Proposals for refreshing the Cloud First policy and strengthening cloud adoption across the public service

1 This paper seeks agreement to a refreshed Cloud First Policy and agreement to carry out further work to increase public sector adoption of cloud computing.

2 Refreshing the Cloud First Policy (the Policy) will make it easier for agencies to deliver on Government priorities. The work is being progressed to ensure public service agencies can effectively utilise changes in technology to provide better public services, help meet emissions targets and better ensure Māori interests are reflected in their use of cloud technology. It supports the Strategy for a Digital Public Service and the Digital Strategy for Aotearoa.

3 Cloud computing enables new ways of working and can provide improved security, flexibility, resilience, insights and innovation. Cloud will be an important feature of any digital economy and with the arrival of billions of dollars of investment in onshore hyperscale[Footnote 1] cloud services, there will be opportunities and options not previously available in Aotearoa.

4 The 2012 Cloud First Policy is no longer in sync with either the advancements in technology or changes in societal and Government priorities. A refresh of the Policy is timely. The proposed refresh will provide greater clarity, guidance and support to agencies in their consideration of cloud and cloud adoption.

5 Four changes to the Policy are recommended: reflect societal shifts and commitment to Government priorities (for example, Te Tiriti o Waitangi (Te Tiriti) and sustainability); reflect evolving cloud technology by revoking the Infrastructure-as-a-Service (IaaS) Cabinet directive [CAB Min (12) 23/12 refers]; refresh considerations for security and jurisdictional risk; and strengthen the Government Chief Digital Officer’s (GCDO) mandate for cloud digital investment.

6 To enable system-wide transformation and tackling of deeper barriers to adoption of cloud by the public service, a second phase of work is recommended. This phase would seek to identify further Government interventions and potential investments that would enable optimisation of existing and planned new public sector transitions to cloud.

7 Cloud enables the delivery and management of technology solutions over the Internet. Cloud computing lets an agency access services, such as computing power, storage, and databases, on an as-needed basis from cloud providers rather than owning, buying, or maintaining physical data centres and servers. Compared to legacy and on-premise environments, cloud users can pursue outcomes with speed, insights, and flexibility. A more technical description of cloud, its service and deployment models can be found in Appendix A. In this paper, cloud refers to public cloud unless otherwise specified.

8 On 20 August 2012, Cabinet agreed that an all of government (AoG) ‘cloud first’ approach be taken for the government’s cloud adoption [CAB-MIN (12) 29/8A refers]. Further additions to the policy in 2013 and 2016 recognised that, to maximise the benefits of public cloud, consistent, secure adoption of cloud was needed [CAB Min (13) 20/13, CAB (13) 37/6B and CAB-16-MIN-0316 refers].

9 There are many potential benefits of a cloud first approach, including increased security and reduced risk, increased continuity, resilience and flexibility for agencies to scale and deliver services as needed, utilise new tools to gather insights and innovate, and ultimately, accelerate digital transformation of the public service. These advantages could be seen in agency responses to COVID-19. Further information on the benefits of cloud computing and New Zealand case studies can be found in Appendix B. Public service transition to cloud also provides an opportunity to support broader economic and sector development, through commercial scale, security, interoperability, workforce development and innovation.

10 The Policy requires agencies[Footnote 2] to:

11 Since the 2016 refresh, cloud technologies and service offerings have matured significantly. A growing New Zealand-based cloud infrastructure sector has developed (for example, Spark, Datacom, Kyndryl and Catalyst Cloud). More recently, three major global cloud providers (Microsoft, Amazon Web Services (AWS), and Google Cloud) and several other specialist hyperscale data centre providers have announced plans to create onshore cloud infrastructure. With billions of dollars of announced investments in the New Zealand cloud ecosystem, this new infrastructure will provide options and opportunities not previously available.

12 It is timely to adjust the Policy to align with societal and Government commitments (such as Te Tiriti and sustainability); make it fit for purpose in terms of security in an evolving digital environment, and support agencies to adopt cloud solutions to position the public service to deliver for communities now and in the future.

13 We recommend four changes to the Policy: reflect societal shifts and commitment to government priorities; reflect evolving cloud technology by revoking the IaaS Cabinet directive [CAB Min (12) 23/12 refers]; refresh considerations for security and jurisdictional risk; and strengthen the requirement for agencies to use cloud services under the GCDO’s mandate for cloud digital investment.

