Lately there is a buzz about NZ government going into the public cloud space. NZ government is an example of an effort trying to emulate Estonia, one of the worlds leading fronts in employing the e-government strategy. Lets break down the terms.
Public cloud is denoted to be an infrastructure which is available to the public and not personal to a company alone. This does not mean public cloud is like a night market where anyone or everyone can administratively access it. It is about control and what you can “see” and “cant see”This is opposite to a private cloud or in-house equipment. Simple right? yes it is simple. I wont go into the nitty gritty of types of services. That is for another day.
So…. why is the government adamant in implementing a public cloud service. Well, it is the concept of privacy, management of data and location of the physical premise. The public cloud service too has to follow the NZISM model for security compliance. Forget about some of the US-based standards, where Amazon has done a great job in attaining certification. It is the unique nature of the set of security compliances that the public cloud service has to comply to.
To answer the problem, i did attend a meeting by CSA (Cloud Security Alliance) in Wellington. It was hosted by University of Waikato. They discussed about a project called Stratus. Stratus is a cloud security framework to provide tools for security measures and maintain the integrity of data on the cloud. For more on Stratus;
CSA has come up with unique compliance measures from the STAR (Security, Trust and Assurance Registry) to the CCM (Cloud Controls Matrix). These are in fact great measures to look at measures taken by providers to keep data safe. STAR is mainly an accreditation for cloud service providers. CCM on the other hand is an extensive matrix for auditing a cloud based system to maintain security standards.
One of the key concepts of public cloud is availability. For example, Amazon Web Services have co-locations in the same regional zone. This means that if one data centre goes down in one a-zone, there are 2 more centres in the same region to work with. This is great for the common person, but for government data; it might be a turn off. Replication of data is a sensitive thing. Why? The lack of control. This however depends on the level of secrecy of the document stored. If data stored on the public cloud is deemed to be publicly available, then putting it on a public cloud might be the cheapest and safest way to do it.
Physical security is a cloud providers responsibility, so the government has no authority in managing the physical security for the data they keep. There is a certain level of trust needed from the government to the cloud service provider making sure their data centres are safe and the staff in there are vetted. The only control they have is the service they have purchase and manage. I guess the major question here is; do i reduce operational expenditure by cutting staff needed to manage the data centre and move the money elsewhere for better use? Governments have a responsibility to the socio-economic status to provide more jobs. So there is a shared responsibility between Amazon and Government of NZ.
End of part 1.
*The document is a continuous input*