Cloud Policies - Governance and Operating Model (1) - 2

The document outlines a cloud project aimed at establishing cloud policies, governance, and operating models for the public sector in the Middle East, specifically Saudi Arabia. It highlights the importance of cloud adoption, regulatory frameworks, and the need for a structured governance model to enhance efficiency and security in cloud services. The project aligns with Saudi Arabia's Vision 2030, aiming to create a reliable and resilient cloud infrastructure for government entities.


Cloud Project for Public Sector – Middle East

Cloud Policies, Governance Model and Operating Model

April 2017
Agenda

Purpose

Overview

Benchmarking

Deliverable Walkthrough

QA Session

Confidential information for the sole benefit and use of MoI.
Purpose

• Provide an overview of the project to the steering committee
• Quick walkthrough of the key deliverables
1. Overview

PwC
Global Cloud Trends

More than $1 trillion* in IT spending will be directly or indirectly affected by the shift to cloud during the next five years.

[Chart: Shift From Traditional IT Spending to Cloud]

• Cloud-first strategies are the foundation for staying relevant in a fast-paced world
• Cloud service providers have more effective security systems and robust platforms than most individual businesses
• Amazon Web Services, Azure, Google Cloud Platform

* Source: Gartner, July 2016
Cloud Trends in the Region

• The ICT market in the Kingdom is estimated at $33.8 billion in 2017, and IT services are expected to continue growing by 9.9% year-on-year*
• Saudi Arabia will lead IT spending in META in 2017, investing $7.5 billion in cloud, big data, social and mobility
• NIC sponsored the joint venture between ELM and STC to form SCCC
• KACST incubator signs deal with AWS to provide cloud services to startup companies (April 2017)
• Amazon investment in Souq.com (March 2017)

[Figure: KSA ICT Industry: System Integrators, Cyber, Infrastructure, IT Service Providers, Hardware, Telcos / Data Centers, Government Bodies, Software]

*Source: IDC, 2017
Importance of cloud regulation in Saudi Arabia

• Lack of a national cloud directive, national strategy, policies and regulations to accelerate widespread cloud adoption
• Lack of clear policies and guidelines to address potential risks in the areas of data classification, confidentiality and sovereignty
• Most government entities have their own data centers with limited adoption of cloud services, causing inefficiencies
• Several IT vendors are moving towards offering their services through cloud rather than the traditional on-premise model
• Telcos are investing in ICT infrastructure and some forms of cloud computing (mainly web hosting, co-location and email)
• Necessity for more advanced ICT infrastructure to cope with the digital agenda of the Kingdom, including reliable connectivity and better service quality
Vision 2030 Alignment

Vision 2030: "My first objective is for our country to be a pioneering and successful global model of excellence, on all fronts" (King Salman Bin Abdulaziz AlSaud)

Pillars: A Vibrant Society; A Thriving Economy; An Ambitious Nation

National Development Priorities:
• Generate New Sources of Government Revenues
• Enhance Government Performance
• Improve Efficiency of Government Spending
• Ensure Security and Sustainability of Development Resources

The Royal Court has mandated the creation of a committee comprised of multiple organizations, including MOI, to govern the establishment of a Kingdom cloud provider that offers reliable, secure and resilient cloud services to the government cloud consumers.
Project at a Glance

Phases: Kickoff the Project → Develop Cloud Governance Model → Develop Cloud Policies & Regulations → Develop Cloud Operating Model

Kingdom Cloud Governance Model
• Kingdom Cloud Management Committee
• Kingdom Cloud Governance Model

Kingdom Cloud Policies and Regulations
• CSP Cloud Policies, Regulations
• CSP Certification Policies & Regulations
• CSP Violations & Penalties
• Cloud Migration Decision Framework
• Cloud Tenant Policies, Regulations
• General Guidelines for Citizens and Residents

Kingdom Cloud Operating Model
• Kingdom Cloud Operating Model
• Kingdom Cloud Types
• Kingdom Cloud Service Catalogue
Benchmarking

• United States
• European Union
• South Korea
• India
• Singapore
• Australia
2. Deliverables Walkthrough

October 2015
PwC
2.1 Kingdom Cloud Governance Model

• The Kingdom Cloud Management Committee
• The Kingdom Cloud Governance Model
Kingdom Cloud Management Committee

The Kingdom Cloud Management Committee (CMC) plays an executive leadership role to:

• provide the direction, strategy, policies and standards
• create the necessary ecosystem to maximize business value

Participating member roles include:

• architecture group
• empanelment and accreditation group
• advisory group
• expert committee (technical, financial, legal, etc.)
Kingdom Cloud Governance Model

