Cloud Computing for the UK Public Sector. A Business Overview

Cloud Computing for

the UK Public Sector

Why Cloud Computing?

“The Government’s ICT Strategy signals that, in the future,

the Public Sector will consume its ICT as-a-service.

The recent Public Services Network (PSN) and Government

Cloud (G-Cloud) framework tenders signpost intent to make

a speedy transition to as-a-service consumption models.

Cisco has a wealth of capability: for building cloud services,

and for delivering the essential infrastructure components

of private and public cloud environments.

We have created this business overview to provide

a better understanding of cloud computing (‘Cloud’),

to explain its importance to Public Sector business

decision makers and to offer an approach to adoption.

A companion technical overview will soon be available

to explain cloud computing technology and to cover

associated technical considerations.

We look forward to the opportunity to discuss

the contents of these papers with you.”

Rod Halstead

Managing Director

Cisco UK Public Sector

Contents 3

Introduction 4

Cloud Computing – The Basics

6

What is Cloud Computing?

6

Why is the Public Sector Adopting Cloud Computing?

7

What about Cloud Computing Standards?

8

Cloud Essential Characteristics

8

Cloud Service Models

9

Cloud Deployment Models

10

Security Considerations for Cloud

11

Public Sector Cloud Deployment Models

12

The ICT Service Delivery Platform for Cloud

14

The ICT Service Delivery Platform

15

The Business Benefits of Cloud

17

Direct Cost Saving

17

Operational Efficiency

17

How to Approach Cloud Computing

18

Cloud Procurement

20

Summary and Recommendations

21

How Cisco Can Help

22

Cisco Cloud Products and Solutions

22

Cisco Services for Cloud

22

Further Information on Cloud

23

Cloud Primers

23

Government Papers on ICT Strategy and Cloud Computing

23

Cisco Business Papers

23

Cisco Technical Papers

23

Case Studies

23

Contents

The Government published its ICT Strategy in March 2011 to explain how

ICT can help address the UK budget deficit: by delivering direct cost savings

on current ICT expenditure, and by increasing the use of ICT to deliver new

levels of operational efficiency to Public Sector organisations.

The strategy proposes that direct cost savings will be achieved through fundamental change to the way that the Public Sector specifies, procures and operates ICT infrastructure, applications and services.

This fundamental change is embodied in two key Government programmes – the Public Services Network (PSN) and G-Cloud (Government Cloud). These programmes are very closely aligned and represent the way by which the Public Sector will, in the future, procure all ICT ‘as-a-service’. PSN and G-Cloud are both highly strategic and central to the Government’s objectives of cost saving and efficiency. PSN will deliver a single ‘network of networks’ (a private ‘cloud’ network) for the Public Sector - the common infrastructure discussed in the ICT Strategy. G-Cloud will enable a range of cloud services to be delivered at scale into the Public Sector. In combination, PSN and G-Cloud will create a cloud environment for the Public Sector.

Adoption of a cloud approach will allow ICT resources and services to be abstracted from underlying infrastructure and provided on-demand and at scale in multi-stakeholder (or ‘shared services’) environments. This offers a unique opportunity for organisations to evaluate how best to deliver ICT infrastructure, applications and services to meet business requirements. It also brings the potential to eradicate established inefficiencies, costs and service management complexity. Cisco, as an ICT technology provider, is helping to shape and drive the transition to Cloud in both private and public sectors. Cisco has focused on three key areas for technical innovation: how data centre compute and storage resources can be consumed in a granular and cost-effective manner, how organisations can build a ‘service delivery platform’ that will support cloud deployments at scale, and how these deployments can be made secure.

Cisco in the UK has established a Public Sector Cloud Team to work actively with customers and service providers to ensure Cloud is fully understood and that business benefits can be realised in a timely fashion. This is very important because, although Cloud represents a technical transition, it can only deliver full benefit if aligned to profound business change to the ownership of ICT assets and ICT delivery within an organisation. Cisco has created this paper for business decision makers:

• To provide a better understanding of Cloud

• To explain why it should be incorporated into business strategies, and

• To provide guidance on how to approach Cloud adoption

We would welcome the opportunity to discuss this paper and the companion paper with you and to work in partnership to realise the benefits of this new opportunity.

Introduction

6

In the cloud model, a managed service provider delivers ICT infrastructure or a computing application as a pre-packaged service to agreed service levels. The managed service provider, not the end-user organisation, is responsible for all aspects of delivering that service. Cloud will have a significant organisational impact because of the fundamental shift of ICT responsibility away from local resources (ICT department or outsourcer) to the managed service provider.

