You must decide how much control and flexibility you want in hosting your service and then choose a supplier who meets your needs.
This guidance is about hosting for systems and information classified as ‘official’, which covers the vast majority of what government does.
If you’re building a service that involves information classified as ‘secret’ or above, ask your departmental security officer for guidance.
Consider public cloud hosting first
You must consider and fully evaluate public cloud solutions before considering other options in line with the government’s Cloud First policy.
The Government Digital Service (GDS) will review your choice when assessing your spend controls application, if your service needs to get spend controls approval.
If you believe you can’t use cloud hosting
If you believe you can’t use cloud hosting, you should contact the Standards Assurance team at GDS as soon as possible. Email email@example.com.
You’ll have to explain why you can’t use cloud hosting and how your alternative will provide value for money. You should consider the operational costs for the expected lifetime of your service and the value of flexibility.
Planning your hosting strategy
You should think about hosting as early as possible when designing the architecture of your service. You may need to design your service in a different way based on the hosting options you choose.
Set up a team
Start by choosing some people from your team to:
- assess different hosting options
- make a shortlist of suppliers
- interview suppliers about their services
- make a final decision on which supplier to use
You must make sure the people you choose:
- have a technical understanding of hosting and your software
- know the hosting options that are available
- know the range of prices you can afford
Choosing a hosting option
Hosting can be a significant investment for your organisation. Use the choosing technology guide to help you choose a hosting option. You should choose an option that allows you to adapt your hosting if you want to.
You should consider these options:
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)
Software as a Service
As you develop your understanding of the components of your service, you should consider where SaaS can provide some of the functionality.
If you have SaaS components, you won’t need to consider hosting directly, but you should evaluate those components using the Cloud Security Principles.
Make sure that you have the connectivity to the component and make backups so that you keep control of your data.
Platform as a Service
PaaS allows you to rent storage space but also offers a layer on top, which might include:
- operating systems
- logging infrastructure or other features
Most PaaS suppliers will expect your architecture to meet their specific requirements. For example, they offer limited flexibility for software environments, languages or interfaces, so check the details before you sign an agreement.
You may be able to deploy your service on GOV.UK Platform as a Service (GOV.UK PaaS).
To be hosted by GOV.UK PaaS, your application must:
- meet the 12-factor application principles
Infrastructure as a Service
IaaS is a system where you can quickly add or remove capacity and the supplier only bills you for what you use.
You’ll need someone in your team with the technical infrastructure skills and time to manage it.
If you’re unsure whether your team could handle IaaS hosting, consider PaaS instead - it’ll allow your team to focus time and effort on the tasks best suited to their skills.
If you can’t use a cloud provider, for example because of contractual or complex technical restraints, consider using Crown Hosting.
You must migrate to public cloud as soon as possible if you use Crown hosting.
You must never build your own data centre.
If you believe you have a legitimate need to build your own data centre, you should contact GDS to seek advice from the Government Chief Technology Officer (GCTO).
Choosing a supplier
When looking for a supplier, you should try to find options that offer value for money and avoid long contracts with a single company.
Use the Digital Marketplace
You should use the Digital Marketplace to search for and evaluate suppliers and award them contracts.
Contact the Digital Marketplace team if you have any questions - email firstname.lastname@example.org.
If you can’t find a supplier on the Digital Marketplace
If you can’t find a suitable supplier for your service on the Digital Marketplace, you can use other routes. Contact Crown Commercial Service if you have any questions about procurement.
When you apply for spend controls approval, you’ll have to explain your choice of hosting supplier. You need to show you’ve looked on the Digital Marketplace before deciding to use another route.
Evaluating a supplier
As well as making sure a supplier offers the type of hosting you need for your service, you should also consider:
- what you’ll need the hosting service to do in the future
- the level of user support the supplier provides, like Service Level Agreements (SLAs)
- reliance and back-up measures, known as ‘redundancy’
- government information security requirements, including the Cloud Security Principles
- whether you need Public Services compliance
Choosing a way to pay
Different suppliers also allow you to pay in different ways.
As well as the overall cost of the hosting service itself, find out if the supplier offers flexible or on-demand billing.
This can save you money if you don’t need hosting resources 24 hours a day.
Moving to a new supplier
If you’re moving from one supplier to another, you should consider the full cost of the migration.
Be wary of choosing supplier-specific tools or features that could make switching suppliers difficult.
If you don’t think you or your team has the knowledge to choose a hosting supplier, talk to a third party that you trust, for example a technical architect in another government department.
You can find technical architects by joining the technical architecture community.
Updated to reflect the fact that GOV.UK PaaS is no longer in private beta
Guidance first published