Estimates show that the global cloud computing market grew by 28 percent last year. Cloud is becoming an established technology for conducting and enabling business. Likewise, around the world, public sector cloud adoption is on the rise. The IDC predicts that public sector spending on cloud services will grow to $128 billion by 2018, more than doubling the amount spent in 2014. Governments are no longer determining if they’ll move to the cloud; they are focusing on when and how to integrate cloud services efficiently, effectively, and securely.
While cloud computing is undoubtedly a transformative technology, questions continue to arise about how to best embrace the power and agility of cloud services. Governments are working to determine what role they should play, how to best capitalize on cloud’s potential, and how to ensure that security and resilience requirements are met. Microsoft is committed to supporting governments on this journey and has developed Transforming Government: A cloud assurance program guide, which we are publishing today.
The guide has been designed to help governments as they develop and implement cloud assurance programs. Governments are no strangers to technology, and many have long-established information assurance and IT security programs. In fact, many established programs and practices can be re-used and adapted for a cloud environment. Governments also need to consider different aspects of the cloud experience, including efficiency, cost, and user experience, keeping in mind the all-important balance between security, performance, and innovation. Once there is alignment and a clear understanding of the intended outcomes, governments can begin to establish processes in support of them.
In three distinct phases, our cloud assurance program guide demonstrates the benefits that can be derived from adapting a holistic approach to IT risk management to this new technology revolution. In developing cloud assurance programs, governments may need to realign or create new authorities or processes to build trust between cloud service providers and government cloud users. From there, they should consider working in partnerships with cloud providers, the architects of cloud services, to evolve their risk management approaches in ways that are consistent with cloud operations.
A purposefully structured cloud assurance program—one with clearly outlined objectives tied to risk-based outcomes—can lay a foundation for government innovation. Cloud assurance programs are the portal to accessing a plethora of cloud services and apps with confidence in best-in-class security. However, unlike boxed-products programs (such as Common Criteria) in which certification can take years, the rate of cloud innovation means that cloud assurance programs must be calibrated to match the pace of technology upgrades while still meeting the established security bar.
A mature approach is marked by customer-defined security outcomes (what security objectives governments want to achieve) and CSP-determined security techniques (how to meet those outcomes). It reflects a progressive dialogue that requires collaboration across the cloud assurance stakeholder community. As governments work to continuously improve their cloud assurance programs to this desired end-state, this guide offers interim steps that governments can implement today.
Establishing a cloud assurance program is an investment – but one that pays significant dividends.