2 What is cloud computing?
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
The buying of services from external providers is not something new. The risk involved in using cloud services is essentially the same as that for traditional outsourcing of ICT operating services, where risk and vulnerability are associated with the choice of provider, location, communication channels and architecture.2
The Government has chosen to use the NIST (National Institute of Standards and Technology) definition of cloud computing.3
NIST defines the following characteristics of cloud computing:
- On demand self-service
A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
- Broad network access
Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
- Resource pooling
The provider’s computing resources are pooled to serve multiple consumers, dynamically assigning physical and virtual resources according to consumer demand.
- Rapid elasticity
Capabilities can be elastically provisioned and released according to demand. They appear to be unlimited and can be appropriated in any quantity at any time.
- Measured service
Resource usage is monitored, controlled and reported, providing transparency for both the customer and the service provider.
Three service models
Four deployment models
Broad network access
Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Different service models are available in the cloud, depending on enterprise needs. Software or applications that are running on the provider's cloud infrastructure are known as Software as a Service (SaaS). Using software hosted in the cloud means that customers are spared having to buy, install, update and maintain software locally. Instead, users can run applications through their web browser or another thin client. Examples of SaaS are desktop applications such as word processing and spreadsheets, accounting and CRM systems.
Platform as a Service (PaaS) offers everything needed to support creating and deploying digital services, such as programming languages, libraries and tools supported by the provider. A platform can be a database or an entire development or test environment.
Infrastructure as a Service (IaaS) provides all the data resources customers normally need in their own data centre or server room: storage, networks and other fundamental computing resources. Although buying SaaS and PaaS is gradually becoming widespread, buying storage and processing capacity is still more commonplace.
Example: UNINETT – a cloud broker for the higher education sector
UNINETT is owned by the Norwegian Ministry of Education and Research, and provides internet access and online services to the higher education sector in Norway. In 2016 the ministry has commissioned UNINETT to establish a community cloud for Norwegian universities and university colleges. UNINETT will therefore serve as a cloud service broker for the entire higher education sector and provide secure cloud services, including adapted commercial cloud services.
UNINETT has already established a community cloud (UH-sky) in collaboration with the Universities of Trondheim, Oslo, Bergen and Tromsø. The work on developing the cloud brokerage service will continue this collaboration.
UNINETT is also working on cloud-based infrastructure platforms to make typical data-centre services accessible from the cloud. Moreover, some universities are cooperating on establishing a common infrastructure platform in their data centres so that they can provide infrastructure services to other actors within the sector in the future.
Cloud services can be provided through different deployment models:
Public cloud infrastructure provisioned for open use by the general public. The public cloud provides standard solutions that are largely the same for all customers. The biggest and best-known providers are Google, Amazon and Microsoft.
Public cloud can also be integrated with the architecture of software service providers – including Norwegian providers – who provide software as a service. An enterprise can therefore end up using services from the public cloud even if this was not explicitly a part of the service purchased.
A private cloud is provisioned for exclusive use by a single organisation or group of enterprises (often referred to as a community cloud). The environment from which the cloud service is provided is dedicated to a specific customer or customer group. An organisation can also operate its own cloud, but unless it is sufficiently large, it will not achieve the same economies of scale as with a public cloud. On the other hand, it will not be exposed to the same risks.
If an enterprise uses a combination of public cloud and locally operated ICT systems, a private cloud or a community cloud, this is known as a hybrid cloud.
Most enterprises have information which, for various reasons, they are reluctant to store in a public cloud. This may be business-critical information or information that cannot be stored abroad under current regulations, or data that would take too long to process elsewhere. At the same time, the public cloud can be a good alternative when the need arises for extra capacity or storing back-ups, or for hosting systems that are non-business-critical or that contain information that must be stored locally. An architecture with a hybrid cloud enables enterprises to take advantage of the benefits of a public cloud while at the same time retaining control over business-critical components. Hybrid cloud is the deployment model currently experiencing the fastest growth.4
This strategy focuses mostly on discussing the issues associated with using public cloud. Clarifying what is legally permitted and recommended when it comes to the public cloud is transferable to other models, such as community cloud or hybrid cloud where public cloud is an integral part of the architecture.