Used by the Cloud Management Committee to provide guidance and controls to cloud service providers, whether government or commercial, to ensure effective operation and management of cloud services in KSA.
2.2 Kingdom Cloud Policies and Regulations

• The Kingdom Cloud Service Provider Policies, Regulations and Best Practices
• Data Privacy and Sovereignty
• The Kingdom Cloud Provider Certification
• Violations, Regulations and Penalties
• Decision Framework and Guidelines for Migrating/Moving to Cloud
• Cloud Tenant Policies, Regulations and Best Practices
• General Guidelines to Citizens and Residents
CSP Policies, Regulations and Best Practices

Aspects that cloud service providers must comply with, covering eight areas:

• Datacenter Operations
  • Authentication and Access Control
  • Physical Security
  • Infrastructure Performance & Capacity
• Incident Response and Service Delivery
  • Service Levels and Helpdesk
  • Business Impact Analysis
• Virtualization and Cloud Platform
  • Cloud Hosting
  • Availability and Integrity
  • Multi Tenancy and Governance
• Interoperability & Portability
  • Standard Operating Environment for IaaS, PaaS & SaaS
  • Data Sovereignty
CSP Policies, Regulations and Best Practices (Cont'd)

• Security, BCP & DR
  • Cyber, Insider Threats & Mitigations
  • Patch & Vulnerability Management
  • Business Continuity & Disaster Recovery
• Application Hosting & Security
  • Sensitivity & Criticality of Information
  • Security, Privacy & Audit Compliance of CSP
  • Data Classification, Confidentiality
• Encryption & Key Management
  • Data in Transit and in Use Protection
  • Data at Rest Protection
• Identity & Access Management
  • Authentication & Access Control
  • Multifactor Authentication
  • Smart IAM
Data Privacy and Sovereignty

Top Secret: Data should be classified as Top Secret when the unauthorized disclosure, alteration or destruction of that data could cause a severe or catastrophic level of risk to the Government, MOI or its customers.

Secret: Data should be classified as Secret when the unauthorized disclosure, alteration or destruction of that data (which are mostly sensitive) could cause a serious level of risk to the Government, MOI or its customers.

Confidential: Data should be classified as Confidential when the unauthorized disclosure, alteration or destruction of that data (which are mostly private) could cause a limited level of risk to the Government, MOI or its customers.

Public: Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data (which are mostly non-sensitive) would cause little or no risk to the Government, MOI or its customers.

[Figure: Data Sovereignty, Data Privacy, Data Disposal]
Policies and Regulations for CSP Violations and Penalties
Potential violations in the eight areas of set policies and the respective potential penalty clauses to
ensure the required level of quality, security and compliance

Each violation is described by:

• Violation details

• Violation Severity

• Proposed Penalty Clause

Cloud Provider Certification Policies and Regulations

Certifying cloud service providers to help the Kingdom in choosing the appropriate and trusted cloud service providers as strategic partners.

• CSP Assurance Framework: 8 key areas and sub-areas to audit CSP capabilities
  • Business acumen
  • Security, regulations and compliance
  • Technical assessment
• Policies & process flows around:
  • Certifying Board or Committee
  • CSP Assurance Framework
  • Safeguarding Information
  • Exit Strategy
  • Maintenance of accreditation and Certificate Renewal
  • Dispute Settlement
  • Breach Management
Decision Framework and Guidelines for Cloud Migration

Guidelines and triggers for potential customers migrating/moving to cloud, including checklists considering business and technical requirements.

[Figure: Decision Framework]
Kingdom Cloud Tenant Policies, Regulations and Best Practices

Aspects that cloud consumers / tenants must be aware of and comply with while consuming cloud related services.

Data Sensitivity & Security
• Sensitivity and Criticality of data being hosted on cloud
• Security, Privacy & Audit Compliance Controls of Cloud Consumer
• Authentication & Access Control Management
• Data Persistence and Destruction

Incident Management
• Service Levels and Helpdesk capabilities of CSP
• Business Impact Analysis

Cloud Hosting
• Capacity, Performance & Capabilities of CSP
• Network Availability
• Physical Security

Backup, Business Continuity & Disaster Recovery
• Data Backup & Archive
• Business Continuity & Disaster Recovery
General Guidelines for Citizens and Residents

2.3 Kingdom Cloud Operating Model

• Operating Model of the Cloud Service Provider
• Cloud Customer Classification
• The Kingdom Cloud Types
• Cloud Service Catalogue
Kingdom Cloud Operating Model

A governing framework for managing the entire lifecycle of planning, architecture design, acquisition, deployment, operation, management and retirement of the cloud infrastructure and services.