Cloud will also have a very significant commercial impact because ICT is normally provided as metered services and invoiced by use. This represents a fundamental shift in ICT expenditure away from capital (‘capex’) budgets to operational (‘opex’) budgets.

Cloud Computing -

The Basics

Cloud computing (or ‘Cloud’) is an established

industry paradigm for providing business computing

using a managed service delivery model.

7 The Government Cloud (G-Cloud)

programme was established at that time to advance the vision for Cloud and accelerate the anticipated business benefits. It comprised three separate strands: data centre consolidation, cloud computing, and ‘applications store’ - each with the ability to contribute significantly to cost savings. The G-Cloud programme has been maintained by a small group of Central and Local Government stakeholders. That group of stakeholders has delivered a Cloud Computing Strategy, issued a Cloud Framework Tender and advanced a number of cloud projects. The experience gathered on these projects is being shared through the Cloud Foundation Delivery Partner programme.

Cloud has remained one of the key ‘Common ICT Infrastructure’ programmes in the March 2011 revision of the Government ICT Strategy. The implementation plan

for that strategy provides an excellent explanation of why Government should adopt Cloud:

“Government will exploit commodity ICT services through the use of cloud computing technologies to:

• To reduce government ICT running costs and power consumption through radically increasing re-use of assets and services including software and hardware, thus ‘greening’ our ICT provision and saving both the direct additional costs of duplicate buying, as well as the indirect costs of running multiple redundant procurements;

• To optimise use of our data centre infrastructure - which traditionally has been hugely inefficient. Maximising utilisation will allow rationalisation and consolidation of the data centre estate and lead to significant cost savings;

• To increase public sector agility through moving towards consuming ICT as a utility – where services can be supplied on a pay as you go basis, scaled up or down according to need. This will also allow the quicker implementation of government policies; and

• To create a fairer and more competitive marketplace by a standards based cloud environment that enables a range of service providers constantly improving the quality and value of the solutions they offer, from small SME organisations providing niche products to large scale hosting and computer server capacity”

Cloud became a cornerstone of Government ICT Strategy in summer 2009.

It offered one way to deliver significant cost saving to the £16 billion ICT

budget as required by HM Treasury’s Operational Efficiency Programme.

Why is the Public Sector Adopting Cloud Computing?

What about Cloud Computing Standards?

Cloud Essential Characteristics

Measured Service Essential Characteristics Service Models Deployment Models On-Demand

Self Service Network AccessBroad ResourcePooling

Software as a

Service (SaaS) Service (PaaS)Platform as a Infrastructure asa Service (IaaS) Rapid Elasticity Community Hybrid Private Public

Figure 1 – The NIST Definition of Cloud Computing

Standards represent agreed best practice. When applied to ICT they provide the basis for interoperability and for information exchange. They are of critical importance to Public Sector ICT programmes where there is the need to join-up stakeholder groups to deliver services.

The Public Services Network (PSN) programme had already invested heavily in the development of ICT standards – both for infrastructure and real-time applications – and it was recognised that the same need existed for Cloud.

G-Cloud followed the already established US ‘Federal Cloud Program’ and adopted the US National Institute of Standards and Technology (NIST) Definition of Cloud Computing (the NIST standards)1_{. That}

adoption for UK Government was recently confirmed by the Government Procurement Service (GPS) ‘G-Cloud Procurement Vehicle’ tender that used the NIST standards for its technical framework.

The NIST definition of Cloud is extremely important to both business and technical decision makers. It provides a high-level

analysis of Cloud, with a focus on three key areas as shown in the figure below:

• Essential Characteristics

• Service Models

• Deployment Models

‘Essential Characteristics’ are of great importance to business decision makers as they encapsulate the key business differences between cloud and traditional ICT delivery models. ‘Cloud Service Models’ and ‘Cloud Deployment Models’ can also have genuine business impact: the former because they define possible interface points between end-user organisations and service providers, the latter because they explain different physical mechanisms by which Cloud can be consumed.

