud Assessment Framework and Evaluation Methodology

World Bank Advisory Services and Analytics
Supported by the GovTech Global Partnership - www.worldbank.org/govtech

© 2023 International Bank for Reconstruction and Development / The World Bank
1818 H Street NW, Washington DC 20433
Telephone: 202-473-1000; Internet: www.worldbank.org

This work is a product of the staff of The World Bank with external contributions. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of The World Bank, its Board of Executive Directors, or the governments they represent.

The World Bank does not guarantee the accuracy, completeness, or currency of the data included in this work and does not assume responsibility for any errors, omissions, or discrepancies in the information, or liability with respect to the use of or failure to use the information, methods, processes, or conclusions set forth. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries.

Nothing herein shall constitute or be construed or considered to be a limitation upon or waiver of the privileges and immunities of The World Bank, all of which are specifically reserved.

Rights and Permissions
The material in this work is subject to copyright. Because The World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given.
Any queries on rights and licenses, including subsidiary rights, should be addressed to World Bank Publications, The World Bank Group, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2625; e-mail: pubrights@worldbank.org.

Contents

Acknowledgments v
List of Acronyms vii
Executive Summary 1
1. Introduction 7
1.1 Cloud Service Models 8
1.2 Cloud Deployment Models 10
1.3 Cloud Security Accreditations and Certifications 13
1.4 Report Objective 13
2. Lessons Learned: A Comparative Analysis of Case Studies 14
2.1 Institutional Coordination Mechanisms 15
2.1.1 Cloud First Principle 15
2.1.2 Top-Level Policies and Strategies 16
2.1.3 Institutional Framework 16
2.2 Data Classification and Security Framework 18
2.2.1 Data Classification 18
2.2.2 Data Residency Requirements 19
2.2.3 Security Controls 19
2.2.4 Security Assessments 20
2.2.5 Continuous Monitoring 21
2.3 Procurement Arrangements 21
2.3.1 Finding and Selecting Cloud Services 21
2.3.2 Managing Vendor Lock-in 23
2.3.3 Payment Methods 24
3. The Way Forward – Main Takeaways 25
Appendix 1: Step-By-Step Guide to Public Cloud Assessments and Procurements for Government 33
Appendix 2: Comparison Table of Case Studies 35
Annex 1: Japan’s ISMAP Program 38
Annex 2: Australia’s Anatomy of a Cloud Assessment and Authorization Framework 47
Annex 3: UK’s Digital Marketplace and G-Cloud Framework 58
Annex 4: South Africa’s Cloud Security Framework 66
Annex 5: Dubai’s Cloud Security Risk Management Approach and Procedures 73
Notes 80
References 88

Boxes
Box 3.1. Suggested Language for a Cloud First Policy 26
Box 3.2. How Cybersecurity Concerns in Ukraine Led to the Migration of Government Data to Public Cloud 27
Box 3.3. Data Migration Considerations – Lessons from Singapore 30
Box 3.4. Considerations for a Call-Off Contract Template for a Cloud Marketplace 31

Figures
Figure 1.1. Cloud Service Models 8
Figure 1.2. Shared Responsibility between Consumer and CSP 9
Figure 1.3. Example Services Available to a Cloud Consumer (NIST SP 500-292) 10
Figure 1.4. Types of Cloud Deployment 11
Figure 1.5. Different Cloud Deployment Schemes 12
Figure 2.1. Comparison of Data Classification Levels 18
Figure 2.2. Comparison of Case Studies’ Data Residency Requirements 19
Figure 2.3. Portability and Value Considerations for Cloud Services 23
Figure A1.1. Basic Framework of ISMAP 41
Figure A1.2. Structure of ISMAP’s Control Criteria 43
Figure A1.3. Four-Step Process of ISMAP 45
Figure A2.1. Notional Framework of Australia’s Institutional Mechanisms for Secure Cloud Procurements 50
Figure A2.2. Australian Government’s Data Classification System (PSPF Policy 08 – Sensitive and classified information) 51
Figure A2.3. Phase 1 of the Cloud Assessment Process for Australian Procuring Agencies 55
Figure A2.4. Phase 2 of the Cloud Assessment Process for Australian Procuring Agencies 56
Figure A3.1. Notional Framework of the UK’s Institutional Mechanisms for Secure Cloud Procurements 61
Figure A3.2. The UK’s Data Classification System 62
Figure A3.3. NCSC’s Four-Step Process for Procuring Public Cloud Services 64
Figure A4.1. Notional Framework of South Africa’s Institutional Mechanisms for Secure Cloud Procurements 68
Figure A5.1. Notional Framework of Dubai’s Institutional Mechanisms for Secure Cloud Procurements 75
Figure A5.2. Categories of Dubai Data 76
Figure A5.3. CSP Security Standard Certification Process 78

Tables
Table ES.1. Major Similarities and Variations in Case Studies 2
Table 2.1. Benchmarking the Case Studies using the GTMI (updated October 2022), the EGDI (updated 2022), and the Global Cloud Ecosystem Index (updated 2022) 15
Table 2.2. Summary of Institutional Frameworks of the Case Studies 17
Table 2.3. Comparison of Security Assessment Considerations and Activities 20
Table 2.4. Summary of Procurement Models of the Case Studies 22
Table 3.1. Example of a Responsibility Matrix for Institutional Framework of Cloud Preapproval and Procurement 26
Table A2.1. ISM Security Control Principles 53
Table A3.1. NCSC’s 14 Cloud Security Principles 60
Table A4.1. Key Considerations for South African Procuring Agencies under the Determination and Directive 70

Acknowledgments

This note has been developed under the World Bank GovTech Global Partnership by a team led by Khuram Farooq (Senior Governance Specialist). The World Bank team was composed of Hunt La Cascia (Senior Public Sector Specialist); Knut Leipold (Lead Procurement Specialist); Bertram Boie (Senior Digital Development Specialist); Robert Shields (Consultant); and Constantine Pagedas (Consultant). Overall guidance for the report was provided by Tracey Marie Lane (Practice Manager, Governance GP); Edward Olowo-Okere (Senior Advisor, EFI VP); Arturo Herrera Gutierrez (Global Director, Governance GP); and Donna Andrews (Acting Practice Manager, Governance GP). The note benefited from the expertise of the following World Bank experts: Natalija Gelvanovska-Garcia (Senior Digital Development Specialist), Dolele Sylla (Senior Governance Specialist) and Ishtiak Siddique (Senior Procurement Specialist).
The note also benefited from the expertise of the following individuals: Matt Jodlowski (Australia, Policy Lead, Digital Strategy, Digital Transformation Agency); Bushra Al Blooshi (UAE, Research and Innovation Head, Dubai Electronic Security Center, Digital Dubai); Ben Vandersteen (United Kingdom, Technical Architect, Government Digital Service); Ayanda Nkundla (South Africa, Senior Manager, ICT Compliance, Department of Public Service and Administration); Alufheli Swalivha (South Africa, Director, Public Service ICT Stakeholder Management, Department of Public Service and Administration); Zaid Aboobaker (South Africa, Chief Director, E-Government, Department of Public Service and Administration); and various officials from Japan’s Information-technology Promotion Agency.

The following members of a Cloud Computing Working Group initiated by the World Bank GovTech initiative contributed their expertise: Cheow Hoe Chan (Singapore, Government Chief Digital Technology Officer, GovTech Singapore); Richard Tay (Singapore, Head for the Whole-of-Government Operations, GovTech Singapore); Karen Kee (Singapore, Deputy Director, GovTech Singapore); Ben Vandersteen (United Kingdom, Technical Architect, Government Digital Service); Liz Lutgendorff (United Kingdom, International Lead Insight and Analysis Advisor, Government Digital Service); Abhishek Singh (India, President and CEO, National eGov Dept, Ministry of Electronics and IT); Bramhanand Jha (India, Sr. Consultant, Program Management, Ministry of Electronics and IT); Vinay Thakur (India, COO, National eGovernance Division, Ministry of Electronics and IT); Rachel Ran (Israel, Head of Cloud Strategy, National Digital Agency); Keren Katsir Stiebel (Israel, CMO, Director of Marketing, Communications and Foreign Affairs, Government ICT Authority); Toshiyuki Zamma (Japan, Head of International Strategy, Digital Agency); Kensuke Yabata (Japan, Director, Digital Agency); Sungjoo Son (South Korea, Director, Ministry of the Interior and Safety); Erica Dubach (Switzerland, Head of Division on Transformation and Interoperability, Swiss Federal Chancellery); Philippe Bruegger (Switzerland, Project Manager, SECO); Natalie Bertsch (Switzerland, Project Manager, SECO); Bushra Al Blooshi (UAE, Research and Innovation Head - Dubai Electronic Security Center, Digital Dubai); Ahmed AlSalman (UAE, Senior Manager Cloud Services, The Telecommunications and Digital Government Regulatory Authority); Omar Alriyami (UAE, Director, Data Analysis and Engineering, Statistics Centre, Abu Dhabi); Aziz Alkayyoomi (UAE, Acting Director of Information Technology, Statistics Centre, Abu Dhabi); and Maximiliano Maneiro (Uruguay, Emerging Technologies Manager, Electronic Government and Information and Knowledge Society Agency). Richard Crabbe provided editorial services, and Maria Lopez designed the final publication.
This report was made possible by the World Bank’s GovTech Initiative and the GovTech Global Partnership trust fund, building on support of financial and in-kind partners that include the Ministry of Finance of Austria, the State Secretariat for Economic Affairs (SECO) of Switzerland, the Ministry of Economy and Finance (MOEF) of the Republic of Korea, the Ministry of Economic Development of the Russian Federation, the Ministry of Interior and Safety (MOIS) of the Republic of Korea, the Government of Japan and the Federal Ministry for Economic Cooperation and Development (BMZ) of Germany.

List of Acronyms

ASD Australian Signals Directorate
ACSC Australian Cyber Security Centre
AO Authorizing Officer
CCCS Canadian Center for Cyber Security
CCS Crown Commercial Service (UK)
CCSL Certified Cloud Services List (Australia)
CDDO Central Digital and Data Office (UK)
CIA Confidentiality, Integrity, and Availability
COTS Commercial-off-the-shelf
CSCM Cloud Security Controls Matrix (Australia)
CSA Cloud Security Alliance
CSO Cloud Service Offering
CSCP Cloud Services Certification Program (Australia)
CSP Cloud Service Provider
DCDT Department of Communications and Digital Technologies (South Africa)
DDA Dubai Digital Authority
DDE Dubai Data Establishment
DESC Dubai Electronic Security Center
DSC Dubai Statistics Center
DTA Digital Transformation Agency (Australia)
DPSA Department of Public Service and Administration (Australia)
ECTA Electronics Communications and Transaction Act (South Africa)
FedRAMP Federal Risk and Authorization Management Program (United States)
GDS Government Digital Service (UK)
GDPR General Data Protection Regulations
HCF Hosting Certification Framework (Australia)
HOD Head of Department (South Africa)
IaaS Infrastructure as a Service
ICT Information and Communications Technology
IPA Information-technology Promotion Agency
IRAP Infosec Registered Assessors Program (Australia)
ISMAP Information System Security Management and Assessment Program (Japan)
ISM Information Security Manual (Australia)
ISO/IEC International Standards Organization and the International Electrotechnical Commission
ISR Information Security Regulation (Dubai)
JASA Japan Information Security Audit Association
JIS Japanese Industrial Standard
METI Ministry of Economy, Trade and Industry (Japan)
MIC Ministry of Internal Affairs and Communications (Japan)
MISS Minimum Information Security Standards (South Africa)
MOU Memorandum of Understanding
NCPF National Cybersecurity Policy Framework (South Africa)
NISC National Center of Incident Readiness and Strategy for Cybersecurity (Japan)
NIST National Institute of Standards and Technology (United States)
NCSC National Cyber Security Centre (UK)
PaaS Platform as a Service
PAIA Promotion of Access to Information Act
RFQ Request for Quote/Request for Quotations
SaaS Software as a Service
SDGE Smart Dubai Government Establishment
SITA State Information Technology Agency (South Africa)
SOC System and Organization Controls
UAE United Arab Emirates

Executive Summary

With the technological advancements in cloud computing and the cost-efficiencies of cloud services, public cloud solutions offer numerous benefits for governmental operations.1 Although countries acknowledge the benefits of cloud services for the public sector, mainstream adoption in the public sector, especially in developing countries, is slow. Concerns for cybersecurity, data sovereignty, and privacy are impeding progress. These risks can be managed through appropriate institutional and procurement arrangements. However, many countries struggle with how to establish institutional mechanisms to procure cloud services from commercial providers in a secure and cost-efficient way.
Responding to this need, the World Bank’s GovTech team has prepared this Note to provide institutional and procurement guidance and risk-mitigation methodologies for integrating cloud services into the public sector. The intended audience for this report includes World Bank client countries, practitioners, and multilateral and bilateral development partners. The report aims to inform the audience about the range of institutional and procurement considerations when developing policies to preapprove and procure public cloud solutions. A case study approach has been adopted to present the experiences of four countries and one city – Australia, Japan, South Africa, the United Kingdom (UK), and the city of Dubai, United Arab Emirates (UAE) – that have taken various paths to develop institutional coordination mechanisms and procurement arrangements for public sector cloud service procurements. The strength of these case studies is in their diversity; they not only represent different geographic regions, but also offer variation in their cloud procurement approaches. Their deep experiences in the cloud security and procurement realms also offer readers a wealth of good practices to consider when developing their own cloud security and procurement policies. The majority of the case studies are advanced digital governments. Their experiences can offer good practices for readers to consider and implement when adopting public cloud solutions. Developing countries face unique challenges in adopting public cloud solutions that must also be considered. As such, the South Africa case study is intended to offer additional recommendations for developing countries. A comparative analysis is therefore conducted to identify lessons learned across the five case studies grouped into three key thematic areas: (1) Institutional Coordination Mechanisms; (2) Data Classification and Security Framework; and (3) Procurement Arrangements. 
The report highlights several similarities and variations across the five case studies, as described in Table 1 below.

Table ES.1 - Major Similarities and Variations in Case Studies

Similarities

Pillar 1: Institutional Coordination Mechanisms
Cloud-First Policy: Each case study has adopted a “cloud first” principle within its government digital services policy. Under this principle, public sector organizations – referred to in this report as “procuring agencies” – must first consider and fully evaluate potential cloud solutions before considering any other option. Cloud first concepts may also promote consideration of public cloud services before other types of cloud deployment. The cloud first principle is typically articulated within top-level government policies and strategies that promote government cloud adoption. Such policies aim to integrate key digital service agencies, procurement specialists, and cybersecurity agencies into the government-wide cloud adoption approach.

Pillar 2: Data Classification and Security Framework
International certification: The report underscores similarities in the use of international certifications within the case studies’ security frameworks. For example, Japan and Dubai leverage International Standards Organization (ISO)/International Electrotechnical Commission (IEC) certifications as part of their preapproval processes, while others view ISO/IEC certifications as beneficial but not required.
Preapproval: Most of the case studies have established cybersecurity agencies or cloud procurement offices, tasked to assess and preapprove Cloud Service Providers (CSPs) for hosting government data. The preapproval process involves verification that the CSPs comply with a government’s cybersecurity requirements issued through a standard, manual, guidance, or cybersecurity framework.
Continuous security monitoring: This report also highlights some similarities in security monitoring processes. For example, all case studies require procuring agencies to conduct continuous security monitoring of their cloud services through the entire procurement lifecycle. Similarly, most case studies require periodic reassessments of CSPs and their cloud services. Moreover, most case studies emphasize the responsibility of each procuring agency to understand its own security needs during the cloud procurement lifecycle.

Pillar 3: Procurement Arrangements
Vendor Lock-in and Payments: Most of the case studies address the issues of vendor lock-in and transparency in payment methods.

Variations

Pillar 1: Institutional Coordination Mechanisms
Institutional Framework: Japan has established a “Centralized” model wherein a single bureaucratic entity facilitates the cybersecurity assessment of cloud services and offers a list of preapproved cloud services to be procured by public sector entities. South Africa’s “Decentralized” model provides guidance to procuring agencies on various considerations, including cybersecurity needs, for each agency’s cloud procurement activities. Australia, Japan, and the UK have adopted a “Hybrid” model wherein multiple government entities share the responsibilities for preapproval and procurement.

Pillar 2: Data Classification and Security Framework
Data Classification: Most case studies have tiered data classification systems based upon Confidentiality, Integrity, and Availability (CIA) requirements. In contrast, Japan only includes one data classification level in its cloud procurement approach.
International Standards versus Internal Controls: Some models – for example, Japan and Dubai – base their security controls upon other international cybersecurity standards such as the ISO/IEC 27000 family of controls. In contrast, Australia uses standards developed by the U.S. Government’s National Institute of Standards and Technology (NIST). Others, such as South Africa and the UK, do not mandate alignment with any specific security standards or certifications for cloud procurements.2
Data Residency Approaches: South Africa and Dubai have legal requirements limiting the type of data that can cross national borders. In contrast, Australia, Japan, and the UK require each procuring agency to make risk-informed decisions on data residency for certain data classification levels.
Third-Party Assessments versus Internal Assessments: Australia, Japan, and Dubai have established third-party assessment (3PA) mechanisms to promote standardized assessments of cloud services.

Pillar 3: Procurement Arrangements
Marketplaces versus Preapproved Lists: Australia, the UK, and Dubai have marketplaces to promote simple, standardized procurements of cloud services. Japan, on the other hand, has a preapproved cloud services list (“ISMAP Cloud Service List”) from which procuring agencies can conduct procurements. The specific contracting method depends on characteristics of each agency and project. South Africa presently does not offer a marketplace or preapproved listing of cloud services.

In all case studies, each procuring agency is ultimately responsible for determining the classification levels for its data and buying a cloud service that satisfies its security and business requirements.

Key Decision. This report offers some key takeaways based upon some “good practices” observed in the case studies. These takeaways aim to provide client countries with a clear, simplified approach to institutional coordination mechanisms and procurement arrangements for public sector cloud service procurements. Further, this report suggests good practices under the three pillars for governments looking to securely integrate public cloud solutions into their government operations.

Pillar 1: Institutional Coordination Mechanisms

• Cloud First Principles and Top-Level Policy Guidance: Establishing a government-wide “cloud first” principle and a whole-of-government approach to cloud procurements can help to promote a standardized process for preapproving CSPs and their cloud services.

• Institutional Framework: Considerations may include designating a central cybersecurity body to facilitate the preapproval or certification of CSPs and their cloud services and a cloud procurement office (CPO) to facilitate the procurement of cloud services through a cloud marketplace. Some countries may have the capacity to establish new offices, while other countries may designate existing offices or working groups to address CSP preapproval and procurement policies.

Pillar 2: Data Classification and Security Framework

• Data Classification Framework: Most countries already have a government-wide data classification scheme based upon CIA requirements. The data classification schemes typically include both government data and any personal data of its citizens – personally identifiable information, or PII – that it handles. The World Bank’s Data Classification Matrix and Cloud Assessment Framework provides a suggested framework for how to align data classification schemes with key issues such as the type of systems to be procured – for example, on-premises computing versus public cloud – data residency requirements, and preapproval activities. Procuring agencies may consider this scheme, in coordination with their respective government’s data classification approach, to help determine how to handle data within public cloud environments.

• Data Residency: Data residency requirements for cloud services handling certain data classification levels such as Official, Secret, or Top Secret are also of major importance. Cloud services handling data below these thresholds do not require data residency requirements (see Data Classification Matrix and Cloud Assessment Framework).

• Another key consideration is the domestic legal requirements of CSPs. Risk-informed decisions on adopting public cloud services could include conversations with CSPs to understand their legal obligations for their national governments, especially for sensitive data of citizens such as personally identifiable information (PII).

• Security Controls Based upon International Standards: There are various approaches to establishing security controls for the preapproval of CSPs.

• For example, a country could consider leveraging existing international cybersecurity standards, such as ISO/IEC and Cloud Security Alliance (CSA) security controls. Both ISO/IEC and CSA certifications are highly respected, widely used global cybersecurity standards that many CSPs already possess. Moreover, it is much simpler and easier for countries to verify a CSP’s compliance with these international certifications instead of developing their own set of security controls. In addition, the adoption of international certifications could help harmonize security assessments across countries.

• Countries may also consider a more advanced, tiered security framework corresponding to the classification level of the data to be handled by a CSP, akin to the US government’s FedRAMP system. This type of security control framework is a possibility for more advanced countries.

• Security Assessments: Countries are encouraged to facilitate a standardized approach whereby CSPs are preapproved by a government agency, an accredited third-party assessor (3PA), the cybersecurity agency, or a combination thereof to handle certain government data. Such reviews could also benefit from the concept of “inheritance,” whereby every layer of the cloud stack is certified. This means that if a Software as a Service (SaaS) system is built upon a certified Platform as a Service (PaaS) or Infrastructure as a Service (IaaS), an assessor only assesses the SaaS.

• Local CSPs vs Hyperscalers: Using a standardized security framework and associated requirements, governments could help to promote local CSPs identified as small and medium-sized enterprises (SMEs) that need information on the government’s security requirements to register as eligible providers. Hyperscalers generally have already implemented international security standards, which gives them an edge over local SMEs in terms of government contracts.

• Continuous Monitoring: Procuring agencies are ultimately accountable for the security of their IT enterprises. They are responsible for working with CSPs and other stakeholders such as 3PAs to maintain a secure public cloud environment. To this end, continuous monitoring activities may include security incident notifications, re-verifications at least every two years, and security control change notifications.

Pillar 3: Procurement Arrangements

• Centralized Marketplace for Cloud Services: An online marketplace of CSPs and their cloud solutions for procuring agencies may be considered. Typically, to be added onto a marketplace, a CSP would be expected to sign a general “Cloud Framework Agreement” that includes basic cybersecurity and data privacy provisions such as compliance with relevant national laws that can be verified by the country. The Cloud Framework Agreement would require periodic updates, based upon the limits of the relevant procurement legislation for framework agreements in countries. A marketplace typically includes pricing for each cloud service offering and clearly identifies a CSP’s preapproved status. Alternatively, countries may instead choose to establish a preapproved listing of CSPs and their cloud services that is easily accessible to procuring agencies.

• Countries may also consider setting up framework agreements – “master agreements” – with hyperscalers to facilitate streamlined and low-cost purchases of basic cloud services such as cloud storage and hosting for multiple procuring agencies. These setups would allow procuring agencies to directly purchase these basic services from hyperscalers, as opposed to buying these services through resellers on a marketplace or preapproved list.

• Selecting a Cloud Offering: Cloud offerings may be reviewed by procuring agencies on the marketplace or preapproved list to determine which CSP meets their specific business and security requirements. There are numerous ways to begin procurement of a cloud service once selected. For example, a procuring agency may issue a tender or RFQ to facilitate competitive bidding between CSPs on the marketplace. A procuring agency may also consider choosing a cloud service based upon a “best value” standard that considers cost, security, total cost of ownership, and other relevant considerations.

• Simplified and Standardized Contracts: Simple and standardized contracts are a preferred method for procuring cloud services. Box 3.4 provides a standardized “Call-Off Contract” template for contracting with CSPs on a marketplace. For more complex solutions with specific functional requirements not available on the marketplace, procuring agencies may need to undergo Tenders or RFQs outside the marketplace to conduct functional evaluations of specialized cloud services not available on the marketplace.