14 The Policy sets the direction for the public service but on its own, will not drive widespread cloud uptake. Despite several attempts to increase cloud adoption across the public service, cloud uptake across the public service remains uneven and lower than expected. For example, only 32.5 percent of public service systems[Footnote 3] are hosted in the cloud.

15 We are proposing to build upon the Policy to begin to address underlying issues contributing to inconsistent uptake of cloud technologies. These are varied, complex and interlinked, but broadly include:

16 We seek agreement to four proposals that will provide clarity to the Policy, support agency capability and capacity and lay the foundation for further work to support system-wide interventions and investment for transformation. The proposals are not intended to be additional barriers to cloud but provide guidance and support on how to approach issues agencies are facing or need to address.

17 A summary of proposed changes to the Policy and supporting arrangements are provided as Appendix C.

18 There is an opportunity to include Te Ao Māori perspectives in the Policy. The current Policy is silent on the Crown’s Te Tiriti obligations and questions around Māori data and Māori data sovereignty. Inclusion would acknowledge Te Tiriti and would represent a world first for incorporating indigenous considerations into national cloud policies. This has the potential to provide mutual benefits to both Iwi and Māori and the public service, including increased trust in public service agencies and their use of cloud, and appropriate protection of Māori data determined by tikanga and kawa (protocols).

19 Under DIA’s Mana Ōrite[Footnote 5] agreement, we directed officials from DIA to work in partnership with Statistics NZ and the Data Iwi Leaders Group (DILG) to consider Māori expectations and interests in the public service’s use of cloud. Representatives across Iwi and Māori, Crown agencies and cloud service providers held a series of wānanga to explore a range of issues related to Government use of cloud capabilities, including for Māori data stewarded by Public Service departments.

20 Informed by those discussions, and building on Te Mana Raraunga[Footnote 6] Māori Data Sovereignty Principles, the call for Tino Rangatiratanga, Wai262, and partnership with the DILG and Te Kāhui Raraunga[Footnote 7], the following principles for the Policy are proposed:

21 We seek agreement that agencies consider the above principles when making decisions about adopting cloud. Building and strengthening relationships between the public service and iwi/Māori will be critical to supporting agencies’ consideration of Māori expectations and interests as part of their cloud adoption.

22 Guidance to support the public service’s capability to consider these principles is in development and expected to be completed by March 2023. This guidance has been developed in partnership with DILG and the guidance is expected to align to and be informed by the Māori Data Governance Model in development between Stats NZ and DILG.

23 While defining Māori data and Māori data sovereignty is outside the scope of the Cloud First Policy[Footnote 8], Te Kāhui Raraunga’s definitions and perspectives, such as on jurisdictional risk in relation to Māori data sovereignty, including a preference for storing Māori data onshore where practicable, will be presented as part of the guidance.

24 The linkages and relationships between the role of the GCDO, the Government Chief Data Steward (GCDS), Iwi and Māori and cloud providers is evolving. Digital and data are deeply connected, and it will be critical to ensure consistency with Te Tiriti across both systems, including on issues such as jurisdictional risk.

25 In alignment with Government’s aim to transition New Zealand to net-zero emissions economy, we recommend Cabinet agree to include consideration of high-level sustainability principles in the refreshed Policy. If utilised well[Footnote 9], cloud offers the potential to contribute to achieving the carbon reduction aims of the Carbon Neutral Government Programme.

26 There is an opportunity to incorporate mātauranga taiao (environmental knowledge) into the Policy and support digital transformation in a way that promotes sustainability for future generations. To support this, we propose Cabinet direct officials from the Ministry for the Environment (MfE), Ministry of Business, Innovation and Employment (MBIE), and DIA to work with Iwi/Māori to develop high-level principles that would seek to encourage and support sustainable adoption and use of cloud.

27 Agencies have indicated their support to adopt cloud in sustainable ways but acknowledge the lack of guidance in this space. We propose to direct MBIE (Procurement System Lead) and DIA (Digital System Lead) officials to produce updated guidance in line with the high-level principles to support agencies to adopt cloud technologies in sustainable ways through their procurement activities.

28 In 2012, as part of accelerating the functional leadership for better public services, Cabinet directed agencies to use services from the IaaS panel agreement [CAB Min (12) 23/12 refers]. The intent was to encourage agencies to use common cross-government processes, tools or infrastructure and reduce investment in traditional in-house technology in favour of cloud. Much of the technology supplied through the IaaS panel agreements now conflicts with global definitions of public cloud and is creating confusion for agencies who are considering transitioning to cloud. We recommend Cabinet revoke the directive to encourage the public sector to refocus on the ‘cloud first’ objectives of the Policy.