8 1 _{NIST Definition of Cloud Computing - http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf}

The NIST standards define the essential characteristics of Cloud so that the differences from traditional ICT delivery models can be understood. The key characteristics for the business decision maker are that ICT delivered using the cloud model:

• Can be easily shared (‘shared services’) across multiple stakeholder organisations, providing business convergence and cost benefits

• Can be consumed at scale over large networks of arbitrary topology

• Has reserves of capacity and performance that can scale to meet changing business demand

• Is typically metered and invoiced by use

• Is consumed as services

C. L. O. U. D. can be used as a simple mnemonic to recall the essential characteristics (see text box).

The NIST definition

of Cloud is extremely

important to both

business and technical

decision makers

C ommon (multi-tenant and shared)

L ocation-independent

O n-demand (flexible and scalable)

U tility (metered and invoiced by use)

D elivered as-a-service

Cloud Essential

Characteristics –

A Simple Mnemonic

Cloud Service Models

The NIST standards offer three cloud service models, each with a different interface point between managed service provider and end-user organisation. The models provide options that vary in the extent to which control of ICT delivery is transferred away from the end-user organisation to the managed service provider.

Three main service models are defined, as follows:

• Infrastructure as a Service (IaaS)

provides processing, storage, networks and other computing infrastructure resources. The end-user organisation does not manage or control the infrastructure but has control over operating systems, applications and programming frameworks

• Platform as a Service (PaaS) provides computing platform resources on which end-user organisations can deploy applications, developed using

specified programming languages and tools. The end-user organisation does not manage or control the underlying compute platform but has control over deployed applications

• Software as a Service (SaaS) provides end-user organisations with access to applications running on cloud infrastructure. The end-user organisation does not manage or control the

underlying cloud infrastructure or the capabilities of cloud applications. The end-user organisation may, however, manage or control user-specific application settings

Cloud service models may, of course, exist in combination and alongside non-cloud models. For example, an organisation may wish to meet its overall data centre and hosting requirements using the IaaS model from one provider, while meeting its voice, video and real-time collaboration requirements using the SaaS model from another.

Cloud service models are extremely important as they define the boundary, in terms of roles and resources, between a cloud service provider and an end-user organisation. When an organisation decides to adopt Cloud it hands over some level of control of ICT delivery to a third party. It must make structural, process and governance changes to reflect this and so realise the full business benefits. For example, an organisation may deliver all its ICT through an internal department or outsourcer contract. However, if it wishes to consume using the cloud model it would need to re-evaluate its current contracts, local delivery resources and governance structures.

9

Cloud Deployment Models

Four main deployment models are defined by NIST, as follows:

• Public Cloud – a domain (typically the Internet) open to the general public or wide group of stakeholders, owned and managed by a cloud service provider

• Private Cloud – a domain operated solely for a single organisation, owned by the cloud service provider, managed by the cloud service provider or the end-user organisation

• Community Cloud – a domain shared by several stakeholder organisations who operate within a specific community, owned by the cloud service provider, managed by the cloud service provider or by one or more of the stakeholder organisations, as a variant of private cloud

• Hybrid Cloud - a domain that combines two or more deployment models that remain unique entities, but are bound together by technology that enables data and application portability

The G-Cloud programme set out further principles around these four deployment models and their suitability for UK Government, as follows:

“In addition to these three2 _G-Cloud

deployments, the US National Institute of Standards and Technology (NIST) defines another cloud deployment model: Community cloud. In UK government terms, private and community cloud deployment models refer to the same thing as the G-Cloud programme founding principles dictate that the Public Sector should be treated as one organisation for cloud services. In other words, this means that there will be only one private cloud (possibly per IL) that is able to be accessed by all public sector consumers. The components of this are expected to be delivered by multiple suppliers/organisations, but they must be interconnected and available to all, thus creating a single private cloud.

As laid out in the G-Cloud principles that were defined during phase 2, government should utilise the public cloud deployment model as a default position, utilising private cloud only where essential criteria cannot be met by public cloud delivery model offerings. For example: Information Assurance criteria might currently drive the use of government accredited data centre services and infrastructure for sole use of the public sector where services are processing/storing information at Impact Level 3 and above. However, how our essential criteria are met is expected to

Cloud deployment models describe the infrastructure domains (usually

the network domains) over which cloud ICT services can be delivered.

10 2 _{Note: Public, Private and Hybrid}

evolve as the cloud market innovates and matures, possibly reducing our need for private cloud delivery.”

Cloud deployment models are of critical importance to the Public Sector and link together the PSN and G-Cloud programmes in a very direct way. Each deployment model is associated with particular security characteristics that dictate which applications and services may run over them – this is covered in the next main section of this paper. In addition, each model is associated with a different level of scalability. Public clouds are typically much larger than private clouds and this affects how cloud services can be delivered and their cost. For example, public cloud services can likely be delivered at low cost to an organisation because of the opportunity for ‘follow-the-sun’ management operations.

