4 Conditions for using cloud computing in the public sector
Many enterprises are uncertain about the legal framework conditions governing the use of cloud computing.17 The review of the legislation in chapter 3 shows that there is considerable scope for the lawful use of cloud services by enterprises in Norway – including those in the public sector.
Principles for using cloud computing
In addition to the need for legislative clarification, the ICT industry and public sector enterprises are also calling for clear guidelines from central government regarding the use of cloud computing.
The Government has therefore established some principles for the use of cloud services in the public sector:
- Cloud computing shall be assessed on the same basis as other solutions when considering major changes or reorganisation of ICT systems or operations:
- when procuring systems or major upgrades
- when undertaking extensive replacements of hardware
- when existing operating agreements expire
- When they offer the most appropriate and cost-effective solution and when no particular obstacles stand in the way of using them, cloud services should be chosen.
- The chosen solution must satisfy the agency’s requirements for information security. This means that enterprises must know the value of their own systems and data, and perform a risk assessment of the chosen solution.
Although cloud services may offer several advantages, they may not always be the best solution. Several factors may make other development or operating solutions better suited to meeting the needs of an enterprise, such as special requirements for national security, or if cloud services would not prove cost-effective given the enterprise’s current systems and infrastructure. The Government will therefore not establish a cloud first policy; however, the principles will help ensure that cloud services are considered when public agencies need to procure new ICT systems or operating solutions.
The principles for using cloud services were included in the Circular on Digitisation for 2016. The Circular on Digitisation presents an overview of orders and recommendations for digitisation that apply to all ministries, regular government administrative bodies, administrative bodies with special authority and government administrative enterprises.
The Circular on Digitisation sets out requirements for architecture and standards for public agencies.
Although municipalities and counties are not included in the circular, the principles give an important signal to them, too, and they may of course choose to follow the principles if they so wish.
The principles will be followed up with support, guidelines and tools in order to aid public sector organisations with the procurement of cloud services.
The need for guidance and control
The public sector has a particular need to ensure control over who manages information and where this is done. The form and degree of control required will depend on the type of information processed by the respective organisations. A range of control mechanisms are available:
Contracts
If needed, a contract can stipulate specific requirements for data processing and storage. A standard contract from the service provider could well be used, provided it guaranteed the use of specific technologies or standards, or met requirements for specific certifications in such a way as to satisfy the requirements imposed on public sector enterprises. Mechanisms for revision and contract management could also be negotiated, if specific needs warranted it.
Prequalification of service providers
Service providers could prequalify for processing specific types of information, either generally or for specific sectors. The Norwegian Ministry of Local Government and Modernisation will assess whether it is possible and desirable to establish a marketplace for cloud services for use in the public sector in Norway. Such a marketplace could serve as a form of prequalification of service providers. In the UK G-cloud, companies can be accredited for managing data requiring a specific security level.18
Entering into common agreements on behalf of the public sector
The state could enter into agreements with suppliers of data centres/cloud services on behalf of the public sector. Such agreements could be put out to tender in the market and contain requirements that satisfied the needs of agencies with the most stringent security requirements for processing and storing information. This is also a form of contractual control, but the contract would be negotiated and monitored by central authorities rather than by individual organisations.
Designated data centres for government agencies or the public sector
Central government could establish one or multiple data centres that satisfied the most stringent security requirements, for use either by central government agencies or by the entire public sector.
Through various meetings and activities, the Norwegian Ministry of Local Government and Modernisation has mapped the need for control associated with cloud services and ICT operation in the public sector. This work involved examining the landscape for public data centres in Norway along with the futures plans and needs of public sector enterprises.19
Central government agencies and municipalities and county municipalities have been involved in this work. Through these activities, a no need was identified for central government to negotiate common operating agreements on data centres or to establish a common data centre specifically for central government agencies or public sector enterprises. These alternatives are therefore not discussed further in the strategy.
The investigations conducted by the Norwegian Ministry of Local Government and Modernisation clearly revealed that what public sector enterprises needed most was guidance from central government to ensure good procurement practices and that the contracts they enter into are balanced, and satisfy Norwegian regulations. The enterprises also indicated that procuring cloud services would be simpler and more secure if some form of prequalification, approval or accreditation of suppliers were in place.