Benefits and challenges of cloud computing
Cost savings is one of the most common benefits associated with cloud computing. It has also been the motivation in many countries where governments have already established an ICT strategy in which cloud computing play a key role. For example, the UK has implemented a cloud-first policy,5 and expects the transition to affordable, standardised ICT solutions to reduce ICT costs in the public sector.
In a study commissioned by the Norwegian Association of Local and Regional Authorities,6 the responding municipalities considered the main drivers for adopting cloud computing to be: financial, a wish to focus on service development, scalability and flexibility, and more accessible to municipal services for citizens.
Many automatically think of reduced costs when cloud computing is mentioned. There are several reasons for this: the fact that a cloud service requires no local infrastructure affects the cost of investing in and operating ICT. Cloud computing can also lead to reduced costs for updates, administration of software licences, etc.
The pricing model for cloud services, which entails measuring and paying for use, also makes the costs for each service transparent. Customers avoid having to pay for more computing power, more storage space or more programme licences than needed at any given time. Such a pricing model is particularly favourable for enterprises that have processes requiring large capacity but only for short periods of time; for example, monthly or annual tasks such as issuing invoices or performing payroll runs.
Not all enterprises that adapt cloud services find them cheaper than other alternatives. This particularly applies for enterprises with special requirements that cannot be provided as a standard solution or where a cloud service will be part of a complex architecture with extensive integration with existing systems.
Example: Moss Municipality
Moss Municipality has a population of 32,000 and 2,500 employees. It administrates around 100 IT systems and uses 8.2 full-time equivalents on ICT.
The municipality had to acquire several additional e-mail licences to provide all its employees with e-mail accounts. It discovered that using Office 365 in the cloud cost far less than using equivalent software installed locally. The municipality has opted for a hybrid solution whereby parts of the system portfolio (including archives) are operated locally while, for example, desktop applications are operated in a public cloud service (Microsoft Azure). Although it also considered traditional outsourcing, the municipality concluded that this would prove far more expensive than a cloud solution and more expensive than continuing to operate IT locally.
Source: Moss Municipality
Cloud services offer practically unlimited capacity for data processing and storage. The resources in the cloud are allocated to the customer organisations only when needed. This means that enterprises need not worry about running out of capacity if, for example, a public service it provides is used more than anticipated. This is also an advantage for enterprises with services that are vulnerable to overload during peak periods, often without being able to foresee their occurrence.
The elements that make cloud services cost-effective and scalable can also create challenges for enterprises administrating personal data, confidential information or information in areas where regulatory restrictions apply as to which countries data can be transferred. In order to offer affordable services, providers make use of any free capacity they have in their systems. Consequently, enterprises can never know which data centres – or countries – their information is stored in at any given time. It may also be the case that a cloud software service provider uses multiple subcontractors without this being clearly stated in the service specification.
In December 2010 Banedanmark (the Danish rail network provider) migrated its website to a cloud service (Microsoft Azure). That winter, Denmark's transport services experienced major problems. While other transport companies found that their information services failed due to the dramatic increase in enquiries from the public, this did not happen to Banedanmark. At most, it had 5.5 million users in one day compared with the normal 50,000. The company paid DKK 179 for the increased capacity it needed during this period.
Source: Centre for Digital Administration (2013): Public sector use of cloud based solutions – the Danish experience. Survey commissioned by Microsoft.
Cloud computing can enhance technical ICT security when the service provider has better expertise and resources than the customer.7 This applies not least to the physical security of premises where hardware is located. Large data centres generally have comprehensive security measures in place, and heavy restrictions on who may enter the premises. Service providers replace hardware and upgrade software regularly. There are certification schemes for data centres indicating which security level a data centre meets.