Cloud may, of course, exist in combination within other delivery models within an organisation. For example, an organisation may wish to continue to deliver the majority of its ICT conventionally but decide, for reasons of cost, to deliver ‘citizen contact’ applications as cloud services over the Internet. There is no standard template that defines the right combination of cloud and non-cloud services for an organisation. The right combination must be arrived at through development and refinement of a vision for Cloud linked directly to business needs.

Security

Considerations

for Cloud

Each cloud deployment model has its own security characteristics and potential risks. These will dictate the applications and services that may be used over them, for example:

• Public clouds offer no assurance and are only suitable for applications operating at Impact Level 0. They are not suitable, therefore, for applications that demand any level of confidentiality, integrity and availability. Even for applications that do not demand confidentiality and integrity a business must look at availability to ensure the cloud service can meet the required service levels

• Private clouds can offer assurance and so can operate at any Impact Level. The PSN will deliver a private cloud for the Public Sector and be assured to operate at Impact Level 2. PSN standards have also been developed that allow applications operating at Impact Levels 3 and 4 to use security overlays

• Legal compliance – does the cloud service comply with applicable laws and regulations?

• Service location – does the cloud service meet legal constraints on the geographic location of data and can this be addressed in service contracts?

• Data ownership – does the cloud service offer clear data ownership and data inspection guarantees?

• Insider abuse of privilege – does the cloud service properly control access to provider staff to prevent data leakage?

• Data monitoring – does the cloud service meet all business and legal requirements for monitoring data relating to different clients?

11

Each cloud deployment

model has its own

security characteristics

and potential risks.

These will dictate

the applications and

services that may be

used over them

Adoption of private and community clouds requires an end-user organisation to be confident that its data will remain confidential and isolated on shared compute, networking, and storage resources. Maintaining data security and separacy in a multi-stakeholder environment requires technology and processes for identity management, data protection and integrity, and data governance. Organisations must be aware that cloud computing is at scale and usually involves much larger infrastructure domains than in the past. Cloud environments, therefore, offer larger attack surfaces and so are more vulnerable to security and cyber-security threats. Organisations must put robust procedures in place and deploy the latest security technology to manage these risks. In addition, and finally, there are other security and assurance risks that need to be recognised and managed for cloud deployment models to be successfully adopted:

Note on Impact Levels

Impact Levels (or Business Impact Levels) are defined by CESG. They are on a scale from 0 (no impact) to 6 (extreme impact) and define the impact to a business that would result from any compromise of the confidentiality, integrity or availability of information used

by an application, or residing on an ICT system or infrastructure.

There is a direct relationship between Protective Marking and Impact Levels. See the CESG business impact tables at: http://www.cesg.gov.uk/policy_

technologies/policy/media/business_ impact_tables.pdf

Security is one of the prime considerations when making an assessment of

Cloud deployment models are particularly important for

Public Sector organisations at this time because of new

options available through the PSN programme.

Public Sector

Cloud Deployment

Models

End-user organisations should assess available public and private deployment models against cost and security considerations. The following key

considerations should be taken into account: 1. PSN promises, for the very first time,

to deliver a single private cloud for the whole of the Public Sector

2. PSN will also deliver private clouds to individual organisations and community clouds to groups of stakeholders 3. Cloud deployment models can only

support particular levels of security; for example, public clouds can typically only operate at Impact Level 0

4. Cloud deployment models differ in their scale; this potentially affects both cost and ability to deliver shared services Cisco believes that each of the four deployment models in the NIST standards can readily be deployed by Public Sector organisations.

Public Cloud refers to Cloud over the Internet through wired or wireless connections. Cloud computing services delivered via this deployment model would

typically operate at Impact Level 0. However, it is technically possible to operate up to Impact Level 3, using established guidance provided by CESG, although this approach is not recommended for use at scale.

Private Cloud will, in the future, refer to Cloud over the PSN. Cisco believes that three variants will emerge:

• Single organisation private clouds implemented as ‘virtual private networks (VPNs)’ over the PSN

• Multi-organisation community clouds implemented in a similar way

• The PSN, as a single overall private cloud, embracing the whole of the Public Sector

Cloud computing services delivered via this deployment model may, typically, operate up to Impact Level 4.

Community Clouds already exist in a functional sense – for example, as Healthcare Community of Interest Networks (COINs). In the future, however, community clouds may be realised as community clouds over the PSN as the vehicle for supporting multiple stakeholder organisations. Cloud computing

services delivered via this deployment model would also be able to operate up to Impact Level 4. Such services, supporting community or stakeholder groups, are often referred to as ‘shared services’.