29 Cloud services represent an opportunity to increase the digital capabilities of agencies. They can also reduce risk, increase resilience, and enable agencies to improve their security posture, for example through secure configuration, cloud monitoring and data protection. The policy refresh has identified three areas of cloud security that need to be addressed to allay concerns and support the secure uptake of cloud services. We are proposing to update how agencies manage jurisdictional risk, guidance for the cloud risk assessment process and how data centre certification is implemented.

30 Jurisdictional risk is the potential for foreign governments to compel access to, or interfere with, information stored in the cloud through their own legal frameworks. It is seen as a risk associated with the use of public cloud for hosting government data and may have contributed to the low speed of transition to cloud across government. It is important this risk is not overstated.

31 The level of jurisdictional risk can vary depending on:

32 Any jurisdictional risk needs to be considered alongside other risks and benefits relating to cloud. Using cloud services presents productivity, digital and service transformation, cost, and enables cyber security benefits.

33 DIA and Department of Prime Minister and Cabinet (DPMC) promulgated advice to government agencies on jurisdictional risk in 2017. Changes since 2017 have prompted us to review our position on jurisdictional risk, including major hyperscale providers building onshore capabilities in New Zealand, legal changes in some jurisdictions that New Zealand agencies use cloud services from, and a less benign geopolitical environment.

34 The updated advice on jurisdictional risk is the public service can continue to manage jurisdictional risks when using cloud services. Jurisdictional risk will very rarely be a conclusive reason to avoid cloud services.

35 We consider the main impact of jurisdictional risk relates to RESTRICTED information. Therefore, we are proposing to modify the Cloud First policy to include a policy preference that agencies use onshore cloud services for storing and creating RESTRICTED information as suitable onshore services become available. We note this policy change would require a consequential amendment to the Protective Security Requirements (PSR) policy managed by the NZSIS.

36 This new policy preference will set a clear expectation with agencies that, while they continue to use and adopt cloud services for RESTRICTED and below, over time RESTRICTED information should be hosted in a New Zealand based cloud service, where possible. With the arrival of onshore hyperscale data centres, the balance of benefits and risks for different information may change.

37 Continued change in technology and geopolitics means up-to-date guidance on jurisdictional risk will continue to be needed. Without this guidance, concerns about jurisdictional risk may slow down, or stop cloud uptake. Therefore, we seek direction for DIA supported by the National Cyber Policy Office (NCPO), National Cyber Security Centre (NCSC) and the Ministry of Foreign Affairs and Trade (MFAT) to provide public service agencies with updated jurisdictional risk advice by August 2023, and with new advice being issued as required by changes in the geopolitical or legal environment, and at least every five years after that.

38 To manage risks and make good, informed decisions, agencies need support and guidance when taking up cloud services. The NCSC updated its advice and security requirements for public cloud in the New Zealand Information Security Manual (the NZISM) in September 2022 with a dedicated chapter for public cloud specific guidance and controls. This chapter supports agencies to understand shared responsibility models, security governance, data protection and security monitoring efforts in cloud.

39 Under the Cloud First policy, agencies are required to complete a risk assessment. We propose DIA and NCSC produce updated guidance to replace the current Cloud Risk Assessment tool (also known as the ‘105 questions’) to make it easier for agencies to understand and treat cloud risks in a consistent manner, by March 2023. The current tool is complex and we need to make it easier for agencies to understand and address cloud considerations so they can confidently take up cloud services.

40 A centralised certification process for new hyperscale[Footnote 10] cloud data centres in New Zealand is under development. This new system will provide clarity on certification for hosting government data, with standardised requirements and an assessment tool to ensure consistency across providers. This process will help provide confidence in physical and personnel security posture, as well as mitigate against any ownership, control and supply chain risks.[Footnote 11] We note each agency will still be responsible for accreditation and management of residual and agency-specific risks.

41 Continuing with the current decentralised approach would mean each agency would be required to undertake their own certification process. Although not mandatory, we expect providers and agencies will support the process as centralised certification would enable streamlining of agency certification and accreditation processes, with reduced duplication of work. The costs of the centralised certification are expected to be met by providers (with the fee charged to providers based on the cost of the certification).