When software is provided in the form of a cloud service, this often means that the customer is provided with a standard solution. It also means that all customers receive security updates and other software updates simultaneously. For many customers this can enhance security because they previously lacked sound procedures for such updating.
Back-ups are normally part of a service portfolio when buying cloud services. Redundancy and automatic transfer to a new location should something go wrong in the primary location are other services often offered as standard.
A type of service that is growing in popularity is Security as a Service (SECaaS). Through SECaaS enterprises can subscribe to various types of security services such as anti-virus programmes and continual anti-virus updates, authentication, malware detection, and administration of security events.
Although cloud computing can in many cases enhance security, it is important that enterprises assess whether some of their information needs extra security measures for financial, competitive or other reasons. Many enterprises may also find it relevant to assess the security policy consequences of using cloud services based outside the European Economic Area (EEA). Some national authorities allow greater access to foreign data than to data pertaining to their own citizens and enterprises. Even enterprises that are not subject to the Security Act may find it relevant to consider such matters.
It is worth mentioning that information which is not deemed sensitive in itself may be deemed sensitive if stored in a common data centre or a cloud service where information belonging to other societal functions is also stored. The potential harm through loss of the collective information could have ramifications for national security. This can make risk assessments more complicated, since an enterprise risks having to assess not only its own data but also the consequence of storing too much public information in the same location.
Many enterprises feel safer having their own servers and data close to home, and fear losing control if their data is stored and processed in a distant – and perhaps unknown – location. This issue can be addressed through various control mechanisms, as discussed in detail in chapter four.
Providers of services in the public cloud can allocate their hardware resources to a large number of customers. This makes for more efficient energy consumption than if all the customers had their own data centres with their own hardware, cooling systems, etc.
The current trend is for providers of cloud and data centre services to consolidate their data centres into large and increasingly energy-efficient entities. These data centres are often located in areas with stable access to cheap energy.
In many cases, cloud computing makes it easier to enable services (such as a municipality’s case processing system) to be used from different locations and from different client types (PC, tablet, mobile phone).
Both public and private enterprises are increasingly allowing their employees to use their own PCs, tablets, etc. This policy is often referred to as Bring Your Own Device or BYOD. BYOD poses new challenges in terms of security and availability. Cloud services can make it more convenient for users to store their work on their enterprise’s storage area in the cloud instead of locally on their personal equipment, outside the control of the enterprise. Most enterprises have employees who already use unauthorised consumer cloud services in order to give them flexibility in their working day. This poses a risk to the enterprises, not least because end-user licence agreements in the consumer market often give service providers wide authority for what they may do with their customers’ data.
As enterprises gradually buy more services in the cloud, this will affect the need for local expertise. This may lead to reduced expertise in some areas because employees no longer work in those areas on a daily basis. On the other hand, it could spare key personnel from having to perform routine tasks and allow enterprises to devote more energy internally to strategic planning and service development.
Cloud services can reduce the scope of investments needed to start up new enterprises. Because no major investments are needed in hardware and infrastructure or software licences, there will be less need for startup capital.
This is particularly relevant when starting up an enterprise providing services to customers over the internet: it can be difficult to estimate how many customers will come and how fast. Nonetheless, not having sufficient capacity to provide a service can be risky if the service quickly proves to be a success. A cloud-based infrastructure that can be scaled up or down according to the expected number of customers and that is based on a pay-as-you-go model will reduce the risk of loss on infrastructure investments. Such a model also allows enterprises to take the time to adapt and further develop a service if it fails to prove successful immediately.
For the same reason, cloud services can make it easier for existing enterprises to set up platforms for development and innovation, such as test environments or pilot projects. This can lower the threshold for testing new solutions, both internally and for customers.
For the public sector, such platforms can make it easier to test and adopt new public services. This is particularly important for the municipalities, as they often have few resources to allocate to tasks like these. In this way cloud computing can contribute both to rationalisation and service development in the public sector.
Comoyo was Telenor's venture into streaming services. The service was established as early as 2011.