Hybrid Clouds, as explained previously, comprise a combination of public and private clouds. However, within the Public Sector, the term may also refer to implementations comprising different categories of private cloud or combinations of private and community cloud. This type of hybrid cloud already exists – for example, the University of Loughborough runs cloud applications from a local data centre over a campus (private) cloud but also has the ability to run the same applications over the JANET network – a community cloud. This approach is often termed to as co-operative cloud by industry.

12

PSN promises,

for the very first

time, to deliver a

single private cloud

for the whole of the

Public Sector

When the platform is to be used for cloud deployments, particular attention must be paid to availability, scalability and information security and to the mobility features necessary to support large communities of location-independent end-users.

Every Public Sector organisation should develop its own

ICT Strategy to define the common ICT infrastructure required

to support its business computing. Cisco refers to this common

ICT infrastructure as the ‘ICT service delivery platform’.

14

The ICT Service

Delivery Platform

for Cloud

The essential components of this platform, and their characteristics, are documented in the next sub-section of this paper.

Data Centres

(’Service Delivery Points’) _{Virtual End-points}Mobile, Information Assurance and

(Cyber) Security

Private or Community

Network

Figure 2 – The ICT Service Delivery Platform

The ICT Service Delivery Platform

The service delivery platform comprises four essential ICT pillars:

• Data Centre – consolidated and virtualised service delivery points housing all applications and services

• Private or Community Network – high performance, high availability infrastructure to deliver applications and services to end-users

• Mobile, Virtual (VDI) Desktops – offering secure, lower cost, mobile access to applications and services

• Information Assurance and (Cyber) Security – the protective wrap of security infrastructure that maintains information confidentiality, integrity and availability and can mitigate cyber threats

We recommend an architectural approach to the development of the service delivery platform. Such an approach allows an overall ICT ‘architectural blueprint’ to be developed and agreed by stakeholders, then built incrementally as performance and functional requirements develop and budgets permit.

This approach also enables the cost-effective re-use of existing systems as the building blocks for new services in what is referred to as ‘service-oriented design’. Through our Cisco CloudVerse solution we are able to offer all the key elements of the service delivery platform, with characteristics that make them ideal for cloud deployments. The main elements of CloudVerse are:

• Unified Data Centre – a simplified architecture that provides efficient network operations, greater ICT agility for business innovation and an open system for supporting multiple cloud and virtualisation strategies

• Cloud Intelligent Network – that integrates seamlessly with the unified data centre to provide a powerful end-to-end delivery platform for cloud services

• Mobile, Virtual End-points – that support location-independent workers at scale permitting them to use end-points and connection methods of choice

• Information and Service Assurance

- the Cisco SecureX Architecture that enables consistent security policies and enforcement, up-to-date threat intelligence and greater infrastructure scalability so helping to manage the risk of moving to Cloud

More information on CloudVerse, and the capabilities of Cisco cloud products and solutions, can be found using the references at the end of this paper or in the companion paper – ‘Cloud Computing in the UK Public Sector – A Technical Overview’.

15

We recommend

an architectural

approach to the

development

of the service

delivery platform

Cloud can promote

operational efficiency

and so deliver indirect

cost savings

The Business

Benefits of Cloud

17

By enabling business process change and streamlining public services

delivery, Cloud can help organisations meet their two key business

requirements; realising direct cost savings, and creating operational efficiency.

Direct Cost Saving

Operational Efficiency

ICT represents a significant cost for most organisations. Kable3 _{estimates that cost to}

be, on average, 3% of overall budgets but the figure can be as great as 20% in some compute-intensive organisations.

There is a strong consensus that Public Sector organisations can best realise direct ICT cost savings through adherence to the following principles:

Cloud can promote operational efficiency and so deliver indirect cost savings. It can do this because of its inherent agility and scalability, and through driving business process change and streamlined public service delivery as follows:

• Greater business agility – by allowing statutory and business requirements to be met more quickly, by allowing near limitless business scalability, and by enabling businesses to meet annual cycles and to grow over time

• Support for business process change - by bringing powerful new real-time cloud

1. Implement standards – only procure ICT that is compliant with best-practice standards and implemented by skilled service providers

2. Remove the need for integration – through buying ICT as accredited, ‘off-the-shelf’ services

3. Buy ICT in a different way – as metered services (operational costs) rather than as hardware and software assets (capital costs)

services to support new ways of working, and new citizen care applications associated with ‘channel shift’

