Services must be hosted either on premises or through cloud computing. If your service is on premises, you must ensure that you are ‘cloud ready’. This will minimise disruption during any future changes in your hosting arrangements.
You should consider managed cloud hosting and cloud service solutions before on premises solutions. It is usually more cost effective for specialist suppliers to manage hosting and service components on your behalf. Properly implemented, cloud technology increases the value of IT spend, improves speed of delivery, increases security and creates opportunities for organisations to innovate and collaborate.
In assessing the suitability of public cloud computing for your service, you must consider the geographical location of the cloud computing provider’s infrastructure. Specifically, cloud-based services that handle personal data should be hosted in Cyprus or elsewhere in the European Union (EU), as they must comply with GDPR.
If there is a compelling reason for using cloud providers outside the EU for services that handle sensitive data, please discuss this with the Office of the Commissioner for Personal Data Protection. If your service does not handle personal data, you may also consider cloud hosting outside of the EU.
The majority of government software and services in Cyprus are hosted ‘on premises’. This means they run on computers and servers on the premises of the organisation using software, rather than at a remote facility such as a data centre, server farm or in the cloud. If your service manages data subject to special handling regulations – for example, data that is classified as top secret – on premises may be the only viable option. However this is not the case for the majority of services. Many government services, including those that handle citizens’ data, can benefit from being hosted in the cloud, particularly from the ability to scale on demand and the opportunity to only pay for what you use.
Where you are looking to replace legacy systems or build a new online service, you should consider whether migration to cloud computing would deliver better value for money.
When exploring hosting options for a service, you should consider the following:
- value for money
- scaling and flexibility
In regard to cloud hosting, you should leverage industry open standards and best practice in order to avoid technical lock-in and provide maximum flexibility for future cloud advancements.
Above all, your service and data must be secure. If you are considering cloud computing, you must ensure that you are able to configure, deploy and use cloud services securely.
Security principles for cloud computing
The following security principles should be applied when working with cloud computing:
- Data in transit protection
User data transiting networks should be adequately protected against tampering and eavesdropping.
- Asset protection and resilience
User data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure.
- Separation between users
A malicious or compromised user of the service should not be able to affect the service or data of another.
- Governance framework
The service provider should have a security governance framework that controls management of the service and the information inside it. Any technical controls deployed outside of this framework will be fundamentally undermined.
- Operational security
The service needs to be operated and managed securely in order to impede, detect or prevent attacks. Good operational security should not require complex, bureaucratic, time consuming or expensive processes.
- Personnel security
You need to be highly confident that any service provider personnel who have access to your data and systems are trustworthy. Thorough screening, supported by adequate training, reduces the likelihood of accidental or malicious compromise by service provider personnel.
- Secure development
Services should be designed and developed to identify and mitigate threats to their security. Those that aren’t may be vulnerable to security issues that could compromise your data, cause loss of service or enable other malicious activity.
- Supply chain security
The service provider should ensure that its supply chain satisfactorily supports all of the security principles that the service claims to implement.
- Secure user management
Your provider should make the tools available for you to securely manage using their service. Management interfaces and procedures are a vital part of the security barrier, preventing unauthorised access and alteration of your resources, applications and data.
- Identity and authentication
All access to service interfaces should be constrained to authenticated and authorised individuals.
- External interface protection
All external or less-trusted interfaces of the service should be identified and appropriately defended.
- Secure service administration
Systems used for administration of a cloud service will have highly privileged access to that service. Their compromise would have significant impact, including the means to bypass security controls and steal or manipulate large volumes of data.
- Audit information for users
You should be provided with the audit records needed to monitor access to your service and the data held within it. The type of audit information available to you will have a direct impact on your ability to detect and respond to inappropriate or malicious activity within reasonable timescales.
- Secure use of the service
The security of cloud services and the data held within them can be undermined if you use the service poorly. Consequently, you will have certain responsibilities when using the service in order for your data to be adequately protected.
Security certification for cloud computing providers in the EU
In assessing and working with cloud computing providers in the EU, you should ensure they comply with the security objectives and requirements set out by the European Cybersecurity Certification Scheme for Cloud Services.
Value for money
You must ensure that your hosting approach delivers value for money.
On premises storage will mean that you are responsible for the deployment, management, administration and ongoing costs of servers, energy consumption and space.
Cloud computing typically means that a service will only pay for what it uses, and will not directly pay for deployment, upkeep and associated personnel costs.
While an on premises approach has historically been considered more secure, current industry consensus is that individual organisations or departments cannot achieve the same economies of scale with regards to data security as cloud data centres.
Scaling and flexibility
You should ensure that any approach you take is sustainable.
In practice, this means accounting for your service’s ability to scale and change over time. The ability to scale and flexibility of cloud computing – particularly through Infrastructure as a Service (IaaS) offerings – are some of the most commonly cited benefits.
Understand the consequences for availability of your application when choosing between cloud and on premises and when choosing a cloud provider.
When you host your own infrastructure you are responsible for the end-to-end availability of that infrastructure from DNS routing through to CPU allocation. When you host an application on a managed cloud service these considerations are covered by SLAs (service level agreements) agreed with the provider.
In either case, set and understand SLAs for your service and make a plan to achieve them.
You must ensure that your services are able to perform reliably.
If your service is on premises, this means taking responsibility for the hardware, licences, integrations, power and any issues that arise.
With cloud computing, the onus is on the provider to guarantee and maintain performance.
In considering cloud computing, you must manage the risk of technical lock-in. This is where you become overly dependent on the products and services from particular providers; switching from one technology or provider to another becomes difficult, time consuming and disproportionately expensive.
Technical lock-in is generally caused by:
- other providers not offering equivalent services
- technical architecture that relies on doing things a certain way
- too much tight integration with provider-specific services or products
- a lack of technical architecture skills within your organisation
It’s impossible to avoid technical lock-in completely. Even the simplest service requires some technical integration with your existing architecture. But decisions you make early on that may make development easier can lead to a greater degree of lock-in than you’re comfortable with. To manage this risk, you should consider the following:
- robust procurement and competition for any cloud computing
- diversification of your cloud computing portfolio
- flexible technical architecture and solution design
- strong internal technical architecture capabilities