• Avoiding Vendor Lock-In: Short-term contracts – for example, a two-year contract with limited annual renewals – help manage the risk of vendor lock-in. Procuring agencies should also be aware of portability fees, the cost of transferring data from one CSP to another, before signing a contract. Procuring agencies may consider listing cloud portability tools and associated migration activities as optional services in the Tenders or RFQs to help them more easily migrate between CSPs.

• Payment Methods: Key considerations for countries seeking fair cloud prices include promoting CSP pricing transparency, allowing cloud service prices to fluctuate based upon market prices (enabling price reductions), allowing CSPs to offer different pricing models, and creating an on-demand, pay-as-you-go payment option to foster cost reductions.

Countries may wish to adopt the above recommendations to manage the risks of procuring public cloud services. These commercial offerings can be employed in tandem with other cloud deployment models – such as GovClouds – to facilitate a trusted Hybrid Cloud environment for governments. See also Box 3.3 for more information on interoperating different cloud environments through Open Application Programming Interface (Open API).

Appendix 1 provides a Step-by-Step Guide for countries to consider when beginning the cloud journey process for the public sector.

1. Introduction

Despite widespread awareness of the benefits of cloud computing, authorities in most of the World Bank’s client countries have not explored the opportunity of adopting cloud computing solutions. Task teams are finding it difficult to provide relevant advice to the counterparts and address their concerns. Most authorities have identified risks of moving to cloud computing: Will their data be safe? Will they have sovereign control over access to data stored offshore? Will privacy be protected? These risks are real. Due to an inadequate assessment framework to identify and assess these risks, the typical response of most client governments is to develop a government’s cloud (G-Cloud or GovCloud). This seems logical for more sensitive or mission-critical data. However, this is not enough. Adopting a hybrid cloud model, which leverages the cloud services from the private sector to work in conjunction with the G-Cloud, can offer immense opportunities to save costs, improve security, enhance performance, and strengthen resilience in a post COVID-19 world. However, client governments need guidance to change their policy response on cloud computing, from risk avoidance to risk management. This Note provides guidance on institutional and procurement arrangements and a risk-mitigation methodology for acquiring and managing public cloud solutions using a whole-of-government approach. A quick summary of cloud service models, cloud deployment models and the ‘Cloud-First’ principle will help to contextualize the discussion on the main guidance.
1.1 Cloud Service Models

The US government’s National Institute of Standards and Technology (NIST) defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources – for example, networks, servers, storage, applications, and services – that can be rapidly provisioned and released with minimal management effort or service provider interaction.” NIST assigns five essential characteristics of cloud computing: on-demand self-service; broad network access; resource pooling; rapid elasticity; and measured service.3

The term cloud services refers to a broad range of service offerings, which can be categorized as either Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS).

• SaaS is the capability provided to the consumer to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.4

• PaaS is the capability provided to the consumer to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.5

• IaaS is the capability provided to the consumer to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components – for example, host firewalls.6

Figure 1.1 - Cloud Service Models (Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)). Source: Cloud Information Center, gsa.gov.

The top layer of a cloud service, the SaaS, is the most “packaged” solution that can be deployed by a CSP with minimal management requirements for a consumer. Going down the cloud service layers, PaaS and IaaS necessitate greater management and configurability requirements for the consumer. Generally, customers have higher risk of vendor lock-in7 when more of the service is managed by the CSP. As such, SaaS solutions have higher risk of vendor lock-in compared to PaaS and IaaS, as SaaS offerings are almost exclusively managed and configured by the CSP.

From a security perspective, each cloud service model requires a unique shared responsibility relationship between the consumer and the CSP. Compared to on-premises computing, where the consumer is predominantly responsible for all aspects of security, cloud services assign some of the security responsibilities to the CSP. In general, the security responsibilities of the consumer decrease as the cloud service model moves from IaaS to PaaS to SaaS, as shown below in Figure 1.2.

Figure 1.2 - Shared Responsibility between Consumer and CSP. The figure compares On-premises, IaaS, PaaS, and SaaS across the layers User Access/Identity, Data, Application, Guest OS, Virtualization, Network, Infrastructure, and Physical, marking each layer as a customer responsibility or a cloud service provider responsibility. Source: Oracle Cloud Threat Report - Demystifying the Cloud Shared Responsibility Security Model.

Overall, the different cloud service models create a trade-off for government cloud consumers. SaaS solutions reduce the security responsibility burdens for the consumer but increase the risk of vendor lock-in. Conversely, PaaS and IaaS increase the security responsibility burdens for the consumer while decreasing the vendor lock-in risk. As Figure 1.3 below illustrates, each cloud service model can offer a range of digital tools for use by procuring agencies.

Figure 1.3 - Example Services Available to a Cloud Consumer (NIST SP 500-292). Examples shown for the SaaS, PaaS, and IaaS consumer include Human Resources, ERP, Social Networks, Billing, Financials, Sales, Content Management, CRM, Collaboration, Email & Office Productivity, Document Management, Database, Business Intelligence, Application Development, Deployment, Testing, Integration, Storage, Platform Hosting, CDN, Backup & Recovery, and Compute. Source: NIST.

1.2 Cloud Deployment Models

There are four cloud deployment models available to governments, as shown below in Figure 1.4:

1. Private cloud is provisioned for exclusive use by a single organization comprising multiple consumers. It may be owned, managed, and operated by the organization, a third party, or some combination, and it may exist on or off premises.8

2. Community cloud is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (such as government agencies). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.9 A Government Cloud (GovCloud or G-Cloud) that hosts a government-wide data center shared by all government ministries is an example of a community cloud. G-Cloud examples include DubaiPulse and GOV.UK PaaS.

3. Public cloud is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.10 Examples of public cloud providers include Microsoft Azure, Amazon Web Services (AWS), and Google Cloud.

4. Hybrid cloud is composed of two or more distinct cloud infrastructures – private, community, or public – that remain unique entities, but are bound together by standardized or proprietary technology that enables data processing and application.11 For example, in some hybrid cloud environments, organizations connect a private cloud system such as payroll software with a public cloud for workload processing, while the data remains on-premises.

Figure 1.4 - Types of Cloud Deployment
• Public Cloud: Typically has massive amounts of available space, which translates into easy scalability. Recommended for software development and collaborative projects.
• Private Cloud: Usually resides behind a firewall and is utilized by a single organization. Recommended for businesses with very tight regulatory requirements.
• Hybrid Cloud: Combines public clouds with private clouds to allow the two platforms to interact seamlessly. Recommended for businesses balancing big data analytics with strict data privacy regulations.
• Community Cloud: A collaborative, multi-tenant platform used by several distinct organizations to share the same applications. Users are typically operating within the same industry or field.
Source: 4 Cloud Deployment Models: Their advantages and disadvantages - TurningCloud Solutions Blogs.

A procuring agency may choose a variety of cloud deployments to fit its needs. For example, a procuring agency may leverage public clouds for certain solutions, while leveraging private and hybrid clouds for other digital solutions. Figure 1.5 below is a visual depiction of a transition from legacy to a cloud environment.

Figure 1.5 - Different Cloud Deployment Schemes12 (Legacy IT, Private Cloud, Hybrid Cloud, Public Cloud No.1, Public Cloud No.2, Multi Cloud). Source: World Bank.

Governments must also consider institutional frameworks and procurement processes to manage the potential risks of adopting cloud services. Procurement of public cloud services introduces new security considerations for procuring agencies that have traditionally relied upon on-premises computing services. CSPs assume much of the cybersecurity and data privacy risks that were traditionally addressed by procuring agencies. As such, governments have created new institutional frameworks and pre-procurement certification processes to ensure cybersecurity risks are properly managed within these new public cloud arrangements.

1.3 Cloud Security Accreditations and Certifications

CSPs may also demonstrate their cybersecurity credentials through an accredited certification body – also called a third-party assessor. Some key terms for this process include the following.

• Accreditation is the formal recognition by an independent body, generally known as an accreditation body, that an individual or organization operates according to international standards.13 In terms of cloud security, an organization must receive an accreditation to become an accredited certification body capable of performing a conformity assessment of the security posture of a CSP and/or its cloud service offerings (CSOs).14

• Certification is the provision by an independent body of written assurance, such as a certificate, that the product, service, or system in question meets specific requirements.15 In terms of cloud security, a certification demonstrates that a cloud product, service, system, process, or CSP conforms to specified requirements such as international standards, as confirmed by an accredited certification body. Examples of cloud security certifications include ISO/IEC 27001, Cloud Security Alliance (CSA) Level 2 STAR, and Systems & Organizational Control 2 (SOC 2).

• Conformity Assessment Activity is the demonstration that specified requirements relating to a product, process, system, person, or body are fulfilled.16 In terms of cloud security, an accredited certification body may perform a “conformity assessment activity,” which includes a number of security tests, for a CSP and/or its CSOs to certify compliance with a standard such as ISO/IEC 27001.

1.4 Report Objective

The objective of this report is to assist readers in considering a framework for the preapproval and procurement of cloud services. This framework should ensure that national governments have the bureaucratic tools as well as the pre-procurement, procurement, and post-procurement processes in place to ensure sufficient cyber risk management of public cloud solutions for government agencies.

The report is structured as follows:

• Chapter 2 reviews lessons learned from the institutional coordination mechanisms and preapproval and procurement arrangements of the five case studies.

• Chapter 3 offers key takeaways and guidance moving forward for countries seeking to better leverage public cloud solutions.

• Annexes 1-5 provide case studies on the institutional coordination mechanisms and preapproval and procurement arrangements of four national governments and one city (Australia, Japan, South Africa, UK, and the city of Dubai, UAE).

The findings of this report facilitated the development of the World Bank’s Data Classification Matrix and Cloud Assessment Framework for the preapproval of public cloud services that will serve as a reference model for countries, particularly developing countries, as they transition to cloud first postures.

2. Lessons Learned: A Comparative Analysis of Case Studies

The experiences captured in the five case studies provide insights into good practices for institutional coordination mechanisms and procurement arrangements for integrating cloud services into public entity operations. Each case study presents various policies and processes that can be helpful for World Bank clients and donors/partners to consider when promoting their own cloud security and procurement practices.
Table 2.1 below offers a benchmarking of the five case studies against three relevant indices: the World Bank’s GovTech Maturity Index (GTMI), the UN’s E-Government Development Index (EGDI), and the MIT Technology Review’s Global Cloud Ecosystem Index. As presented below, Australia, Japan, the UK, and the UAE are advanced in all three indices, whereas South Africa has a lower rating.

Table 2.1 - Benchmarking the Case Studies using the GTMI (updated October 2022), the EGDI (updated 2022), and the Global Cloud Ecosystem Index (updated 2022)

Case study   | GTMI (from 0 to 1) | EGDI (from 0 to 1)18 | Global Cloud Ecosystem Index (from 0 to 10)19
Japan        | 0.767              | 0.9002               | 7.8
Australia    | 0.811              | 0.9405               | 7.9
UK           | 0.840              | 0.9138               | 8
South Africa | 0.562              | 0.7357               | 6
UAE*         | 0.961              | 0.9010               | 7.3

Note: *This table refers to UAE, as Dubai is not a country and thus not included in the GTMI.

Below is a discussion on key similarities and differences between these case studies, divided into three pillars:

• Pillar 1: Institutional Coordination Mechanisms
• Pillar 2: Data Classification and Security Framework
• Pillar 3: Procurement Arrangements

2.1 Institutional Coordination Mechanisms

This section provides a discussion of similarities and differences, along with a discussion on the strengths and weaknesses, of the institutional coordination mechanisms for procuring secure cloud services.

2.1.1 Cloud First Principle

Each case study has adopted a cloud first principle within its government digital services policy. Under this principle, procuring agencies are required to first consider potential cloud solutions before considering any other option, such as on-premises computing solutions. Many countries also require procuring agencies to consider public cloud solutions before any other cloud deployment model if that public cloud provides appropriate security controls for the data to be handled.

In four of the five case studies, cloud first principles are articulated within top-level government policies and strategies that pertain to the whole-of-government. For example:

• The Australian government’s original cloud security guidance, the Australian Government Cloud Computing Policy (2014),20 created a cloud first mandate for its procuring agencies. Its updated policy, the Secure Cloud Strategy (2019),21 also retains the cloud first policy.

• The Japanese government’s Cloud Adoption Policy for Government Information Systems (2018) maintains a cloud first principle that was previously articulated by past policies.22

• The UK government’s Cloud First Policy (2013) promotes the cloud first principle.23

• The Dubai Government Excellence Program (DGEP) published a key performance indicator (KPI) for public agencies to abide by the cloud first principle.24

South Africa has not yet finalized its top-level policy on cloud computing. Its National Policy on Data and Cloud remains in draft form. However, in its current draft form, the National Policy does not articulate a cloud first principle. But a February 2022 Public Service Cloud Computing Determination and Directive issued by South Africa’s Department of Public Service and Administration (DPSA) establishes a cloud first principle for public sector organizations.25

2.1.2 Top-Level Policies and Strategies

The five case studies have top-level policy guidance to promote consistency of government approach toward cloud procurements.

• Australia’s Secure Cloud Strategy underpins the government’s approach toward cloud preapproval and procurement. The Strategy also integrates various CSP and other government cybersecurity guidance documents to inform procuring agencies working to follow the Strategy’s guidance.

• Japan’s Cloud Adoption Policy for Government Information Systems informs its centralized approach toward cloud procurements, the Information System Security Management and Assessment Program (ISMAP).

• The South African government is deliberating on the finalization of its draft National Data and Cloud Policy published in April 2021 by the Department of Communications and Digital Technologies (DCDT).26

• The UK’s Cloud First Policy drives many of the government’s initiatives and strategies to promote secure acquisition of cloud solutions across public organizations, including the G-Cloud Framework and Digital Marketplace.

• The Dubai Digital Agency (DDA) develops and oversees its policies and strategies to promote Dubai’s digital transformation.

These top-level policies, and supporting cybersecurity guidance and initiatives, represent an important first step for countries beginning the cloud procurement journey. The top-down policy approach encourages consistent implementation of preapproval and procurement processes by public organizations seeking to procure public cloud solutions. Moreover, as detailed below, the use of standardized frameworks and processes can also allow for streamlining of cloud service approvals across procuring agencies.

2.1.3 Institutional Framework

While the case studies have strong similarities in declaring cloud first principles and developing top-level cloud procurement policies and strategies, they have major differences in the institutional frameworks to advance cloud preapproval and procurement. These differences can be categorized into three models: Centralized, Decentralized, and Hybrid. Table 2.2 below summarizes the strengths and weaknesses of each model.

Centralized Model: Japan uses a centralized approach that puts the responsibility upon ISMAP, in collaboration with third-party assessors, to preapprove cloud services that are then added to its Cloud Service List. In turn, procuring agencies may issue tenders for cloud services on the Cloud Services List, without the need to conduct their own security assessment of the cloud service.

Decentralized Model: South Africa promotes a more decentralized approach. The Public Service Cloud Computing Determination and Directive issued by the Department of Public Service and Administration (DPSA) offers guidance on how procuring agencies should approach the cloud service procurement process, including business and security aspects of cloud procurement. Procuring agencies are responsible for finding, assessing and approving, and procuring cloud services.

Hybrid Model: In this model adopted by Australia, the UK, and Dubai, various government entities share the preapproval and procurement responsibilities. Unlike in Japan, multiple government entities help to facilitate the preapproval and procurement of CSPs and their cloud solutions. And unlike in South Africa, procuring agencies receive support from procurement offices in finding and assessing cloud services. Under the Hybrid approach, each procuring agency is ultimately responsible for assessing the security of cloud services against its own security needs, sometimes with the assistance of third-party assessors.

In the UK, the Crown Commercial Service’s (CCS) Digital Marketplace offers a range of cloud solutions along with information on relevant security certifications, pricing, functional offerings, among other information. Agencies procuring cloud services off the Digital Marketplace are responsible for their own security assessments and approvals.

In Australia, cloud service offerings can be assessed and preapproved under the Australian Cyber Security Centre’s (ACSC) Infosec Register Assessors Program (IRAP). In turn, the Digital Transformation Agency’s (DTA) Cloud Marketplace offers a range of cloud solutions, including offerings from IRAP-assessed CSPs and CSPs without an IRAP assessment.

In Dubai, the Dubai Electronic Security Center (DESC) oversees the certification audits of CSPs conducted by third-party Certification Bodies under the CSP Security Standard. In turn, procuring agencies may purchase the cloud services of CSPs with or without certification on Dubai’s eSupply portal, depending on the data type and the risk assessment process of the entities involved.

Table 2.2 - Summary of Institutional Frameworks of the Case Studies

Japan (Centralized)
Strengths:
• Streamlines security responsibilities within one organization, facilitating the preapproval of cloud services and listing the preapproved cloud services.
• Eases the security assessment process for procuring agencies.
Weaknesses:
• Available preapproved cloud offerings may be limited compared to other models.
• Centralized system could create bottlenecks.

South Africa (Decentralized)
Strengths:
• Standardized procurement guidance provides for flexibility in agency-level cloud assessment and approval process.
• Empowers agencies to tailor their assessment, approval, and procurement activities to their unique circumstances.
Weaknesses:
• Available preapproved cloud offerings may be limited compared to other models.
• Centralized system could create bottlenecks.

Australia, UK, Dubai (Hybrid)
Strengths:
• Streamlines security responsibilities within one organization approving or verifying the certification of cloud services.
• Centralized marketplace eases the process of selecting and assessing various cloud services.
Weaknesses:
• Multiple organizations with varied responsibilities could cause complexity and confusion.

2.2 Data Classification and Security Framework

This section discusses the similarities and differences among the case studies, along with a discussion on the strengths and weaknesses, of the data classification and security framework considerations for secure cloud services.

2.2.1 Data Classification

Each case study has its own, unique data classification system. That said, there are some commonalities among many of the data classification systems. For example, many case studies use the Confidentiality, Integrity, and Availability (CIA) framework when considering levels of injury in case of a security incident. Many countries also aim to distinguish between lower-priority “Sensitive” or “Protected” data versus higher-priority “Classified” or “Secret” data. Japan is unique in that the ISMAP system only pertains to one data classification level – “Confidential 2,” which corresponds with the US government’s FedRAMP Moderate Impact Level.

Figure 2.1 - Comparison of Data Classification Levels
• Japan (ISMAP): Confidential 2
• Australia: Unclassified (Unofficial, Official, Official: Sensitive); Classified (Protected, Secret, Top Secret)
• UK: Official; Secret; Top Secret
• South Africa: Restricted; Confidential; Secret; Top Secret
• Dubai: Open; Shared-confidential; Shared-sensitive; Shared-secret

The case studies limit the types of data that a public cloud may handle. For example:

• Japan’s ISMAP only approves public cloud services for the handling of data at the Confidential 2 level.

• The Australian government allows CSPs without security clearances to handle data at or below the Official: Sensitive level. CSPs that handle data classified at the Protected level and above are required to have personnel who hold security clearances at the commensurate level.

• The UK government does not have any official limitation on the types of data to be handled by public clouds. However, the vast majority of UK government data is marked Official and agencies may make case-by-case determinations if a public cloud service provider may handle such data.

• South Africa’s Determination and Directive stipulates that agencies must, as far as practically possible, avoid moving data classified as Secret or Top Secret to public clouds.

• Dubai requires procuring agencies to purchase the public cloud services of certified CSPs to handle any Shared data.

2.2.2 Data Residency Requirements

Case study countries also vary in their data residency requirements (Figure 2.2). Only South Africa and Dubai have data residency requirements for data handled by public cloud service providers.

Figure 2.2 - Comparison of Case Studies’ Data Residency Requirements

Required:
• South Africa: Public cloud data must always reside within the borders of South Africa, with limited exceptions.
• Dubai: Dubai forbids the handling of Shared data outside the UAE. In addition, CSPs handling Shared data for government entities must have a minimum of two data centers within the country’s geographic jurisdiction. However, there is an exemption process for procuring agencies seeking to host Shared data outside the UAE, which is based on a risk assessment process.

Recommended:
• Australia: Recommends cloud consumers use CSPs and cloud services located in Australia for handling their sensitive and security-classified information. Australia also requires CSPs handling data at or above the Official: Sensitive data level to obtain a Hosting Certification Framework (HCF) certification.
• UK: Recommends public agencies to consider the implications of where data is hosted.
• Japan: Procuring agencies should strongly consider the potential risks of the handling of data that may become subject to foreign laws and regulations when selecting cloud service offerings.

2.2.3 Security Controls

Each case study has its own, unique regime of security controls for the preapproval of public cloud services. Japan and Dubai developed their own control regimes based upon existing international standards. Australia bases its controls upon NIST standards. Other countries (e.g., UK and South Africa) rely more directly upon existing laws, regulations, and guidance.

• ISMAP uses Japanese Industrial Standard (JIS) controls,27 based upon the ISO/IEC 27000 family of standards, as the criteria against which to evaluate the security of cloud services. ISMAP also maps the JIS standards to NIST Special Publication 800-53 (Rev. 4) and Japan’s own domestic security control framework. Similarly, Dubai’s CSP Security Standard requires CSPs to obtain the following international certifications: ISO/IEC 27001 certification with the ISO/IEC 27017 extension and the CSA Level 2 STAR.

• Australia uses the Information Security Manual (ISM)28 and its associated Cloud Security Controls Matrix (CSCM)29 to evaluate the security of cloud services. The ISM draws the foundation of its framework from the NIST Special Publication (SP) 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.

• The UK government does not subscribe to one type of cybersecurity standard or set of security controls when assessing cloud services. Instead, it has several security compliance requirements as part of the Digital Marketplace’s G-Cloud Framework. The UK government also encourages CSPs to consider various baseline security guidance, especially the National Cyber Security Centre’s (NCSC) 14 Cloud Security Principles.30

• South Africa does not have a centralized set of security controls for cloud services procured by procuring agencies. Instead, it refers to existing national laws and agency-specific information security requirements.

Moreover, Australia and the UK state that any third-party certifications such as ISO/IEC certifications possessed by a CSP are taken under consideration during the security assessment process. However, such certifications are not required. In essence, they are seen as beneficial, but not mandatory.

2.2.4 Security Assessments

Each case study employs its own unique process for cloud preapproval to ensure procuring agencies properly assess and mitigate risk before adopting public cloud services. Table 2.3 below reviews the various preapproval and procurement considerations and activities of each country.

• Security Self-Assessment: Are procuring agencies required to assess their own risk profiles before assessing cloud services?

• Third-Party Assessors: Do third-party assessors conduct a security assessment of the CSP as part of the review process?

• Assessment Reuse: Can CSPs share third-party assessments with multiple procuring agencies?

• Controls Inheritance: As part of the security assessment, do cloud services inherit the security controls of other cloud services they are built upon?

• Reassessment Requirements: Must approved CSPs and their cloud services be periodically re-assessed?