As recently as in May 2013 Telenor announced: "With the newly established Comoyo, Telenor will capture 130 million consumers in all channels and on all platforms." Telenor closed down Comoyo in November 2013 after major international players like Netflix and HBO established themselves with streaming services in the Nordic countries and captured most of the market.
Telenor used Amazon's infrastructure to provide the service, which meant that it only paid for the capacity it needed to serve the customers it had at any given time. Consequently, when the service was discontinued, Telenor was not left with large investments in infrastructure the company no longer needed.
Sources: Teknisk Ukeblad/Comoyo/Telenor
Important considerations before procuring cloud services
The Government wants to make it easier for public and private enterprises to consider cloud computing as an alternative when procuring new ICT systems. A key premise for doing this is clarifying the regulations, as discussed in chapter 3. However, other factors not directly related to regulatory matters must also be taken into account when considering cloud computing.
The strategic decisions an enterprise makes regarding which services to buy from external providers and which services to manage itself for strategic reasons constitute the enterprise’s sourcing strategy.
Such strategies involve not only ICT; an enterprise may also decide to outsource functions such as finance and accounting, logistics, or other tasks the enterprises does not regard as core activities. This is often referred to as outsourcing. One reason for outsourcing services might be to achieve economies of scale, making it more cost-effective for the enterprise than having to produce the services itself.
Procurement of cloud services is a form of sourcing, as is an enterprise’s decision to produce or operate its ICT solutions internally. Whichever sourcing strategy an enterprise chooses, an analysis is needed to decide whether the chosen solution meets current requirements for the type of information the system will process and whether the risk associated with the chosen strategy is acceptable. Assessing risk or making sure a data processing agreement is signed are not tasks that are specific to procuring cloud services; they need to be done regardless of the chosen strategy.
The Agency for Public Management and eGovernment (Difi) has defined a set of principles8 to serve as common guidelines for all use of ICT in the public sector. Public agencies are required to follow the principles, whereas the municipal sector is recommended to do likewise.
Although an agency might not find cloud services that currently meet requirements for the system it wants to develop or buy, by following Difi’s architectural principles it can make sure that it does not preclude cloud computing as its chosen platform later on.
The key principles for ensuring that a chosen strategy does not preclude the use of cloud computing are:
- Interoperability: Involves using technical standards that facilitate well-defined interfaces, transmission protocols and formats.
- Flexibility: ICT solutions shall be designed in such a way that they do not pose barriers against changes in business processes, content, organisation, ownership or infrastructure.
- Scalability: ICT solutions must be scalable to accommodate changes in use. Changes can be related to, for example, the number of users, volume, response times, etc. It must be possible to scale the solution up or down after it is put into operation.
The other principles – such as security and service orientation – are of course as important and relevant for any ICT project for which cloud computing is being considered as for other types of projects.
If an enterprise is to develop new, local systems, it is important to choose an architecture that can benefit from the typical advantages of cloud computing and that is suitable for migrating to the cloud if desired at a later date.
The security assessments that must be made when considering cloud computing are not that different from those that need to be made when outsourcing to an external service provider. In practice this means that the enterprise must carefully consider the formal guarantees the service provider gives, such as where data will be stored or processed.
The risk associated with using cloud services will vary according to where sensitive data is to be stored or processed and how the chosen cloud service provider has implemented its cloud services. To what extent the provider should be assessed will depend on the value of the information involved and how serious the consequences might be if something went wrong.
Information security has to do with how to maintain the confidentiality, integrity and availability of information.9
Integrity is the assurance that data is comprehensive, accurate and valid. Integrity also assures that no unauthorised changes are made to the data.
Confidentiality is assurance that information is not disclosed to unauthorised parties and that only authorised persons – that is, people with the right to – gain access to it.
Availability is assurance that a service meets specific requirements for stability so that the information is available when needed.