42 Legacy systems, in particular on-premise, can present multiple challenges, such as to security, continuity, resiliency and cost-effectiveness.[Footnote 12] Maintaining effective and secure on-premise systems is possible but requires active and skilled management. The on-going range of historical and bespoke applications in the public sector, including those critical for service delivery, presents risks that should be surfaced.

43 In line with the ‘cloud first’ default intent of the Policy, we propose an additional requirement that future investment in on-premise ICT infrastructure, whether new or from baseline, be on an exceptions basis. Investment in on-premise IT should be considered only when specified criteria[Footnote 13] are met or with the approval of the GCDO.

44 The proposed default position of cloud over on-premise investment signals the need to consider and plan for transition from these systems rather than continually invest further for potentially less functionality, higher costs and risks.

45 There will be cases where continued, or new investment in on-premise infrastructure will be appropriate.[Footnote 14] This proposed default position will support visibility of these issues and proactive consideration of whether there are other more appropriate cloud options.

46 In May 2022, Cabinet expanded GCDO’s mandate over digital investment. This mandate, among other things, supports and enables the GCDO to drive strategically aligned decisions within specified categories and thresholds, to direct agencies to follow system investment priorities or adoption of cross-government processes, tools or infrastructure [CAB-22-MIN-0200]. This extension of GCDO’s mandate to on-premise investment aligns with this direction, and the current mandate for agencies to have plans for the use of public cloud but provides more specificity as to the content of that plan. Therefore, we propose to extend GCDO’s investment mandate to manage the approval of non-cloud technology under the refreshed Cloud First policy.

47 The proposal is not intended to conflict with the requirements and accountabilities of Ministers and chief executives under the Public Finance Act 2020 (PFA). The GCDO will continue to operate within the context of the PFA while providing clearer direction and support to agencies to achieve the aims of the Policy.

48 Building on existing requirements, the proposed additions to the Policy will require agencies to:

49 The proposals above will provide greater clarity and focus on the policy, as well as provide the guidance and tools to move to cloud appropriately, securely and effectively. However, the Cloud First Policy has been in place for a decade and successive governments have not yet fully realised the benefits from cloud-based digital transformation of the public service. It is our opinion policy alone will not be sufficient to move the dial on cloud uptake.

50 To comprehensively realise the benefits of the Policy, consideration of other possible interventions and investment in cloud is needed. Possible areas of further work include consideration of centralised support (technical and financial) for prioritisation and sequencing of cloud transitions and interventions to support upskilling of the public sector in cloud technologies and operating models.

51 We are seeking Cabinet agreement for the Minister of the Digital Economy and Communications and the Minister Responsible for the Government Communications Security Bureau to carry out further work, informed by Phase One, to assess interventions and investment to address barriers to cloud adoption across the public service.

52 For proposals one to three, the GCDO will communicate the changes to agencies and suppliers, provide refreshed guidance and tools and support agencies on a case-by-case basis as they adopt cloud services.

53 For proposal four, the GCDO will communicate the new expectations regarding on-premise infrastructure investment for the next budget/financial year (2023/24). The GCDO will undertake a stocktake of current and proposed on-premise investment. This would build on information already known to the system, such as through the annual investment intentions survey, and seek additional information from agencies where there are gaps. GCDO will engage with agencies to understand where on the cloud adoption path they are, provide guidance to support planning/transition, and what future support may be required.

54 Subject to Cabinet approval, the Minister for the Digital Economy and Communications and the Minister Responsible for the Government Communications Security Bureau will instruct officials to begin work to develop additional interventions and possible investment to address barriers to cloud uptake. This will include working closely with stakeholders including central government agencies, DILG and other Iwi and Māori representatives and industry.

55 There are no immediate financial implications associated with this paper. The proposals (for example, guidance) outlined in the refreshed Policy will be managed out of baseline for each agency involved, except the centralised data centre certification process, which is expected to be implemented based on recovery of costs of certification from providers.

56 However, these proposals will require agencies to apply the Policy to their Digital and ICT strategies and there may be implications to delivery from within existing baselines.

57 A broad range of agencies have noted constraints of the current CAPEX IT investment model slowing transitions to the OPEX cloud consumption model. The cost of migrations, where legacy and cloud systems may need to operate in parallel for a period exerts pressure on baselines and decisions to adopt, or not adopt, cloud. The scarcity of cloud skills within the public and private sector can also impact on an agency’s ability to apply the Policy.