• Cloud Operating Model
  • Policy & Guidelines Management
  • Architecture Centre
  • Implementation & Upgrade
  • Cloud Broker, Orchestrator and Auditors
• Cloud Operating Model Core Pillars:
  • Cloud Service Delivery
  • Financial Management & Procurement
  • IT Security Management Framework
  • Risk Management
• Cloud Broker
  • Policies & Regulations for Cloud Service Broker
• RACI for Kingdom Cloud Operating Model
Kingdom Cloud Types

• Public Cloud is a shared multi-tenant environment owned and operated by a Cloud Service Provider. Relatively economical and agile.
• Private Cloud provides more control and security to customers.
• Virtual Private Cloud is a configurable pool of resources allocated within a public cloud, providing a logically separated cloud. Offers secure connectivity.
• Hybrid clouds are more complex, since they involve a composition of two or more clouds.
• Community cloud has infrastructure and computational resources exclusive to a community having common considerations and requirements in place, such as Financial or Education.
• Datacentre Colocation Model: colocation services allow customers to leverage the CSP for hosting their custom IT platform.
Kingdom Cloud Service Catalogue

Providing end user services across Government Cloud and Commercial Cloud. Services are grouped
in three categories:

• Co-Location Data Centers Services

• Cloud Services (Public, Private, Hybrid and Community Cloud)

• Managed Services

The Service Catalogue has 32 Services

Kingdom Cloud Service Catalogue

Delivery models (columns): Data Center Colocation Service | Public Cloud | Private Cloud | Virtual Private Cloud | Community Cloud | Hybrid Cloud

Co-location Services: √
• Server Colocation: √
• Rackspace Colocation: √

IaaS: √ √ √ √ √
• IaaS Standard: √ √ √ √
• DRaaS: √ √ √ √
• Private Cloud IaaS: VMware platform: √ √
• Private Cloud IaaS: OpenStack platform: √ √
• Private Cloud IaaS: Microsoft platform: √ √

PaaS: √ √ √ √ √
• Web servers as a service: √ √ √ √ √
• App Servers as a Service: √ √ √ √ √
• Database as a Service: √ √ √ √ √
• NoSQL as a Service: √ √ √ √ √
• SOA services: √ √ √ √ √
• Developer Productivity Tools: √ √ √ √ √
• Test and Development Management Service: √ √ √ √ √
Kingdom Cloud Customer Classification

Provides a framework to decide on the type of cloud services that can be leveraged for each customer category workload.

Category A: Customers with highly sensitive data
• Application Category: Critical Applications and Sector Core Applications
• Examples: General Directorate of Passports; Ministry of Foreign Affairs

Category B: Customers with data meant for internal use (Confidential Public Data)
• Application Category: MOI Enterprise Applications; Customer Facing eServices and Shared Applications
• Examples: Ministry of Labour and Social Development; Ministry of Environment, Water and Agriculture

Category C: Customers having data which is publicly available
• Application Category: Customer Facing eServices and Shared Applications (Non-Confidential Public Data)
• Examples: Universities; Ministry of Housing
Thank you

Backup Slides

October 2015
PwC
Cloud Ecosystem

[Figure: Cloud ecosystem after the NIST Cloud Computing Reference Architecture. Actors: Cloud Regulator, Cloud Consumer, Cloud Provider, Cloud Broker, Cloud Auditor, Cloud Carrier. Cloud Provider: Service Orchestration (Service Layer: SaaS, PaaS, IaaS; Resource Abstraction and Control Layer; Physical Resource Layer: Hardware, Facility), Cloud Service Management (Business Support; Provisioning / Configuration; Portability / Interoperability), Security, Privacy. Cloud Auditor: Security Audit, Privacy Impact Audit, Performance Audit. Cloud Broker: Service Intermediation, Service Arbitrage.]

Source: NIST Cloud Computing Reference Architecture
Cloud Hosting

Cloud hosting services provide hosting for applications on virtual servers which pull their computing resource from extensive underlying networks of physical web servers.

1. Pay as you go model. There is no upfront investment required.
2. Multiple offerings such as IaaS, PaaS, SaaS, DBaaS, TEaaS etc., based on the suitability of the applications.