• Enhanced information management and sharing potential – through shared services that join-up stakeholders who can share information and applications to improve the delivery of services

Cisco has produced a companion paper – ‘Operational efficiency in the public sector – 10 recommendations for cutting costs in 2011 – 2012’ – that highlights the role of ICT in delivering operational efficiency to the Public Sector. See the reference at the

The G-Cloud programme, which is based on the NIST standards and which specifies accredited cloud services, aligns very directly with these principles. However, Government must also create and develop a flexible, dynamic marketplace that will drive down costs through competition and technical innovation. This is being done through the current PSN and G-Cloud tenders that, in time, can create marketplaces for infrastructure, real-time and cloud services.

end of this paper. The recommendations contained within that paper can all lead to greater savings if delivered using a cloud model.

Cloud must be considered as a fundamental change to business

operations and commercial models, rather than as a technology change.

Cloud requires a thorough review and assessment of business fundamentals. This includes answering a number of core questions covering the appetite for organisational and process change, the importance of owning ICT assets and the acceptance of risk associated with change.

How to

Approach

Cloud Computing

18

Each organisation needs to plan its own path to Cloud. That process requires answers to a series of key questions on business fundamentals including:

• What constraints are keeping us from meeting our business needs through our current approach to ICT infrastructure and applications?

• How much control do we want to retain over ICT assets (infrastructure and applications) and ICT delivery?

• How often do our business requirements change?

• Do we regularly need to meet new regulations and compliance requirements?

• Do we welcome the expected impact on cost models and budgets?

• What aspects of our budgeting and procurement processes will need to change?

• What new operational models would we need to implement?

• How would Cloud fit into our overall strategy and future goals?

• What is our tolerance to the risk associated with change?

• What are the benefits and limitations of Cloud for our processes?

• Which applications can and should be moved to Cloud?

• How will our ICT teams be affected?

• What aspects of our overall culture will need to change?

Planning for Cloud:

Questioning Business Fundamentals

To help with this process, we have created a set of key questions which can be found in the ‘Planning for Cloud: Questioning Business Fundamentals’ text box below. Cisco recommends a four-phase approach to Cloud based on a thorough understanding of the essential

characteristics, service models and deployment models contained in the NIST definition, as follows:

1. Preparation: to fully understand Cloud, how it can benefit an organisation and how it will affect resources, processes, operational structure and costs

2. Planning and Design: to plan which elements of ICT infrastructure and applications are suitable for Cloud delivery. To select which services should be delivered on private cloud and which are suitable for migration to a public cloud. To plan and design for the evolution of cloud infrastructure and the phased introduction of each cloud service

3. Implementation: to realise cloud architecture and services on time and within budget

4. Optimisation: To continue the evolution to Cloud and enable ongoing cost reduction

The preparation, planning and design phases are absolutely critical to successful deployment of Cloud. We have developed a ten point checklist, the ‘Public Sector Cloud Maturity Model – A Ten Point Checklist for Success ’ to help end-user organisations take the right steps in their transition to Cloud (see right).

Cisco recommends that each phase should be facilitated through a series of stakeholder workshops. The workshops can be used to develop a common understanding of Cloud and provide the vehicle both for answering key questions and for developing plans. We suggest that workshops might be held to focus on the following areas:

• Cloud basics

• Organisational and process change

• Ownership of ICT assets and ICT delivery

• Change to financial models

19

Public Sector Cloud Maturity Model –

A Ten Point Checklist for Success

1. Understand the Government ICT Strategy and its constituent G-Cloud and PSN programmes

2. Understand the essential characteristics, service models and deployment models for Cloud defined in the NIST standards 3. Decide if the essential characteristics for Cloud align with business

appetite for organisational change, financial change and for risk 4. Agree how important the ownership of ICT assets (infrastructure,

compute) and ICT delivery is to your business

5. Analyse the ICT required for the business to select those infrastructure and compute services that could best move to Cloud

6. Define service models for the selected cloud services in line with the policy on ICT ownership

7. Carry out a security audit to identify if adequate assurance provision is in place for the move to Cloud

8. Agree cloud deployment models for the selected cloud services in line with security, availability and financial considerations

9. Define the vision for Cloud within the business (based on points 2 – 8) and incorporate it into the ICT strategy

10. Agree the route for most efficient procurement of the selected cloud services

• Expected benefits and benefits realisation

• Suitability of infrastructure and applications for cloud deployment

• Service delivery platform and end-to-end architectures

• Information assurance and security

Cisco Services has global consulting practices with the skills to take the advice contained in this section and deliver a vision for Cloud and create business, services and technical strategies.

