© Crown copyright 2021
This publication is available at https://www.gov.uk/government/publications/cloud-guide-for-the-public-sector/cloud-guide-for-the-public-sector
Properly implemented cloud technology can improve speed of delivery, increase security and create opportunities for organisations to innovate. Government organisations and functions need to work together more effectively across functions to take full advantage of these benefits.
As the heads of the commercial and digital functions, our responsibility is to help our respective functions to work well together and with other government stakeholders. We want to make sure we can get the best value from the public purse while still building the best digital services for citizens.
We have held workshops of senior commercial and technical experts from across government. We have discussed how they use cloud, the challenges they face and the help they need as they develop their cloud strategies in future. The ask from organisations is clear; they want us to work together, and with them, to help them to make informed decisions about their cloud strategy. They also want us to give them independent advice on how they should create and implement their roadmaps.
This has led to a number of cross-government and cross-functional working groups being set up to focus on the most important issues facing organisations today.
This cloud guide, also known as ‘The One Government Cloud Strategy’ (OGCS), includes lock-in, commercial, technical, security, operations, people and related issues. It aims to support the government by providing an effective way to gain benefits from using the cloud and other hosting solutions.
From those working groups and our user research, we have published a range of guidance encouraging government organisations to adopt a more cross-functional approach to their cloud strategies. With this collection, we aim to bring all of that guidance together into one place, including security, commercial, digital, technology, skills and culture considerations from across government and the wider public sector.
We recognise that one size does not fit all when it comes to the use of public cloud, as many of the organisations we have spoken to have taken valid, and sometimes opposing, strategic decisions. This is often because either cloud technology is so versatile that the same outcome can be achieved in different ways, or because organisations have made decisions based on their unique maturity or capability.
By using this guide, we hope you will understand why working cross-functionally is so important as part of a modern technology strategy and we hope that you will use the guide as you deliver cloud services in your organisation.
Alison Pritchard, Director General, Government Digital Service
Gareth Rhys Williams, Government Chief Commercial Officer
Purpose of this guide
This guide, also known as the One Government Cloud Strategy (OGCS), is for government workers responsible for:
- deciding and setting cloud strategy
- implementing migrations to cloud
- managing cloud usage
This guide covers how to:
- enable cross-functional collaboration throughout the cloud lifecycle
- realise best practice cloud service usage
- maximise commercial, technical, security, and people capabilities
The Cloud First Policy
When procuring new or existing services, public sector organisations should consider and fully evaluate potential cloud solutions first before considering any other option. The policy was reassessed in 2019 and remains a flagship technology policy.
Read more about the Cloud First policy.
Government organisations that combine functional capability can get more from the cloud, while maintaining value for money and a high standard of delivery. For example, a joint technical and commercial approach to cost optimisation reduced a Home Office portfolio’s cloud spend by 40%.
Any cloud strategy will need expertise from a number of functions to deliver it effectively. There are four functions essential for a successful cloud strategy:
- digital and technology - responsible for building and managing cloud estates and providing advice to produce the best technical solutions
- commercial - responsible for the planning and negotiation of contracts with cloud service providers and managing the continuing relationship
- security - responsible for reliable continuity of quality services by making sure processes and controls are in place to protect systems, networks and data from deliberate exploitation
- human resources - responsible for recruiting, re-skilling, developing, deploying and retaining people
Longer term, your organisation might want to consider creating a central multi-disciplinary and cross-functional team to help improve cloud delivery. This team would facilitate, support and advise on best cloud practices for your organisation and act as a central point of contact for cloud service providers.
Choosing a hosting strategy
You’ll need to consider which cloud services are the most appropriate for your organisation. Base your decisions on your organisation’s requirements, its level of cloud capability and the implications of your choice. It is important that you know how to choose between a single, hybrid or multi-cloud solution and when you need to consider cloud concentration risk.
Read more about creating and implementing a cloud hosting strategy.
Assessing the commercial case
Cloud services procurement and implementation typically follow the programme business case approval process, alongside and within each organisation’s own spend controls and governance.