58 The consideration of the preference, over time, for RESTRICTED information to be hosted in New Zealand-based data centres where a suitable service exists, could have financial implications. Hyperscale cloud providers are not yet operating onshore and when services commence, it is likely to take time before a wide range of services are available. It may be onshore hosting of information will prove to be more costly than offshore services. However, by signalling this preference now, agencies will also have the opportunity to design their systems and contracts in anticipation of possible movement of data onshore.

59 There are no immediate financial implications associated with Phase Two. However, identifying broad outcomes and possible levers for change will outline whether investment is needed to address the challenges affecting public service adoption of cloud technologies. Transformational change is unlikely to occur without some additional investment, even if temporary and there may be financial impacts from the decisions made by agencies.

60 The paper makes assumptions about the availability of new funding in future Budgets. If assumed funding is not included in the Budget package, elements of Phase Two will need to be funded through reprioritisation of affected agencies’ existing baselines or reconsidered.

61 The proposals in this paper do not have any legislative implications.

62 A Regulatory Impact Analysis is not required for this paper.

63 The Climate Implications of Policy Assessment (CIPA) team has been consulted and confirms the CIPA requirements do not apply at this stage as the threshold for significance is not met. Any emissions impacts will be reassessed and disclosed to Cabinet following the outcome of the investigation.

64 The proposed Policy refresh, and phase two approach have no direct impacts on population groups. However, the benefits it confers to public services are expected to have positive flow on effects to any businesses and individuals who interact with those services. This covers a broad range of demographics but is likely to disproportionately affect Māori, Pacific, and other minority groups, especially individuals from lower socio-economic backgrounds through their interactions with various public services.

65 The benefits to population groups will likely compound over time as agencies learn to better utilise cloud to provide services more efficiently and take advantage of technology developments. More work would need to be done to properly establish the impacts on population groups.

66 There are no human rights implications resulting from the decisions in this Cabinet paper. Work undertaken as a result of decisions made will be designed to be consistent with the New Zealand Bill of Rights Act 1990, Human Rights Act 1993 and Privacy Act 2020.

67 The following agencies were consulted on this paper: Accident Compensation Corporation (ACC), DPMC, Inland Revenue (IR), Kāinga Ora, Land Information New Zealand (LINZ), MBIE, Ministry of Education (MoE), MfE, MFAT, Ministry of Justice (MOJ), Ministry for Primary Industry (MPI), Ministry of Social Development (MSD), New Zealand Customs Service (NZCS), New Zealand Defence Force (NZDF), New Zealand Police (NZP), New Zealand Transport Agency (NZTA), Oranga Tamariki, Parliamentary Service, Public Service Commission (PSC), Stats NZ, Te Arawhiti, Te Puni Kokiri (TPK), Te Whatu Ora (HNZ) and The Treasury.

68 The majority of agencies endorsed the general direction and support for public cloud adoption. There was strong interest and support for guidance in how agencies should approach Māori data, the improved cloud risk assessment guidance as well as the centralised data centre certification process. The proposed additional GCDO mandate was considered useful in providing a clear signal discouraging on-premise investment and the expected shift in mindset. As the position recognised there are unique needs of agencies that will allow for on-premise investment, no agency indicated concern the mandate will create substantial difficulties.

69 A public launch of the Cloud First Policy Refresh is planned for the second quarter of 2023. This would be an opportunity to refocus the public sector on cloud, engage with providers and the public on the benefits of cloud while also acknowledging potential concerns and tools for mitigation.

70 GCDO, with the support of relevant agencies, will host a public sector focussed event to lift understanding of cloud, the Policy, guidance and tools available. The refreshed policy will also be disseminated via other channels, such as digital.govt.nz and the Cloud Capabilities Network community of practice.

71 Communications will also aim to ensure the Policy remains distinct from other issues it may be linked or confused with, such as data sovereignty, Māori data sovereignty, digital identity, use of data for artificial intelligence or development of algorithms, and questions around the private sector’s, including large multinationals, use of data. Frequently asked questions will be prepared and shared with agencies to support engagement with the public and communities.

72 In accordance with Cabinet Office Circular CO (18) 4 – Proactive Release of Cabinet Material: Updated Requirements, we intend to proactively release this paper on the Department of Internal Affairs’ website, subject to any redactions that may be warranted under the Official Information Act 1982, within 30 business days of Cabinet decisions.