An organisation’s strategy should be to procure cloud services, based on best practice standards, from accredited service providers without the overhead of the full OJEU (Official Journal of the European Union) process.

At the present time the majority of Public Sector ICT procurement is via tenders advertised in the OJEU. Such tenders form the final element in a set of processes that comprise: gathering of business requirements, writing of technical specification, writing the OJEU tender documents, tender response evaluation and contract award. These processes are complex, resource-intensive and very expensive for an organisation to implement. They can often take long periods of time so delaying projects. OJEU tenders are not the recommended approach, nevertheless they do offer the first route for procuring cloud services.

The Government Procurement Service (GPS), formerly OGC Buying Solutions, has a strategy for Public Sector organisations to procure from ‘frameworks’ (lists) of providers who have been assessed as having the necessary capability. GPS, on behalf of the G-Cloud programme, has just run a tender to populate a framework of cloud providers. The procurement – for a ‘G-Cloud Procurement Vehicle’ – was defined as follows in the OJEU tender:

“It is intended this procurement will establish a multi-Supplier vehicle for the purchase of Cloud-based IT Services (“G-Cloud Services”) by public bodies in Central Government and across the wider public sector. This vehicle will be called the G-Cloud Procurement Vehicle.

This framework runs in parallel with the PSN Services framework, and the overlap across the frameworks is recognised.

The PSN (Public Services Network) provides strategic convergence for GSi, PNN, N3 and other public sector networks. It would be possible to buy Cloud Computing Services from the PSN framework, and equally, PSN services from this framework. Note, however, that any services that connect to the PSN will be subject to PSN governance and required to undergo PSN Compliance Certification.”

The ‘G-Cloud Procurement Vehicle’ will list providers with accredited capability to deliver IaaS, PaaS and SaaS services as well as specialist capabilities such as cloud transition and migration services. It is the

second route – and the preferred route – by which organisations can procure of cloud services.

The PSN programme is also tendering to set up two frameworks of providers – one for connectivity and one for services - with the capability to offer accredited services. There is an acknowledged overlap (see extract from the OJEU tender left) between PSN services – which are mainly real-time applications - and G-Cloud SaaS applications. For this reason the PSN Services Framework will be a third route for procurement of selected cloud services. Public Sector organisations must assess which of these procurement routes best meets their business need. At the present time there is no suggestion that any of these routes are to be mandated, although it is quite possible that this may change at some point in the future.

Procurement change is absolutely essential if

Cloud is to realise full benefit for the Public Sector.

Cloud

Procurement

21 In the cloud model, a managed service

provider delivers ICT infrastructure or a computing application as a pre-packaged service to agreed service levels. The managed service provider, not the end-user organisation, is responsible for all aspects of delivering that service.

Cloud must be considered as a fundamental change to business operations and commercial models, not as a technology change. Any decision to adopt Cloud must be fully endorsed by business and technical decision makers.

Cloud will have significant organisational impact because it represents a fundamental shift of ICT responsibility from the end-user organisation to the managed service provider. It is also very likely to have commercial impact because of the inherent shift in ICT expenditure from capital (‘capex’) to operational (‘opex’) budgets.

Organisations should develop a strategic vision for Cloud and incorporate that vision into their ICT Strategy. That vision must be based on an assessment of the suitability of Cloud for meeting individual business requirements and on the appetite of the organisation to embrace organisational and business process change.

We recommend a four-phase approach to Cloud: preparation, planning and design, implementation, and optimisation. The first two phases are absolutely critical to the success of Cloud and require a thorough review and assessment of business fundamentals. To help with this process we have prepared:

• A list of questions on business fundamentals to help this review and assessment (see ‘Planning for Cloud: Questioning Business Fundamentals’, page 18

• A checklist setting out the steps that an organisation should take for a successful transition to Cloud (see the ‘Public Sector Cloud Maturity Model – A Ten Point Checklist for Success ’ page 19

Summary and

Recommendations

The four-phase approach to Cloud can best be facilitated through a series of stakeholder workshops. Cisco Services has global consulting practices which can provide guidance on the development of these workshops as part of their overall capability to deliver a vision for Cloud and create business, services and technical strategies.

Cloud is an established industry paradigm for providing business

computing using a managed service delivery model.