Table 2.3 - Comparison of Security Assessment Considerations and Activities

Consideration             | Japan                                                | Australia                 | UK                        | South Africa                    | Dubai
Security Self-Assessment  | Yes                                                  | Yes (“Phase 2A” Report)   | Yes                       | Yes                             | Yes
Third-Party Assessments   | Yes (“ISMAP Assessors”)                              | Yes (“IRAP Assessors”)    | No                        | No                              | Yes (“Certification Bodies”)
Assessment Reuse          | Yes (approved services added to Cloud Service List)  | Yes                       | No                        | No                              | Yes
Controls Inheritance      | No                                                   | Yes                       | Case-by-case              | Case-by-case                    | Yes
Reassessment Requirements | Every 12 months                                      | Every 24 months maximum   | 24-month G-Cloud Contract | Contracts cannot exceed 5 years | Basic reviews every 12 months and full recertifications every 3 years

Some good practices from a review of the case studies’ security assessments include:

• In general, procuring agencies conduct a security self-assessment of their own systems related to data classification levels, security requirements, business needs, and risk management considerations. This self-assessment helps align an agency’s needs with the available cloud services.

• Australia, Japan, and Dubai use third-party assessors (3PAs) that conduct standardized security assessments of CSPs. This process allows agencies to assess cloud services and CSPs in comparison to each other using consistent, standardized assessment forms. The CSPs pay the fees of the 3PA. The fee structure is established by the government through framework contracts with the approved 3PA.

• In Australia, CSPs are encouraged to share IRAP assessments with other agencies, thus streamlining approval processes for that CSP and its cloud services across the government.

• All countries either require mandatory reassessments or establish maximum contract lengths to help ensure ongoing reviews of a CSP’s security posture.

2.2.5 Continuous Monitoring

All case studies require procuring agencies to work with CSPs and, in some cases, 3PAs to continuously monitor the security of a cloud service. For example, under Japan’s ISMAP, cloud services must be renewed on an annual basis by ISMAP Assessors to ensure the continued security of each offering. Other countries similarly engage in long-term continuous monitoring through mandatory security reassessments, incident reporting requirements, and guidance for cloud lifecycle security.

2.3 Procurement Arrangements

This section provides a discussion of similarities and differences, along with a discussion on the strengths and weaknesses, of the arrangements to procure cloud services.

2.3.1 Finding and Selecting Cloud Services

Finding Cloud Services. Some case studies offer a centralized marketplace of cloud services. Australia, the UK, and Dubai have developed online marketplaces for cloud services for procuring agencies.

For example, the UK’s Digital Marketplace requires each CSP to sign the UK’s G-Cloud Framework, a contractual agreement between the CSP and the UK government’s CCS. The G-Cloud Framework requires suppliers to self-declare compliance with various cybersecurity and data privacy-related requirements.

• The UK’s self-declaration model works well in a competitive, high-capability economy in which CSPs are held to high standards by both CCS and market competitors.

• In this system, there is little incentive to falsify self-declarations, as failure to deliver services as advertised would likely result in the reduction or elimination of future government contracts. Procuring agencies could replace the CSP with a more suitable vendor.

Australia’s Cloud Marketplace is a panel arrangement wherein CSPs are appointed to supply services for a set period of time under agreed terms and conditions. In contrast to the UK model, DTA periodically releases Requests for Tender for CSPs to be added to the Cloud Marketplace. DTA must review and then approve these tenders – as opposed to the self-declaration model for the UK’s Digital Marketplace.

Dubai’s eSupply is the main online portal for suppliers, including CSPs, to participate in online bidding for government contracts. Any company may register as a supplier on eSupply. Procuring agencies may issue RFQs seeking cloud services from suppliers on eSupply.

Another mechanism is a listing of preapproved cloud offerings. For example, Japan’s ISMAP Cloud Services List provides procuring agencies with an updated list of preapproved cloud services. South Africa does not currently have a centralized List or Marketplace of cloud service offerings. Instead, each procuring agency conducts its own market research or Open Tender process to begin its cloud procurement activities.

Selecting and contracting with CSPs. Marketplaces are designed to facilitate simplified, short-term contracts for cloud services.

• In the UK, a procuring agency can issue a Call-Off Contract with a CSP for a commercial-off-the-shelf (COTS) cloud solution under the G-Cloud Framework on the Digital Marketplace. If only one supplier meets its requirements, it can directly issue the Call-Off Contract. If, on the other hand, there are several potential suppliers, a procuring agency may review and select a service based upon the lowest-priced offering or a best value purchase based upon numerous factors, such as total cost of ownership, technical merit and functional fit, and service management. CCS provides a standard template Call-Off Contract for procuring agencies.

• In Australia, each procuring agency seeking a cloud service must undergo a competitive bidding process under an RFQ to achieve best value for money. Once a procuring agency selects its vendor, it forms a contract under the Cloud Marketplace panel arrangement. DTA provides standardized contract templates for procuring agencies using the Cloud Marketplace.

• Under Dubai’s eSupply, the specific procurement requirements for a cloud service under an RFQ vary depending on requirements for each project, for example, whether it handles Shared data and thus requires the CSP to be certified through the CSP Security Standard.

For Japan, procuring agencies may contract with cloud services from its ISMAP Cloud Service List. The procuring agencies have flexibility in how to procure cloud services off the Cloud Service List; as such, the specific method of contracting varies depending on characteristics of

considerations may include business and operational needs, technical fit of the service, and service management. The UK’s Digital Marketplace and Australia’s Cloud Marketplace also include pricing information for cloud services. The marketplaces offer mostly COTS cloud solutions. In certain cases, procuring agencies with specific functional requirements that go beyond COTS offerings available on the marketplaces may issue a separate tender or RFQ off the marketplace for such specialized cloud services. For example, UK procuring agencies coordinate with the CCS to issue a Request for Tender for specialized cloud services.

The UK has also entered into separate agreements with hyperscaler providers such as AWS, IBM, and Microsoft, to allow streamlined and discounted cloud services for procuring agencies. These arrangements allow procuring agencies to purchase hyperscaler services such as cloud storage and compute directly from the hyperscalers through direct award or competitive bidding.

Security is a key consideration when selecting cloud services from the marketplaces. For example, the Australian marketplace notes whether its listed cloud services are IRAP-assessed.
Moreover, the UK’s Digital Marketplace also lists each project. South Africa does not have a cloud marketplace the cybersecurity certifications and standards for each CSP or preapproved list. Each procuring agency has the flexibility and its cloud services. to conduct procurements and contracting as they see fit, in accordance with the DPSA’s Determination and Directive. Another key consideration when selecting cloud services is cost, including total cost of ownership.31 Other > > > T A B L E 2 . 4 - Summary of Procurement Models of the Case Studies Case study Model Strengths Weaknesses Australia Marketplace • A marketplace offers a centralized • Requires advanced e-government location for procuring agencies capabilities to create and maintain UK to review cloud services with an online marketplace. and without preapprovals or Dubai certifications. • There is flexibility in how to add CSPs and their cloud services onto a marketplace, how procuring agencies can select and contract with a CSP, and how to approach pricing and payments. Japan Preapproved List • Lists of preapproved CSPs offers • Procurements off the preapproved procuring agencies an easy way to lists are conducted on a case- locate secure cloud services. by-case basis, meaning there EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT <<< 22 Table 2.4 continued Case study Model Strengths Weaknesses • Procuring agencies can engage are no standardized contract in typical procurements such as templates available. tenders for cloud services on the preapproved lists. South Africa Top-level • Procuring agencies must abide • May result in discrepancies in Guidance by the DPSA’s Determination security and service standards and Directive. across the public sectors. • This system provides flexibility in procurement methods for each agency. 
2.3.2 Managing Vendor Lock-in

Vendor lock-in is also a key consideration. Short-term cloud services contracts are one effective tool for managing the risk of lock-in. For example, the UK government's G-Cloud Framework contracts normally do not exceed 24 months. Similarly, most Australian procuring agencies buy subscription-based units of cloud services for no longer than three years.

The UK Central Digital and Data Office (CDDO) also calls on procuring agencies to assess which CSPs maximize both the value and portability of the services. Portability refers to the ease and affordability of moving a system and data from one CSP to another. More portable offerings decrease vendor lock-in risk. Agencies should consider portability ease and costs as part of their cloud service procurements. Figure 2.3 below illustrates how procuring agencies may assess CSPs based on their value and portability.

> > > F I G U R E 2 . 3 - Portability and Value Considerations for Cloud Services32

[Figure: a two-by-two grid with Value on the vertical axis and Portability on the horizontal axis. High value, low portability: "Services here tend to offer a lot of value that can make the risk of lock-in worthwhile." High value, high portability: "It's rare to find services here, but they can represent good value and a very low lock-in risk." Low value, low portability: "Avoid services that offer low value and portability." Low value, high portability: "Many common or non-complex services are typically found here."]

Source: www.gov.uk.

2.3.3 Payment Methods

Some case studies also address pricing and payment considerations to enable transparent and fair cloud prices. For example, the UK's Call-Off contract requires the procuring agency and vendor to specify the payment method, schedule of payments, and a breakdown of charges. Australia's DTA specifies that vendors cannot charge more than the maximum price posted on the Cloud Marketplace.

AWS's Cloud Procurement: Best Practices for Public Sector Customers offers numerous considerations for public sector payment methods for cloud services.33 Some top considerations include:

• Transparency: CSP pricing information should be available and easy to understand for procuring agencies.

• Variable Prices: Cloud procurement models should allow flexibility to ensure cloud prices can fluctuate based upon market pricing, taking advantage of price reductions in the cloud market.

• Multiple Pricing Models: CSPs should be able to offer different pricing models to enable procuring agencies to assess which model best fits their needs.

• Pay-Per-Use Model ("Utility Style"): Countries should develop an on-demand, pay-as-you-go (utility style) option for procuring cloud services to help reduce costs.

See Appendix 2 for a one-page Comparative Analysis Table for the five case studies.

3. >>> The Way Forward – Main Takeaways

Moving forward, readers are encouraged to use the findings of this report when deliberating on future plans for procurements of secure cloud services. Based upon the "lessons learned" above, key takeaways from this report include:

Institutional Coordination Mechanisms

Cloud First Principles and Top-Level Policy Guidance. Establishing a government-wide cloud first principle and outlining the government's vision and objectives for using cloud services in government can help foster a standardized approach for preapproving CSPs and their cloud services. Government leaders are encouraged to leverage expertise across the bureaucracy, including cybersecurity and procurement specialists, to help develop these policies. See Box 3.1 below for suggested cloud first policy language.

> > > B O X 3 . 1 - Suggested Language for a Cloud First Policy

"When procuring new or existing services, public sector organizations should consider and fully evaluate potential cloud solutions as the first option before exploring any alternative options such as on-premises infrastructure. When choosing cloud models for procurement, agencies should consider and fully evaluate the public cloud as the first option before exploring any alternative cloud deployment models such as community, hybrid, or private cloud."

Source: World Bank.

Policies should be complemented by strong leadership and inter-governmental coordination. A motivated cadre of leaders within the government to provide guidance and enforce compliance is necessary to actually enact the policies. Moreover, change management to help foster the buy-in of government employees on public cloud solutions is also an important ingredient for success.

Institutional Framework. Considerations may include designating a central cybersecurity body to facilitate the preapproval of CSPs and their cloud services. This body would be responsible for overseeing cloud security assessment activities and providing advisory and technical support to agencies, CSPs, and other stakeholders such as third-party assessors (3PAs). Countries may also consider establishing a cloud procurement office (CPO) to facilitate the procurement of cloud services, for example through the establishment of a cloud marketplace or a web-published list of preapproved CSPs. Some countries may have the capacity to establish these new offices, while others may be better aligned to designate existing offices or working groups to address CSP preapproval and procurement policies.

> > > T A B L E 3 . 1 - Example of a Responsibility Matrix for Institutional Framework of Cloud Preapproval and Procurement

| Entity | Responsibility |
| A Top Policymaking Structure (such as a Cabinet Office) | Establish top-level policies and outline the vision and objectives for using cloud services in government. |
| A Central Cybersecurity Body | Develop and oversee a data classification scheme and a preapproval process for CSPs and their cloud services. |
| Cloud Procurement Office | Establish a cloud procurement framework (such as a marketplace, preapproved list, hyperscaler agreement frameworks, etc.). |

Source: World Bank.

Data Classification and Security Framework

Data Classification Framework. Most countries have already established a government-wide data classification scheme based upon CIA (confidentiality, integrity, availability) requirements. The data classification schemes typically include both government data and any personal data of citizens (i.e., personally identifiable information, or PII34) that the government handles.35 The Data Classification Matrix and Cloud Assessment Framework provides a suggested framework for how to align data classification schemes with key issues such as the type of systems to be procured (for example, on-premise computing versus public cloud), data residency requirements, and the rigor of preapproval activities. Ultimately, each procuring agency is responsible for using the government's data classification scheme to understand its cloud security needs depending on the data and information environments.

Data Residency. A major consideration for every country is its data residency requirements for cloud services handling certain data classification levels (e.g., Official, Secret, or Top Secret). For example, a country may not have strict data residency requirements for CSPs handling data below its Official data classification level.36 Moreover, procuring agencies handling Secret or Top Secret data typically require the use of private or community clouds. See the Data Classification Matrix and Cloud Assessment Framework for additional guidance.

The underlying reason for such residency requirements is heightened concern for cybersecurity and the notion that on-premises or private cloud data will be more secure. Typically, these concerns relate to data on defense, geopolitics, diplomacy, strategic economic assets, and citizens. Governments should carefully evaluate these concerns according to their context, but the contrary may be true: public cloud might be safer. The rationale is simple. Data held on-premises in a single centralized location can increase privacy and security vulnerabilities, as it is more susceptible to a single point of failure. In contrast, a globally connected cloud creates economies of scale. Hyperscalers like Microsoft, Google, Amazon and others have teams of thousands of global cybersecurity experts working to safeguard the cloud by leveraging datapoints and threat data from all over the world. Microsoft experts, for example, monitor eight trillion security signals every 24 hours,37 far more signals than any one customer would have access to with a local or private cloud. "The cybersecurity world offers lessons on why data localization and residency restrictions can be harmful and costly: Data security issues can arise from storing all data in one geographical territory, which is contrary to the diversification approach most commonly mandated in the cybersecurity industry and often adopted by multinational companies to ensure robust security across a geographically dispersed network."38

While there may be instances where the benefits of increased security are outweighed by another consideration, a government can only make that determination if it has a clear view of the potential benefits and risks. Box 3.2 below presents the example of Ukraine.

> > > B O X 3 . 2 - How Cybersecurity Concerns in Ukraine Led to the Migration of Government Data to Public Cloud

Prior to the war with Russia, Ukraine had a long-standing Data Protection Law that prohibited government authorities from processing and storing data in the public cloud. This meant that the country's public-sector digital infrastructure was run locally on servers physically located within the country's borders. A week before the war started in 2022, the Ukrainian government was running entirely on servers located within government buildings, locations that were vulnerable to attacks. Ukraine's Minister of Digital Transformation and his colleagues in Parliament recognized the need to address this vulnerability. On February 17, 2022, days before the start of the war, Ukraine's Parliament amended its Data Protection Law to allow government data to move off existing on-premises servers and into the public cloud. This in effect enabled it to "evacuate" critical government data outside the country and into data centers across Europe. Microsoft and other tech companies rallied to help. Within 10 weeks, Ukraine's Ministry of Digital Transformation and more than 90 chief digital transformation officers across the Ukrainian government worked to transfer to the cloud many of the central government's most important digital operations and data.

The data was the target of intense cybersecurity attacks during the war. However, recent advances in cyber threat intelligence and end-point protection have helped Ukraine withstand a high percentage of destructive cyberattacks. Cybersecurity experts noted multiple waves of destructive cyberattacks against 48 distinct Ukrainian agencies and enterprises, seeking to penetrate network domains by initially compromising hundreds of computers and then spreading malware designed to destroy the software and data on thousands of others.

A defining aspect of Ukraine's defense so far has been the strength and relative success of its cyber defenses, supported by private sector companies like Microsoft. While not perfect, and some destructive attacks have been successful, these cyber defenses have proved stronger than offensive cyber capabilities. This reflects two important and recent trends. First, threat intelligence advances, including the use of artificial intelligence, have helped to make it possible to detect these attacks more effectively. And second, internet-connected end-point protection has made it possible to distribute protective software code quickly to cloud services and other connected computing devices to identify and disable malware. Ongoing wartime innovations and measures with the Ukrainian Government have strengthened this protection further. But continued vigilance and innovation will likely be needed to sustain this defensive advantage.

Source: "Extending our vital technology support for Ukraine," Microsoft On the Issues, November 3, 2022; "Defending Ukraine: Early Lessons from the Cyber War," Microsoft On the Issues, June 22, 2022; Microsoft Digital Defense Report 2022 (released June 22, 2022); "An overview of Russia's cyberattack activity in Ukraine," April 27, 2022.

In March 2022, following cyberattacks on Ukraine, the Government of the Republic of Lithuania approved amendments to the Law on Management of State Information Resources39 with the aim of improving the security and resiliency of government services by allowing additional copies of government data to be held in data centers located in the European Union (EU), the North Atlantic Treaty Organization (NATO), or the European Economic Area. Such data centers will have to meet the same technical requirements for cyber security and national security interests as national data centers. The law had previously required that state data only be stored in national data centers.

Some smaller countries may have difficulty attracting CSPs to build data centers within their geographical boundaries. One possibility to address this challenge is a "trusted neighbor" concept whereby countries can host government data within CSP data centers located within trusted neighboring countries or allies. Moreover, with regard to data sovereignty, CSPs are bound by the national legal requirements of their home countries. For example, American CSPs and any CSP with a US subsidiary are currently bound by the requirements of the CLOUD Act.40 Within this context, countries' decisions on adopting public cloud services should be informed by conversations with CSPs to understand their legal obligations to their national governments, especially for sensitive data of citizens such as PII.

Security Controls based upon International Standards. There are various approaches to establishing security controls for the preapproval of CSPs.

• A country can consider leveraging international standards, such as ISO/IEC and CSA security controls, as the basis for preapproving CSPs. Both ISO/IEC and CSA certifications are highly respected, widely used global cybersecurity standards that many CSPs already possess. It is much simpler and easier for countries to verify a CSP's existing certification against these international standards instead of creating a new set of security controls. This is the preferred method for developing countries.

• Alternatively, developed countries may consider a more advanced, tiered security framework to preapprove or certify CSPs based upon the classification level of the data to be handled. One example of this method is the US government's FedRAMP system.

• Regardless of the security control path chosen by the country, a cybersecurity body or a group of government cybersecurity experts can lead the development of the preapproval framework using the Data Classification Matrix and Cloud Assessment Framework as guidance.
Security Assessments. Countries are encouraged to facilitate a standardized approach to preapprove CSPs to handle certain government data, whether by a government agency, an accredited third-party assessor (3PA), the cybersecurity agency, or a combination thereof. As noted above, this could be done using international security control standards (a more simplified approach) or a tiered security framework (a more advanced approach).

• If multiple countries adopt the same international standards such as ISO/IEC and CSA certifications, this could enable the harmonization of security assessments across countries.

• Countries should also consider the concept of "inheritance," whereby every layer of the cloud stack is certified. This means that if a SaaS is built upon a certified PaaS or IaaS, an assessor only assesses the controls the SaaS provider itself operates and relies on the underlying certification for the inherited ones. Inheritance therefore only holds where the SaaS actually runs on the certified offering and within the scope of that certification, which the assessor should confirm. This eases the certification process for SaaS providers.

Local CSPs vs Hyperscalers. Hyperscalers have generally already implemented international security standards such as ISO/IEC and CSA, which gives them an edge over local CSPs identified as small and medium-sized enterprises (SMEs) in terms of government contracts. A standardized security framework and associated requirements such as inheritance of controls could help address this challenge and enable local SMEs to register as eligible providers.

Continuous Monitoring. Procuring agencies are ultimately accountable for the security of their IT enterprises. As such, they are responsible for working with CSPs to maintain a secure public cloud environment. In this regard, agencies, CSPs, and others (such as 3PAs) are encouraged to work together to continuously monitor the security of the cloud environment and its operation. Government and commercial stakeholders should be responsible for notifying each other of any security incidents, and such incident reports should be elevated to a country's central cybersecurity body. Agencies may also request that CSPs connect with their incident monitoring platforms to support the monitoring of their cloud solutions. Other suggestions include annual or biennial re-certifications and security control change notifications by the CSPs.

Procurement Arrangements

Centralized Marketplace or Listing for Cloud Services. An online marketplace of CSPs and their cloud solutions for procuring agencies may be considered. Under this system, a CSP would be expected to sign a general Cloud Framework Agreement as a condition of joining the marketplace that includes basic cybersecurity and data privacy provisions (such as compliance with relevant national laws) that can be verified by the country. The Cloud Framework Agreement would require periodic updates, based upon the limits of the relevant procurement legislation for framework agreements in the country and other considerations. Marketplaces typically include pricing for each cloud service offering and clearly identify a CSP's preapproval or certification status.

Alternatively, countries may instead establish a listing of preapproved CSPs and their cloud services that is easily accessible to procuring agencies. Countries may also consider setting up Master Agreements with hyperscalers that offer special terms and pricing for hyperscaler offerings available to all procuring agencies for direct contract awards or tenders. Such agreements should also include basic cybersecurity and data privacy provisions. Under this setup, a procuring agency could directly purchase basic cloud services from hyperscalers, as opposed to buying these services at higher cost through resellers on the marketplace.

Selecting a Cloud Offering. The above recommendations allow procuring agencies to review cloud offerings on the marketplace or preapproved list/registry to determine which CSPs meet their specific business and security requirements. The Data Classification Matrix and Cloud Assessment Framework provides a possible template for agencies to assess their own internal business and security needs.

Procuring agencies can leverage numerous ways to begin a procurement of a selected cloud service. For example, a procuring agency may issue a tender or RFQ to facilitate competitive bidding between CSPs on the marketplace. A procuring agency may also consider choosing a cloud service based on a best value standard that considers cost, security, total cost of ownership, and other relevant considerations. Other procurement considerations may include the capacity of a cloud solution to scale services, the ease of receiving desktop support from CSPs, and the costs of capital expenditures (CapEx) versus operating expenditures (OpEx). Another consideration is whether or not the procurement involves data migration from legacy systems or applications, as presented below in Box 3.3. Ultimately, the cloud service selections are determined by the needs of each procuring agency.

> > > B O X 3 . 3 - Data Migration Considerations – Lessons from Singapore

There are numerous considerations to be made on data migration related to the cloud, whether it be migrating data from a legacy system into a cloud environment or from an existing cloud vendor to another cloud vendor. Some good practices in this area include:

• When transitioning from a legacy system or application, it is helpful to plan for a separate cloud expert support services contract for a system integrator to support the procuring agency with its acquisition planning.

• When transitioning between cloud vendors, it is important to establish data migration requirements within the contract agreements (see Box 3.4).
• In either case, procuring agencies should take the opportunity to inventory data and erase or archive unneeded data before a transition. Furthermore, procuring agencies should work with vendors to ensure a secure and seamless data migration process.