Previously, security concerns were mainly associated with confidentiality, the main concern being that unauthorised persons could, for example, gain access to business secrets or sensitive information on individuals. We now see that concerns about integrity are increasing. Unauthorised modification of data can occur as the result of either technical factors or malicious attacks. If an enterprise does not trust the integrity of its system, there may be serious consequences if the information is used for making important decisions or if, for example, the information is stored in a system that is critical for the enterprise or its customers.
As society becomes increasingly dependent on having access to ICT and networks in order to function, availability will also become increasingly important when considering information security issues. If a key service is not available over time, this can have serious consequences for an enterprise. Many enterprises have critical systems that do not tolerate any downtime whatsoever.
Moreover, the commission appointed to assess digital vulnerabilities in society (see text box) raised a fourth security objective: traceability.10 Traceability has to do with finding out what happened in retrospect; for example, by using change logs or other event logs.
Public enterprises must – and private enterprises should – perform risk and vulnerability analyses when planning major changes such as new digital services, reorganising system operation, changing service provider, etc. This requirement applies to all enterprises that process personal data. The enterprise must assess what consequences different events may have for its users, for the enterprise itself, and for the sector as a whole. The enterprise must then assess the likelihood of these events occurring. The risk level is determined by a combined assessment of the consequences of the events and the likelihood of them actually occurring.
Similarly, each enterprise must assess what the consequences would be if a security breach occurred along the three information security dimensions – availability, confidentiality and integrity: What will happen if a system or service is unavailable for a given time period? What are the possible consequences if an unauthorised party gains access to the information? What are the possible consequences if unauthorised parties manage to modify the information so that it can no longer be trusted? What is the likelihood of the individual consequences occurring? Which consequence constitutes the greatest risk? What requirements should be set to an internal or external provider for managing such risk?
The purpose of a risk analysis is to help an enterprise that is considering cloud computing to make an informed assessment of whether the risk level associated with using cloud services is acceptable. Such assessments must also be performed for other forms of sourcing where an enterprise must hand over control of its data to an external partner.
Commission on Digital Vulnerability
In June 2014 the Government appointed a commission to examine digital vulnerabilities in society (Lysne Commission). The commission presented its report to the Norwegian Minster of Justice and Public Security on 30 November 2015.
Some of the issues relating to cloud computing discussed in the report are:
- Large, established cloud computing providers can often offer better security than what many small organisations can manage themselves. This will of course depend on the provider. The user is responsible for assessing whether the information it intends to store in the cloud is vulnerable if transferred outside Norwegian jurisdiction, and must weigh the consequences and risk against the benefits.
- The government authorities must not make it difficult to adopt practical and cost-effective technology as long as there are solutions that are sufficiently secure. It is important that Norwegian legislation not impede increased competitiveness.
- Section 9 of the Public Archives Act, which states that archives may not be transferred out of the country, was introduced over 20 years ago, and therefore does not take into account modern-day technology developments and needs.
Information can be divided into three categories:
- Information that should only be stored in Norway
- Information that can be stored abroad but that can be returned to Norway if necessary, subject to specific conditions
- Information that can be stored abroad without being subject to specific conditions
Category 1: Information that should only be stored inside Norwegian territory and jurisdiction applies particularly to classified information. The commission concludes that each sector must assess which information falls under the respective categories. The commission also emphasizes that the sectors will in many cases find it difficult to coordinate with each other, so there is a need for standards and guidance across the sectors.
The commission highlighted the need to harmonise supervisory practices across the sectors. This work should include taking a closer look at the use of third-party audits.
Source: NOU 2015: 13 Digital sårbarhet – sikkert samfunn [Digital Vulnerability and a Secure Society].
It is important to check that the data processing agreement used meets the requirements stipulated in the Personal Data Act. Once the new General Data Protection Regulation (see chapter 3) enters into force, making the same regulations applicable to all processing of personal data on citizens in the EU/EEA, service providers will likely issue more standardised agreements.