You should follow Crown Commercial Service's contract management standards to make sure you:
- agree contracts of appropriate length
- retain ownership of intellectual property of your products and services
- retain access to any data held by third parties
Buying frameworks from the Digital Marketplace or G-Cloud can make this easier.
Read more about how to assess the commercial case.
Using Memorandums of Understanding
Crown Commercial Service is implementing a common cloud procurement process with multiple cloud service providers, as part of the One Government Cloud Strategy (OGCS).
The benefits to government organisations include baseline commercial, technical, security and legal principles across government with each cloud service provider.
The Memorandums of Understanding (MoUs) use the combined purchasing power of the government to achieve better commercial results, such as agreeing greater discounts for smaller departments and reducing negotiation time for government and providers.
Read more about the MoU programme.
Balancing technical lock-in
While there is more flexibility available in the cloud, there is a risk you can become dependent on the products and services from particular providers. This is called lock-in, where switching from one technology or provider to another is difficult, time consuming and disproportionately expensive.
Read more about how your organisation can balance the benefits and risks of cloud lock-in.
When using the cloud, your bills will change according to your usage. To realise the full financial benefits of using the cloud, you need to:
- be flexible in how you budget for cloud services
- put in place systems and processes to monitor your spending
- design your applications to take advantage of the cloud cost model
Read more about how you can manage your spending in the cloud.
Offshoring and data residency
Offshoring is where any part of the service you are receiving, relating to data you are storing, is conducted outside of the UK. This includes where data and services are physically located, who manages the services, and who has access to the data. It also includes when your data resides in the UK but might be accessed by provider personnel based in other countries.
There is no government policy which directly prevents departments or services from storing cloud-based data in any specific country. However, you need to consider the implications of where you host your data. It is the responsibility of each government department to take risk-based decisions about their use of cloud providers for the storage of government data.
When making this decision, you should consider the:
- ICO guidance on adequacy
- ICO guidance on data protection and the international transfer of data
- European Commission guidance on the adequacy of the protection of personal data in non-EU countries
- NCSC cloud principles
More guidance on offshoring and data residency will be available soon.
Cloud services can have native security advantages over local or on-premises technology. While organisations can have less visibility of the underlying infrastructure and operations, cloud providers can use economies of scale to provide a level of security that would be economically or operationally infeasible for many organisations.
You must understand your organisation’s security needs to determine your level of confidence that a cloud service is secure enough to handle your data.
The National Cyber Security Centre (NCSC) has written a blog about how they chose their cloud provider, including what questions to ask when considering cloud security.
Read more in the NCSC’s guidance on:
Technology moves quickly, so despite the fact that many business requirements remain the same, the original technology might now be obsolete. Legacy technology can refer to your organisation’s IT infrastructure and systems, hardware and applications, and related business processes.
Although there is not one single solution, GDS has provided user researched technical guidance on managing legacy technology. You should use this guidance to help make decisions on how and when to move away from legacy technology.
People and skills
When creating a cloud strategy, you should consider that adopting the cloud can mean significant changes in culture for commercial, financial and technical staff. Engaging with the workforce is critical, as the Office for National Statistics showed when they started their journey to the cloud.
Read more about the technical skills you might need in the DDAT framework.
Case studies and blog posts
A collection of examples of how the public sector is using the cloud.
- How the Home Office’s Immigration Technology department reduced its cloud costs by 40%
- How Network Rail implemented its hybrid cloud strategy
- How the Welsh Government migrated their technology to the cloud
- How the Office for National Statistics changed workplace culture to get the best out of cloud
- Introducing the GOV.UK cloud guide
- Introducing our cloud lock-in guidance and case study
- NCSC explores potential security opportunities that can come with using the GDS cloud lock-in guidance
- Join us for a workshop introducing our guidance on managing costs in the cloud
- NCSC IT: There’s confidence and then there’s SaaS
If you’d like to give feedback about the guidance, please email us at email@example.com.