Cisco also has products and solutions so that managed service providers or end-user organisations can build and deliver cloud infrastructure and services.

These products and solutions can be found in our Borderless Network, Data Centre Virtualisation and Collaboration Architectures which can deliver end-to-end, architecture-based cloud environments.

Cisco has contributed actively to the development of cloud technology and

provides trusted advice to customers and providers on the best path to Cloud.

How Cisco

Can Help

22

Cisco CloudVerse offers all the technical capabilities required to build the Service Delivery Platform for Cloud, mentioned earlier in this paper, and to operate cloud applications and services over it. These technical capabilities are available for exploitation by managed service providers or by end-user organisations building private clouds.

Cisco CloudVerse also offers a unique combination of capability for building cloud environments including cloud business

Cisco Services has global consulting practices which can provide the link between you and Cisco’s expertise in cloud technology and in exploiting it for business advantage.

Our practices can provide the guidance and skills to transform the advice contained in this paper into business, services and technical strategies that align with the Government ICT Strategy.

Our Cisco Services teams could help you develop your Cloud computing strategies in a number of ways, including by:

Cisco Cloud Products and Solutions

Cisco Services for Cloud

applications and services, the unified data centre and intelligent networking. This brings computing, networking, and storage resources within the data centre together with the connectivity at scale to link to large communities of end-users.

The Cisco SecureX Architecture helps customers reduce risk by enabling consistent security policies and enforcement, up-to-date threat intelligence and support for greater scalability. Cisco cloud security helps

• Assisting in the development of your ICT strategy to ensure Cloud and ‘as-a-service’ are embraced to the full

• Carrying out infrastructure assessments to pinpoint opportunities for consolidation and virtualisation to create private and community clouds

• Advising on life-cycle management of ICT to maximise the benefits of existing ICT investments while ensuring full advantage is taken of modern ‘virtualisation’ architectures

• Developing transition plans to ensure new cloud technologies can meet business requirements in a seamless manner

We would welcome the opportunity to discuss the contents of this paper and to explain how we can share our knowledge and experience directly with you. Please contact your Cisco Account Manager to discuss your requirements in more detail.

Cisco CloudVerse

offers all the

technical capabilities

required to build the

Service Delivery

Platform for Cloud

to manage risk so that customers can achieve the economies of scale and the efficiencies of Cloud.

Further Information

on Cloud

23

Cloud Primers

The NIST Definition of Cloud Computing

http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

Cloud Computing – A Primer – Parts 1 & 2

http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_12-3/123_cloud1.html http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_12-4/124_cloud2.html

Government Papers on ICT Strategy and Cloud Computing

Government ICT Strategy and Strategic Implementation Plan

http://www.cabinetoffice.gov.uk/resource-library/uk-government-ict-strategy-resources

Government Cloud Computing Strategy

http://www.cabinetoffice.gov.uk/sites/default/files/resources/government-cloud-strategy_0.pdf

US Federal Cloud Computing Strategy

http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_12-4/124_cloud2.html

Cisco Business Papers

Operation efficiency in the public sector – 10 recommendations for cutting costs in 2011 – 2012

http://www.cisco.com/cisco/web/UK/public_sector/oep_brochures.html?interactionId=18739357 &surveyCode=6726&keyCode=208469_1

Cisco Technical Papers

Cloud

http://www.cisco.com/web/solutions/trends/cloud/index.html

Cisco Cloud Computing

http://www.cisco.com/go/cloud

Cisco CloudVerse

http://www.cisco.com/en/US/solutions/collateral/ns341/ns991/solution_overview_c22-693654.html

Cisco Service Provider Cloud and Data Centre Solutions

http://www.cisco.com/en/US/netsol/ns991/networking_solutions_market_segment_solution. html#~overview

Cisco Data Centre and Virtualisation Solutions

http://www.cisco.com/en/US/netsol/ns340/ns394/ns224/index.html

Case Studies

Cisco’s New Cloud Data Centre

© Cisco 2012. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco’s trademarks can be found at www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1007R)

Americas Headquarters

Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA95134-1706 USA

www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

Asia Pacific Headquarters

Cisco Systems, Inc. 168 Robinson Road #28-01 Capital Tower Singapore 068912 www.cisco.com Tel: +65 6317 7777 Fax: +65 6317 7799 Europe Headquarters

Cisco Systems, International BV Haarlerbergpark Haarlerbergweg 13-19 1101 CH Amsterdam The Netherlands www.cisco.com Tel: +31 0 800 020 0791 Fax: +31 0 20 357 1100