Note that it is always the enterprise itself (the data controller) that is ultimately responsible for ensuring that information be properly processed. This responsibility is not transferred to the provider, even when all agreements are signed. Under the new General Data Protection Regulation the provider (data processor) also has a responsibility, but that does not replace the responsibility of the data controller.
The Norwegian Data Protection Authority has prepared a checklist with issues enterprises must consider before they begin using cloud services for processing personal data.11 The checklist is based on legislation and best practice.
- The enterprise must perform thorough risk assessments, including risk and vulnerability analyses.
- The enterprise must enter into a satisfactory data processing agreement, in accordance with Norwegian legislation. When doing so, it is the data controller – meaning the individual enterprise – that is responsible for ensuring regulatory compliance. The agreement must clearly state where data is processed; this also applies to subcontractors.12The agreement must not say anything to the effect that the provider (data processor) may use personal data for its own purposes, such as to improve its services.
- Enterprises must review their use of cloud computing regularly. This means that the enterprise itself, or a third party, must perform a security audit and ensure that the data processing agreement is being followed. In the event of an inspection, the enterprise must present an audit report to the Norwegian Data Protection Authority.
- The data controller must ensure that the cross-border transfer of data is in compliance with the law.
- Communication must be secure. Sensitive personal data must be encrypted.
- The cloud service provider (data processor) must keep personal data from different customers (data controllers) separate from each other.
- The solution used must be sufficiently documented, and the enterprise must be able to present documentation for inspection.
Procurement of cloud computing differ in many aspects from traditional procurement processes in the public sector. Although the public procurement regulation does not in itself limit opportunities to procure or use cloud computing, there are many important aspects to take into consideration when procuring services like these:
The purpose of regulations for public procurement is to ensure best possible use of society’s resources. The cost of the procured goods or services throughout their life cycle is therefore important. This is often referred to as the total cost of ownership (TCO).
The TCO of running IT in-house can be calculated as the total of the costs for:13
- energy consumption (power to run the hardware, emergency power supply, power for cooling)
- employees (pay and social security costs)
- buildings (write-down, maintenance, rental, security measures, etc.)
- licences and maintenance agreements
It is particularly relevant to take these into account when considering the cost of a service comprising a combination of, for example, Software as a Service that includes all the operating costs, compared with the cost of buying the software as a product and running it in-house or outsourcing it to a third party.
To be sure of choosing the most advantageous offer, it is important to specify which functions are needed rather than presenting a detailed technical specification. This will reduce the risk of precluding some technology platforms right from the start.
Choice of contract
Customers can find it difficult to choose the right contract. Cloud services are often sold on standard terms and conditions that apply for all customers. Difi revised the Government Standard Terms and Conditions (SSA) in 2015, and the new agreements are better adapted to cloud services than the old ones, which drew a clear distinction between software and operation. The new SSAs allow the service provider’s standard terms and conditions to be included. They can therefore be used for buying access to standard systems in the cloud. The SSA is then supplemented with the service provider’s standard service agreement and, where appropriate, the data processing agreement based on the template produced by the Norwegian Data Protection Authority.
For more complex procurements, it can be difficult to align cloud services with the current standard agreements, which draw a distinction between procurement of software and hardware on the one hand14 and procurement of operating services on the other.15
How does an enterprise retrieve its own data from the service provider if the customer relationship ends, regardless of reason? How can it move data to a new service provider? And what happens to data created as a result of operation, such as usage statistics? As when buying other software, it is important that enterprises avoid vendor lock-in or losing ownership of their own data. It is therefore important to ensure that they can retrieve their data in a reusable format. It is worth noting that the EU’s new General Data Protection Regulation contains requirements for data portability. These apply to personal data but will in practice likely affect all types of data.
Most enterprises will need to store data over time, and it is therefore not unlikely that they will want to move data between service providers. It is particularly important for the public sector – which has an archiving obligation – to take into account their duty to preserve records for posterity. The archive creator has a duty to capture all digitally created archive material and to ensure that it is not lost if, for example, the enterprise changes service provider or if the service provider goes bankrupt.