Around the world, organizations big and small are moving to the cloud to achieve more, faster. Cloud computing is no longer considered solely a transformative new generation of technology but a platform to enable ever greater efficiencies, deliver big data analytics, and empower the Internet of Things. As KPMG recently put it: “The question is no longer: ‘How do I move to the cloud?’ Instead, it’s ‘Now that I’m in the cloud, how do I make sure I’ve optimized my investment and risk exposure?’”
While the first wave of cloud adopters has largely been from the private sector, in recent years governments have increasingly and incrementally adopted a cloud-first approach – instructing their ministries, departments and agencies to choose cloud services whenever possible. Those countries have understood that cloud computing provides a secure, efficient and cost-effective alternative to traditional on-premises systems. In addition, they are recognizing the innovative potential that cloud computing brings, allowing them to work more closely with their citizens and deliver more intuitive e-government services.
However, the fundamentally different nature of cloud computing has meant that governments are uncertain about how to best adjust to and optimize for the distinct challenges and opportunities that cloud services introduce. Understanding how to make the right policy, operational, and procurement decisions can be difficult with any new technology, and doing so can seem especially daunting with cloud computing because it has the potential to alter the paradigm of how business is done.
To support governments as they think through their approaches to information and communication technology (ICT) policy and transition to cloud services, Microsoft has developed Transforming Government: A cloud policy framework for innovation, security, and resilience. This white paper is the first in our series of cloud security policy publications, advancing ideas and cloud security concepts about which later papers will provide more detail.
The paper presents and describes six policy principles, which seek to help government ICT decision-makers develop a framework for secure cloud computing adoption. The principles are designed to support governments as they develop cloud policies that strategically advance innovation, enable flexibility in cloud architecture choice, and demonstrate data awareness to ensure security of critical data. With the principles, we also seek to help governments evaluate risks, leverage global standards to manage those risks, and establish transparent processes for developing requirements and evaluating cloud service providers. Each principle is accompanied by what we perceive as a best practice implementation, often by governments around the world, which highlights how the principles can be practically realized.
Later papers will go into more detail on relevant international standards and best practices for data governance, mitigating cloud security risks, and structuring government policy decisions and responsibilities – building on the framework provided today and focusing on the questions that we frequently hear from government customers. Ultimately, this series of papers seeks to enable governments to take advantage of cloud computing, unlock innovation potential in their countries, and improve the security and resiliency of their services. We look forward to continuing to partner with governments as they achieve these and other ICT goals.