Singapore provides a helpful example by outlining different approaches to data migration. The Singapore government uses four approaches for data migration, each of which has cost-benefit trade-offs:

1. Rehost: A lift-and-shift approach, migrating workloads from on-premises to cloud with minimal changes to the application. This approach can be used for legacy systems that would be redeveloped in the short run as well as simple and agency-specific systems that do not require frequent changes. (Low level of realized benefits)

2. Re-platform: Migrate workloads to run on cloud with some changes to modernize critical components like middleware and/or database. This approach can be used for legacy systems that are required to operate in the medium term before full redevelopment, simple, agency-specific systems that do not require frequent changes, and systems in the middle of their life cycle. (Medium level of realized benefits)

3. Redevelop: Redevelop apps to take advantage of cloud-based technologies, such as containers and serverless runtime. This approach can be used for systems that need to fully exploit the capabilities of the cloud and have more unique needs. (High level of realized benefits)

4. Replace: Replace with SaaS, which is licensed on a subscription basis and hosted on the cloud. This approach can be used for enterprise systems with a high degree of functional commonality and a low degree of customization. (Medium-high level of realized benefits)

Singapore has a team of developers who have created "Open API" (Open Application Programming Interface) solutions to help move data between systems. Singapore works to ensure CSPs can interoperate with the Open APIs.
Overall, this approach allows Singapore to move data more easily between systems, which improves data migration efforts.

Source: Richard Tay, Senior Director, Government Infrastructure Group, Government Technology Agency, Singapore.

Simplified and Standardized Contracts. Simple and standardized contracts are the preferred method for procuring cloud services. Box 3.4 below offers considerations for developing a standardized Call-Off Contract template for contracting with CSPs on a marketplace.

> > > B O X 3 . 4 - Considerations for a Call-Off Contract Template for a Cloud Marketplace

The Contract Template should provide (1) the basic details such as parties and contract period, (2) terms and conditions of the cloud service, and (3) data security and privacy conditions. The list of considerations to be included in this template could therefore include:

• An Order Form that includes contracting parties, start and end date, extension possibilities, contract value, pricing model, payment method, and invoice details.

• A Service Level Agreement (SLA) that details performance obligations of the seller, including quality of service requirements, along with provisions for rebates if there is a failure of service.

• Statement of the division of responsibilities between the buyer and seller for the information system, including data custodianship responsibilities.

• Requirement for the seller to abide by relevant national laws, agency regulations, and applicable international standards.

• Statement of the data ownership rights of the buyer.

• Description of usage rights and intellectual property rights, including requirements that the seller provides the buyer with certain usage and intellectual property rights for the cloud service during the contract period.

• Statement of the seller's insurance along with the seller's liability requirements to the buyer.

• Dispute resolution provisions.
• The seller's exit plan to ensure orderly transition to a new seller, including the rights of the buyer for early termination and a requirement to erase or archive specified data as part of the contract termination.

• Listing of current cybersecurity certifications and/or cybersecurity standards followed; operative data privacy standards; and location of data storage, processing, and transit.

• Requirement for the seller to notify the buyer of a security breach.

• Requirements for continuous security monitoring.

An example of a cloud marketplace contract template is provided by the UK Crown Commercial Service's G-Cloud Framework and Call-Off Contract Templates (see Notes 103 and 107).

Sometimes, more complex solutions with specific functional requirements not available on the marketplace could necessitate tenders or RFQs outside the marketplace. In these cases, a procuring agency would conduct functional evaluations of specialized cloud services off the marketplace.

Regardless of the type of contract, each contractual agreement with a CSP should clearly state that the procuring agency is the data owner, while the CSP is the data custodian. The procuring agency should also detail how the CSP should archive its data during or after the contract period as well as how to handle the government-owned data at the conclusion of the agreement, for example, erasing or migrating the data.

Avoiding Vendor Lock-in. Short-term contracts, usually two-year contracts or less with limited annual renewals, help to manage the risk of vendor lock-in. Procuring agencies should also be aware of portability fees (the cost of transferring data from one CSP to another) before signing a contract. The lower the portability costs, the lower the risk of vendor lock-in. Procuring agencies should also consider listing cloud portability tools and associated migration as optional services in the tenders or RFQs. Such services would help the procuring agencies migrate between CSPs more easily.

Payment Methods. Procuring agencies should choose a payment method that best fits their situation, depending on the specific project needs. Key considerations for obtaining fair cloud prices include promoting pricing transparency, allowing cloud service prices to fluctuate based upon market prices, allowing CSPs to offer different pricing models, and creating an on-demand, pay-as-you-go (utility style) payment option. Indeed, many procurers prefer to begin using the pay-as-you-go model for initial procurement of cloud services as opposed to more expensive fixed-price contracts. In this way, the procuring agencies would purchase a cloud offering as a service contract, not a product purchase. In addition, Master Agreements with CSPs (especially hyperscalers) for cloud services across multiple government agencies can help reduce costs for countries.

Furthermore, donor-funded projects face issues of disbursement (monthly subscriptions will slow down disbursement) and the potential inability of the government to pay for the cloud subscription fees once the project is closed. Advance payment for up to three years of subscription fees is allowed by vendors like AWS. This could be considered to address the issues of slow disbursements and the government's potential default on subscription payments after the project's closure.

Appendix 1 provides a Step-by-Step Guide for countries to consider when beginning the journey to public cloud procurements.

Governments and their procuring agencies may wish to adopt the above recommendations to manage the risks of procuring public cloud services. These cloud solutions can be interoperated with other cloud deployment models, such as GovClouds, to facilitate a trusted Hybrid Cloud environment for governments. See Box 3.3 for more information on interoperating different cloud environments through Open API.

>>> Appendix 1. Step-By-Step Guide to Public Cloud Assessments and Procurements for Government

Step 1: Data Classification Matrix
• Procuring agency staff should be trained to understand the government's data classification system and implement such classifications for information and data on IT systems.
• Source: Data Classification Matrix and Cloud Assessment Framework.

Step 2: Data Residency Requirements
• Countries should develop data residency policies for data/information on cloud systems based upon the data classification system.
• This policy should align with national data privacy laws and the country's own risk assessment.
• Source: Data Classification Matrix and Cloud Assessment Framework.

Step 3: Security Controls and Framework
• Countries may adopt a simplified approach to security controls and a security framework by leveraging international controls.
• Alternatively, countries may adopt a more complex approach that uses a tiered set of security controls such as the US government's FedRAMP.
• Source: Data Classification Matrix and Cloud Assessment Framework.

Step 4: Security Assessment and Pre-Approval
• Countries should create a process to verify a CSP's compliance with its security framework.
• Source: Data Classification Matrix and Cloud Assessment Framework.

Step 5: Continuous Monitoring
• Each procuring agency is responsible for working with CSPs to maintain a secure cloud environment.
• Procuring agencies should ensure contracts stipulate the continuous monitoring requirements of CSPs (including incident notifications and security control change notifications).
• Source: Data Classification Matrix and Cloud Assessment Framework • Countries can take steps to further mature their secure cloud procurement efforts through development of “enabling” policies such as: • A “Cloud First” Principle • Development of standard cloud contract templates (such as Call-Off Contracts, Minimum Terms, Master Agreements, etc.) Step 6: • Creation of an online Marketplace of CSOs or an online listing of CSOs available Enabling Policies for procurement • Source: Boxes 3.1 and 3.4 of the Institutional and Procurement Practice Note on Cloud Computing. EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT <<< 34 >>> Appendix 2. Comparison Table of Case Studies Metrics Japan Australia UK South Africa Dubai Institutional Coordination Mechanisms Cloud First Yes Yes Yes Yes –through a Yes Principle? regulatory order, not a national policy Institutional Centralized Hybrid Model Hybrid Model Decentralized Hybrid Model Framework Model Model Data Classification and Security Framework Data ISMAP considers Unclassified Official Restricted OPEN Classification one data (Unofficial, Secret Confidential SHARED- classification level: Official, Official: Top Secret Secret Confidential Confidential 2 Sensitive) Top Secret SHARED- Classified Sensitive (Protected, SHARED-Secret Secret, Top Secret Data Residency Risk-based Risk-based Risk-based Public cloud data Handling of decision decision decision must always SHARED data recommended for recommended recommended reside within the outside the UAE each agency for each agency for each agency borders of South is prohibited handling sensitive Africa (with limited and classified data exceptions) Security Japanese Cloud Security None required; Refers to CSP Security Controls Industrial Standard Controls Matrix 14 Cloud Security national laws and Standard (JIS) (based on (based on NIST Principles agency-specific (based on ISO ISO 27000 family) SP 800-37) recommended information 27000 family security and CSA Cloud requirements 
Controls Matrix) Security Uses third-party Uses third-party UK’s G-Cloud Each procuring Uses third-party Assessments “ISMAP Assessors” “IRAP Assessors” Framework agency assesses “Certification for CSP security for CSP security requires CSPs CSPs based Bodies” for assessments assessments to self-declare upon national CSP security cybersecurity and departmental assessments and data information privacy-related security standards information Continuous Annual Reassessments 24-month Contracts cannot Basic reviews Monitoring reassessments every 24 months maximum exceed 5 years every 12 months for CSPs on the for IRAP-approved G-Cloud Contract and full re- ISMAP Cloud CSPs and their certifications Service List cloud services every three years EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT <<< 36 Metrics Japan Australia UK South Africa Dubai Procurement Arrangements Procurement “Cloud Service “Cloud “Digital Agency-specific “eSupply” Model List” Marketplace” Marketplace” Selecting CSPs Open Tendering Competitive Selection off Follows the Selection off the system on the bidding the Digital requirements of eSupply ISMAP Cloud process (RFQ) Marketplace Public Service Service List within Cloud Cloud Computing Marketplace Determination and Directive Contracting Case-by-case Contracts under Call-Off Contracts Follows the Case-by-case Methods the Cloud under G-Cloud requirements of Marketplace panel Framework Public Service arrangement Cloud Computing Determination and Directive EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT <<< 37 >>> Annex 1. Japan’s ISMAP Program 1. Brief History and Background centralized approach toward cloud security governance for procuring agencies in Japan, called the Information System of Japan’s Cloud Security Security Management and Assessment Program (ISMAP).44 Governance Under the Basic Framework, the ISMAP system administers the government’s preapproval process for cloud procurements, similar to the FedRAMP program in the United States. 
Over the past five years, the Japanese government has established new policies to promote government In June 2020, the Japanese government began ISMAP adoption of commercial cloud services. Most notably, the operations and published the Basic Regulation for Japanese government adopted the Cloud Adoption Policy for ISMAP, which outlines the framework for cloud service Government Information Systems in June 2018. This policy preapproval activities.45 promoted a cloud-by-default or cloud first principle that calls on procuring agencies to prioritize cloud adoption over on- premises computing networks.41 2. Institutional Coordination The Japanese government has also developed new Mechanisms cybersecurity policies. For example, Japan’s June 2018 Future Investment Strategy and the July 2018 Cybersecurity ISMAP is a centralized government-led system that aims Strategy both promote cybersecurity evaluations of cloud to streamline the Japanese government’s preapproval services for public use.42 process for commercial cloud services for procuring agencies. Japan’s Basic Regulation for ISMAP and supporting In response to the need for secure cloud services, Japan’s documents detail the roles for all organizations involved Ministry of Internal Affairs and Communications (MIC) and in ISMAP. Ministry of Economy, Trade and Industry (METI) organized the “Study Group on Security Assessment of Cloud Services” Key Organizations from August 2018 through December 2019.43 In January 2020, the Study Group issued a report on its findings, which called The Cybersecurity Strategic Headquarters (“the for a centralized system to preapprove cloud services. Headquarters”) was established by the 2014 Basic Act on Cybersecurity. 
The Headquarters is responsible for promoting Also in January 2020, Japan’s Cybersecurity Strategy Japan’s cybersecurity and is chaired by the Chief Cabinet Headquarters established the Basic Framework of the Secretary.46 It also decides the Basic Framework for the Security Assessment System for Cloud Services in ISMAP system. Government Information Systems, which developed a EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT <<< 39 Under the Basic Framework, the National Center of Incident Coordination Among Organizations Readiness and Strategy for Cybersecurity (NISC), the Digital Agency, MIC, and METI are responsible for Japan’s Basic Regulation for ISMAP50 and its supporting administration and operation of ISMAP. documentation have created the framework governing the coordination among the various organizations involved • NISC collaborates with industry, academia, as well as in ISMAP. the public and private sectors to promote cybersecurity in Japan, including the oversight of ISMAP. Overall, the Japanese government promotes a centralized system wherein ISMAP is responsible for cybersecurity • The Digital Agency (previously the National Strategy assessments of cloud services. Approved cloud services Office of Information and Communications Technology), are added to the ISMAP Cloud Service List, from which MIC, and METI are government ministries that also procuring agencies can issue Tenders. support the administration and operation of ISMAP. The Headquarters sets the Basic Framework policy The Basic Framework also defines two organizations creating ISMAP. In turn, NISC, the Digital Agency, MIC, responsible for decision-making and operation of ISMAP: and METI report on the system operation status to the ISMAP Steering Committee, which decides on items such as • ISMAP Steering Committee is the highest organ of registrations to the ISMAP Assessor List and the ISMAP Cloud decision-making for the operation of ISMAP. It establishes Service List. 
the rules for ISMAP and is charge of the general operations of ISMAP. The Headquarters has designated NISC as the The ISMAP Steering Committee is the ultimate decision- secretariat of the ISMAP Steering Committee. maker on additions to the ISMAP Assessor List and ISMAP Cloud Service List. The ISMAP Steering Committee • ISMAP Operations Support Organization handles delegates technical and operational activities to IPA, which the administrative tasks of the ISMAP Steering reports to the ISMAP Steering Committee on the results of the Committee. The Japanese government has designated technical evaluations of Assessors and CSPs. IPA delegates the Information-technology Promotion Agency (IPA) its reviews of ISMAP Assessors to JASA. as the ISMAP Operations Support Organization. In this role, IPA provides practical and technical support for To register ISMAP Assessors, JASA provides an evaluation ISMAP operations. report of a potential assessor to IPA, which in turn submits its report to the ISMAP Steering Committee. The evaluation • IPA assigns responsibility for the evaluation and report helps the ISMAP Steering Committee to decide whether management of ISMAP Assessors to the Japan or not to register a company onto the ISMAP Assessor List. Information Security Audit Association (JASA). To assess cloud services, CSPs must select an assessor ISMAP Assessors are third-party organizations (typically from the ISMAP Assessor List to conduct a security assessment companies) responsible for conducting information security of its proposed cloud service. The ISMAP Assessor provides assessments on cloud services under application for ISMAP its assessment report to the CSP and then the CSP submits certification. A company must request the ISMAP Steering the report to the IPA with relevant application documents. 
The Committee to be registered on the “Approved Assessor List.”47 IPA conducts technical evaluation of the cloud service based After being assessed by JASA and added to this list, the on the assessment report and application documents, and ISMAP Assessor may conduct security assessments on behalf submits an examination report to ISMAP Steering Committee of ISMAP. As of July 2022, there are five ISMAP Assessors on with its opinion on whether or not to register the cloud service. the Approved Assessor List.48 The ISMAP Steering Committee has the ultimate discretion Japanese government agencies (or “procuring agencies”) on whether or not to register the cloud service onto the procure cloud services offered within ISMAP. Procuring ISMAP Cloud Service List, based upon the IPA’s technical agencies are responsible for issuing tenders for cloud services evaluation report of the cloud service (Figure A1.1). In turn, on the “ISMAP Cloud Service List.”49 As of July 2022, there are procuring agencies may issue a tender for cloud services on 38 cloud services – also called cloud service offerings (CSOs) the ISMAP Cloud Service List. – from 27 CSPs on the ISMAP Cloud Service List. EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT <<< 40 > > > F I G U R E A 1 . 
1 - Basic Framework of ISMAP The ISMAP Steering Committee Highest decision- making body of the system Register Register Report on system operation status Reports on audit agency technical review results Refer to and cloud service technical review results Procurement ISMAP ISMAP Ministry Cloud Assessor Delegation of technical support Service List related to practice and evaluation Advice List related to system operation System Steering NISC Committee Secretariat IPA: Information-technology Promotion Agency Digital Agency Supervise Entrustment of services Refer to related to the evaluation Report of supervisory and management of evaluation results METI supervisory bodies JASA MIC Application for registration of Evaluation and audit institution management of audit institutions Ministries and agencies responsible for the system Request for supervision CSP Assessor Source: ISMAP. EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT <<< 41 3. Data Classification and Security Framework The Japanese government has developed a security framework Overall, these two policies require procuring agencies to to support ISMAP’s preapproval process and procurement strongly consider the potential risks of the handling of data of secure cloud services. The Japanese government’s data that may become subject to foreign laws and regulations when classification framework supports the ISMAP’s preapproval selecting cloud service offerings. process. The ISMAP process also provides a robust process to preapprove the cybersecurity of a cloud service by adding it Security Controls to the ISMAP Cloud Service List. ISMAP developed its security controls under the Data Classification assumption that cloud services will handle data classified as “Confidential 2” information. The security controls are The Japanese government uses only one data based upon Japanese Industrial Standard (JIS) Q 27001, classification type for ISMAP: “Confidential 2” information. 
27002, 27014, 27017, which correspond to the ISO/IEC family, This data classification level is the most frequently used by Japan’s Common Standards for Cybersecurity Measures for the Japanese government. Confidential 2 corresponds to the Government Agencies and Related Agencies, and FedRAMP “Moderate” Impact Level of the US government’s FedRAMP, Moderate controls based upon NIST 800-53 (Rev. 4).52 which is defined by the National Institute of Standards and Technology (NIST) FIPS PUB 199: Standards for Security The ISMAP Steering Committee published the Control Categorization of Federal Information and Information Criteria of ISMAP in June 2020 (updated in April 2022),53 Systems as: which organizes ISMAP controls around three criteria: “The loss of confidentiality, integrity, or availability • Governance Criteria. ISMAP’s Governance Criteria could be expected to have a serious adverse effect on guide review of a CSP’s ability to guide and manage its organizational operations, organizational assets, or information security activities of its organization. These individuals.…A serious adverse effect means that, for criteria are based upon JIS Q 27014:2015 controls, which example, the loss of confidentiality, integrity, or availability are closely aligned with ISO/IEC 27014:2013. might: (1) cause a significant degradation in mission capability to an extent and duration that the organization is • Management Criteria. ISMAP’s Management Criteria able to perform its primary functions, but the effectiveness guide the of review a CSP’s ability to establish, implement, of the functions is significantly reduced; (2) result in operate, monitor, maintain, and improve its information significant damage to organizational assets; (3) result in security management. 
These criteria are based upon JIS significant financial loss; or (4) result in significant harm to Q 27001:2014 controls, which are closely aligned with individuals that does not involve loss of life or serious life ISO/IEC 27001:2013. threatening injuries.”51 • Operation (or ‘Controls’) Criteria. ISMAP’s Operation Data Residency Criteria determine a CSP’s technical security requirements (e.g., access controls) typically implemented by its IT/ Japan’s data residency posture is based upon two key policies: cybersecurity team. These criteria are based upon JIS Q 27002:2014 controls, which are closely aligned with • “Basic Policy on Usage of Cloud Service for Governmental ISO/IEC 27002:2013, and JIS Q 27017:2016, which are Information Systems” (September 10, 2021) calls on the closely aligned with ISO/IEC 27017:2015. ISMAP also use of cloud services that operate data centers in locations maps its Control Criteria to NIST 800-53 (Rev. 4) and to where Japanese laws and treaties have jurisdiction. Japan’s Common Standards for Cybersecurity Measures for Government Agencies and Related Agencies. • “Common Standards for Cybersecurity Measures for Governmental Agencies” (July 7, 2021) notes that As illustrated in Figure A1.2, the three categories represent agencies should assess risks resulting from the handling the flow of responsibility from the CSP’s governing body of data in places under foreign jurisdiction. (Governance Criteria) to its management team/administrators EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT <<< 42 (Management Criteria) (administrators) to its IT/cybersecurity professionals (Controls Criteria). Moreover, the number of controls increases for each category down the Criteria list. > > > F I G U R E A 1 . 2 - Structure of ISMAP’s Control Criteria Governance criteria Governing body Management criteria Administrator Work implementer Controls criteria Individual security measures Source: ISMAP. 
Preapproval Process updating these Control Criteria to ensure its security controls are up-to-date. The Japanese governments’ Basic Regulation on ISMAP outlines the preapproval process and requirements STEP 2, Pre-Procurement Examination. CSPs request under ISMAP.54 ISMAP has a four-step process for Japanese ISMAP Assessors to conduct a security assessment of their procuring agencies: cloud service based upon ISMAP’s Control Criteria. The Assessment Report is then submitted through the CSPs STEP 1, Development of Criteria. As noted above, ISMAP themselves to IPA and the ISMAP Steering Committee to has developed Control Criteria for Confidential 2 information review the entire cloud service application, including the handled by Japanese procuring agencies. This framework uses Assessment Report, to determine whether or not to register three types of criteria covering Governance, Management, and the cloud service. If approved, the cloud service is registered Operation, respectively. ISMAP is responsible for regularly onto ISMAP’s Cloud Service List. EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT <<< 43 STEP 3, Procurement. A Japanese procuring agency • The renewal process is meant to provide regular reviews interested in procuring a cloud service first issues a tender for of each cloud service’s security posture and fidelity to cloud services on the ISMAP Cloud Service List. CSPs can ISMAP’s Control Criteria. then respond to a Tender issued by a procuring agency. In turn, the Japanese procuring agency can enter into a procurement Each CSP must also report to the ISMAP Steering Committee agreement with a CSP for its preferred cloud service on the without delay when there are changes to the information of its ISMAP Cloud Service List. cloud service described in the ISMAP Cloud Service List, or when there are significant control changes or circumstances STEP 4, Examination for Renewal. 
The effective registration that could result in such changes to its cloud service during period for a cloud service on ISMAP’s Cloud Service List is the 16-month period. 12 months. In addition, CSPs must immediately send a summary report • CSPs must apply for the renewal of their cloud service to the ISMAP Steering Committee if there is an information registration by the end of the 12-month effective security incident which could have a significant impact on period, after receiving the assessment report from the cloud service users. In such a case, the ISMAP Steering ISMAP Assessor. Committee may request the CSP to have an Assessor conduct a reassessment of the CSP’s cloud service. Based upon the • The registration remains effective after the expiration results of the Assessment, the ISMAP Steering Committee of the 12-month effective period until such time that the may continue or cancel the cloud service’s registration on the ISMAP Steering Committee decides whether to continue ISMAP Cloud Service List. Similarly, the effective registration or cancel the registration. This period lasts 16-months. period for an Assessor on ISMAP’s Assessor List is 24 months. It includes a 12-month assessment period of the CSP, a Assessors must apply for the renewal of the registration by the three-month preparation period for the assessment report end of the effective period. of ISMAP Assessor, and a one-month preparation period for the CSP’s application. EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT <<< 44 > > > F I G U R E A 1 . 3 - Four-Step Process of ISMAP Basic Flow of ISMAP • The basic framework of ISMAP is a system for registering cloud services through an assessment process to evaluate whether a cloud service properly implements each criterion which is based on international standards. • Government agencies, in principle, must procure services which are listed in the ISMAP Cloud Service List. 
Development Pre-procurement Examination Procurement of criteria examination for Renewal Cabinet Secretariat (NISC, Digital Agency), MIC, METI, and IPA (JASA)* Advice Develop Supervision Supervision Selection Procuring agencies Continue registration Control Revoke Presentation of criteria registration specifications Procurement requires the registration NISC: National center of Incident readiness and Strategy for Cybersecurity ISMAP Cloud Service List Digital Agency Presentation of Tender assessment report Presentation of MIC: Ministry of Internal Affairs Application for assessment report and Communications registration of service Procurement METI: Ministry of Economy, Assessor Trade and Industry IPA: Information-technology Assessment Assessment Promotion Agency request request Assessment Assessment JASA: Japan Information Security Audit Association Cloud service provider (per service) Source: ISMAP. Note: The IPA provides practical and technical support for operation, and cosigns evaluation, and management of assessor to JASA. EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT <<< 45 4. Procurement Arrangements ISMAP outlines a process for procuring agencies to issue • Cost evaluations depend on the type of contract. For tenders for cloud services on the ISMAP Cloud Service List. example, procuring agencies seeking multi-year contracts evaluate the total cost of cloud services over the multiyear As noted above, a Japanese procuring agency interested in period. In addition, procuring agencies evaluate the unit purchasing a cloud service must issue a tender for cloud price when purchasing cloud services on a “per account” services on the ISMAP Cloud Service List to begin the basis (not a fixed quantity). procurement process. Agencies generally employ an open tendering system: the agencies develop requirements, issues The specific method of contracting varies depending on a Request for Tenders, conducts bidding and bid openings, characteristics of each project. 
Payment methods are also examines the proposals from providers, and then enters into a determined on a case-by-case basis by each procuring contract with the chosen provider. agency. Some additional considerations that procuring agencies may consider of the vendors during the procurement • Registration on the ISAMP Cloud Service List is generally processes include female participation and advancement in considered a requirement for providers wishing to the company’s workplace, support for childcare, and wage submit proposals. increase policies. EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT <<< 46 >>> Annex 2. Australia’s Anatomy of a Cloud Assessment and Authorization Framework 1. Brief History and Background of Australia’s Cloud Security Governance The Australian government’s original cloud policy, the 2014 strategy retains Australia’s cloud first principle. Australia has Australian Government Cloud Computing Policy, created also developed additional guidance to complement DTA’s a cloud first principle for procuring agencies and sought Secure Cloud Strategy, including: to reduce duplication and fragmentation of cloud services implementation.55 This policy led to the creation of Australia’s • Anatomy of a Cloud Assessment and Authorization, Cloud Services Certification Program (CSCP), administered which guides CSPs, cloud consumers, and IRAP by the Australian Cyber Security Centre (ACSC) under the assessors on the government’s new cloud service Australian Signals Directorate (ASD). Under this system, ASD assessment process.59 managed a “Certified Cloud Services List” (CCSL), from which government entities could select cloud services.56 • Cloud Security Assessment Report Template, which assists IRAP assessors in compiling the report required to Starting in 2017, the Australian government began to evaluate and authorize a CSP.60 reform its cloud security framework. 
In 2017, the Digital Transformation Agency (DTA) began coordinating with • Information Security Manual (ISM), which provides a other government bodies to review the current system and cybersecurity framework that organizations use to protect develop a new Secure Cloud Strategy to replace the 2014 their information and systems.61 Cloud Computing Policy. Complementing this work, an ASD- led independent review found that the ASD did not have the • Cloud Security Controls Matrix (CSCM), which capacity to certify every cloud service onto the CCSL in a complements the Cloud Security Assessment Report timely manner. This centralized system created bottlenecks Template by providing information on cloud computing and undermined Australian procuring agencies’ ability to fully security controls.62 leverage all cloud services being offered on the market.57 In 2020, the ASD ceased CSCP activities and withdrew • Protective Security Policy Framework (PSPF), which the CCSL as the government transitioned to the Secure provides mandatory guidance and obligations to Cloud Strategy. ensure cloud services are suitable for the handling of government data.63 In 2018, the DTA published the Secure Cloud Strategy,58 last updated in September 2021, which is now the • In addition to these publications, the ACSC features a key policy document underpinning the Australian series of Cloud Computing Security Considerations for government’s cloud consumption and aligns with ASD’s CSPs and tenants.64 cloud assessment and authorization system. The updated EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT <<< 48 2. Institutional Coordination Mechanisms The Australian government has established a bureaucratic security experience on systems using the ISM and regime to support cloud security governance. The supporting publications. Australian government’s Anatomy of a Cloud Assessment and • Show evidence of relevant ICT and auditing qualifications. 
Authorisation guidance document describes the institutional coordination mechanism for its cloud security governance. The document outlines the key organizations responsible for cloud security, their relationships, and their key rules, regulations, and guidelines.