The Government wants to set up mechanisms to help public sector enterprises make sure that they have the necessary control through sound procurement practices and contracts that satisfy government requirements, and through contract management. As a starting point, entering into contracts that satisfy the identified requirements, and ensuring proper contract management, ought to offer sufficient control to public sector enterprises not subject to the Security Act.
Contractual control
Contracts and agreements constitute the key mechanism for regulating the relationship between customer and supplier. In the consumer market, a long-standing challenge has been that end-user licence agreements are long and difficult to understand, and often set unreasonable terms. The consumer has no influence over the content of such agreements.
The situation in the corporate market is more nuanced. Although standard agreements are used there, too, since standardised services and purchasing processes help make cloud services affordable, the tendency has been towards more balanced agreements than in the consumer market. This is partly the result of increasingly stringent government requirements and more informed customers. The best for all parties would be to use standard agreements that also satisfy customers’ requirements. To realise this, it is vital that public authorities – preferably at European level – reach agreement on common requirements. Such requirements could either be cross-sectoral or sector-specific. Norway’s early adoption of technology in many areas puts us in a favourable position in terms of influencing suppliers who are keen to win reference customers in the public sector. At the same time, it is important that Norway also works actively with the EU on establishing common standards and requirements.
Cloud service procurements are poorly suited to standardised frameworks such as the Government Standard Terms and Conditions (SSA). It will therefore be important to establish checklists to enable public sector enterprises to ensure that their supplier’s standard agreements do not violate Norwegian regulations and that they cover the same areas as in the government standard terms and conditions. Developing such checklists will form part of the guidance work performed by the Agency for Public Management and eGovernment (Difi).
It is of course possible for public sector enterprises to use cloud computing even if they have specific requirements and need to negotiate specific terms and conditions. In such cases, the process of purchasing cloud services will be more like the traditional procurement process.
Regardless of whether a standard agreement is used or special terms are negotiated, it is important to make sure that mechanisms for contract management are in place. One such mechanism could be to have an independent third party perform audits to check that suppliers honour their contractual obligations. It is important to make sure that such third parties are fully independent of the supplier.
Guidance from the Agency for Public Management and eGovernment (Difi)
The Ministry of Local Government and Modernisation will charge Difi with the task of establishing a team of experts and an online resource where public sector enterprises can seek guidance on cloud computing. In the long term, the guidance would ideally be adapted to different target groups with similar requirements and needs and to sector-specific needs.
Such a resource must cover all the stages in the procurement process, and not only the legal issues associated with the procurement itself. Relevant issues and tasks could be:
- How to conduct the procurement process correctly when a cloud service is considered the best option.
- Risk assessments adapted to the complexity and needs of different types of enterprises, ideally with examples of best practice.
- Requirements for data processing agreements.
- Templates and guidelines for setting up a cost-benefit analysis for using cloud services.
- Best practice for chosen solutions, ideally with examples from different types of representative enterprises, such as primary and lower secondary schools, municipal administrations or general practitioner clinics.
- How to ensure contract management through, for example, supervision and independent third-party audits.
Difi’s service will be directed at public sector enterprises – including municipalities – but will also be relevant to suppliers to the public sector. However, there is a clear need for this type of resource in business and industry, particularly for small and medium-sized enterprises. Difi’s resources for the public sector could serve as a model for a similar service directed at business and industry; for example, under the auspices of one or multiple industry organisations.
Sectoral information value assessment
Public information can be divided into three categories:20
- information that should only be stored in Norway
- information that can be stored abroad but that can be returned to Norway if necessary, subject to specific conditions
- information that can be stored abroad without being subject to specific conditions
The individual sectors are best qualified to evaluate in which category their information belongs. Many sectors have already begun work on assessing their requirements for using cloud computing or on developing guidelines for their sectors. The Government will ask all sectoral authorities to prepare assessments of the information in their respective sectors and of how it can be processed using cloud computing.
