Cloud guide for the public sector

Foreword

Properly implemented cloud technology can improve speed of delivery, increase security and create opportunities for organisations to innovate. Government organisations and functions need to work together more effectively across functions to take full advantage of these benefits.

As the heads of the commercial and digital functions, our responsibility is to help our respective functions to work well together and with other government stakeholders. We want to make sure we can get the best value from the public purse while still building the best digital services for citizens.

We have held workshops of senior commercial and technical experts from across government. We have discussed how they use cloud, the challenges they face and the help they need as they develop their cloud strategies in future. The ask from organisations is clear; they want us to work together, and with them, to help them to make informed decisions about their cloud strategy. They also want us to give them independent advice on how they should create and implement their roadmaps.

This has led to a number of cross-government and cross-functional working groups being set up to focus on the most important issues facing organisations today. These include lock-in, commercial, technical, security, operations, people and related issues.

From those working groups and our user research, we have published a range of guidance encouraging government organisations to adopt a more cross-functional approach to their cloud strategies. With this collection, we aim to bring all of that guidance together into one place, including security, commercial, digital, technology, skills and culture considerations from across government and the wider public sector.

We recognise that one size does not fit all when it comes to the use of public cloud, as many of the organisations we have spoken to have taken valid, and sometimes opposing, strategic decisions. This is often because either cloud technology is so versatile that the same outcome can be achieved in different ways, or because organisations have made decisions based on their unique maturity or capability.

By using this guidance, we hope you will understand why working cross-functionally is so important as part of a modern technology strategy and we hope that you will use the guidance as you deliver cloud services in your organisation.

Yours faithfully,

Alison Pritchard, Director General, UK Government Digital Service

Gareth Rhys Williams, UK Government Chief Commercial Officer

Purpose of this guidance

This guidance is for organisations and technical leads responsible for:

• deciding and setting cloud strategy

• implementing migrations to cloud

• managing cloud usage

This guidance covers how to:

• enable cross-functional collaboration throughout the cloud lifecycle

• realise best practice cloud service usage

• maximise commercial, technical, security, and people capabilities

The Cloud First Policy

When procuring new or existing services, public sector organisations should consider and fully evaluate potential cloud solutions first before considering any other option. In the UK this has been policy since 2013 The policy was reassessed in 2019 and remains a flagship technology policy in the UK.

Read more about the Cloud First policy.

Cross-functional collaboration

Government organisations that combine functional capability can get more from the cloud, while maintaining value for money and a high standard of delivery. For example, a joint technical and commercial approach to cost optimisation reduced the UK Home Office portfolio’s cloud spend by 40%.

Any cloud strategy will need expertise from a number of functions to deliver it effectively. There are four functions essential for a successful cloud strategy:

• digital and technology - responsible for building and managing cloud estates and providing advice to produce the best technical solutions

• commercial - responsible for the planning and negotiation of contracts with cloud service providers and managing the continuing relationship

• security - responsible for reliable continuity of quality services by making sure processes and controls are in place to protect systems, networks and data from deliberate exploitation

• human resources - responsible for recruiting, re-skilling, developing, deploying and retaining people

Longer term, your organisation might want to consider creating a central multi-disciplinary and cross-functional team to help improve cloud delivery. This team would facilitate, support and advise on best cloud practices for your organisation and act as a central point of contact for cloud service providers.

Choosing a hosting strategy

You’ll need to consider which cloud services are the most appropriate for your organisation. Base your decisions on your organisation’s requirements, its level of cloud capability and the implications of your choice. It is important that you know how to choose between a single, hybrid or multi-cloud solution and when you need to consider cloud concentration risk.

Read more about creating and implementing a cloud hosting strategy.

Assessing the commercial case

Cloud services procurement and implementation typically follow the programme business case approval process, alongside and within each organisation’s own spend controls and governance.

To avoid lock in you should make sure you:

• agree contracts of appropriate length

• retain ownership of intellectual property of your products and services

• retain access to any data held by third parties

The UK government has Crown Commercial Services’ contract management standards to help with this.

Read more about how to assess the commercial case.

Balancing technical lock-in

While there is more flexibility available in the cloud, there is a risk you can become dependent on the products and services from particular providers. This is called lock-in, where switching from one technology or provider to another is difficult, time consuming and disproportionately expensive.

Read more about how your organisation can balance the benefits and risks of cloud lock-in.

Managing costs

When using the cloud, your bills will change according to your usage. To realise the full financial benefits of using the cloud, you need to:

• be flexible in how you budget for cloud services

• put in place systems and processes to monitor your spending

• design your applications to take advantage of the cloud cost model

Read more about how you can manage your spending in the cloud.

Offshoring and data residency

In the UK departments can make case by case choices for offshoring data. The guidance we provide for this is as follows:

Offshoring is where any part of the service you are receiving, relating to data you are storing, is conducted outside of the UK. This includes where data and services are physically located, who manages the services, and who has access to the data. It also includes when your data resides in the UK but might be accessed by provider personnel based in other countries.

There is no UK government policy which directly prevents departments or services from storing cloud-based data in any specific country, however you need to consider the implications of where you host your data. It is the responsibility of each government department to take risk-based decisions about their use of cloud providers for the storage of government data.

When making this decision, you should consider the:

• ICO guidance on adequacy

• ICO guidance on data protection and the international transfer of data

• European Commission guidance on the adequacy of the protection of personal data in non-EU countries

• NCSC cloud principles

• new guidance on data adequacy following EU Exit

More guidance on offshoring and data residency will be available soon.

Security

Cloud services can have native security advantages over local or on premises technology. While organisations can have less visibility of the underlying infrastructure and operations, cloud providers can use economies of scale to provide a level of security that would be economically or operationally infeasible for many organisations.

You must understand your organisation’s security needs to determine your level of confidence that a cloud service is secure enough to handle your data.

The UK’s National Cyber Security Centre (NCSC) has written a blog about how they chose their cloud provider, including what questions to ask when considering cloud security.

Read more of the UK’s NCSC’s guidance on:

• cloud security

• how to configure, deploy and use cloud services securely

• zero trust principles

Legacy

Technology moves quickly, so despite the fact that many business requirements remain the same, the original technology might now be obsolete. Legacy technology can refer to your organisation’s IT infrastructure and systems, hardware and applications, and related business processes.

Although there is not one single solution, you may find the GDS guidance relating to user researched technical guidance on managing legacy technology helpful. You could use this guidance to help make decisions on how and when to move away from legacy technology.

Read more about how to manage legacy networks and how to manage legacy technology.

People and skills

When creating a cloud strategy, you should consider that adopting the cloud can mean significant changes in culture for commercial, financial and technical staff. Engaging with the workforce is critical, as this case study by the UK’s Office for National Statistics showed when they started their journey to the cloud.

Read more about the technical skills you might need in the DDAT framework.

Case studies and blog posts

A collection of examples of how the public sector is using the cloud in the UK.

Case studies

• How the Home Office’s Immigration Technology department reduced its cloud costs by 40%

• How Network Rail implemented its hybrid cloud strategy

• How the Welsh Government migrated their technology to the cloud

• How the Office for National Statistics changed workplace culture to get the best out of cloud

Blogs

• Introducing the GOV.UK cloud guide

• Introducing our cloud lock-in guidance and case study

• NCSC explores potential security opportunities that can come with using the GDS cloud lock-in guidance

• Join us for a workshop introducing our guidance on managing costs in the cloud

• NCSC IT: There’s confidence and then there’s SaaS