Key Organizations

DTA leads Australian government strategy and policy efforts related to information and communications technology (ICT) investments and digital service delivery.65 DTA is responsible for the publication and periodic updates of the Secure Cloud Strategy, which promotes a whole-of-government strategy on secure cloud procurements that align with ACSC guidance. DTA also hosts the Australian government’s Cloud Marketplace within its BuyICT Online Platform.

ASD leads Australia’s intelligence, cybersecurity, and offensive cyber operations.66 Within the ASD, ACSC works with industry, residents, and government organizations on matters related to cybersecurity incidents and threat mitigations.67 ACSC provides guidance for cloud security, supply chain security, and gateway and cross domain guidance, among other things. Key ACSC publications related to cloud security include the Anatomy of a Cloud Assessment and Authorization, Cloud Security Assessment Report Template, Cloud Security Controls Matrix, Cloud Computing Security Considerations, and Cloud Computing Security for Tenants.

The Attorney-General’s Department publishes guidance for government agencies. The Department’s PSPF sets a number of government protective security policies that are integrated into the ACSC’s Anatomy of a Cloud Assessment and Authorisation procedures.

IRAP Assessors are ICT professionals from either the private sector or the Australian government endorsed by ASD to provide information security services. To be certified as an IRAP Assessor, an ICT professional must undergo a certification review process conducted by the ASD, in which they must prove the following qualifications:

• Demonstrate Australian citizenship.
• Demonstrate a minimum of five years of technical ICT experience, with at least two years of information
• Complete an IRAP new starter training course.
• Undertake the ASD new starter examination.

In turn, CSPs hire IRAP Assessors to assess the CSP’s cloud services and to produce a CSP Security Fundamentals and Cloud Services Report. The CSP may, in turn, submit the report to procuring agencies interested in using their services.68 ICT professionals approved to serve as IRAP Assessors are listed in the ACSC Registrar.69 As of July 2022, there were approximately 200 IRAP Assessors in Australia.

Australian public sector organizations (or “procuring agencies”) are responsible for assessing their own cloud service needs and security requirements to inform procurement of a cloud service. Some procuring agencies, state and local governments, government owned corporations and universities, may not require IRAP-assessed cloud services if they have lower security requirements. Those procuring agencies that do require IRAP-assessed cloud services refer to the CSP Security Fundamentals and Cloud Services Reports produced by IRAP Assessors as a basis for their own risk assessments to determine if the cloud service meets their security needs. The procuring agency’s Authorizing Officer (AO) is the final decision-maker on whether or not a commercial cloud service meets the agency’s security requirements and does not exceed its risk tolerances.

Coordination Among Organizations

DTA and ACSC are the primary organizations responsible for policy guidance of government cloud security. DTA’s Secure Cloud Strategy outlines a decentralized approach for cloud security. Agencies are expected to develop their own cloud strategies and plans using the Secure Cloud Strategy as a foundation, with support from various ACSC guidance documents, such as the Anatomy of a Cloud Assessment and Authorisation.

The DTA also hosts a Cloud Marketplace70 from which procuring agencies can find and engage CSPs that have cloud services that may fit their needs. The Cloud Marketplace includes over 300 CSPs. The Cloud Marketplace also includes cloud services that are not IRAP-assessed.

CSPs interested in entering into Australia’s public sector market should consider hiring an IRAP Assessor to review its company and suite of cloud services. The resulting CSP Security Fundamentals and Cloud Services Report can be shared with any interested procuring agency. Many procuring agencies request the IRAP assessment report when issuing a Request for Quote (RFQ) on the Cloud Marketplace.

Ultimately, each procuring agency is responsible for developing its own cloud procurement security strategy tailored to its value case, workforce plan, best-fit cloud model, and service readiness assessment. An agency may review an IRAP Assessor’s CSP Security Fundamentals and Cloud Services Report to determine whether the CSP and its related cloud services meet the agency’s risk profile. Other considerations in this decision-making process include a cloud service’s integration with the agency’s existing ICT system, achieving Value for Money, environmental considerations, and data residency. The procuring agency and CSP are also responsible for continuous monitoring and assurance of the cloud service. For example, CSPs must hire an IRAP Assessor to conduct a reassessment every 24 months.

Figure A2.1 presents the relationships and coordination mechanisms described.

Figure A2.1 - Notional Framework of Australia’s Institutional Mechanisms for Secure Cloud Procurements (diagram: DTA policies and guidance inform the Cloud Marketplace, which DTA manages and which CSPs with and without IRAP assessments join; ACSC oversees IRAP Assessors, who review CSPs; procuring agencies select from the Cloud Marketplace). Source: World Bank.

3. Data Classification and Security Framework

The Australian government has a robust data classification system for government data/information. It also has its own unique security framework, the Information Security Manual (ISM). The government has published numerous guidance documents outlining the process to procure secure cloud services for Australian public agencies. These documents enact the Australian government’s policies on data classification, security controls, and preapproval processes.

Data Classification

The PSPF outlines the Australian government’s data classification system, based upon Confidentiality, Integrity, and Availability (CIA) requirements, as detailed in Figure A2.2 below.

Figure A2.2 - Australian Government’s Data Classification System (PSPF Policy 08 – Sensitive and classified information)

• UNOFFICIAL (sensitive information): No business impact. Compromise of information confidentiality would be expected to cause no damage; this information does not form part of official duty.
• OFFICIAL (sensitive information): 1 - Low business impact. No or insignificant damage; this is the majority of routine information.
• OFFICIAL: Sensitive (sensitive information): 2 - Low to medium business impact. Limited damage to an individual, organisation or government generally if compromised.
• PROTECTED (security classified information): 3 - High business impact. Damage to the national interest, organisations or individuals.
• SECRET (security classified information): 4 - Extreme business impact. Serious damage to the national interest, organisations or individuals.
• TOP SECRET (security classified information): 5 - Catastrophic business impact. Exceptionally grave damage to the national interest, organisations or individuals.

Source: Protectivesecurity.gov.au.

Unclassified information is divided into three subcategories: UNOFFICIAL, OFFICIAL, and OFFICIAL: Sensitive.

• The UNOFFICIAL category includes information with no impact on the agency’s activities and would not cause the agency any damage in the event of an attack.
• The OFFICIAL category includes information that has a low-to-medium business impact and would result in no damage, insignificant damage, or limited damage. This information includes routine information or is limited to an individual or organization.
• The OFFICIAL: Sensitive category includes Official information that would have low-to-medium impact with limited damage on an agency.

Classified information is also divided into three subcategories: PROTECTED, SECRET, and TOP SECRET.

• The PROTECTED category includes information with a high impact on agency operations and a risk of damage to the national interest, the organization in question, or an individual.
• The SECRET category includes information with an extreme impact on organization operations, in which a compromise would result in serious damage to the national interest, the organization in question, or an individual.
• The TOP SECRET category includes information with a catastrophic impact on organization operations, which would cause exceptionally grave damage to the national interest, the organization in question, or an individual.

The Australian government has established conditions for the types of data that can be handled by CSPs. The government allows CSPs without security clearances to store, process, and communicate data at or below the OFFICIAL: Sensitive level. CSPs that store, process, or communicate data classified at and above the PROTECTED level are required to have personnel who hold security clearances at the commensurate level. The government may also allow employees of CSPs temporary access to information at or below the SECRET level for personnel without a security clearance on a case-by-case basis. These types of access opportunities are tightly supervised by Australian government entities.

Data Residency

Australia does not have any explicit law prohibiting the storing or processing of Australian data overseas. But ACSC “recommends cloud consumers use CSPs and cloud services located in Australia for handling their sensitive and security-classified information.”71 The ACSC further notes that, “CSPs that are owned, based and solely operated in Australia are more likely to align to Australian standards and legal obligations, and this reduces the risk of any data type being transmitted outside of Australia.”72 Again, however, the government only advises (but does not require) procuring agencies to keep more sensitive data within Australian boundaries.

In addition, the DTA’s Hosting Certification Framework (HCF) outlines the certification process for CSPs to host sensitive or classified data.73 Procuring agencies are required to use HCF-certified services and associated infrastructure to handle data at the OFFICIAL: Sensitive and PROTECTED classification levels. There are three levels under the HCF:74

1. Strategic level represents the highest level of assurance and is only available to CSPs that allow the government to specify ownership and control conditions. A Certified Strategic CSP offers additional protections, including increased security controls, compared to a Certified Assured CSP.
2. Assured level provides safeguards against change of ownership or control through financial penalties that are aimed at minimizing the transition costs should a CSP alter its profile. Government customers with a low-risk profile handling sensitive data, which has been deemed by the government customer to not need additional security protections, may seek the services of a Certified Assured CSP.
3. Uncertified level offers minimal protections to government. Government customers may use the services of an Uncertified CSP to host nonsensitive data or where their internal risk assessment determines it appropriate.

Security Controls

ACSC’s cloud security control framework is outlined in the ISM and its associated CSCM. The ISM organizes its security controls under four categories: govern, protect, detect, and respond. These controls are used to inform procuring agency security risk management plans for their selected cloud service. The ISM draws the foundation of its guidance from NIST’s Special Publication (SP) 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.75

Table A2.1 - ISM Security Control Principles76

Govern
G1: Chief Information Security Officer provides leadership and oversight of cyber security.
G2: The identity and value of systems, applications, and data is determined and documented.
G3: Confidentiality, integrity, and availability requirements for systems are determined and documented.
G4: Security risk management processes are embedded in organizational risk management.
G5: Security risks are identified, documented, managed, and accepted before systems are authorized and continuously monitored.

Protect
P1: Systems are designed, deployed, maintained, and decommissioned according to their value, confidentiality, integrity, and availability.
P2: Systems are delivered and supported by trusted suppliers.
P3: Systems are configured to reduce their attack surface.
P4: Systems are administered in a secure and accountable manner.
P5: Security vulnerabilities in systems are identified and mitigated in a timely manner.
P6: Only trusted and supported operating systems, applications, and computer code can execute on systems.
P7: Data is encrypted at rest and in transit between different systems.
P8: Data communicated between different systems is controlled and inspectable.
P9: Data, applications, and configuration settings are backed up in a secure and proven manner on a regular basis.
P10: Only trusted and vetted personnel are granted access to systems, applications, and data.
P11: Personnel are granted the minimum access to systems, applications, and data required for their duties.
P12: Multiple methods are used to identify and authenticate personnel to systems, applications, and data.
P13: Personnel are provided with ongoing cyber security awareness training.
P14: Physical access to systems, supporting infrastructure, and facilities is restricted to authorized personnel.

Detect
D1: Event logs are collected and analyzed in a timely manner to detect cyber security threats.
D2: Cyber security events are analyzed in a timely manner to identify cyber security incidents.

Respond
R1: Cyber security incidents are reported internally and externally to relevant bodies in a timely manner.
R2: Cyber security incidents are contained, eradicated, and recovered from in a timely manner.
R3: Business continuity and disaster recovery plans are enacted when required.

Source: Cyber Security Principles | Cyber.gov.au.

The CSCM complements the ISM by providing guidance on the scoping of cloud security assessments by classification level. For example:

• Cloud services using OFFICIAL (including OFFICIAL: Sensitive) data include 726 security controls.
• Cloud services using PROTECTED data include 726 security controls.
• Cloud services using SECRET data include 783 security controls.
• Cloud services using TOP SECRET data include 791 security controls.

Ultimately, the CSCM is considered guidance for IRAP Assessors, who are responsible for determining on a case-by-case basis the relevant ISM security controls to be included in an assessment.77 IRAP Assessors can provide security assessments for CSPs at or below the SECRET level.

The ISM and its corresponding CSCM are the sole standard against which the IRAP Assessor should review a CSP, although international frameworks may be useful references for the IRAP Assessor. Indeed, the ACSC notes: “International standards and certifications vary in the level of assurance they provide, and none exist that completely align to the security controls in the ISM. For this reason, when assessing a CSP and its cloud services for use by cloud consumers, there is no substitute for a CSP being assessed by an IRAP assessor against the security controls in the ISM.”78

Preapproval Process

ACSC’s Anatomy of a Cloud Assessment and Authorisation outlines the preapproval process for cloud procurements under the Cloud Security Strategy.

The Australian government outlines a standard methodology by which an IRAP Assessor must assess a CSP and its cloud services. An IRAP Assessor must take several steps to prepare for the assessment process, such as:

• Confirm the intended classification of the data to be handled by the CSP and its cloud services.
• Identify the ISM security controls that are in scope of the data classification level.
• Take any tailoring actions to the ISM security controls to ensure organizational risk will be mitigated.

In turn, the Cloud Assessment and Authorization process consists of two phases:

PHASE 1: CSP security fundamentals and cloud services assessment.

In Phase 1A, the IRAP Assessor reviews the security of the company and each of its cloud services against the applicable ISM security controls. The IRAP Assessor produces the CSP Security Fundamentals and Cloud Services Report.79 During the assessment, an IRAP Assessor may accept some inherited controls of CSPs and cloud services that have already undergone an IRAP assessment. For example, a CSP offering SaaS may inherit security controls from another CSP’s IaaS upon which it is built.

In Phase 1B, an IRAP Assessor or the procuring agency itself must assess a different, new, or significant change to a cloud service that was not assessed in the original Phase 1A. These are typically narrower, less-intensive, and less time-consuming assessments.

In Phase 1C, the CSP may send the IRAP Assessor’s CSP Security Fundamentals and Cloud Services Report to any interested procuring agency for its review. The procuring agency’s AO determines if the cloud service meets its security requirements and risk tolerance.

Figure A2.3 - Phase 1 of the Cloud Assessment Process for Australian Procuring Agencies (diagram: Phase 1a, IRAP Assessor: assess the CSP and its cloud services against the PSPF, ISM, and Secure Cloud Strategy, producing the CSP Security Fundamentals and Cloud Services Report; Phase 1b (if required), IRAP Assessor or Cloud Consumer: assess supplementary or new cloud services not in scope of that assessment, producing the Supplementary, New, and Updated Cloud Services Assessment Report; Phase 1c, Cloud Consumer: review the CSP Security Fundamentals and Cloud Services Report, leading to Authorising Officer approval). Source: Anatomy of a Cloud Assessment and Authorisation | Cyber.gov.au.

PHASE 2: Cloud consumer systems assessment and authorization.

In Phase 2A, the procuring agency or IRAP Assessor evaluates any cloud systems developed by the agency to ensure they meet the agency’s security requirements and risk tolerance.

In Phase 2B, the procuring agency must provide to the AO an “Authorization Package” including the CSP Security Fundamentals and Cloud Services Report, the Phase 2A report, and any other supplemental information. The AO makes the final decision on whether or not to approve the cloud service. This process underscores the shared responsibility between the procuring agency and the CSP on ensuring cybersecurity of the cloud environment.

Figure A2.4 - Phase 2 of the Cloud Assessment Process for Australian Procuring Agencies (diagram: Phase 2a, Cloud Consumer or IRAP Assessor: assessment of cloud consumer developed systems, producing the Cloud Authorisation Package; Phase 2b, Cloud Consumer: review of the Cloud Authorisation Package, leading to Authorising Officer approval). Source: Anatomy of a Cloud Assessment and Authorisation, Cyber.gov.au.

ALL PHASES: Continuous Monitoring. The procuring agency and CSP must conduct continuous monitoring and assurance to provide ongoing awareness of evolving information security risks, vulnerabilities, and threats. CSPs must keep the procuring agencies informed of changes to their security fundamentals that impact their security baseline and that of the procuring agency’s systems. Moreover, the CSP and its cloud services must undergo reassessments by an IRAP Assessor every 24 months.

Reuse of IRAP Assessments. A CSP can make its CSP Security Fundamentals and Cloud Services Report available to any procuring agency that requests it. Procuring agencies that perform their own supplementary, new, and updated cloud services assessments under Phase 1B of the cloud security guidance are also encouraged to share these reports with other procuring agencies and the CSP. These procedures allow for the reuse of assessment reports, thus streamlining and standardizing the preapproval process for procuring cloud services. Moreover, the standardized use of the CSP Security Fundamentals and Cloud Services Report allows procuring agencies to compare CSPs more easily to one another and determine which CSP best meets their needs.

4. Procurement Arrangements

ACSC’s Anatomy of a Cloud Assessment and Authorisation outlines the requirements for cloud procurements under the Cloud Security Strategy.

The DTA’s Cloud Marketplace offers a centralized location for procuring agencies to find CSPs and their cloud services.80 The Cloud Marketplace includes more than 300 CSPs, some IRAP-assessed and others not. The Cloud Marketplace is a panel arrangement: suppliers under the arrangement are appointed to supply services for a set period of time under agreed terms and conditions. CSPs on the Cloud Marketplace must make a maximum and minimum price available to buyers in the online catalogue.

DTA adds CSPs to its Cloud Marketplace through periodic “market refreshes” approximately every 12 to 18 months for the life of the marketplace, which is three years in its initial term (2021-2024), with the possibility of two 1-year extensions. During a refresh, DTA releases a Request for Tender on the Australian Government’s tendering platform, AusTender. CSPs may use this tender process to join and add their cloud services to the Cloud Marketplace. They are required to submit a cloud service to be evaluated by DTA, which determines if the service should be added onto the Cloud Marketplace. The DTA’s considerations for additions to the Cloud Marketplace include technical and security criteria, company structure and management, financial considerations, and whether the proposed cloud service is deemed to be value-for-money. In addition to the refresh process, CSPs on the Cloud Marketplace may also add other cloud services to their catalogue of offerings.

The Cloud Marketplace is a procurement mechanism. As such, each procuring agency seeking a cloud service must undergo a competitive bidding process under an RFQ. There is an expectation that the competitive bidding helps to achieve the best value for money for the procuring agency. A CSP may undercut its own catalogue prices on the Cloud Marketplace (even below its published lowest price) during bidding. But a CSP may not charge more than its maximum price listed on the Cloud Marketplace.

During the procuring agency’s evaluation of vendor responses to its RFQ, the agency must take into consideration several factors such as:

• Security requirements, including an IRAP assessment, if needed.
• Achieving value-for-money throughout the life of a procurement, which is a core component of Australia’s Procurement Rules for its procuring agencies. Total cost of ownership is included in the value-for-money perspective.
• Climate change impacts.
• Benefits to the Australian economy (for relevant procurements above $4 million).

Once a procuring agency selects its vendor, it creates a contract under the Cloud Marketplace panel arrangement. DTA offers a contract template for procuring agencies entering into a procurement with a CSP on the Cloud Marketplace. Most agencies buy subscription-based units over a period of up to three years. In addition, procuring agencies must pay a two percent buyer Central Administration Fee (CAF) for contracts valued at AU$25,000 or more. The CAF is capped at AU$200,000 for contracts with a value greater than AU$10 million.

Cloud services purchased on the marketplace are suitable for simple procurements of Commercial off-the-shelf (COTS) cloud solutions, along with more complex cloud solutions.

