
GOVERNMENT ICT STANDARDS

Cloud Computing Standard ICTA-2.001:2016

First Edition 2016

The ICT Authority is a State Corporation under the State Corporations Act 446
www.icta.go.ke

©ICTA 2016 All rights reserved


CONTENTS

ICTA STANDARDS DESCRIPTION 4
DOCUMENT CONTROL 6
FOREWORD 7
INTRODUCTION 8
SCOPE 9
APPLICATION 9
NORMATIVE REFERENCES 9
DEFINITIONS 10
    Cloud computing 10
    Interoperability 10
    Privacy 10
    Software as a Service (SaaS) 10
    Platform as a Service (PaaS) 10
    Infrastructure as a Service (IaaS) 10
    Private Cloud 10
    Community Cloud 10
    Public Cloud 10
    Hybrid Cloud 10
ABBREVIATIONS 11
SUB DOMAINS 12
REQUIREMENTS 12
ANNEXES 13
    Annex A.1 Cloud Service Selection (PaaS, SaaS, IaaS) 13
    Annex 2: Cloud deployment model selection (public, private, hybrid, community cloud) 14
    Annex 3: Service level Agreement 15
APPENDICES 18
    APPENDIX I: Risk assessment checklist 18
    Appendix II: Checklist for cloud service selection 20
    APPENDIX III: Checklist for selecting cloud deployment model 21
    APPENDIX III: Checklist for SLA 22
    Appendix IV: Related Documents 26


ICTA STANDARDS DESCRIPTION

S/No, Thematic Area, Standard, Brief Description:

1. Infrastructure
   • ICTA-2.001:2016 Network Standard: Provides the compliance requirements for the design, installation and management of all categories of IT networks to be deployed in government.
   • ICTA-2.001:2016 Data Center Standard: Provides the compliance requirements for the design, installation and management of government data centers.
   • ICTA-2.001:2016 Cloud Computing Standard: Provides the compliance requirements for the design, installation and management of cloud computing infrastructures for government.
   • ICTA-2.001:2016 End-User Equipment Standards: Provides the minimum specifications for all computing devices being deployed in government.

2. Systems & Applications
   • ICTA-6.001:2016 Systems & Applications Standard: Provides the compliance requirements for the design, installation and management of all government software and application systems.

3. IT Security
   • ICTA-3.001:2016 Information Security Standard: Provides the compliance requirements for the design, installation and management of information technology security in government.

4. Electronic records management
   • ICTA-4.001:2016 Electronic Records and Data Management Standard: Provides the compliance requirements for the management of government electronic records and data.

5. IT Governance
   • ICTA-5.001:2016 IT Governance Standard: Provides the compliance requirements for IT governance in government. This includes compliance requirements for government IT service providers and professional staff.

6. ICT Human Capacity
   • ICTA-7.001:2016 ICT Human Capital and Workforce Development Standard: Provides the compliance requirements for the development of human capital capacity for the deployment and support of government ICT infrastructure and services.


REVISION OF ICT STANDARDS

In order to keep abreast of progress in industry, ICTA Standards shall be regularly reviewed. Suggestions for improvements to published standards, addressed to the Chief Executive Officer, ICT Authority, are welcome.

©ICT Authority 2016

Copyright. Users are reminded that by virtue of Section 25 of the Copyright Act, Cap. 12 of 2001 of the Laws of Kenya, copyright subsists in all ICTA Standards and except as provided under Section 26 of this Act, no standard produced by ICTA may be reproduced, stored in a retrieval system in any form or transmitted by any means without prior permission in writing from the Chief Executive Officer.

DOCUMENT CONTROL


Document Name: Cloud Computing Standard

Prepared by: ICTA Cloud Computing Standard Technical Committee

Edition: First Edition

Approved by: Board of Directors

Date Approved: 11th August 2016

Effective Date: 1st October 2016

Next Review Date: After 3 years


FOREWORD

The ICT Authority has an express mandate to, among others, set and enforce ICT standards and guidelines across all aspects of information and communication technology, including systems, infrastructure, processes, human resources and technology for the public service. The overall purpose of this specific mandate is to ensure a coherent and unified approach to the acquisition, deployment, management and operation of ICTs across the public service, including state agencies, in order to promote service integration, adaptability and cost savings through economies of scale in ICT investments.

In pursuit of this mandate, the Authority established a Standards Committee to identify the critical standards domain areas as well as oversee the standards development process. A total of nine standards falling under six different domain areas were identified by the committee to be relevant for government ICT standards. The development of all the identified standards was done through a process which took into consideration international requirements, government requirements, stakeholder participation as well as industry/sector best practices. In order to conform to the format of other existing national standards, the committee adopted the Kenya Bureau of Standards (KEBS) format and procedure for standards development. In addition, through Memoranda of Understanding, KEBS has made invaluable contributions to the development of ICT Authority standards.

The ICTA Cloud Computing Standard, which falls under the overall Government Enterprise Architecture (GEA), has therefore been prepared in accordance with KEBS standards development guidelines.

The Authority has the oversight role and responsibility for the management and enforcement of this standard. The review and approval of the standard is done by the ICTA Board upon recommendation of the Standards Review Board. The Authority shall carry out quarterly audits in all the Ministries, Counties, and Agencies (MCA) to determine their compliance with this Standard.

The Authority will issue a certificate of compliance to an agency upon completion of the audit assessment. For non-compliant agencies, a report detailing the extent of the deviation and the prevailing circumstances shall be tabled before the Standards Review Board, which will advise on the action to take.

All government agencies are required to ensure full compliance with this standard for effective and efficient service delivery to the citizen.

Kipronoh Ronoh P., Director, Programmes and Standards


INTRODUCTION

Cloud computing is a concept that refers to services, applications, and data storage delivered online through powerful file servers interconnected through the internet infrastructure. It allows consumers and businesses to use applications without installation and to access their data and information from any computer with internet access. This technology allows for much more efficient computing by centralizing data storage, processing and bandwidth. NIST specifies five characteristics of cloud computing:

a. On-demand self-service involves customers using a web site or similar control panel interface to provision computing resources such as additional computers, network bandwidth or user email accounts, without requiring human interaction between customers and the vendor.

b. Broad network access enables customers to access computing resources over networks such as the Internet from a broad range of computing devices such as laptops and smart-phones.

c. Resource pooling involves vendors using shared computing resources to provide cloud services to multiple customers. Virtualization and multi-tenancy mechanisms are typically used both to segregate and protect each customer and their data from other customers, and to make it appear to customers that they are the only user of a shared computer or software application.

d. Rapid elasticity enables the fast and automatic increase and decrease of the amount of available computer processing, storage and network bandwidth as required by customer demand.

e. Pay-per-use measured service involves customers only paying for the computing resources that they actually use, and being able to monitor their usage. This is analogous to household use of utilities such as electricity.

Cloud computing is a new concept in the market and its adoption has been slow but steady due to the slow pace of standardisation, security concerns, continuous evolution and compliance concerns. Despite these setbacks, cloud computing offers a number of benefits such as:

• Cloud computing solutions are scalable: agencies can purchase as much or as little resource as they need at any particular time. They pay for what they use.

• Agencies do not have to make large capital outlays on computing hardware, or pay for the upkeep of that hardware.

• Cloud computing provides economies of scale through all-of-government volume discounts. This is particularly beneficial for smaller ICT users.

• Agencies can easily access the latest versions of common software, which deliver improved and robust functionality and eliminate significant costs associated with version upgrades.

• If agencies are able to access the same programmes, and up-to-date versions of those programmes, this will improve resiliency and reduce productivity losses caused when applications are incompatible across agencies.

This ICTA standard outlines the various considerations for Ministries, counties and agencies in the selection of cloud computing services and models such as IaaS, SaaS, PaaS and public cloud, private cloud, community cloud and hybrid cloud.


SCOPE

This standard shall provide guidelines on the deployment and selection of cloud-based computing products and services. This standard guides the MCAs as consumers of cloud services from vendors.

APPLICATION

This standard shall be applicable to the following:

• Central Government of Kenya

• County Governments

• Constitutional Commissions

• State Corporations

NORMATIVE REFERENCES

The following standards contain provisions which, through reference in this text, constitute provisions of this standard. All standards are subject to revision and, since any reference to a standard is deemed to be a reference to the latest edition of that standard, parties to agreements based on this standard are encouraged to take steps to ensure the use of the most recent editions of the standards indicated below. Information on currently valid national and international standards can be obtained from the Kenya Bureau of Standards.

• IEEE P2301 & 2302 drafts

• ITU FG technical report on cloud

• NIST Special Publication 500-291 on cloud

• Virtualization Framework (OVF)

• Virtual Hard Disk (VHD)

• Cloud Data Management Interface (CDMI)

• SOAP and REST

• Amazon Web Services Identity Access Management (AWS IAM), OAuth, OpenID, WS-Security

• OASIS


DEFINITIONS

For the purposes of this ICTA Standard the following definitions, abbreviations and symbols apply:

Cloud computing: Cloud computing is a concept that refers to services, applications, and data storage delivered online through powerful file servers interconnected through the internet infrastructure.

Interoperability: Interoperability typically refers to the ability to easily move workloads and data from one cloud provider to another or between private and public clouds.

Privacy: Information privacy is the assured, proper, and consistent collection, processing, communication, use and disposition of personal information (PI) and personally identifiable information (PII) throughout its life cycle. (Source: adapted from OASIS)

Software as a Service (SaaS): The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. Popular SaaS offerings include e-mail and collaboration and customer relations management. (Source: NIST CC Definition)

Platform as a Service (PaaS): The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. (Source: NIST CC Definition)

Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls). (Source: NIST CC Definition)

Private Cloud: The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise. (Source: NIST CC Definition)

Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise. (Source: NIST CC Definition)

Public Cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. (Source: NIST CC Definition)

Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds). (Source: NIST CC Definition)


ABBREVIATIONS

IaaS - Infrastructure as a Service
PaaS - Platform as a Service
SaaS - Software as a Service
NIST - National Institute of Science and Technology
SLA - Service Level Agreement
PI - Personal Information
PII - Personally Identifiable Information
MCA - Ministry, County, Agency
TCO - Total Cost of Ownership
GoK - Government of Kenya
LAN - Local Area Network


SUB DOMAINS

The following are the sub domains covered:

§ Cloud service selection

§ Cloud deployment model selection

§ Service level agreements

REQUIREMENTS

This section provides the cloud standards needed to guide MCAs in selecting a cloud service and the model of deployment. All MCAs shall develop operational manuals to institutionalize this standard.

Sub domain, Description, Requirements:

Cloud service selection (PaaS, SaaS, IaaS): MCAs shall select a cloud service based on an objective business case. See Annex A.1.

Cloud deployment model selection (public, private, hybrid, community cloud): MCAs shall select a cloud deployment model based on an objective business case. See Annex A.2.

Service level agreements: MCAs shall have an SLA covering cost, liability, information security, interoperability and portability, availability, performance, sustainability, privacy, vendor lock-in and integration. See Annex A.3.


ANNEXES

Annex A.1 Cloud Service Selection (PaaS, SaaS, IaaS)

Subject and Requirements:

1. SaaS Business case

a. MCAs shall not pursue a SaaS solution for an application if it requires specialized technical knowledge to operate and support, or requires customization that a SaaS vendor cannot offer.

b. MCAs shall determine what reporting services the provider offers, and whether they are compatible with the business reporting requirements. Because SaaS involves giving up direct control of some MCA data, accurate and useful reporting is especially important.

c. MCAs shall consider the type and amount of data that will be transmitted to and from the application on a regular basis. Internet bandwidth pales in comparison to the gigabit Ethernet links commonly found in enterprise LANs, and data transmissions that take a few minutes to transfer between servers in the server room might take hours to transmit to and from a SaaS application located across the country. Because of this, MCAs shall consider a solution that takes network latency into consideration. An appliance-based solution, for example, might cache or batch.

d. MCAs shall ensure the cloud service is accessible to persons with disability.

e. Potential SaaS include:
   • Email
   • office productivity suite
   • collaboration including IP telephony
   • customer relationship management

2. PaaS Business case

a. MCAs shall consider platform as a service:
   - if they are carrying out collaborative software development projects that involve multiple agencies
   - if they are deploying applications that are to be shared by multiple users simultaneously

b. When evaluating and choosing a PaaS provider, MCAs shall consider whether the programming languages and server-side technologies offered by the provider match their needs.

c. MCAs shall ensure that providers meet the connectivity, storage and redundancy needs to ensure service availability.


3. IaaS Business case

a. MCAs shall consider acquiring infrastructure as a service if they want a cloud-based data center without having to install new equipment.

b. MCAs shall ensure that IaaS providers meet the commonly used standards for access. These include: Extensible Markup Language (XML), Representational State Transfer (REST), Simple Object Access Protocol (SOAP), and File Transfer Protocol (FTP).

c. MCAs shall consider the burden on ICT staff of monitoring and managing applications in a cloud provider's data centre in addition to those on the premises. This includes software patches, maintenance and upgrades.

d. MCAs shall ensure that providers meet the connectivity, storage and redundancy needs to ensure service availability.

e. MCAs shall take full advantage of pay-per-use pricing of the data center for IaaS.

f. MCAs are discouraged from investment in private IaaS.

Annex 2: Cloud deployment model selection (public, private, hybrid, community cloud)

Subject and Requirements:

1. Public Cloud Business Case

MCAs shall carry out a risk assessment based on Appendix 1 to determine the balance between cost and security of this model. This model has a variety of inherent security risks that need to be considered. It also has maximum potential cost efficiencies due to economies of scale.

2. Private Cloud Business Case

MCAs shall carry out a risk assessment based on Appendix 1 to determine the balance between cost and security of this model. This model has reduced potential cost efficiencies. However, it has reduced potential security concerns. It also enables easier contract negotiations between the provider and consumers.

3. Community Cloud Business Case

MCAs shall consider this model if there are other MCAs with similar security requirements and in need of processing and storing data of similar requirements. This model attempts to obtain most of the security benefits of a private cloud, and most of the economic benefits of a public cloud.


4. Hybrid Cloud Business case

MCAs shall establish a business case for this model. It involves a combination of cloud models. An example is using commodity resources from a public cloud, such as web servers to display non-sensitive data, which interact with sensitive data stored or processed in a private cloud.

Annex 3: Service Level Agreement

Subject and Requirements:

General requirements

a. The adoption of cloud services will require agencies to build new skills and capabilities into their workforce. In particular, agencies will require a high level of proficiency in procurement, contract negotiation and management, and supplier performance management to ensure value for money is realised.

b. MCAs shall look to first adopt cloud services for those areas where the market has already achieved an acceptable level of maturity. Mature areas typically have begun to extend their focus from delivering pure functionality to additional attributes like security, availability, performance and interoperability.

Liability

c. MCAs shall ensure SLAs cover issues such as ending the arrangement, dispute resolution, early warning of bankruptcy (or similar), compensation for data loss/misuse, change of control and assignment/novation, and change of terms at the discretion of the provider.

Information security

a. MCAs shall ensure that data is stored in agreed locations, and is retrievable inside agreed timeframes.

b. MCAs shall retain control over any data or information that is placed in a cloud service and ensure it is adequately protected from loss.

c. MCAs shall carry out a risk assessment to determine the information security viability of migrating to a cloud. The checklist in Appendix 1 shall serve as a guide.

d. MCAs shall ensure the provider is audited by a third party to determine their compliance with GoK information security standards.

e. Privacy of any data stored on a cloud computing service must be maintained in accordance with statutory/regulatory obligations.

f. The chosen solution should not require significant firewall rule changes. For example, port 80 and port 443 should be sufficient for the solution to function (these ports are usually open already).

g. MCAs shall ensure data is permanently deleted from a provider's storage media when migrating.

h. MCAs shall be aware of Kenya legislative and regulatory requirements when storing personal data (e.g. the Kenya Information Privacy laws and the Public laws).

i. MCAs shall ensure the location of the data is consistent with local legislation.

j. All stored and transmitted data must be encrypted.

k. Disaster Recovery expectations must be defined (e.g. worst case recovery commitment


Interoperability and portability

a. The following requirements should be carefully considered when identifying a suitable solution:
   • Active Directory integration
   • single sign-on

b. MCAs shall ensure that the cloud provider supports open standards that guarantee:
   - Workload migration: a workload that executes in one cloud provider can be uploaded to another cloud provider.
   - Data migration: data that resides in one cloud provider can be moved to another cloud provider.
   - User authentication: a user who has established an identity with a cloud provider can use the same identity with another cloud provider.
   - Workload management: custom tools developed for cloud workload management can be used to manage multiple cloud resources from different vendors.

c. MCAs shall ensure that the cloud deployment model supports common standards on:
   i. application interfaces;
   ii. portability interfaces;
   iii. management interfaces;
   iv. file formats; and operation conventions.

Availability: MCAs shall ensure there is an SLA with the cloud provider for 99.99% availability during work days and 99.9% for nights/weekends.
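Added example, not part of the standard: a Python check of a provider's monthly outage log against the two availability targets above. It assumes (the standard does not say) that work days are Monday to Friday, 08:00 to 17:00 local time, and it exposes a switch for whether scheduled outages count toward the guaranteed percentage, since the Appendix I checklist treats them as counting. The outage records are constructed sample data.

```python
from datetime import datetime, timedelta

# Targets taken from the Availability row of Annex 3 (ICTA-2.001:2016).
WORKDAY_TARGET = 0.9999    # 99.99% during work days
OFFHOURS_TARGET = 0.999    # 99.9% for nights/weekends

# Assumption (not in the standard): work days are Mon-Fri, 08:00-17:00 local time.
WORK_START_HOUR, WORK_END_HOUR = 8, 17


def is_work_minute(t):
    """True if the minute starting at t falls inside the assumed work-day window."""
    return t.weekday() < 5 and WORK_START_HOUR <= t.hour < WORK_END_HOUR


def split_minutes(start, end):
    """Count the minutes in [start, end) that fall in the work-day and off-hours windows."""
    work = off = 0
    t = start.replace(second=0, microsecond=0)
    while t < end:
        if is_work_minute(t):
            work += 1
        else:
            off += 1
        t += timedelta(minutes=1)
    return work, off


def availability(period_start, period_end, outages, count_scheduled=True):
    """Availability per window over the reporting period, plus the downtime budget.

    count_scheduled=True follows the Appendix I checklist item that scheduled
    outages affect the guaranteed percentage; pass False only if the signed SLA
    explicitly excludes maintenance windows.
    """
    total_work, total_off = split_minutes(period_start, period_end)
    down_work = down_off = 0
    for o in outages:
        if o["scheduled"] and not count_scheduled:
            continue
        # Clip each outage to the reporting period; skip ones entirely outside it.
        s, e = max(o["start"], period_start), min(o["end"], period_end)
        if s < e:
            w, f = split_minutes(s, e)
            down_work += w
            down_off += f
    return {
        "workday": 1 - down_work / total_work,
        "offhours": 1 - down_off / total_off,
        "workday_budget_min": total_work * (1 - WORKDAY_TARGET),
        "offhours_budget_min": total_off * (1 - OFFHOURS_TARGET),
    }


def check_sla(period_start, period_end, outages, count_scheduled=True):
    """Return the availability figures plus pass/fail against the two targets."""
    result = availability(period_start, period_end, outages, count_scheduled)
    result["workday_ok"] = result["workday"] >= WORKDAY_TARGET
    result["offhours_ok"] = result["offhours"] >= OFFHOURS_TARGET
    return result


# Constructed sample: October 2016 (the standard's effective month) with two outages.
PERIOD_START = datetime(2016, 10, 1)
PERIOD_END = datetime(2016, 11, 1)
SAMPLE_OUTAGES = [
    # 5-minute unplanned outage on a Tuesday morning: exceeds the ~1.1 min work-day budget.
    {"start": datetime(2016, 10, 11, 10, 0), "end": datetime(2016, 10, 11, 10, 5), "scheduled": False},
    # 20-minute maintenance window early on a Sunday: within the ~33 min off-hours budget.
    {"start": datetime(2016, 10, 16, 2, 0), "end": datetime(2016, 10, 16, 2, 20), "scheduled": True},
]

if __name__ == "__main__":
    for key, value in check_sla(PERIOD_START, PERIOD_END, SAMPLE_OUTAGES).items():
        print(f"{key}: {value}")
```

A useful side effect of the budget figures is that at 99.99% over a month of 21 work days, a single five-minute work-day outage already breaches the SLA, which is worth knowing before signing it.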

Performance: Service level agreements shall specify maximum service response times.

Cost: MCAs shall consider the total cost of ownership (TCO) of a cloud service, compared to that of an equivalent on-premise service.

Sustainability: For MCAs providing cloud services, the cost of deploying and maintaining cloud computing infrastructure is very high and therefore needs to be recovered. MCAs shall select a chargeback model that adequately fits the consumers' and Government's needs, i.e.:
   i. Pay-as-you-grow
   ii. Usage-based pricing
   iii. Elasticity model

Privacy: MCAs shall ensure the cloud provider adheres to regulatory law in relation to privacy and public record-keeping requirements. MCAs shall consider any legal obligations they have towards customers or other parties, and whether cloud will allow them to continue to meet them.


Vendor lock-in

a. MCAs shall ensure that the cloud solution supports:
   • quick entry
   • quick exit
   • low cost solutions.

b. MCAs shall have an exit strategy in case they intend to change providers.

c. MCAs shall not pursue a solution if:
   • the solution provider wants months of preparation to assess agency needs or conduct training
   • the solution involves an extended lock-in period for the agency
   • the solution involves substantial financial investment
   • The cost of the solution should be such that if the solution fails to satisfy agency requirements, it is considered low risk to terminate the service or try another service.

d. In addition, the costs should be simple and straightforward. A convoluted pricing model is uncommon for cloud services and should be carefully considered during evaluation.

Integration: MCAs shall ensure that migrating to cloud will meet any functional and data-integration requirements the organization has in place.


APPENDICES

APPENDIX I: Risk assessment checklist

• Data or functionality to be moved to the cloud is not business critical
• The provider is audited by a third party to determine its compliance with GoK information security standards
• I have reviewed the vendor’s business continuity and disaster recovery plan
• I maintain an up-to-date backup copy of my data
• Data or business functionality will be replicated with a second vendor
• The network connection between me and the vendor’s network is adequate
• The Service Level Agreement (SLA) guarantees adequate system availability
• Scheduled outages are acceptable both in duration and time of day
• Scheduled outages are counted against the guaranteed percentage of system availability
• I will receive adequate compensation for a breach of the SLA or contract
• Redundancy mechanisms and offsite backups prevent data corruption or loss
• If a file or other data is accidentally deleted, the vendor can quickly restore it
• I can increase my use of the vendor’s computing resources at short notice
• I can easily move my data to another vendor or in-house
• I can easily move standardised applications to another vendor or in-house
• My choice of cloud-sharing model aligns with my risk tolerance
• My data is not too sensitive to store or process in the cloud
• I can meet the legislative obligations to protect and manage my data
• I know and accept the privacy laws of the countries that have access to my data
• The vendor suitably sanitises storage media storing my data at its end of life
• The vendor securely monitors the computers that store or process my data
• I can use my existing tools to monitor my use of the vendor’s services
• I retain legal ownership of my data
• The vendor has a secure gateway environment
• The vendor’s gateway is certified by an authoritative third party
• The vendor provides a suitable email content filtering capability
• The vendor’s security posture is supported by policies and processes


• The vendor’s security posture is supported by direct technical controls
• I can audit the vendor’s security or access reputable third-party audit reports
• The vendor supports the identity and access management system that I use
• Users access and store sensitive data only via trusted operating environments
• The vendor uses endorsed physical security products and devices
• The vendor’s procurement process for software and hardware is trustworthy
• The vendor adequately separates me and my data from other customers
• Using the vendor’s cloud does not weaken my network security posture
• I have the option of using computers that are dedicated to my exclusive use
• When I delete my data, the storage media is sanitised before being reused
• The vendor does not know the password or key used to decrypt my data
• The vendor performs appropriate personnel vetting and employment checks
• Actions performed by the vendor’s employees are logged and reviewed
• Visitors to the vendor’s data centres are positively identified and escorted
• Vendor data centres have cable management practices to identify tampering
• Vendor security considerations apply equally to the vendor’s subcontractors
• The vendor is contactable and provides timely responses and support
• I have reviewed the vendor’s security incident response plan
• The vendor’s employees are trained to detect and handle security incidents
• The vendor will notify me of security incidents
• The vendor will assist me with security investigations and legal discovery
• I can access audit logs and other evidence to perform a forensic investigation
• I will receive adequate compensation for a security breach caused by the vendor
• Storage media storing sensitive data can be adequately sanitised


Appendix II: Checklist for cloud service selection

(Columns: Compliance | Yes | No | Comment)

SaaS
• Does the application require specialized technical knowledge, or customization that a SaaS vendor cannot offer?
• Does the application require large bandwidth on a regular basis?
• Is the SaaS cheaper than an on-premise application?
• Does the SaaS provider adhere to regulatory law in relation to privacy and public record-keeping requirements?
• Do the SaaS reports conform to MCA requirements?

PaaS
• Is the project a collaborative software development project that involves multiple agencies?
• Do the programming languages and server-side technologies offered by the provider match MCA needs?
• Is it less costly to run the applications in PaaS than on-premise?

IaaS
• Does the MCA have enough staff capacity to manage the IaaS?
• Does the provider meet the connectivity, storage and redundancy needs to ensure service availability?
• Is it cheaper to acquire IaaS or on-premise hosting?
• Does the provider meet the commonly used standards for access?
• Does the MCA have an exit strategy from the provider, to take their existing data out of the solution and move it to another one?
• Is the MCA capable of taking full advantage of pay-per-use pricing of the data centre for IaaS?


APPENDIX III Checklist for selecting cloud deployment model

(Columns: Compliance | Yes | No | Comment)

Public Cloud
• Has the MCA carried out a risk assessment based on Appendix 1 to determine the balance between cost and security of this model?

Private Cloud
• Has the MCA carried out a risk assessment based on Appendix 1 to determine the balance between cost and security of this model?

Community Cloud
• Does the MCA have other MCAs with similar security requirements and in need of processing and storing data of similar requirements?

Hybrid Cloud
• Is there a justifiable business case for this model?


APPENDIX III Checklist for SLA

(Columns: Subject | Requirement | Yes | No | Comments)

General requirements

The adoption of cloud services will require agencies to build new skills and capabilities into their workforce. In particular, agencies will require a high level of proficiency in procurement, contract negotiation and management, and supplier performance management to ensure value for money is realised.

MCAs shall look to first adopt cloud services for those areas where the market has already achieved an acceptable level of maturity. Mature areas typically have begun to extend their focus from delivering pure functionality to additional attributes like security, availability, performance and interoperability.

Liability: MCAs shall ensure SLAs cover issues such as ending the arrangement, dispute resolution, early warning of bankruptcy (or similar), compensation for data loss/misuse, change of control and assignment/novation, and change of terms at the discretion of the provider.


Information security

MCAs shall ensure that data is stored in agreed locations, and is retrievable inside agreed timeframes.

MCAs shall retain control over any data or information that is placed in a cloud service and ensure it is adequately protected from loss.

MCAs shall carry out a risk assessment to determine the information security viability of migrating to a cloud. The checklist in Appendix 1 shall serve as a guide.

MCAs shall ensure the provider is audited by a third party to determine its compliance with GoK information security standards.

Privacy of any data stored on a cloud computing service must be maintained in accordance with statutory/regulatory obligations.

The chosen solution should not require significant firewall rule changes. For example, port 80 and port 443 should be sufficient for the solution to function (these ports are usually open already).

MCAs shall ensure data is permanently deleted from a provider’s storage media when migrating.

MCAs shall be aware of Kenyan legislative and regulatory requirements when storing personal data (e.g. the Kenya Information Privacy laws and the Public laws).

MCAs shall ensure the location of the data is consistent with local legislation.

All stored and transmitted data must be encrypted.

Disaster Recovery expectations must be defined (e.g. worst-case recovery commitment).


Interoperability and portability

The following requirements should be carefully considered when identifying a suitable solution:
• Active Directory integration
• single sign-on

MCAs shall ensure that the cloud provider supports open standards that guarantee:
- Workload migration: a workload that executes in one cloud provider can be uploaded to another cloud provider
- Data migration: data that resides in one cloud provider can be moved to another cloud provider
- User authentication: a user who has established an identity with a cloud provider can use the same identity with another cloud provider
- Workload management: custom tools developed for cloud workload management can be used to manage multiple cloud resources from different vendors

MCAs shall ensure that the cloud deployment model supports common standards on:
i. application interfaces;
ii. portability interfaces;
iii. management interfaces;
iv. file formats; and
v. operation conventions.

Availability: MCAs shall ensure there is an SLA with the cloud provider guaranteeing 99.99% availability during working days and 99.9% during nights/weekends.
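The two-tier target above is easy to state but awkward to verify, because an outage that straddles the end of a working day has to be split between the tiers, and because 99.99% of a nine-hour working day leaves a downtime budget of roughly a minute per month. The following is an added example (not part of the ICTA standard) that measures achieved availability per tier from a list of outage intervals, so an MCA can tell whether the provider has breached the SLA before raising a compensation claim. The standard does not define the working-day window; the code assumes Monday to Friday, 08:00 to 17:00 local time, and the outage records are constructed sample data, not real incidents.

```python
"""Tiered SLA availability check (added example, not part of the ICTA standard).

Targets come from the Availability row of the SLA checklist: 99.99% on working
days and 99.9% for nights/weekends. The working-day window below is an
ASSUMPTION (hypothetical); the standard does not define it.
"""
from datetime import datetime, timedelta

WORKDAY_TARGET = 99.99   # % availability required during working days (SLA row)
OFFHOURS_TARGET = 99.9   # % availability required for nights/weekends (SLA row)
WORK_START_HOUR = 8      # assumed start of the working-day window (hypothetical)
WORK_END_HOUR = 17       # assumed end of the working-day window (hypothetical)


def is_working_minute(t):
    """True if the minute starting at t falls inside the working-day window."""
    return t.weekday() < 5 and WORK_START_HOUR <= t.hour < WORK_END_HOUR


def tier_minutes(start, end):
    """Split [start, end) into (working-day minutes, night/weekend minutes).

    Walks minute by minute so an outage that straddles 17:00 or a weekend
    boundary is apportioned to the correct tier.
    """
    work = off = 0
    t = start.replace(second=0, microsecond=0)
    while t < end:
        if is_working_minute(t):
            work += 1
        else:
            off += 1
        t += timedelta(minutes=1)
    return work, off


def downtime_budget(total_minutes, target_pct):
    """Minutes of downtime a tier may accumulate before its target is missed."""
    return total_minutes * (100.0 - target_pct) / 100.0


def availability_report(period_start, period_end, outages):
    """Achieved availability per tier over [period_start, period_end).

    outages is a list of (start, end) datetime pairs; each is clipped to the
    reporting period before it is counted.
    """
    total_work, total_off = tier_minutes(period_start, period_end)
    down_work = down_off = 0
    for s, e in outages:
        s, e = max(s, period_start), min(e, period_end)
        if s < e:
            w, o = tier_minutes(s, e)
            down_work += w
            down_off += o

    def tier(total, down, target):
        achieved = 100.0 * (total - down) / total if total else 100.0
        return {
            "minutes": total,
            "downtime_minutes": down,
            "budget_minutes": downtime_budget(total, target),
            "achieved_pct": round(achieved, 4),
            "target_pct": target,
            "met": achieved >= target,
        }

    return {
        "working_days": tier(total_work, down_work, WORKDAY_TARGET),
        "nights_weekends": tier(total_off, down_off, OFFHOURS_TARGET),
    }


def demo_report():
    """Constructed sample: June 2016 with three invented outages (not real incidents)."""
    period = (datetime(2016, 6, 1), datetime(2016, 7, 1))
    outages = [
        # Wednesday mid-morning, 3 minutes: entirely in the working-day tier
        (datetime(2016, 6, 8, 10, 0), datetime(2016, 6, 8, 10, 3)),
        # Monday 16:58-17:04, 6 minutes: 2 count as working day, 4 as night
        (datetime(2016, 6, 13, 16, 58), datetime(2016, 6, 13, 17, 4)),
        # Saturday early morning, 20 minutes: entirely nights/weekends
        (datetime(2016, 6, 11, 2, 0), datetime(2016, 6, 11, 2, 20)),
    ]
    return availability_report(*period, outages)


if __name__ == "__main__":
    for name, row in demo_report().items():
        print(f"{name}: {row}")
```

With the sample data the working-day tier sees 5 minutes of downtime against a budget of about 1.2 minutes (target missed), while the night/weekend tier sees 24 minutes against a budget of about 31 minutes (target met). The same numbers show why the working-day window must be pinned down in the contract: moving the window boundary by a few minutes changes which tier an outage lands in and can flip the result.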

Performance: Service level agreements shall specify maximum service response times.

Cost: MCAs shall consider the total cost of ownership (TCO) of a cloud service, compared to that of an equivalent on-premise service.

Sustainability: For MCAs providing cloud services, the cost of deploying and maintaining cloud computing infrastructure is very high and therefore needs to be recovered. MCAs shall select a chargeback model that adequately fits the consumers’ and Government’s needs, i.e.:

i. Pay-as-you-grow
ii. Usage-based pricing
iii. Elasticity model


Privacy: MCAs shall ensure the cloud providers adhere to regulatory law in relation to privacy and public record-keeping requirements. MCAs shall consider any legal obligations they have towards customers or other parties, and whether cloud will allow them to continue to meet them.

Vendor lock-in: MCAs shall ensure that the cloud solution supports
• quick entry
• quick exit
• low cost solutions.

MCAs shall have an exit strategy in case they intend to change providers.

MCAs shall not pursue a solution if:
• a solution provider wants months of preparation to assess agency needs or conduct training
• the solution involves an extended lock-in period for the agency
• the solution involves substantial financial investment
• The cost of the solution should be such that if the solution fails to satisfy agency requirements, it is considered low risk to terminate the service or try another service.

In addition, the costs should be simple and straightforward. A convoluted pricing model is uncommon for cloud services and should be carefully considered during evaluation.

Integration: MCAs shall ensure that migrating to cloud will meet any functional and data-integration requirements the organization has in place.


Appendix IV: Related Documents

Code Number: Title
ICTA.1.001:2016 Government Enterprise Architecture
ICTA.2.001:2016 Infrastructure Standard (Networks, Cloud, End user Computing Device, Data Centre)
ICTA.3.001:2016 Information Security Standard
ICTA.4.001:2016 Electronic Records and Data Management Standard
ICTA.5.001:2016 IT Governance Standard
ICTA.6.001:2016 Systems and Application Standard
ICTA.7.001:2016 ICT Human Capital and Work force Development Standard


ICT Authority

Telposta Towers, 12th Floor, Kenyatta Ave

P.O. Box 27150 - 00100 Nairobi, Kenya

t: + 254-020-2211960/62

Email: [email protected] or [email protected] or [email protected]

Visit: www.icta.go.ke

Become a fan: www.facebook.com/ICTAuthorityKE Follow us on twitter: @ICTAuthorityKE
