New Zealand: The Department of Internal Affairs has just made publicly available a paper on “Requirements for Cloud Computing” that is mandated for all agencies. It’s been a long time coming and, in general, is a valuable document, not only for agencies but for any company with a risk-averse approach to buying Cloud services.
The document and edict effectively introduce a risk-based framework for Cloud services. If an agency wants to buy a Cloud service, this framework must be used as part of the evaluation process. This makes sense. We already know that most government agencies are utilising Cloud services from a variety of onshore and offshore service providers, with more joining the trend every week.
Better, it shows that the DIA is moving to a guidance and support role as opposed to an edict and control role. This document will save hundreds of thousands in consulting fees because it effectively outlines a robust risk framework for choosing Cloud services, something agencies otherwise would have had to employ specialist resources to do. It’s free, and not just for government but for anyone. The document contains over one hundred questions that could be used to build RFPs for any agency or company wanting to consume Cloud services.
There is some interesting content in the document.
Firstly, Data Sovereignty is now based on a risk assessment as opposed to earlier indications that the DIA might forbid agencies from storing information in offshore Clouds.
“Once agencies have identified the legal jurisdictions where their data will be held, they should assess whether or not it is appropriate to store their data in the service. This may require them to seek specialist legal and/or security advice. Agencies without access to specialist resources are encouraged to seek advice from the Government Chief Information Officer (GCIO).”
In other words, storing data outside of New Zealand is allowed provided that it meets certain criteria.
The government has empowered DIA to mandate changes to existing Cloud services that agencies consume.
“when necessary, the GCIO may direct State Service agencies to modify their use of cloud services.”
One assumes that this means if a Cloud service is seen as high risk and/or not meeting the framework, the GCIO can order the agency to retire it or move to one that does. You wouldn’t expect this to be exercised, primarily because of a) how does the GCIO actually know what Cloud services an agency is using, and b) cost.
The framework is very complete. It takes into account not only the technical aspects of a Cloud service, but also the management of those services, service level agreements, business continuity, and a host of other considerations that are important when evaluating risk, i.e. more of a business focus as opposed to a technology focus.
This appears to mark a turning point for DIA, or an additional service in their catalog that we haven’t seen before: that of trusted adviser. Agencies can talk directly to DIA for help with Cloud evaluation. Not only does this present a common view of the world, it also means that agencies can save a lot of money on consultants at the front end of Cloud evaluation.
This is a great document.
To be slightly cheeky, as a last thought, it would be very interesting to see if the existing Infrastructure as a Service (IaaS) providers would pass the risk framework, i.e. if we evaluated IBM, Datacom, and Revera, where would they fall on the risk profile spectrum?
Also, even if they were to “pass” that risk framework, how would they score against other Cloud providers? I.e. would it be less risky for agencies to use Amazon or Rackspace?
This could be an answer we’ll never know, as one of the downsides of Cloud evaluation is that the larger players often won’t answer these questions. After all, they don’t have to. However, if they don’t, then they certainly will find themselves precluded from getting any agency Cloud business.