In addition, for procuring agencies choosing not to use the Cloud Marketplace, as the Cloud Marketplace is not a mandatory procurement mechanism, DTA also provides a Cloud Sourcing Contract Template to provide procuring agencies a model contract with a CSP, along with a Cloud Services Minimum Terms Template to help clarify minimum terms between the two parties.81

>>> Annex 3. UK’s Digital Marketplace and G-Cloud Framework

1. Brief History and Background of UK’s Cloud Security Governance

Since 2013, the UK government has promoted the public sector adoption of cloud services through its Cloud First Policy, which stipulates that when procuring new or existing services, procuring agencies should consider and fully evaluate potential cloud solutions first before considering any other option.82 The UK government also clarifies that cloud first prioritizes public cloud solutions, rather than community, hybrid, or private deployment models.83

To promote ICT offerings, the UK government established the Digital Marketplace84 in 2014 to be a centralized catalogue of approved ICT services including cloud for UK procuring agencies. Administered by the Crown Commercial Service (CCS), the Digital Marketplace carries over 31,000 cloud services that can be procured using the G-Cloud Framework, a mechanism that eases the procurement process for procuring agencies.85 Vendors must meet certain minimum cybersecurity and data privacy requirements to be registered onto the Digital Marketplace.

In addition to the Digital Marketplace, CCS promotes a common cloud procurement process across the UK public sector through its Cloud Compute (RM6111) Framework.86 There are nine hyperscalers on the Cloud Compute Framework: AWS, Fordway, Frontier Technology LTD, Google Cloud, IBM, Microsoft, Oracle, UKCloud, and UKFast. The Cloud Compute Framework offers procuring agencies the opportunity to directly contract with hyperscalers. Procuring agencies may issue direct award or competitive bids under the Cloud Compute Framework. Overall, this Framework aims to allow procuring agencies to save time and cost when procuring hyperscaler services such as cloud storage and hosting.

Procuring agencies are encouraged to follow the National Cyber Security Centre’s (NCSC) Cloud Security Guidance when seeking to procure a cloud service.87 Originally published in 2018, the Guidance offers insights into how organizations can choose cloud services and also outlines 14 Cloud Security Principles to help organizations implement and maintain sound cloud security over the lifetime of a cloud service procurement. The Cloud Security Guidance is complemented by various UK government publications, including the Security Policy Framework,88 the Minimum Cyber Security Standard,89 and the Risk Management Guidance.90

In 2015, the UK’s Government Digital Service (GDS) established the “GOV.UK PaaS,” a cloud hosting platform for public sector digital services for use by both public and non-public sector organizations running public sector digital services.91 However, GDS announced in July 2022 that it would discontinue GOV.UK PaaS, partly because the platform could not keep up with the service offerings of major public cloud providers such as AWS and Azure.

2. Institutional Coordination Mechanisms

The UK government has numerous organizations that promote its cloud first policy and associated preapproval and procurement process.

Key Organizations

GDS is the body under the UK Cabinet Office that is responsible for leading the UK government’s digital transformation. In this capacity, GDS develops and maintains the UK government’s IT platforms, products, and services. GDS developed the Digital Marketplace, which is now managed by the CCS.

CCS is the body under the UK Cabinet Office that facilitates procurements of commercial services by the public sector. In this capacity, CCS administers the Digital Marketplace and negotiates the Cloud Compute Framework on behalf of the UK government.

The Central Digital and Data Office (CDDO) under the UK Cabinet Office leads digital, data, and technology functions for the UK government. The CDDO promotes various cloud and security policies for procuring agencies, such as the Technology Code of Practice (TCoP), which outlines the cloud first policy and offers guidance on securing government technology programs.

NCSC is the primary cybersecurity agency of the UK government, working collaboratively with domestic and international partners to promote cybersecurity. NCSC routinely publishes various cybersecurity guidance documents to inform procuring agencies and others on cybersecurity best practices. NCSC also partners with the IASME Consortium92 to facilitate the “Cyber Essentials” certification,93 a recognized UK government cybersecurity standard certification.

UK public sector organizations, or procuring agencies, procure cloud services from the Digital Marketplace or the Cloud Compute Framework. These entities are ultimately responsible for working with CSPs to ensure the security of the cloud service across the lifetime of its procurement.

Coordination Among Organizations

As the primary commercial procurement arm of the UK government, CCS administers the Digital Marketplace. CCS receives technical support from other UK government organizations, such as the GDS and CDDO, to fulfill these responsibilities. CCS and its partners support procuring agencies in procuring commercial cloud services through on-demand support and published guidance. CCS also negotiates the Cloud Compute Framework with hyperscalers. Procuring agencies may purchase cloud services through this prearranged Framework.

The NCSC offers guidance and advice on cloud security to procuring agencies. In this capacity, NCSC serves an advisory role, as opposed to a regulatory or oversight role for the cloud security of procuring agencies. In addition to its 14 Cloud Security Principles (Table A3.1), NCSC also offers a lightweight approach to cloud security, which provides guidance for agencies seeking to conduct a “rapid but reliable” assessment of cloud services that process less-sensitive data.

Table A3.1 - NCSC’s 14 Cloud Security Principles

Principle 1: Data in transit protection
Principle 2: Asset protection and resilience
Principle 3: Separation between customers
Principle 4: Governance framework
Principle 5: Operations security
Principle 6: Personnel security
Principle 7: Secure development
Principle 8: Supply chain security
Principle 9: Secure user management
Principle 10: Identity and authentication
Principle 11: External interface protection
Principle 12: Secure service administration
Principle 13: Audit information and alerting for customers
Principle 14: Secure use of the service

Source: NCSC, UK.

Ultimately, each procuring agency is responsible for leveraging NCSC’s guidance to help ensure adequate cybersecurity risk management when procuring a cloud service.

Figure A3.1 - Notional Framework of the UK’s Institutional Mechanisms for Secure Cloud Procurements (diagram: policies and guidance from the Central Digital and Data Office and Government Digital Service inform the Cloud Compute Framework and the Digital Marketplace, both managed by CCS; NCSC guidance informs the cloud cybersecurity posture of procuring agencies, which review and select cloud services). Source: World Bank.

3. Data Classification and Security Framework

The UK government has a data classification policy for UK government data. NCSC also offers guidance on securing cloud systems but does not include any mandatory security control framework for procuring agencies seeking to purchase cloud services.

Data Classification

The UK Cabinet Office’s Government Security Classifications (May 2018) is the official data classification policy of the UK government. It promotes a three-tiered data classification system: OFFICIAL, SECRET, and TOP SECRET.

Figure A3.2 - The UK’s Data Classification System

• Official: The majority of information that is created or processed by the public sector. This includes routine business operations and services, some of which could have damaging consequences if lost, stolen, or published in the media, but are not subject to a heightened risk profile.
• Secret: Very sensitive information that justifies heightened protective measures to defend against determined and highly capable threat actors. For example, where compromise could seriously damage military capabilities, international relations or the investigation of serious organized crime.
• Top Secret: HMG’s most sensitive information requiring the highest levels of protection from the most serious threats. For example, where compromise could cause widespread loss of life or threaten the economic wellbeing of the country or friendly nations.

Source: May-2018_Government-Security-Classifications-2.pdf, publishing.service.gov.uk.

Unlike other case studies, the UK bases its classification system only on confidentiality requirements. The UK government states that high integrity or availability requirements do not lead to a higher data classification within its system. Within this general framework, the UK government can apply more specific descriptors to its data. For example, organizations may apply a descriptor to an “OFFICIAL” marking to identify certain categories of sensitive information and indicate the need for common sense precautions to limit access. In these cases, the UK government may classify data as “OFFICIAL-SENSITIVE [DESCRIPTOR]”. Some examples include:

• OFFICIAL-SENSITIVE COMMERCIAL refers to market-sensitive information that may be damaging to HMG or to a commercial partner if improperly accessed.
• OFFICIAL-LOCALLY SENSITIVE or LOCSEN refers to sensitive information that locally engaged staff overseas cannot access.
• OFFICIAL-SENSITIVE PERSONAL refers to particularly sensitive information relating to an identifiable individual, where inappropriate access could have damaging consequences.

The vast majority of public sector data is considered OFFICIAL. In fact, the UK government has estimated that the official classification covers up to 90 percent of all public sector business.94

Data Residency

The UK government does not have any strict data residency requirements for cloud services. Indeed, according to the CDDO: “There is no government policy which directly prevents departments or services from storing cloud-based data in any specific country, however you need to consider the implications of where you host your data.”95 As such, each public sector agency is expected to make a risk-based judgment on whether it can allow transfer of government data outside the UK, based upon the sensitivity of its data and information.

Security Controls

The UK government does not subscribe to one type of cybersecurity standard or set of security controls when procuring cloud services. For example, the UK government does not mandate a specific set of security controls or certifications necessary to be added to the Digital Marketplace. The G-Cloud Framework requires suppliers to self-declare various cybersecurity-related information and accept some cybersecurity conditions in order to be added to the Digital Marketplace – see Section 4 on Procurement Arrangements below. The self-declaration forms are available on the UK government’s GitHub page.96

Moreover, the possession of third-party security certifications is considered beneficial. CSPs with security certifications such as NCSC’s Cyber Essentials or the ISO/IEC 27000 family may be considered more trustworthy for UK procuring agencies. In addition, NCSC encourages procuring agencies to refer to its 14 Cloud Security Principles when choosing a cloud service to meet security needs. Organizations can also use them as guidance on how to securely configure their own cloud systems.

Furthermore, the UK government’s Service Manual Guidance on Securing Information for Government Services97 offers guidance to public agencies on how to secure OFFICIAL data. The Service Manual guides organizations on how to develop security protocols for services that use OFFICIAL data and information.98 For example, the Service Manual calls on government teams to consider the CIA, non-repudiation, and privacy considerations of their data and information when developing security plans. The Service Manual also refers to additional resources that can be consulted by procuring agencies to manage security risks:

• Securing Your Cloud Environment.99
• Security Policy Framework.100
• Risk Management Guidance.101
• Secure Development and Deployment Guidance.102

Preapproval Process

Procuring agencies may buy commercial cloud services through the Digital Marketplace or the Cloud Compute Framework. Each option includes certain requirements to promote the cyber risk management of the procuring agency.

Digital Marketplace. The first step in assessing and preapproving the cloud security of a cloud service is registration to the Digital Marketplace. CSPs in the Digital Marketplace must agree to the terms of the G-Cloud Framework agreement,103 a contractual agreement between the CSP and CCS. The G-Cloud Framework is updated every two years. CSPs must transition to the updated G-Cloud Framework every two years, although there is some flexibility for extensions on this timeline.

The G-Cloud Framework requires suppliers to issue a self-declaration of conformity covering various cybersecurity and data privacy-related information, such as any security certifications and their efforts to protect the integrity, confidentiality, and security of the procuring agency data held or used by the CSP.104 The G-Cloud Framework also requires each CSP to self-declare that it accepts the following conditions:

• The CSP must maintain IT security that follows good industry practice to prevent unauthorized access to government data.
• The CSP must immediately notify CCS and its procuring agency of a security and/or personal data breach and take all necessary steps to recover from and investigate the breach.
• The CSP must comply with the UK’s data protection legislation, which requires organizations to meet various requirements such as the EU’s General Data Protection Regulation (GDPR) to help ensure data privacy protections.
• The CSP must permit CCS or a third-party auditor under CCS’s direction to conduct an audit of its cybersecurity posture, if requested.

NCSC also outlines a four-step process105 for procuring agencies to securely procure public cloud services from the Digital Marketplace:

Figure A3.3 - NCSC’s Four-Step Process for Procuring Public Cloud Services (Step 1: Know your business requirements, including an understanding of the data that will be used. Step 2: Choose a cloud provider that meets your needs. Step 3: Use the cloud service securely. Step 4: Continue to monitor and manage the risks.) Source: NCSC.

Cloud Compute Framework. Hyperscalers listed under the Cloud Compute Framework also agree to baseline cybersecurity requirements under the terms of the Framework.106

4. Procurement Arrangements

CCS’s Digital Marketplace and the Cloud Compute Framework provide centralized locations for procuring cloud services. Within this context, each individual agency is ultimately responsible for ensuring adequate cybersecurity when procuring and using cloud services.

1. Cloud Hosting. PaaS or IaaS services for processing and storing data, running software, or networking; for example, content delivery networks or load balancing services.
2. Cloud Software. Applications (SaaS) that are accessed over the internet and hosted in the cloud, such as accounting tools or customer service management software.
3. Cloud Support. Services to help procuring agencies to set up and maintain their cloud software or hosting services; for example, migration services or ongoing support.
In the procurement phase, procuring agencies can purchase a cloud service on the Digital Marketplace in one of two ways: Digital Marketplace: The Digital Marketplace provides procuring agencies the option to buy pay-as-you-go cloud • First, if only one supplier in the Digital Marketplace services on government-approved, short-term contracts meets its needs or requirements, then the procuring through CCS’s eSourcing tool. Each service includes pricing agencies can issue a direct award by issuing a Call-Off information for potential buyers. The Digital Marketplace Contract to that G-Cloud supplier. CCS provides procuring offers three categories or lots of cloud services for UK agencies a standardized template for the G-Cloud procuring agencies: Call-Off Contracts.107 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT <<< 64 • Second, if the procuring agency has multiple suppliers that special functionalities above-and-beyond COTS offerings, it meet its needs or requirements, it can either select the may coordinate with the CCS to issue a Request for Tender lowest-priced cloud service or conduct a more thorough for such specialized cloud services. Procuring agencies that review of the best value purchase based upon numerous choose to procure a CSP service outside of the G-Cloud factors, including total cost of ownership, technical merit Framework may choose longer-term contracts, if desired. and functional fit, and service management.108 The procuring agency must simply provide justification for Cloud Compute Framework: Procuring agencies may which procurement method it uses – lowest-priced versus work directly with hyperscalers to issue direct award of best value. Ultimately, the procuring agency will enter into contract or undergo a competitive bid under the Cloud a Call-Off Contract with its selected cloud service. Compute Framework. 
The Digital Marketplace also features built-in protection • Under a direct award, a procuring agency must develop against vendor lock-in. For example, the maximum length requirements and then assess the requirements against of a G-Cloud contract from the Digital Marketplace is normally the available hyperscaler offerings to determine which 24 months. Procuring agencies have the option to annually service best meets its needs. Considerations can include extend the contract by one year and then another year to quality of service, pricing, and total cost of ownership. In a maximum of four years, if desired. The CDDO also offers turn, a procuring agency can issue a Call-Off Contract to guidance on its website for organizations on how to manage the hyperscaler of its choosing. lock-in in the cloud by ensuring the ease and affordability of moving a system and data from one CSP to another (a concept • Under a competitive bid, a procuring agency must develop called “portability”).109 requirements, share the requirements with hyperscalers, and then invite them to propose a cloud solution that The UK government has implemented several policies meets its needs and provides associated pricing details. to promote continuous monitoring of cloud security After the procuring agency evaluates the proposals based solutions purchased on the Digital Marketplace, including: on cost and quality, it issues a Call-Off Contract to the (1) the G-Cloud Framework, which requires CSPs to provide selected hyperscaler. security breach notifications; and (2) CCS, which reserves the right to conduct an audit of a CSP over the course of The Call-Off Contract term under this Framework is up to three a contract. years, with two possible extensions of up to 12 months each for a maximum of five years, if desired. 
This setup reduces the The G-Cloud Framework typically offers COTS cloud need for procuring agencies to purchase hyperscale compute solutions that can easily be integrated into an ICT services every two years through the G-Cloud Framework. environment. If, however, a procuring agency requires EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT <<< 65 >>> Annex 4. South Africa’s Cloud Security Framework 1. Brief History and Background As the South African government continues to deliberate on the finalization of the Draft Policy that broadly pertains of South Africa’s Cloud to the entire country, another government department, the Security Governance Department of Public Service and Administration (DPSA), issued the Public Service Cloud Computing Determination and Directive (“Determination and Directive”) in February South Africa has one of the most advanced digital 2022.112 Directed toward government procuring agencies, it economies in Sub-Saharan Africa. The South African promotes a cloud first policy for the South African government government has begun implementing policies to promote and provides guidance to procuring agencies on the public sector integration of digital technologies, including assessment, adoption, and use of cloud computing services. cloud solutions. For example: It also integrates existing security and privacy laws, including POPIA and MISS. Overall, the Determination and Directive • In 2016, the South African Cabinet adopted the National is South Africa’s primary guidance for procuring agencies ICT Integrated White Paper Policy (“ICT White Paper”), seeking public cloud solutions. that promoted a vision of digital transformation for the public sector, in which ICT would be used to enhance the government’s services to the public. 2. 
Institutional Coordination • In 2017, South Africa’s Department of Mechanisms Telecommunications and Postal Service (DTPS) published the National e-Government Strategy and Roadmap.110 This policy document builds upon previous The South African government has begun to develop policies like the 2016 ICT White Paper to provide guidance institutional guidance to help in facilitating secure cloud on the “digital transformation of public service in South service purchases within the public sector. Africa into an inclusive digital society where all citizens Key Organizations can benefit from the opportunities offered by digital technologies to improve their quality of life.” DPSA is responsible for the organization and administration of civil services. In this capacity, DPSA’s Determination and Currently, the South African government is deliberating on Directive aims to provide a consistent policy framework across the finalization of its draft National Data and Cloud Policy the South African public sector on cloud service procurements. (“Draft Policy”) published in April 2021 by the Department of Communications and Digital Technologies (DCDT).111 DCDT was formed in 2019 and is responsible for leading South The Draft Policy offers a whole-of-nation policy framework on African government efforts on digital transformation. Within data and cloud that promotes an innovative and open digital DCDT, the State Information Technology Agency (SITA) is infrastructure system. The Draft Policy, once finalized, is responsible for the provision of IT services to the government. expected to incorporate some existing cybersecurity SITA is working to build a Government Private Cloud. and privacy laws and regulations related to public sector cloud computing. 
For example, the Draft Policy will South African public sector organizations or procuring likely require public cloud systems to abide by the National agencies and their respective Heads of Department (HOD) Cybersecurity Policy Framework (NCPF). The systems will are responsible for assessing and adopting commercial cloud also have to comply with major data security and privacy laws services pursuant to the Determination and Directive. including the Electronics Communications and Transaction Act (ECTA), related to data and database protection; the Coordination Among Organizations Protection of Personal Information Act (POPIA), related to data privacy; the Protection of Information Act (PIA), related to DPSA outlines the policy requirements that must be disclosure of State information; and the Minimum Information implemented by each HOD. Each HOD must follow the Security Standards (MISS), related to data classification guidance while also abiding by any existing departmental and security policy. Moreover, the Draft Policy calls for data information security policies and other security and privacy localization of certain hypersensitive data and information like laws such as POPIA and MISS. Each Department must also defense information. submit to the DPSA an approved Business Case and Risk Assessment related to a cloud service procurement. EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT <<< 67 > > > F I G U R E A 4 . 1 - Notional Framework of the South Africa’s Institutional Mechanisms for Secure Cloud Procurements Department of Public Department of Communications Service and Administration and Digital Technologies National Data and Cloud Strategy “Public Service Cloud remains in draft form Computing Determination and Detective” Procuring Agencies MISS POPIA Agencies assess and select cloud services ECT Act CSPs PAIA Laws, regulations, policies inform security review of cloud services Departmental Information security policies Source: World Bank. 3. 
Data Classification and Security Framework

South Africa has a data classification system, but it has not yet developed a set of security controls for cloud service preapprovals.

Data Classification

South Africa's data classification system is prescribed in the MISS.113

Under MISS, the South African government considers classified information to be "sensitive information which in the national interest, is held by, is produced in, or is under the control of the State, or which concerns the State, and which must by reasons of its sensitive nature, be exempted from disclosure and must enjoy protection against compromise." Within this context, DPSA's Directive on Public Service Information Security (published June 2022)114 outlines a three-tier data classification system that must be adopted by each procuring agency:

• PUBLIC. This information has been explicitly approved by management for release to the public.
• CONFIDENTIAL. This information is private or otherwise sensitive in nature and must be restricted to those with a legitimate business need for access. The unauthorized disclosure of this information could adversely impact the department or third parties.
• SECRET. This classification applies to the most sensitive business information, which is intended strictly for use within a department and restricted to those with a legitimate business need for access. The unauthorized disclosure of this information could seriously and adversely impact the department or third parties.

The data classification helps each procuring agency determine the best type of cloud service for its needs. The Determination and Directive stipulates that the HOD must, as far as practically possible, avoid moving data classified as Secret or Top Secret to public, hybrid, or community clouds. The Determination and Directive also requires that the HOD must, as far as practically possible, ensure that data intended for general public consumption (unclassified data) is moved to a public cloud.

Data Residency

The Determination and Directive states that the HOD must ensure that data always resides within the borders of South Africa. Where this is not practically possible, the HOD must ensure compliance with section 72 of POPIA.

Security Controls

South Africa does not have a centralized set of security controls for the preapproval of cloud services. Instead, the Determination and Directive calls on each HOD to ensure that the cloud service's data security conforms to the existing departmental information security policy and that it complies with POPIA, the Promotion of Access to Information Act (PAIA), the ECT Act, and any other laws to which its data may be subject.

Existing Information Security Policies. Each government department is required to implement a department-specific information security policy, consistent with the MISS and the DPSA's Directive on Public Service Information Security (published June 2022).115

• The MISS and the DPSA's Directive are not cloud-specific; rather, they outline security requirements for all government agency IT systems.
• The DPSA's Directive offers one specific requirement on cloud security: the HOD must ensure that "thorough due diligence of the service provider's integrity, legal agreements, physical location, and security must be conducted before deciding on a cloud service provider."

Existing Information Security and Privacy Laws. Relevant security and privacy laws include:

• Section 72 of POPIA prohibits the government from transferring personal information about a data subject to a third party in a foreign country unless certain conditions are met, for example, the recipient is subject to data privacy requirements, the data subject consents, or the transfer is for the benefit of the data subject.116
• Sections 63-66 of PAIA outline requirements to protect the privacy of persons, commercial information, and confidential information.117
• The ECT Act generally facilitates and regulates electronic communications and transactions. The Act includes various provisions related to cryptography, consumer protection, protection of personal information, and protection of critical databases.118

4. Procurement Arrangements

The Determination and Directive is the top-level guidance for South Africa's procurement of secure cloud computing in the public sector. It provides instructions for the pre-procurement, procurement, and post-procurement activities of an HOD when procuring cloud services. It also leverages other government publications for data classification and security requirements. These instructions include numerous cybersecurity and privacy requirements, as shown in Table A4.1 below:

Table A4.1. Key Considerations for South African Procuring Agencies under the Determination and Directive119

Pre-Procurement
• Data Classification: All data must be classified according to MISS. HODs should avoid moving data classified as "Secret" or "Top Secret" to the Public, Hybrid, or Community Clouds. All data intended for public consumption should be moved to Public Clouds.
• Data Residency: Data should reside within the borders of South Africa. If this is not practically possible, agencies should ensure compliance with Section 72 of POPIA.
• Risk Assessment: HODs must facilitate a Risk Assessment for each cloud service they intend to utilize.
• Cloud Readiness Assessment: HODs must facilitate a Cloud Readiness Assessment before the decision is made to move to cloud-based computing services.
• Business Case: HODs must facilitate a Business Case for a cloud service that includes the following elements: scope of cloud service required; budget (short-, medium-, and long-term); total cost of ownership calculation; human resource skills required to support the cloud services environment; infrastructure required to enable the cloud service; intended benefit of the cloud service; and outcome of the Risk Assessment.
• Contract: HODs must conclude a valid contract with a CSP before using a cloud service. The contract must include: a statement that the agency is the owner of the data, which must be maintained, backed up, and secured until returned, transferred, or deleted upon termination of the contract; identification of the geographic location for data storage and processing, which must allow for adequate governmental control over the data; a requirement for the safe return or transfer of data should the CSP be acquired; and a specification of what will happen to the data once the contract ends (returned, transferred to another CSP, or deleted).
• Contract Length: Agencies may enter into a medium-term contract (a period of more than 3 years but less than 5 years) for cloud services, with allowances for early termination if needed.

