The last few months have seen a number of government information technology (IT) departments around the world move towards adopting cloud computing as one of the solutions deployed to delivered services to their citizens. Countries as diverse as Slovenia and Saudi Arabia are recognizing that cloud computing can ultimately mean more agile government services – with more predictable cost, reduced infrastructure overheads and increased efficiency and responsiveness. Government adoption of this technology, beyond the traditional first movers such as Estonia, represents a strong validation of how far cloud computing has come in the past few years.
However, moving important workloads to cloud requires more than just pressing a button. Governments have explored different approaches towards ensuring that the cloud services they use address their privacy, security, availability and other concerns. A particularly prescriptive approach was developed by the U.S. government, which with the Federal Risk and Authorization Management Program (FedRAMP) introduced a laundry list of requirements that need to be met before a particular cloud vendor can be engaged. Other governments have issued guidelines that leave more room for the vendors to determine how to a particular requirement should be met, recognizing the pace of innovation makes inflexible policy making impossible. One such example are the New Zealand’s Requirements for cloud computing and the associated Security and Privacy Considerations, which together represent a robust risk based approach towards adopting cloud computing.
To assists governments in understanding the principles of cloud security, Microsoft frequently responds to government consultations and works with others in the industry to drive awareness and understanding of how cloud services differ from on-premise computing. We also share information to help different agencies evaluate the ability of Microsoft’s cloud services to meet the requirements they put in place. To extend the example given above, we have recently published documents specifically aimed to address the New Zealand Security and Privacy Considerations for Microsoft Azure, Microsoft Office 365, Microsoft Dynamics CRM Online and Microsoft Intune which are available for download at the following links:
Moreover, we seek to drive best practices by consolidating different approaches we have seen and highlighting those that have been proven to drive best security outcomes. For instance, to support governments as they think through their approaches to information and communication technology (ICT) policy and transition to cloud services, Microsoft in 2015 developed Transforming Government: A cloud policy framework for innovation, security, and resilience, which I blogged about before. The paper presents and describes six policy principles, which seek to help government ICT decision-makers develop a framework for secure cloud computing adoption. The principles are designed to support governments as they develop cloud policies that strategically advance innovation, enable flexibility in cloud architecture choice, and demonstrate data awareness to ensure security of critical data. With the principles, we also seek to help governments evaluate risks, leverage global standards to manage those risks, and establish transparent processes for developing requirements and evaluating cloud service providers. Each principle is accompanied by what we perceive as a best practice implementation, often by governments around the world, which highlights how the principles can be practically realized. More detailed papers specific to cloud security will follow in the coming months.
Ultimately, we hope our work will enable governments to take advantage of cloud computing, unlock innovation potential in their countries, and improve the security and resiliency of their services. We look forward to continuing to partner with governments as they achieve these and other ICT goals.