73 The Minister for the Digital Economy and Communications, and the Minister Responsible for the Government Communications Security Bureau recommend the Committee:

1 note agencies face several interdependent and complex challenges when considering cloud adoption;

2 note if the public service is not supported to invest in and adopt cloud services there is a risk the potential benefits of cloud computing will not be realised;

3 note the Cloud First Policy has become diluted in focus and policy does not reflect changes in technology, society or government priorities;

4 note the refresh of the Cloud First Policy represents a significant opportunity to include Te Ao Māori perspectives and would represent a world first for incorporating indigenous considerations into national cloud policies;

5 note if utilised well, cloud offers the potential to contribute to achieving the carbon reduction aims of the Carbon Neutral Government Programme;

6 note that the 2012 directive on the use of Infrastructure-as-a-Service is out of step with technological change and policy aims;

7 note addressing security, including jurisdictional risk concerns, actual and perceived, would support cloud adoption;

8 note legacy, on-premise infrastructure can pose challenges to management of security risks, transformation of service delivery and transition to cloud;

9 note that the proposals in the paper are not intended to conflict with the Public Finance Act 1989 requirements related to responsibilities and accountabilities of Ministers and chief executives;

10 reconfirm the existing Cloud First Policy, that directs agencies to:

11 agree that agencies consider accountability, ethics, transparency, and collaboration in relation to Māori data, when making decisions about adopting cloud services;

12 agree that agencies make adoption decisions which consider high-level sustainability principles in the public sector’s use of cloud;

13 agree to revoke the 2012 Infrastructure-as-a-Service directive to provide greater clarity to the Cloud First Policy;

14 agree that over time RESTRICTED information should be hosted in a New Zealand based data centre, where a suitable onshore service exists;

15 agree that agencies will not invest in on-premise ICT infrastructure unless specified criteria are met or approved by the Government Chief Digital Officer (GCDO);

16 note the Department of Internal Affairs, in partnership with Statistics NZ and the Data Iwi Leaders Group, is working on guidance to support the public service’s capability to give effect to Māori interests when making decisions about adopting cloud;

17 direct officials from the Ministry for the Environment, Ministry for Business, Innovation and Employment, and Department of Internal Affairs to work in association with Iwi and Māori to develop high level principles to encourage and support sustainable adoption and use of cloud technologies;

18 direct officials from the Ministry of Business, Innovation and Employment, and Department of Internal Affairs to produce updated guidance in line with the high-level principles to support agencies to adopt cloud technologies in sustainable ways through their procurement activities;

19 direct the GCDO, supported by the National Cyber Policy Office, National Cyber Security Centre and Ministry of Foreign Affairs and Trade to produce updated guidance to agencies on jurisdictional risk of cloud by August 2023, and thereafter as needed, and at least every five years;

20 note the creation of a centralised certification process for onshore hyperscale data centres to provide confidence to providers and agencies that the facilities have appropriate physical and personnel security, as well as ownership and contractual requirements to host RESTRICTED and below information;

21 note that the GCDO will undertake, with agencies, a stocktake of current and planned expenditure within specified criteria regarding on-premise infrastructure, provide regular reporting on progress and support agency transition to cloud;

22 note the challenges of limited capacity and capability, financial resourcing and system-wide prioritisation remain;

23 invite the Minister for the Digital Economy and Communications and the Minister Responsible for the Government Communications Security Bureau to carry out further work and report back to Cabinet by April 2024 with options to address these challenges;

24 note further detailed investigation will seek to address barriers raised by agencies and will include estimating different levels of intervention and investment required;

25 note that delivery of some elements of Phase Two of the Cloud First Policy will require funding through future Budgets for affected agencies, and if assumed funding is not included in future Budget packages, elements of Phase Two of the Cloud First Policy will need to be funded through reprioritisation of existing baselines or reconsidered; and

26 note officials will undertake targeted engagement with agencies and relevant groups such as the Data Iwi Leaders Group and other Iwi and Māori representatives and industry to inform the work referred to in recommendation 23.

27 note the GCDO will lead, supported by relevant agencies, engagement with the public sector and providers on the refreshed Cloud First Policy;

28 note communication of the refresh will include explaining the benefits of cloud, acknowledging potential concerns and highlighting tools for mitigation while drawing a distinction between the Policy and other issues outside the scope of the refresh.

1 The National Institute of Standards and Technology (NIST), United States Commerce Department, defines cloud computing (cloud) as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable Information Technology (IT) resources (for example, networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”.[Footnote 15]

2 NIST’s definition outlines the cloud model is composed of five characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service), three service models (Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) and four deployment models (public, private, community, and hybrid). The image below [replaced with text] depicts how cloud works and shows an example of a shared responsibility model:

How cloud works

Using secure firewalls, cloud enables the delivery and management of programmes and data systems over the internet to:

• corporations
• remote offices
• family-owned businesses
• mobile users.