Cloud Service Consumption
• Data Security: The agency must ensure that the security of the data on the Public Cloud is in line with existing departmental information security policies.
• Scaling Services: HODs must oversee agency scaling of cloud service subscription levels.
• Business Continuity: HODs must ensure the agency's Business Continuity plans are updated and that the agency conducts regular business continuity testing.
• Data Backups: HODs must ensure there is an inventory of data and applications during the contract period, and that there are mechanisms to back up the data on the Public Cloud.

Cloud Termination
• Protecting Data and Applications: The agency must ensure that all data and/or applications are transferred to a new provider, returned to the department, and/or permanently deleted.

The Determination and Directive includes a Checklist120 as part of its Cloud Readiness Assessment requirement to guide each HOD's activities during the pre-procurement, procurement, and post-procurement phases. The checklist reviews various pertinent questions for HODs during the cloud service lifecycle. Some key checklist items related to the cybersecurity of the cloud service are detailed below.

Outlining a Security Plan
• Have you made an outline of your top security goals and concerns?
• What types of assets will be managed by the system?
• Have key assets been listed and rated based on their sensitivity?
• How are assets currently managed, and how will this change when transitioned to the Cloud?
• Has the right cloud delivery model been assigned based on the assets' sensitivity?
• Has the network topology been mapped?

Enumerating Safeguards and Vulnerabilities
• Have the security controls been enumerated, verified, and evaluated?
• Will all sensitive data stored in the Cloud be encrypted?
• Are remote connections to the Cloud properly encrypted?
• Have you evaluated the security risk of the server's physical location? Are the servers housed in guarded and locked rooms?
• Have all vulnerabilities been identified and addressed?
• Are staff properly trained on the new security protocols?

Complying with Regulations
• Have you reviewed your cloud service provider's security policies? Do they comply with the POPI Act, PAIA, the ECT Act, or other regulations your data may be subject to?
• Have you drafted any contracts or agreements with your cloud service provider to bridge compliance gaps?

Location Considerations
• Where is the cloud service provider located? Is the location near your user base (customers or staff)?
• Will speed be adversely affected by the server's location?
• Can you visit the data center where your Cloud will be hosted?
Overall, the Determination and Directive offers a succinct framework for South African public sector entities in managing cybersecurity and privacy risks when procuring cloud services.

>>> Annex 5. Dubai's Cloud Security Risk Management Approach and Procedures

1. Brief History and Background of Dubai Cloud Adoption Strategy

Dubai, UAE has enacted several policies to promote a city-wide transition to building a globally leading digital economy overseen by a digital governance structure. Dubai established the Dubai Digital Authority (DDA) in 2021 to develop and oversee its policies and strategies to promote the city's digital transformation. The DDA comprises four subcomponents: the Dubai Electronic Security Center (DESC), the Dubai Statistics Center (DSC), the Dubai Data Establishment (DDE), and the Smart Dubai Government Establishment (SDGE).121

As part of its digital promotion, the Dubai Government Excellence Program (DGEP) has a key performance indicator (KPI) entitled Cloud First. Government entities must consider cloud solutions before considering any alternatives, and public cloud solutions are preferable for systems handling open data. The KPI aims to ensure that all government entities host eligible applications on the cloud by 2025.122

DESC leads Dubai's efforts to preapprove CSPs for government procurement. DESC's Cloud Service Provider (CSP) Security Standard establishes requirements and guidance based upon ISO/IEC and CSA standards for CSPs seeking to work with government agencies.123 The CSP Security Standard aligns with Dubai's Information Security Regulation (ISR),124 a technology-neutral information security standard for Dubai government entities.125

Dubai has also mandated "Information Security Officer (ISO)" positions within each government entity to promote cybersecurity, akin to the role of a Chief Information Security Officer. The ISO positions play a key role for government entities seeking to assess the security of certified CSPs against their security needs during the procurement phase.

Dubai offers eSupply as an online portal for CSPs and other suppliers to participate in online tenders or RFQs published by Dubai procuring agencies. Dubai also has its own cloud environment called DubaiPulse, a private government cloud developed by the DDA with the main aim of publishing open data and sharing data between government entities. It is also equipped to host sensitive data and workloads for government entities, if needed.126

2. Institutional Coordination Mechanisms

The Dubai Electronic Security Center (DESC) oversees the efforts of certification bodies to certify CSPs for government procurement.

Key Organizations

The DDA oversees policies and strategies to promote Dubai's digital transformation. The DDA is an umbrella organization that encompasses four entities respectively focused on data, security, statistics, and smart government. Each entity advances DDA's vision to promote a secure, data-centric government and city.

The DESC is an entity within the DDA that leads Dubai's efforts to ensure the cybersecurity of Dubai. In this capacity, DESC oversees the ISR and coordinates with Certification Bodies to certify technology vendors for government procurement through its CSP Security Standard.

Certification Bodies, or third-party certifiers, are independent commercial entities accredited by DESC to assess and certify CSPs seeking government contracts against the CSP Security Standard. CSPs can select certification bodies through a public call process. In turn, these bodies perform a light-touch verification, a process of up to two days in which the Certification Body conducts an on-premises audit to confirm a CSP's compliance with the CSP Security Standard. The Certification Bodies themselves must hold ISO/IEC 17021-1:2015 certification to be a qualified certifier for DESC. So far, Dubai has approved one company as a Certification Body.

Procuring agencies are Dubai government and semi-government entities responsible for procuring cloud services that meet their requirements, based upon their data classification levels and other security and business needs.

Coordination Among Organizations

Government Agencies. The DDA and its entities work to educate and train officials within procuring agencies on how to understand their data and secure their ICT systems.

• DDE trains agency-level officials to be upskilled as data champions who understand and classify the data within their agencies.
• DESC helps to establish ISO positions to oversee security aspects of their data environments. For larger institutions, the ISO unit is scaled to match the size of its operations, based on entity requirements. Each procuring agency should have at least one ISO position reporting directly to the head of the agency. This is to ensure independence of information security functions from IT, as per international best practices. Each procuring agency also has an Information Security Committee.
• DESC aims to enable and empower procuring agencies to have the capacity to conduct these risk-based procurements without the need for major oversight.

Government and CSPs. The procuring agencies are ultimately responsible for assessing and purchasing cloud services from CSPs that are certified by Certification Bodies.

• ISR Officers collaborate with data champions, the Information Security Committee, the Head of Agency, and others to make a risk-informed decision to procure a cloud service.

Government and Certification Bodies. DESC is responsible for approving Certification Bodies, which, in turn, audit the CSPs on DESC's behalf. The CSPs themselves procure audit services from the Certification Bodies. The DESC is not directly involved with these audit activities.

Figure A5.1. Notional Framework of Dubai's Institutional Mechanisms for Secure Cloud Procurements
The figure shows the DDA entities (DSC, DDE, SDGE, and DESC); DESC oversees the CSP Security Standard and approves Certification Bodies; Certification Bodies audit CSPs on eSupply against the CSP Security Standard; procuring agencies assess and procure cloud services.
Source: World Bank.

3. Data Classification and Security Framework

Dubai has established the Dubai Data Law, a data classification scheme and related cybersecurity and data privacy framework that supports its CSP Security Standard. Under Dubai's system, the DESC facilitates the certification of a CSP.

Data Classification

The DDE established the Dubai Data Classification Framework to enable government entities to classify their data as either Open or Shared. In turn, the DDE reviews and approves those classification decisions. The relationships between the different data classification categories are illustrated in Figure A5.2 below:

Figure A5.2. Categories of Dubai Data
Dubai Data is divided into SHARED DATA and OPEN DATA.
• SHARED DATA: Shared Data owned by Government Entities is made available for sharing and reuse by other Government Entities, with appropriate controls. It is subdivided into CONFIDENTIAL (shareable across Government Entities according to professional responsibilities), SENSITIVE (shareable within certain groups and subject to strict controls), and SECRET (shareable in a limited way between certain individuals and under strict controls).
• OPEN DATA: Openly disclosed to individuals and governmental and non-governmental organizations, for use, reuse, and sharing with third parties.
Source: Dubai Data Manual, https://www.digitaldubai.ae/data/regulations.

Under this framework, the four levels of data classification are defined as:

• OPEN: Data provided by the Dubai government or private sector entities to individuals, to be used or exchanged with third parties freely or subject to a limit.
• SHARED-CONFIDENTIAL: Data that, if shared through unrestricted disclosure or exchange, may cause limited damage to government bodies, companies, or individuals.
• SHARED-SENSITIVE: Data that, if shared through unrestricted disclosure or exchange, may cause significant damage to government bodies, companies, or individuals.
• SHARED-SECRET: Data that, if shared through unrestricted disclosure or exchange, may cause significant damage to the supreme interests of the country and very high damage to government bodies, companies, or individuals.

CSPs hosting Open Data do not require security certifications. Those datasets

Data Residency

The DESC's CSP Security Standard requires CSPs to abide by ISR:2017 13.2.1.1.1, which forbids CSPs from handling Shared data for government entities outside the legal jurisdiction or geographical boundaries of the UAE. Dubai also requests that CSPs handling Shared data for government entities have a minimum of two data centers within the country's geographic jurisdiction, to ensure the resilience of their cloud services.127 There is an exemption process for procuring agencies seeking to host Shared data outside the UAE, based on a risk assessment.

Moreover, if a procuring agency handles data relevant to the security of Dubai, it is encouraged to consult with DESC before seeking public cloud solutions. Indeed, in these cases, it may be more appropriate for the procuring agency to use the DubaiPulse government cloud, which can host sensitive data.

Security Controls

The CSP Security Standard sets out security requirements for CSPs and procuring agencies using cloud services. Compliance with this standard is mandatory for all CSPs wishing to offer cloud services to procuring agencies.

The CSP Security Standard is based on the following international and national standards:

• ISO/IEC 27001:2013.
• ISO/IEC 27002:2013.
• ISO/IEC 27017:2015.
• CSA Cloud Controls Matrix 3.0.1 (Level 2 STAR).
• ISR V2.0 (also called ISR:2017).

Preapproval Process

There are three key steps in the CSP Security Standard certification process:

• First, a CSP wishing to claim conformance to the CSP Security Standard must obtain ISO/IEC 27001 certification with the ISO/IEC 27017 extension and the CSA Level 2 STAR certification.
• Second, the Certification Body must verify the validity of the CSP's ISO/IEC and CSA certificates. This audit can take as little as half a day.
• Third, the Certification Body must verify the CSP's compliance with three selected ISR V2.0 controls:
  • ISR V2.0 2.1.2 (related to information asset management).
  • ISR V2.0 7.4.2.4 (related to media library and resource protection).
  • ISR V2.0 13.2.1.1.1 (related to restricting handling of classified data outside the UAE).

See Figure A5.3 below for a visual depiction of the certification process.

Figure A5.3. CSP Security Standard Certification Process
Source: https://www.desc.gov.ae/regulations/certifications/.

If a CSP uses third-party co-located data centers, the certification process must ensure that this arrangement is sufficiently secure. Possibilities for such audit checks are:

• Inclusion of the data center(s) in the scope of existing or new ISO/IEC or CSA certificates.
• Assessment of the third-party controls, including risks related to third parties, that are applied by the CSP to ensure that adequate security is in place.

The DESC's certification process also allows SaaS and PaaS providers to inherit security controls of certified IaaS. The basic principle is that every layer of the cloud stack should be certified, and if a layer is already certified, that layer does not need to be recertified. For example, if a SaaS provider contracts a certified hyperscaler such as Azure that has IaaS, it will only need to ensure certification of its SaaS offering, with evidence that the underlying layer is certified.128

In terms of continuous monitoring, CSPs certified under the CSP Security Standard are subject to annual on-site surveillance audits, where possible, and a recertification audit that takes place every three years.

4. Procurement Arrangements

Each government entity must assess a CSP's cloud services against its own security needs during the procurement phase.

Procuring agencies can purchase the cloud services of certified CSPs to handle any Shared data. For Open data, on the other hand, procuring agencies may choose any cloud service regardless of a CSP's certification status, with no geographic limitations.

Procuring agencies handling Shared data must abide by the ISR when procuring cloud services. Indeed, the ISR is intended to give procuring agencies the tools and guidelines to make risk-based decisions when purchasing cloud services. Each agency is expected to leverage its ISR Officer(s), Information Security Committee, and data champions to help make a risk-informed decision when procuring a public cloud service.

Each procuring agency is ultimately responsible for how it purchases a cloud service from a commercial provider. The Dubai Government's main online portal, eSupply, enables suppliers, including CSPs, to participate in online tenders or RFQs published by over 40 Dubai procuring agencies.129 Any company may simply register as a supplier on eSupply; there is no procurement process for being added to this portal. Procuring agencies may issue RFQs seeking cloud services from suppliers on eSupply, and can invite certain CSPs to submit a proposal or quotation in response to the RFQ.

Under eSupply, the specific procurement requirements for a cloud service vary depending on the characteristics of each project. For example, procuring agencies may include various requirements, such as certification under the CSP Security Standard, as part of the RFQ process. Payment methods are also determined on a case-by-case basis by each procuring agency.

In future, Dubai aims to empower procuring agencies to use privacy-enhancing tools within their procured cloud services. For example, the "bring your own key/encryption" tool is a plug-in that would allow procuring agencies to provide their own cryptographic key to a CSP, which can in turn be integrated into its cloud solution. Dubai is currently analyzing this technology and the impact it might have on securing data in the cloud.130

>>> Notes

1. For example, cloud solutions offer potential for increased energy efficiency of IT systems to help promote more environmentally sustainable IT ecosystems. See "Greening GovTech, Embracing a Green Digital Transition, Policy Note," 2022, World Bank (Chapter 2.2.3.2.2).
2. These case studies differ from the United States' FedRAMP model, which uses a tiered system to certify cloud services at the Low, Moderate, or High level based upon security controls developed by NIST. "FedRAMP," US Government. https://www.fedramp.gov/.
3. Peter Mell and Timothy Grance, The NIST Definition of Cloud Computing: Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800-145, September 2011. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf.
4. "Cloud Basics," General Services Administration. https://cic.gsa.gov/basics/cloud-basics.
5. Cloud Basics.
6. Cloud Basics.
7.
Vendor lock-in refers to a situation wherein a customer becomes dependent on a product or service regardless of quality, making it difficult to switch vendors.
8. Peter Mell and Timothy Grance, The NIST Definition of Cloud Computing: Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800-145, 2011. https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-145.pdf.
9. Peter Mell and Timothy Grance.
10. Peter Mell and Timothy Grance.
11. Peter Mell and Timothy Grance.
12. World Bank, 2022, Government Migration to Cloud Ecosystems: Multiple Options, Significant Benefits, Manageable Risks. https://openknowledge.worldbank.org/handle/10986/37556.
13. “Certification,” ISO. https://www.iso.org/certification.html.
14. “Accreditation vs. Certification in Conformity Assessment,” ANSI National Accreditation Board. https://anab.ansi.org/accreditationvscertificationinconformityassessment.
15. “Certification,” ISO.
16. “Conformity Assessment,” NIST. https://www.nist.gov/conformity-assessment.
17. This Index rates countries based upon key aspects of four World Bank GovTech focus areas – enhancing service delivery, supporting core government systems, mainstreaming citizen engagement, and GovTech enablers – with a score of 1 being the highest maturity and 0 being the lowest maturity.
18. This Index rates countries based upon three dimensions of e-government (online services, telecommunications infrastructure, and human capital), with a score of 1 being the highest e-governance performance and 0 being the lowest e-governance performance.
19. This Index rates countries based upon capacity to promote a cloud-centric digital economy, with a score of 10 being the highest capacity and 0 being the lowest capacity.
20. “Australian Government Cloud Computing Policy (Version 3.0),” Australian Government (Department of Finance), October 2014. https://www.ospi.es/export/sites/ospi/documents/documentos/Australian-Government-cloud-computing-policy.pdf.
21. “Secure Cloud Strategy (Version 3),” DTA, October 2021. https://www.dta.gov.au/sites/default/files/2021-10/DTA%20Secure%20Cloud%20Strategy%20-%20October%202021%20v3%20%28update%29.pdf.
22. “ISMAP Came into Operation,” MIC, June 3, 2020. https://www.soumu.go.jp/main_sosiki/joho_tsusin/eng/pressrelease/2020/6/03_6.html.
23. “Government Cloud First policy,” CDDO, February 3, 2017. https://www.gov.uk/guidance/government-cloud-first-policy.
24. “About Digital Dubai,” Digital Dubai. https://www.digitaldubai.ae/about-us.
25. “Public Service Cloud Computing Determination and Directive,” DPSA, February 2, 2022. https://www.michalsons.com/wp-content/uploads/2022/04/egovernment_02_02_2022.pdf.
26. “National Data and Cloud Policy (Draft),” DCDT, April 1, 2021. https://www.gov.za/sites/default/files/gcis_document/201711/41241gen886.pdf.
27. “Management Standards,” ISMAP. https://www.ismap.go.jp/csm/ja?id=kb_article_view&sysparm_article=KB0010028&sys_kb_id=277195e71b985910f18c65fa234bcbb8&spa=1.
28. “Information Security Manual,” ACSC.
29. “Cloud Security Controls Matrix,” ACSC.
30. “Cloud security guidance,” NCSC. https://www.ncsc.gov.uk/collection/cloud.
31. Azure provides an example of a Total Cost of Ownership Calculator: https://azure.microsoft.com/en-us/pricing/tco/calculator/. Another Total Cost of Ownership Calculator example is provided by AWS: https://calculator.aws/#/.
32. Managing technical lock-in in the cloud – GOV.UK, www.gov.uk.
33. “Cloud Procurement: Best Practices for Public Sector Customers,” AWS, January 2017. https://docplayer.net/100520847-Cloud-procurement-best-practices-for-public-sector-customers.html.
34. PII is defined as any piece of information that confirms an individual’s identity.
A person’s PII can include their address; National Insurance Number or Social Security Number; driver’s license; financial information, including bank accounts; and medical records. See: https://www.isms.online/iso-27002/control-5-34-privacy-and-protection-of-pii/.
35. Personal data classification and protection aligns with Chapter 6 of the World Development Report 2021 (WDR21), “Data policies, laws, and regulations: Creating a trust environment.”
36. The sharing and processing of public data can help to increase economic value. This policy effort aligns with the WDR21’s overall message that data produces economic value when processed and shared.
37. Source: Microsoft. 2021. “Best Practices for a Competitive Data Ecosystem” (internal document shared with authors).
38. Source: A Roadmap from Cross-Border Data Flows: Future Proofing Readiness and Cooperation in the New Data Economy, World Economic Forum, June 2020 white paper. https://www3.weforum.org/docs/WEF_A_Roadmap_for_Cross_Border_Data_Flows_2020.pdf.
39. The government approved the amendments to the Law on Management of State Information Resources; Ministry of the Economy and Innovation of the Republic of Lithuania (lrv.lt), March 23, 2022.
40. See “CLOUD Act Resources,” US Department of Justice. https://www.justice.gov/dag/cloudact.
41. “ISMAP Came into Operation,” MIC, June 3, 2020. https://www.soumu.go.jp/main_sosiki/joho_tsusin/eng/pressrelease/2020/6/03_6.html.
42. ISMAP Came into Operation.
43. “Study Group on Security Assessment of Cloud Services Compiles its Discussion Results into Report,” METI, January 30, 2020. https://www.meti.go.jp/english/press/2020/0130_002.html.
44. Study Group on Security Assessment of Cloud Services.
45. “ISMAP Overview,” ISMAP. https://www.ismap.go.jp/csm?id=kb_article_view&sysparm_article=KB0010301.
46. National Center of Incident Readiness and Strategy for Cybersecurity (NISC). https://www.nisc.go.jp/eng/index.html.
47. “Assessors List,” ISMAP. https://www.ismap.go.jp/csm?id=audit_institution_list.
48. Interview with IPA on July 20, 2022.
49. “Cloud Service List,” ISMAP. https://www.ismap.go.jp/csm?id=cloud_service_list.
50. “ISMAP Overview,” ISMAP. https://www.ismap.go.jp/csm?id=kb_article_view&sysparm_article=KB0010301.
51. “Standards for Security Categorization of Federal Information and Information Systems, FIPS 199,” NIST, February 2004. https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf.
52. “ISMAP Overview,” ISMAP. https://www.ismap.go.jp/csm?id=kb_article_view&sysparm_article=KB0010301.
53. “Management Standards,” ISMAP. https://www.ismap.go.jp/csm/ja?id=kb_article_view&sysparm_article=KB0010028.
54. “ISMAP Overview,” ISMAP. https://www.ismap.go.jp/csm?id=kb_article_view&sysparm_article=KB0010301.
55. “Australian Government Cloud Computing Policy (Version 3.0),” Australian Government (Department of Finance), October 2014. https://www.ospi.es/export/sites/ospi/documents/documentos/Australian-Government-cloud-computing-policy.pdf.
56. Justin Hendry, “DTA pushes Commonwealth to adopt more cloud,” IT News, February 1, 2018. https://www.itnews.com.au/news/dta-pushes-commonwealth-to-adopt-more-cloud-484234.
57. Justin Hendry, “DTA pushes Commonwealth to adopt more cloud.”
58. “Secure Cloud Strategy (Version 3),” DTA, October 2021. https://www.dta.gov.au/sites/default/files/2021-10/DTA%20Secure%20Cloud%20Strategy%20-%20October%202021%20v3%20%28update%29.pdf.
59. “Anatomy of a Cloud Assessment and Authorisation,” ACSC. https://www.cyber.gov.au/acsc/view-all-content/publications/anatomy-cloud-assessment-and-authorisation.
60. “The Cloud Security Assessment Report Template,” ACSC.
61. “Information Security Manual,” ACSC.
62. “Cloud Security Controls Matrix,” ACSC.
63. “Protective Security Policy Framework,” Attorney-General’s Department, Australia. https://www.protectivesecurity.gov.au/.
64.
“Cloud Computing Security Considerations,” ACSC. https://www.cyber.gov.au/acsc/view-all-content/publications/cloud-computing-security-considerations.
65. “Digital Transformation Agency.” https://www.dta.gov.au/.
66. “Australian Signals Directorate.” https://www.asd.gov.au/.
67. “Australian Cyber Security Operations Centre.” https://www.cyber.gov.au/.
68. “Who are IRAP Assessors?” ACSC. https://www.cyber.gov.au/acsc/view-all-content/programs/irap/who-are-irap-assessors.
69. “IRAP Assessors,” ACSC. https://www.cyber.gov.au/acsc/view-all-content/programs/irap/irap-assessors.
70. “Cloud Marketplace,” BuyICT, DTA. https://www.buyict.gov.au/sp?id=marketplace_landing&marketplace=20d4561edb261c106529773c349619b7&kb=KB0010616&path=buying.
71. “Cloud Marketplace,” BuyICT, DTA.
72. “Cloud Marketplace.”
73. “Hosting Certification Framework,” DTA. https://www.dta.gov.au/our-projects/hosting-strategy/hosting-certification-framework.
74. “Framework Overview,” DTA. https://www.hostingcertification.gov.au/framework.
75. “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, SP 800-37 Rev. 2,” NIST, December 2018. https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final.
76. “Cyber Security Principles,” ACSC. https://www.cyber.gov.au/acsc/view-all-content/advice/cyber-security-principles.
77. “Cloud Security Controls Matrix,” ACSC.
78. “Anatomy of a Cloud Assessment and Authorisation,” ACSC. https://www.cyber.gov.au/acsc/view-all-content/publications/anatomy-cloud-assessment-and-authorisation.
79. “IRAP resources,” ACSC. https://www.cyber.gov.au/acsc/view-all-content/programs/irap/irap-resources.
80. “Cloud Marketplace,” DTA. https://www.buyict.gov.au/sp?id=marketplace_landing&marketplace=20d4561edb261c106529773c349619b7&path=buying&kb=KB0010616.
81. Cloud Sourcing Contract Template; Cloud Services Minimum Terms.
82. “Government Cloud First policy,” CDDO, February 3, 2017. https://www.gov.uk/guidance/government-cloud-first-policy.
83. “Government Cloud First policy,” CDDO.
84. “Digital Marketplace,” CCS. https://www.digitalmarketplace.service.gov.uk/.
85. “Ultimate Guide to G-Cloud,” AdviceCloud. https://advice-cloud.co.uk/ultimate-guide-gcloud/.
86. “Cloud Compute,” CCS. https://www.crowncommercial.gov.uk/agreements/RM6111.
87. “Cloud security guidance,” NCSC. https://www.ncsc.gov.uk/collection/cloud.
88. “Security policy framework,” UK Government, February 8, 2022. https://www.gov.uk/government/publications/security-policy-framework/hmg-security-policy-framework.
89. “Minimum Cyber Security Standard,” UK Government, June 25, 2018. https://www.gov.uk/government/publications/the-minimum-cyber-security-standard.
90. “Risk management guidance,” NCSC. https://www.ncsc.gov.uk/collection/risk-management-collection.
91. “Security,” GOV.UK Platform as a Service. https://www.cloud.service.gov.uk/security/.
92. https://www.ncsc.gov.uk/blog-post/announcing-iasme-consortium-as-our-new-cyber-essentials-partner.
93. “About Cyber Essentials,” NCSC. https://www.ncsc.gov.uk/cyberessentials/overview.
94. “Introducing the Government Security Classifications Core briefing for 3rd Party Suppliers,” UK Cabinet Office, October 2013. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/251481/Government-Security-Classifications-Supplier-Briefing-Oct-2013.pdf.
95. “Cloud guide for the public sector,” CDDO, February 8, 2021. https://www.gov.uk/government/publications/cloud-guide-for-the-public-sector/cloud-guide-for-the-public-sector.
96. “Digital Marketplace Frameworks: G-13 Cloud Declarations,” Github.
digitalmarketplace-frameworks/frameworks/g-cloud-13/questions/declaration at main · Crown-Commercial-Service/digitalmarketplace-frameworks · GitHub; “Digital Marketplace Frameworks: G-13 Cloud Services,” Github. digitalmarketplace-frameworks/frameworks/g-cloud-13/questions/services at main · Crown-Commercial-Service/digitalmarketplace-frameworks · GitHub.
97. “Securing your information,” UK Government, May 21, 2018. https://www.gov.uk/service-manual/technology/securing-your-information.
98. However, the UK government notes that “if your service handles information that’s classified as ‘secret’ or ‘top secret,’ then you should ask for specialist advice from your department or agency security team.”
99. “Securing your cloud environment for services,” UK Government. https://www.gov.uk/service-manual/technology/securing-your-cloud-environment.
100. “Security policy framework,” UK Government, February 8, 2022. https://www.gov.uk/government/publications/security-policy-framework/hmg-security-policy-framework.
101. “Risk management guidance,” NCSC. https://www.ncsc.gov.uk/collection/risk-management-collection.
102. “Secure development and deployment guidance,” NCSC. https://www.ncsc.gov.uk/collection/developers-collection.
103. “G-Cloud 12 Framework Agreement,” CCS. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/927650/G-Cloud-12-Framework-Agreement.pdf.
104. “Digital Marketplace Frameworks: G-13 Cloud Declarations,” Github. digitalmarketplace-frameworks/frameworks/g-cloud-13/questions/declaration at main · Crown-Commercial-Service/digitalmarketplace-frameworks · GitHub; “Digital Marketplace Frameworks: G-13 Cloud Services,” Github. digitalmarketplace-frameworks/frameworks/g-cloud-13/questions/services at main · Crown-Commercial-Service/digitalmarketplace-frameworks · GitHub.
105. “Introduction to cloud security,” NCSC. https://www.ncsc.gov.uk/collection/cloud/introduction-to-cloud-security.
106. RM6111-Framework-Terms-v3.3.docx (live.com).
107. “G-Cloud 12 Call-Off Contract,” CCS. https://assets.crowncommercial.gov.uk/wp-content/uploads/G-Cloud-12-Call-Off-Contract-v16-PDF.pdf.
108. “Ultimate Guide to G-Cloud,” AdviceCloud. https://advice-cloud.co.uk/ultimate-guide-gcloud/.
109. “Managing technical lock-in in the cloud,” CDDO, December 17, 2019. https://www.gov.uk/guidance/managing-technical-lock-in-in-the-cloud.
110. “National e-government strategy and roadmap,” DTPS, November 10, 2017. https://www.gov.za/sites/default/files/gcis_document/201711/41241gen886.pdf.
111. “National Data and Cloud Policy (Draft),” DCDT, April 1, 2021. https://www.gov.za/sites/default/files/gcis_document/201711/41241gen886.pdf.
112. “Public Service Cloud Computing Determination and Directive,” DPSA, February 2, 2022. https://www.michalsons.com/wp-content/uploads/2022/04/egovernment_02_02_2022.pdf.
113. “Minimum Information Security Standards,” South African Government, December 4, 1996. https://www.sita.co.za/sites/default/files/documents/MISS/Minimum%20Information%20Security%20Standards%20(MISS).pdf.
114. “Directive on Public Service Information Security,” DPSA, 2022. https://www.dpsa.gov.za/dpsa2g/documents/ogcio/2022/egov_21_06_2022_directive.pdf.
115. Directive on Public Service Information Security, DPSA.
116. “Protection of Personal Information Act,” South African Government, November 26, 2013. https://www.dffe.gov.za/sites/default/files/legislations/popia04of2013_vol581no37067.pdf.
117. “Promotion of Access to Information Act of 2000,” South African Government, February 2, 2000. http://juta/nxt/print.asp?NXTScript=nxt/gateway.dll&NXTHost=jut (dffe.gov.za).
118. “Electronic Communications and Transactions Act, 2002,” South African Government, August 2, 2002. https://www.gov.za/sites/default/files/gcis_document/201409/a25-02.pdf.
119.
“Public Service Cloud Computing Determination and Directive,” DPSA, February 2, 2022. https://www.michalsons.com/wp-content/uploads/2022/04/egovernment_02_02_2022.pdf.
120. See pages 14-18 of “Public Service Cloud Computing Determination and Directive,” DPSA, February 2, 2022. https://www.michalsons.com/wp-content/uploads/2022/04/egovernment_02_02_2022.pdf.
121. “About Digital Dubai,” Digital Dubai. https://www.digitaldubai.ae/about-us.
122. “KPI Card (Percentage of Applications Hosted on Cloud),” Dubai Government Excellence Program.
123. “Certifications,” Dubai Electronic Security Center. https://www.desc.gov.ae/regulations/certifications/.
124. “Information Security Regulation Version 2.0,” Dubai Electronic Security Center, 2017.
125. “Standards and Policies,” Dubai Electronic Security Center. https://www.desc.gov.ae/regulations/standards-policies/.
126. “Dubai Pulse,” https://www.dubaipulse.gov.ae/.
127. Conversation with Bushra Al Blooshi, July 28, 2022.
128. Conversation with Bushra Al Blooshi, July 28, 2022.
129. “eSupply,” Government of Dubai. https://esupply.dubai.gov.ae/esupply/web/index.html.
130. Conversation with Bushra Al Blooshi, July 28, 2022.