The Personal Data Act will likely determine how some sectors categorise their information. Personal data will fall under category 2 or category 3, provided EU requirements for transfers of personal data abroad are satisfied. The Norwegian Data Protection Authority has prepared useful guides on the storage and processing of personal data in cloud computing. Other sectors may have to take into consideration sector-specific regulations, such as the Health Registries Act or the Regulation on Emergency Preparedness. These sectors must conduct their own analyses based on their particular information and needs. Such analyses must consider what circumstances might require information to be returned to Norway, how it could be regulated in contracts with suppliers, and how it would be achieved in practice.
Sensitive information is probably the most important type of information that will fall under category 1, though some sectors or enterprises may well consider other types of information to be so critical that storage in Norway is seen as the only option.
It is important that public sector enterprises seeking guidance have an authoritative resource where they can be sure that the information on data classification is up to date and correct, regardless of sector. Difi’s task will therefore also entail coordinating and harmonising the work of the respective sectors. This work should be conducted in close cooperation with the Norwegian National Security Authority.
Certification requirements
A wide range of certification schemes relevant to cloud services are available. Many suppliers also choose to follow requirements issued by the EU or individual countries. Some examples of such requirements are:
- international standards, such as ISO 27001
- requirements issued by national authorities, the EU’s model clauses or the EU–US Privacy Shield
- standards that are not international but that have been accepted as de facto standards in their respective areas, such as FedRAMP, SOC, UK G-Cloud and Singapore MTCS
- standards associated with specific sectors, such as HIPAA (health), FISC (finance) and PCI DSS (payment cards)
The leading cloud service providers, such as Google, Amazon and Microsoft, hold most of the certifications. Smaller providers often select certifications that are relevant to their specific sector or to the markets at which their services are targeted. Obtaining certifications in many areas – and maintaining them – is a costly process for small service providers. Universal agreement on a smaller set of standards that cover the main areas of cloud computing would be seen as beneficial.
We know that common EU requirements – such as for processing personal data or for security certification – often prompt cloud service providers to adapt their services and standard agreements to meet such requirements. This makes it easier for enterprises to assess the services available. The Government therefore wants to contribute to EU efforts to implement common criteria for cloud services at different levels.
Examples of standards and certifications
ISO 27001: | ISO 27001:2013 specifies requirements for information security management systems. This standard forms the basis for most certification schemes. |
ISO 27018: | ISO 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. |
SOC1, SOC2, SOC3: | Service Organization Control reports. Reports developed by the American Institute of Certified Public Accountants (AICPA). SOC1 reports on financial data. SOC2 reports on control mechanisms more specific to data storage and processing, such as security, accessibility, processing integrity, confidentiality and data protection. SOC3 covers the same elements as SOC2 but on a higher, less technical level. |
FedRAMP: | Federal Risk and Authorization Management Program. A standardised approach to verification of security, authorisation and monitoring for cloud services used by federal agencies in the United States. |
UK G-Cloud: | Enterprises seeking high-level security accreditation in the UK framework, G-Cloud, can apply for this. The National Technical Authority for Information Assurance (CESG) is the accrediting body. |
MTCS: | Multi-Tier Cloud Security. From Singapore. An open certification scheme for cloud service providers, based on ISO 27001. Three levels of security certification (Tiers 1 to 3) meet stringent information security requirements. Certification is performed by independent certifying bodies such as DNV-GL and the British Standards Institution (BSI). |
HIPAA: | Health Insurance Portability and Accountability Act. US law regulating the processing of patient information. An independent third party checks that the data processor complies with the law. |
FISC: | Center for Financial Industry Information Systems. From Japan. Security guidelines for financial information systems. |
PCI DSS: | Payment Card Industry Data Security Standard. Global certification standard for organisations processing payment card transactions. |
A marketplace for cloud services aimed at the public sector
The Government wants to see a form of prequalification and/or accreditation scheme established for cloud service providers. The Norwegian Ministry of Local Government and Modernisation will investigate potential models for a marketplace for cloud services aimed at the public sector and consider possible implementation in Norway. Such a marketplace would provide a measure that would make it easier for enterprises to assess cloud services as an alternative when procuring new ICT systems and may include mechanisms for self-declaration, prequalification and/or accreditation for different security levels. The investigation with be carried out in 2016.