Shared responsibility model

Users have the flexibility to choose which IT services they want managed in the cloud, based on their preferences. For example, the shared responsibility model looks different for:

• on premise — you manage all layers
• Infrastructure as a Service
• Platform as a Service
• Software as a Service.

3 IaaS is a capability provided to the consumer to provision processing, storage, networks, and other fundamental computing resources where the consumer can deploy and run software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (for example, host firewalls).

4 PaaS is a capability provided to the consumer to deploy onto the cloud infrastructure, applications (consumer-created or acquired) created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage. However, the consumer has control over the deployed applications and may control configuration settings for the application-hosting environment.

5 SaaS is a capability provided to the consumer to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various devices through either a web browser (for example, web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, except for limited user-specific application configuration settings. For example, Web-based email and Google Documents or Microsoft Office 365 are all SaaS.

6 The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

7 Public Cloud services are those offered widely through the Internet and available to anyone who wants to purchase them. Typically, these services are made available by large service providers who are offering IaaS, PaaS and SaaS products. Examples: Microsoft Azure / Microsoft 365, AWS, Google Cloud.

8 The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (for example, business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

9 Private Cloud services are only available to a specific/defined set of users who are on a private, internal network, or a network for their organisation run over the Internet using security controls to separate it from the public Internet environment.

10 The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (for example, mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

11 The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (for example, cloud bursting for load balancing between clouds).

12 Hybrid Cloud is not simply a mixture of public and private cloud resources to run your workloads, it is about providing a connected cloud experience. Many agencies often use hybrid cloud to build in resilience and Disaster Recovery capability, etcetera.

13 Multi-Cloud is the deliberate use of multiple cloud computing and storage services from multiple public cloud providers for the same general class of IT solutions or workloads (for example, AWS, Azure, GCP) in a single joined-up architecture. This also refers to the distribution of cloud infrastructure assets, software, applications, etc. across several cloud-hosting environments. It is much more common in infrastructure as a service (IaaS) and converged IaaS/platform as a service (PaaS) scenarios than SaaS.

1 Cloud does have a number of attributes that can make it less secure than more traditional approaches to IT. These include:

2 Cloud does have a number of attributes that can make it less secure than more traditional approaches to IT. These include:

3 Using cloud enables agencies to focus their limited security resources on security in the cloud. Cloud services, particularly cloud provided by large public cloud providers, also have a number of benefits that can offset the ‘less secure’ attributes. These are set out below.

4 Concentrating on securing a relatively small amount of different technology components means deeper, consistent security on narrow services, rather than thin security on a wide variety. It also means that expertise about these services can be built up and shared across agencies and projects as staff learn secure approaches and how to replicate them.

5 Keeping systems up to date is both one of the most critically recognised security controls, and widely accepted as difficult to do well in-house. Cloud services homogeneity, and asset management tools make it easier and faster to patch and update systems, and to have good visibility of current software versions being used.

6 Security services are built into the cloud platforms, not added later, and as such are easier to adapt and change over time.

7 Due to the investment being made in security, the focus, and the innovation being used in cloud services, cloud providers can make a compelling case for attracting candidates in the competitive cyber security market.

8 Cloud operators must comply with various regulatory frameworks and laws of countries they operate in. While this brings with it jurisdictional risk, there are also significant benefits to consumers from the investment cloud providers make to meet these standards. The consistent technology used to build a cloud provider’s platform ensures that some countries regulatory standards can be met for all customers (not limited sets) and also drives the regulatory bodies towards developing more consistent security standards.

9 Cloud platforms are highly visible and valuable targets that are constantly tested for vulnerabilities, leading to more refined defensive and detection capabilities rapidly evolving through their services. Threat actors and security teams are in a constant arms race, with the lowest cost (in terms of time and effort) systems typically being compromised first. Cloud providers implement tiered defence strategies across standardised services leading to a consistent security posture without weak points.

10 The claim that cloud is “more secure” can seem counter-intuitive. However, “more secure than what?” is a key part of assessing cloud security. Overall, the public service has a low cyber security maturity, many agencies have limited IT and cyber security resources, and are undergoing service and digital transformations.

11 When compared to the complexity, costs and expertise required to upgrade security in legacy IT environments, cloud enables agencies to leverage secure-by-design services to more easily improve their security posture, security architecture and detect and contain threats.

