The government introduced a ‘Cloud First’ policy in 2013 for all technology decisions.
Default to Cloud
When procuring new or existing services, public sector organisations should default to Public Cloud first, using other solutions only where this is not possible. This approach is mandatory for central government, and strongly recommended to the wider public sector.
Organisations that do not deploy in Public Cloud should ensure they can evidence the decision, business case and value for money behind their choice. HM Treasury’s ‘Managing Public Money’ (annex 4.6) (PDF, 1,545 kb) defines ‘value for money’ as ‘securing the best mix of quality and effectiveness for the least outlay over the period of use of the goods or services bought’.
As part of the Spend Control process, CDDO helps organisations assure the mix of quality and effectiveness of hosting services across their whole life cost (this includes capital, maintenance, management, operating and exit costs). CDDO bases its assurance on a number of factors; read more in the guidance on how to assess a hosting business case.
Organisations should strive to automate the provisioning and management of as much of their infrastructure as possible, reducing manual processes and deploying technologies which can continually patch and improve. Organisations need to work with their Cloud vendors to manage the pipeline of updates and consequences of automation on their infrastructure.
Using Software as a Service (SaaS) should always be considered, particularly for enterprise IT and back office functions. It is important to understand how the SaaS is being provided, so that the business understands the security controls, the supply chain risks and any single points of failure (such as networking or access control) that come with it.
Public cloud first; services, not servers.
By Cloud First, we mean the Public Cloud. However, Public Cloud is not always achievable, so community, hybrid or private deployment models are acceptable in specific circumstances. Organisations are always encouraged to use a pattern for a solution in government where one already exists.
Solutions handling SECRET or TOP SECRET information are unlikely to be suitable for Public Cloud and you should seek specialist advice.
Organisations should use Cloud managed services, avoiding simply using the Cloud for infrastructure hosting. Solutions should use higher level Cloud services available from the vendor, taking full advantage of the 5 Cloud Essential Characteristics provided by NIST and security benefits from adopting a good Cloud service. As legacy workloads are migrated to Cloud, organisations should aim to modernise solutions by using Cloud services, rather than simply rehosting.
Organisations should architect their Cloud platform carefully to avoid single points of failure, both within and between their Cloud environments and on-premises.
Where bespoke development is necessary, organisations must still make use of Public Cloud hosting and automation. New offerings including containerisation and serverless should be used as they allow rapid development, reduce dependency on legacy skills and can maximise the Cloud Essential Characteristics for your solution.
Organisations should always challenge themselves on the selection of a specific vendor. We are keen to exercise the market, and Government wants to use a range of vendors. This allows risk to be spread and helps manage market dominance. Where incumbent vendors are used, organisations should be aware of, and actively manage, vendor lock-in.
Vendor selection should always leverage government frameworks and other procurement tools. You should always seek advice from your commercial function and Crown Commercial Service to ensure you gain the best value proposition from the procurements you make.
Additional guidance is available in the Cloud Guide for the Public Sector.
Government Cloud Principles
Public sector organisations should follow these Cloud Principles. These principles aim to strike a balance between delivering technology quickly, the cost and resource required to do so, and reducing risk.
- Services not servers: using higher-level Cloud services to quickly deliver business value through performant, resilient, secure and recoverable services.
- Public Cloud or SaaS first, but if not, using Private Cloud PaaS and IaaS offerings, always building as infrastructure-as-code.
- When you need to use Private Cloud rather than Public Cloud this must provision the 5 Essential Cloud Characteristics (on-demand, broad network access, resource pooling, rapid elasticity and measured service). You should also consider whether you will get the security benefits from adopting a good Cloud service.
- Where you have no choice but to host on-premises, use Crown Hosting, which represents the best option for government, allowing rapid contracting, reducing risk and effort.
- Enable teams to use Cloud services provided overseas or globally; perform due diligence using ICO guidance and NCSC guidance.
- Support code to be reused in the Cloud by aligning Cloud configuration, Landing Zones and hosting architectures across the public sector.
- Build to secure by design, in line with NCSC principles, always protecting your systems and services to agreed standards.
- Use best commercial practices by leveraging vendor relationships made by Crown Commercial through frameworks and MoUs, taking advantage of one-government collective buying power.
- Each time you build a new service or feature consider all the vendors: use the most appropriate vendor and Cloud services for the task, encouraging competition between vendors and investment in improving their products.