References
AdviceCloud. “Ultimate Guide to G-Cloud.” https://advice-cloud.co.uk/ultimate-guide-gcloud/.
Amazon Web Services. 2017. Cloud Procurement: Best Practices for Public Sector Customers. January 2017. https://docplayer.net/100520847-Cloud-procurement-best-practices-for-public-sector-customers.html.
ANSI National Accreditation Board. 2022. “Accreditation vs. Certification in Conformity Assessment.” Webinar. September 29, 2022. https://anab.ansi.org/accreditationvscertificationinconformityassessment.
Australian Attorney-General’s Department. “Protective Security Policy Framework.” https://www.protectivesecurity.gov.au/.
Australian Cyber Security Centre. 2021.
“Anatomy of a Cloud Assessment and Authorisation.” October 2021. https://www.cyber.gov.au/acsc/view-all-content/publications/anatomy-cloud-assessment-and-authorisation.
Australian Cyber Security Centre. 2021. “Cloud Computing Security Considerations.” October 2021. https://www.cyber.gov.au/acsc/view-all-content/publications/cloud-computing-security-considerations.
Australian Cyber Security Centre. 2022. “Cloud Security Controls Matrix.” December 1, 2022. https://www.cyber.gov.au/sites/default/files/2022-12/Cloud%20Controls%20Matrix%20Template%20%28December%202022%29.xlsx.
Australian Cyber Security Centre. 2022. “Cyber Security Principles.” June 16, 2022. https://www.cyber.gov.au/acsc/view-all-content/advice/cyber-security-principles.
Australian Cyber Security Centre. 2022. “Information Security Manual.” December 1, 2022. https://www.cyber.gov.au/sites/default/files/2022-12/Information%20Security%20Manual%20%28December%202022%29.pdf.
Australian Cyber Security Centre. 2022. “The Cloud Security Assessment Report Template.” July 2022. https://www.cyber.gov.au/sites/default/files/2022-07/Cloud-Security-Assessment-Report-Template-06-July-2022.docx.
Australian Cyber Security Centre. “Australian Cyber Security Operations Centre.” https://www.cyber.gov.au/.
Australian Cyber Security Centre. “IRAP Assessors.” https://www.cyber.gov.au/acsc/view-all-content/programs/irap/irap-assessors.
Australian Cyber Security Centre. “IRAP Resources.” https://www.cyber.gov.au/acsc/view-all-content/programs/irap/irap-resources.
Australian Cyber Security Centre. “Who are IRAP Assessors?” https://www.cyber.gov.au/acsc/view-all-content/programs/irap/who-are-irap-assessors.
Australian Department of Finance. 2014. Australian Government Cloud Computing Policy (Version 3.0). October 2014. https://www.ospi.es/export/sites/ospi/documents/documentos/Australian-Government-cloud-computing-policy.pdf.
Australian Department of Public Service and Administration. 2022. Public Service Cloud Computing Determination and Directive. February 2, 2022. https://www.michalsons.com/wp-content/uploads/2022/04/egovernment_02_02_2022.pdf.
Australian Digital Transformation Agency. 2021. Secure Cloud Strategy (Version 3). https://www.dta.gov.au/sites/default/files/2021-10/DTA%20Secure%20Cloud%20Strategy%20-%20October%202021%20v3%20%28update%29.pdf.
Australian Digital Transformation Agency. “Cloud Marketplace.” https://www.buyict.gov.au/sp?id=marketplace_landing&marketplace=20d4561edb261c106529773c349619b7&kb=KB0010616&path=buying.
Australian Digital Transformation Agency. “Digital sourcing contract templates.” December 2020. https://www.buyict.gov.au/sp?id=resources_and_policies&kb=KB0010684&kb_parent=KB0010686 (note: link under the subheading “Cloud Services Minimum Terms Template”).
Australian Digital Transformation Agency. “Digital sourcing contract templates.” December 2020. https://www.buyict.gov.au/sp?id=resources_and_policies&kb=KB0010684&kb_parent=KB0010686 (note: link under the subheading “Cloud Sourcing Contract Template”).
Australian Digital Transformation Agency. “Digital Transformation Agency.” https://www.dta.gov.au/.
Australian Digital Transformation Agency. “Framework Overview.” https://www.hostingcertification.gov.au/framework.
Australian Digital Transformation Agency. “Hosting Certification Framework.” https://www.dta.gov.au/our-projects/hosting-strategy/hosting-certification-framework.
Australian Signals Directorate. “Australian Signals Directorate.” https://www.asd.gov.au/.
Digital Dubai. “About Digital Dubai.” https://www.digitaldubai.ae/about-us.
Digital Dubai. “Regulations.” https://www.digitaldubai.ae/data/regulations.
Dubai Electronic Security Center. 2017. Information Security Regulation (Version 2.0).
Dubai Electronic Security Center. “Certifications.” https://www.desc.gov.ae/regulations/certifications/.
Dubai Electronic Security Center. “Standards and Policies.” https://www.desc.gov.ae/regulations/standards-policies/.
Dubai Smart Government. “Dubai Pulse.” https://www.dubaipulse.gov.ae/.
Dubai Smart Government. “eSupply.” https://esupply.dubai.gov.ae/esupply/web/index.html.
Hendry, Justin. 2018. “DTA pushes Commonwealth to adopt more cloud.” IT News. February 1, 2018. https://www.itnews.com.au/news/dta-pushes-commonwealth-to-adopt-more-cloud-484234.
International Standards Organization. “Certification.” https://www.iso.org/certification.html.
Japan Information System Security Management and Assessment Program. “Assessors List.” https://www.ismap.go.jp/csm?id=audit_institution_list.
Japan Information System Security Management and Assessment Program. “Cloud Service List.” https://www.ismap.go.jp/csm?id=cloud_service_list.
Japan Information System Security Management and Assessment Program. “Management Standards.” https://www.ismap.go.jp/csm/ja?id=kb_article_view&sysparm_article=KB0010028&sys_kb_id=277195e71b985910f18c65fa234bcbb8&spa=1.
Japan Ministry of Economy, Trade, and Industry. 2020. “Study Group on Security Assessment of Cloud Services Compiles its Discussion Results into Report.” January 30, 2020. https://www.meti.go.jp/english/press/2020/0130_002.html.
Japan Ministry of Internal Affairs and Communications. 2020. “ISMAP Came into Operation.” June 3, 2020. https://www.soumu.go.jp/main_sosiki/joho_tsusin/eng/pressrelease/2020/6/03_6.html.
Japan National Center of Incident Readiness and Strategy for Cybersecurity. “National Center of Incident Readiness and Strategy for Cybersecurity.” https://www.nisc.go.jp/eng/index.html.
Mell, Peter and Grance, Timothy. 2011. The NIST Definition of Cloud Computing: Recommendations of the National Institute of Standards and Technology (NIST Special Publication 800-145). September 2011. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf.
Microsoft. 2021. “Best Practices for a Competitive Data Ecosystem” (internal document shared with authors).
Microsoft. 2022. “Defending Ukraine: Early Lessons from the Cyber War.” June 22, 2022. https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/.
Microsoft. 2022. “Extending our vital technology support for Ukraine.” November 3, 2022. https://blogs.microsoft.com/on-the-issues/2022/11/03/our-tech-support-ukraine/.
Microsoft. 2022. “Special Report: Ukraine - An overview of Russia’s cyberattack activity in Ukraine.” April 27, 2022. https://www.iisf.ie/Microsoft-Special-report-Ukraine-Russia-Cyberattack-activity.
Oracle and KPMG. 2020. Demystifying the Cloud Shared Responsibility Security (Volume 2). https://www.oracle.com/a/ocom/docs/cloud/oracle-ctr-2020-shared-responsibility.pdf.
South African Department of Communications and Digital Technologies. 2021. “National Data and Cloud Policy (Draft).” April 1, 2021. https://www.gov.za/sites/default/files/gcis_document/202104/44389gon206.pdf.
South African Department of Public Service and Administration. 2022. Directive on Public Service Information Security. June 7, 2022. https://www.dpsa.gov.za/dpsa2g/documents/ogcio/2022/egov_21_06_2022_directive.pdf.
South African Department of Telecommunications and Postal Services. 2017. National e-government strategy and roadmap. November 7, 2017. https://www.gov.za/sites/default/files/gcis_document/201711/41241gen886.pdf.
South African Government. 1996. Minimum Information Security Standards. December 6, 1996. https://www.sita.co.za/sites/default/files/documents/MISS/Minimum%20Information%20Security%20Standards%20(MISS).pdf.
South African Government. 2002. Electronic Communications and Transactions Act, 2002. August 2, 2002. https://www.gov.za/sites/default/files/gcis_document/201409/a25-02.pdf.
South African Government. 2013. Protection of Personal Information Act.
November 26, 2013. https://www.dffe.gov.za/sites/default/files/legislations/popia04of2013_vol581no37067.pdf.
South African Revenue Service. 2000. “Promotion of Access to Information Act of 2000.” October 15, 2021. https://www.sars.gov.za/legal-counsel/primary-legislation/promotion-of-access-to-information-act-2000-paia/.
TurningCloud Solutions. 2021. “4 Cloud Deployment Models: Their advantages and disadvantages.” June 21, 2021. https://www.turningcloud.com/blog/cloud-deployment-models/.
UK Cabinet Office. 2013. Introducing the Government Security Classifications Core briefing for 3rd Party Suppliers. October 2013. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/251481/Government-Security-Classifications-Supplier-Briefing-Oct-2013.pdf.
UK Cabinet Office. 2018. “Government Security Classifications.” https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/715778/May-2018_Government-Security-Classifications-2.pdf.
UK Cabinet Office. 2018. “Minimum Cyber Security Standard.” June 25, 2018. https://www.gov.uk/government/publications/the-minimum-cyber-security-standard.
UK Cabinet Office. 2022. “Security policy framework.” December 2, 2022. https://www.gov.uk/government/publications/security-policy-framework/hmg-security-policy-framework.
UK Central Digital and Data Office. 2019. “Managing technical lock-in in the cloud.” December 17, 2019. https://www.gov.uk/guidance/managing-technical-lock-in-in-the-cloud.
UK Central Digital and Data Office. 2021. “Cloud guide for the public sector.” February 8, 2021. https://www.gov.uk/government/publications/cloud-guide-for-the-public-sector/cloud-guide-for-the-public-sector.
UK Central Digital and Data Office. 2022. “Government Cloud First policy.” July 21, 2022. https://www.gov.uk/guidance/government-cloud-first-policy.
UK Crown Commercial Services. “Cloud Compute.” https://www.crowncommercial.gov.uk/agreements/RM6111.
UK Crown Commercial Services. “Digital Marketplace.” https://www.digitalmarketplace.service.gov.uk/.
UK Crown Commercial Services. “Digital Marketplace Frameworks: G-13 Cloud Declarations.” digitalmarketplace-frameworks/frameworks/g-cloud-13/questions/declaration at main · Crown-Commercial-Service/digitalmarketplace-frameworks · GitHub.
UK Crown Commercial Services. “Digital Marketplace Frameworks: G-13 Cloud Services.” digitalmarketplace-frameworks/frameworks/g-cloud-13/questions/services at main · Crown-Commercial-Service/digitalmarketplace-frameworks · GitHub.
UK Crown Commercial Services. 2022. G-Cloud 12 Call-Off Contract (RM1557.12). https://assets.crowncommercial.gov.uk/wp-content/uploads/G-Cloud-12-Call-Off-Contract-v16-PDF.pdf.
UK Crown Commercial Services. 2022. G-Cloud 12 Framework Agreement (RM1557.12). https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/927650/G-Cloud-12-Framework-Agreement.pdf.
UK Government. 2018. “Securing your information.” May 21, 2018. https://www.gov.uk/service-manual/technology/securing-your-information.
UK Government Platform-As-A-Service. “Security.” https://www.cloud.service.gov.uk/security/.
UK National Cyber Security Centre. 2018. “Risk management guidance.” November 16, 2018. https://www.ncsc.gov.uk/collection/risk-management-collection.
UK National Cyber Security Centre. 2018. “Secure development and deployment guidance.” November 22, 2018. https://www.ncsc.gov.uk/collection/developers-collection.
UK National Cyber Security Centre. 2019. “Announcing IASME Consortium as our new Cyber Essentials Partner.” October 7, 2019. https://www.ncsc.gov.uk/blog-post/announcing-iasme-consortium-as-our-new-cyber-essentials-partner.
UK National Cyber Security Centre. 2021. “Securing your cloud environment for services.” February 15, 2021. https://www.gov.uk/service-manual/technology/securing-your-cloud-environment.
UK National Cyber Security Centre. 2022. “Cloud security guidance.” May 10, 2022. https://www.ncsc.gov.uk/collection/cloud. UK National Cyber Security Centre. 2022. “Introduction to cloud security.” May 10, 2022. https://www.ncsc.gov.uk/collection/cloud/introduction-to-cloud-security. EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT <<< 92 UK National Cyber Security Centre. “About Cyber Essentials.” https://www.ncsc.gov.uk/ cyberessentials/overview. US Department of Justice. 2022. “CLOUD Act Resources.” November 29, 2022. https://www.justice.gov/criminal-oia/cloud-act-resources. US Federal Risk and Authorization Management Program. “Securing Cloud Services.” https://www.fedramp.gov/. US General Services Administration. “Cloud Basics.” https://cic.gsa.gov/basics/cloud-basics. US National Institute of Standards and Technology. 2004. Standards for Security Categorization of Federal Information and Information Systems, FIPS 199. February 2004. https://nvlpubs.nist. gov/nistpubs/fips/nist.fips.199.pdf. US National Institute of Standards and Technology. 2018. Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (SP 800-37 Rev. 2). December 2018. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/ NIST.SP.800-37r2.pdf. US National Institute of Standards and Technology. “Conformity Assessment.” https://www.nist. gov/conformity-assessment. World Bank. 2022. “Greening GovTech, Embracing a Green Digital Transition, Policy Note.” Note: Draft. World Bank. 2022. Government Migration to Cloud Ecosystems: Multiple Options, Significant Benefits, Manageable Risks. Report. June 10, 2022. https://documents.worldbank.org/en/ publication/documents-reports/documentdetail/099530106102227954/p17303207ce6cf0420bc d006737c2750450. World Economic Forum. 2020. A Roadmap from Cross-Border Data Flows: Future Proofing Readiness and Cooperation in the New Data Economy. June 2020. 
https://www3.weforum.org/ docs/WEF_A_Roadmap_for_Cross_Border_Data_Flows_2020.pdf. EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT <<< 93 Supported by the GovTech Global Partnership - www.worldbank.org/govtech