Example: UK G-Cloud – Digital Marketplace
G-Cloud is a framework for procurement of cloud computing services aimed at the public sector in the UK. The framework opens for supplier applications at regular intervals (every 6 to 9 months).
Suppliers register details about their company, what services they provide, and price information on a dedicated website. The services must satisfy the NIST definition of cloud computing. Suppliers also register information about themselves and how their service is delivered, their approved security level, etc. Registration is largely based on self-declaration.
Public sector enterprises can use the Digital Marketplace to search for suppliers. They can request more information if, for example, they have special security requirements. They can also select suppliers directly without going through the traditional procurement process. The UK authorities regard the conditions for public procurements to be satisfied by announcing registration in the framework. The prices stated in the framework are transparent, so suppliers may amend their prices to become more competitive.
An important idea behind G-Cloud and Digital Marketplace is that it should be easier for small and medium-sized companies to compete for public-sector contracts.
Source: UK Cabinet Office – Government Digital Service.
Coordinating the establishment of new data centres
Agencies or sectors who define their information to fall under category 1 (information that should be only be stored in Norway) may well want to establish a dedicated data centre or possibly buy services from a (Norwegian) provider who can deliver high-security services.
In such cases, the Government wants to facilitate better utilisation of existing data centre resources in the public sector. Government agencies requiring high-security services must consider the possibility of utilising free capacity from – or cooperating with – other agencies with similar needs. This requires gaining an overview of the organisation and capacity of public data centres, first and foremost in central government agencies. Difi will have responsibility for implementing such a system.
Example: Skyscape
Actors in the UK market have set up a data centre that meets the needs of public agencies with particularly stringent security requirements. Skyscape is a provider of infrastructure services (IaaS) in the UK G-Cloud procurement framework. Skyscape consists of an alliance of different suppliers: the partly state-owned defence technology company QinetiQ, VMWare, Cisco, EMC and Ark Data Centres. The company's data centres and cloud services are accredited by the UK authorities for data classified up to OFFICIAL-SENSITIVE. Skyscape is also accredited by the Health and Social Care Information Centre (HSCIC) for supplying services to the National Health Service.
Skyscape is generally not used by public agencies with low security requirements. For example, the UK's HM Revenues & Customs (HMRC) has chosen Google Apps in a cloud solution for office support. Under the agreement, it is accepted that data can be stored in Google's data centres located outside the UK.
Sources: Skyscapecloud.com, digi.no, Financial Times
Systems that process classified and sensitive information, including electronic documents subject to the Protection Instruction, must in principle be located in Norway. Enterprises who are subject to the Security Act would have to make special assessments if they wanted to use services in the public cloud. In such cases they should consult the Norwegian National Security Authority.
Measure: Make it easier for public and private enterprises to consider cloud computing as an alternative when procuring new ICT services
The Government will:
- Establish resources to support agencies in assessing and procuring cloud services:
- In the short term, existing material will be collated and adapted to provide guidance on cloud service procurements.
- In the long term, a more comprehensive resource will be established to provide guidance on cloud service procurements in the public sector. Important areas where guidance is needed are: information value assessment, risk assessment, and information security. This work must be coordinated with the sectors' own assessments of information and development of guidance material.
- This resource will make recommendations for certifications or standards which cloud service providers targeting given sectors should satisfy. Each sector must determine which standards or certifications should apply in their area.
- It is natural for such a resource to be established under the auspices of the Agency for Public Management and eGovernment (Difi) and that the work be incorporated into the ICT procurement guidance service provided by Difi. The expert resource will initiate cooperation with relevant industry organisations so that they – should they so wish – can use Difi's resources to provide guidance to their members.
- Charge the Norwegian Ministry of Local Government and Modernisation with examining and assessing different models for a potential marketplace/procurement framework for cloud services aimed at the public sector.
- Facilitate better utilisation of existing public data centre resources for agencies with a need for such stringent controls that they are considering buying high-security services or establishing their own data centres in Norway. In such cases, agencies must assess the possibility of utilising free capacity from – or cooperating with –other agencies with similar needs. This requires gaining an overview of the organisation and capacity of existing data centres, first and foremost in the public sector. Difi will have responsibility for implementing such a system.