12 However, security of the cloud comes down to selecting a good cloud provider, and implementing and maintaining good security controls.

13 A selection of successful case studies are outlined below, demonstrating the public sector optimising the benefits of cloud. Cloud computing was found to be particularly important during COVID-19 lockdowns. One of the key digital capabilities that were observed in agencies better placed for remote working during COVID-19 lockdowns was a higher level of adoption of cloud services. It is critical that this momentum and key insights on agency resilience are not lost.

1 Subject to Cabinet agreement to the proposals outlined in the Cabinet paper, the following additions will be made to the existing Cloud First Policy.

2 The Policy will require public sector agencies to:

3 Under DIA’s Mana Ōrite agreement, officials from DIA and Stats NZ have worked in partnership with Te Kāhui Raraunga (representing the Data Iwi Leaders Group[Footnote 18]) on the development of guidance for agencies in their consideration of cloud.

4 The toolkit outlines steps agencies can take to build their capability to understand te ao Māori perspectives on cloud, to build their relationships with Iwi and Māori and consider how Māori interests are reflected in decisions related to cloud service adoption or use. It will be a living document that will evolve with the development of the Māori Data Governance model.

5 Subject to further development between agencies and Iwi and Māori, the expectation is the initial principles would be flexible to allow requirements to become more prescriptive as work in this area progresses. Methodologies to measure environmental impacts, critically for emissions, are essential for enabling organisations to understand and manage the environmental impact from cloud services and technologies. This is important for Carbon Neutral Government Programme participants, the industry, as well as the wider economy.

6 The IaaS panel agreements will expire in 2026 and 2027. It is recognised it will take several years for some agencies to fully transition to cloud services, and there will be some instances where IaaS services are still required beyond expiry of the current agreement.

7 A project to design a replacement for the IaaS panel agreements that has a more flexible set of arrangements as well as a common approach to support agencies using cloud services has been initiated. This project will provide a pathway to continue IaaS services beyond the current agreements and a managed transition to cloud services, thereby ensuring continuity and reliability in the service. Design of the new service will be completed by June 2023, with implementation to follow.

8 Officials advise replacing the IaaS agreements will not significantly impact agency ability to use cloud services. This is because agencies typically require a wider range of services than those available from the IaaS panel agreements and there are multiple all-of-government commercial options currently available to agencies for this.

9 Before agencies move to cloud, they must undertake a risk assessment. Guidance is provided in the Cloud Computing Information Security and Privacy Considerations (2014). Accompanying this document is a Cloud Risk Assessment (CRA) tool in the form of an excel spreadsheet covering the questions used as a prompt for gathering the information needed for agencies to assess their risk. Officials from DIA, in consultation with NCSC will produce an updated and streamlined Cloud Risk Discovery Tool to better support agencies.

10 In addition to security issues and the expected new jurisdictional risk preference, the new tool and accompanying guidance will also support agencies to understand and manage other considerations and risks, including:

11 Updated jurisdictional risk guidance for agencies will also be developed by DIA, supported by NCPO, NCSC and MFAT.

12 By March 2023, a finalised certification process, cost model, and standardised legal certification agreement are planned to be ready for implementation. Certification is expected to be funded by fees paid by providers (based on the cost of delivering certification) and could be scaled up in the event providers seek expansion. DIA, supported by subject matter experts from GCSB, NZSIS and OIO, will be the Certification Authority.

13 The design of the system has drawn on the Australian Hosting Certification Framework as well as insights from the UK Centre for the Protection of National Infrastructure. Engagement with key agencies (GCSB, NZSIS, DPMC, DIA, OIO, MBIE, NZDF) and providers was also undertaken.

14 The Government Chief Digital Officer’s (GCDO) mandate to collect information from all government departments on their digital investment was strengthened in March 2022 [GOV-22-MIN-002].

15 The establishment of the Digital Investment Office (DIO) will support the development of solid baseline data for monitoring and reporting, and ongoing work to form an evidence base for future system-wide prioritisation of investment.

16 A refresh of definitions has been completed as part of the redesign of the cloud guidance on Digital.govt.nz. These definitions are based on and reference the widely accepted National Institute of Standards and Technology (NIST), United States Commerce Department definitions.

17 Public sector capability and capacity to transition to cloud has been identified as a significant barrier. The CCN is a community of practice aimed at supporting and growing public sector cloud knowledge and capability. It is vendor agnostic and hosts case studies, training events and other information sharing events.