Sl# | Category | Delivery Model
1 | Critical Application (eg: Border Control, Civilian system for National ID, Alien system for IQAMA) | SaaS
2 | Customer facing services (eg: Sector eServices, Mobile/Social eServices) | PaaS / SaaS
3 | MOI Enterprise Applications (eg: ERP, DMS, CMS) | SaaS
4 | Shared Applications (eg: License management system, Fines / Violations systems, Facilities management Systems) | SaaS
5 | Sector Core Applications (eg: Prisons Management Systems) | IaaS / SaaS

Benefits of Cloud Hosting

1. Load Balance: load balancing is software based and can therefore be instantly scaled to respond to changing demands.
2. Reliability: the application is hosted on a virtual partition which draws its resources from an extensive network of physical servers. If one server goes offline it will only dilute the level of resources but will have no effect on availability.
3. Scalability: resources are available in real time on demand; the resources an application demands are accessed seamlessly.
4. Physical Security: the underlying physical servers are still housed within the data centers and so benefit from the security measures that these facilities implement to prevent people accessing or disrupting them on-site.
Kingdom Cloud Tenant Policies, Regulations and Best Practices

The cloud consumer policy on data sensitivity and security is illustrated in detail below.

Data Sensitivity & Security

• Sensitivity and Criticality of data being hosted on cloud
  • Enforce appropriate security policies and mechanisms such as encryption, intrusion detection appliances, identity protection and verification, and data loss prevention tools
  • Cloud consumers must classify the data and enforce the relevant security controls to ensure data security
  • Perform an assessment of their applications before migrating to cloud
• Security, Privacy & Audit Compliance Controls of Cloud Consumer
  • Compliance with the acceptable usage policy
  • OS hardening, port blocking, patch management, vulnerability assessment, antivirus/malware/spyware protection, hardware security module
  • Compliance with regulatory obligations (FISMA, HIPAA, PCI-DSS, and SOX)
  • Periodic auditing; remove redundant and orphan accounts
• Authentication & Access Control Management
  • Multifactor authentication, Single Sign On, secure tokens, certificates, Role Based Access Control, policy based authorization, Access Control Lists
• Data Persistence and Destruction
  • Data lifecycle, data sanitization policies
  • Follow NIST SP 800-88 media erasure guidelines
Data Exchange on Commercial Social Media

• Strong Privacy and Data Protection Laws to be in place which include handling personal data in social media with policies such as a social media usage policy
• A strong Data Controller will keep a check on personal information of customers being published
• Ensure individual consumer data is used for the designated purpose only
• A National Data Protector to be present who can notify the individual consumer during a personal data security breach
• Additional controls must apply to the use of information relating to an individual's racial or ethnic origin, religious beliefs, political opinions, trade union membership, health or criminal record
• Strong Anti-Cybercrime Law to bring social networking sites which promote atheism into the punishment regime
• As social media demands 24*7 interactions, some responsiveness criteria may be defined and a dedicated team may be put in place to monitor and respond
Case Study - USA

US FedRAMP

Joint Authorization Board (JAB)
• Primary decision-making body
• Comprised of the CIOs from DOD, DHS, and GSA
• Private industry feedback
• Other Government agencies

Agencies
• Select a cloud service
• Leverage the FedRAMP Process
• Require CSPs to meet FedRAMP requirements

CSPs
• Provide the actual cloud service to an Agency
• Must meet all FedRAMP requirements before they implement their services

3PAO
• Perform initial and periodic assessment of CSP systems
• Provide opinion of compliance
• Play an on-going role in ensuring CSPs meet requirements

Amazon Web Services: AWS Service Offerings
Compute; Database; Analytics; Storage and Content Delivery; Internet of Things; Networking; Developer Tools; Game Development; Management Tools; Mobile Services; Security & Identity; Application Services; Enterprise Applications
Case Study – South Korea

• Single Government cloud
• Cost savings averaging 100m USD per year
• Security attacks blocked in seconds
• Disaster Recovery for the Government
Next Steps

• Form a CMC: Form a Cloud Management Committee and the Lead Agency. Agree upon the Kingdom Cloud Governance Model. Agree upon the Kingdom Cloud Policies, Regulations and Best Practices.
• Publish Deliverables: Publish all the Kingdom Cloud Policies, Regulations and Best Practices for all the identified consumers to read and understand.
• Identify a CSP: Identify a Cloud Service Provider and formalize an agreement to implement the Kingdom Cloud. Agree upon the Kingdom Cloud Operating Model with the CSP.
• Implement Cloud: The Cloud Management Committee, along with the identified Cloud Service Provider, to implement and maintain the Kingdom Cloud. CMC to constantly improve the Kingdom Cloud to offer better services.
Contacts

Vijay Kannan
Director
PricewaterhouseCoopers India Private Limited
1st Floor, Tower D, The Millenia,
1 & 2 Murphy Road, Ulsoor,
Bangalore, Karnataka, India 560008
M: +91 9845600029
[email protected]

Sanjay Ganesh
Manager
PricewaterhouseCoopers India Private Limited
1st Floor, Tower D, The Millenia,
1 & 2 Murphy Road, Ulsoor,
Bangalore, Karnataka, India 560008
M: +91 9740073663
[email protected]