Strategic, Privacy and Security Considerations for Adoption of Cloud and Emerging Technologies in the Caribbean May 27, 2014 Prepared for Ministers and Senior Officials from the Caribbean and distinguished participants and attendees of the Caribbean Telecommunications Union (CTU), the Commonwealth Secretariat, the Organization of American States (OAS), and the International Telecommunication Union (ITU) on the occasion of the Caribbean Stakeholders’ Meeting: The Importance of ICTs and their Impact on Regional Development, May 26-28, 2014 in Port of Spain, Trinidad.


Page 1: Strategic, Privacy and Security Considerations for Adoption of Cloud and Emerging Technologies in the Caribbean

Strategic, Privacy and Security Considerations for Adoption of Cloud and Emerging Technologies in the Caribbean

May 27, 2014

Prepared for Ministers and Senior Officials from the Caribbean and distinguished participants and attendees of the Caribbean Telecommunications Union (CTU), the Commonwealth Secretariat, the Organization of American States (OAS), and the International Telecommunication Union (ITU) on the occasion of the Caribbean Stakeholders’ Meeting: The Importance of ICTs and their Impact on Regional Development, May 26-28, 2014 in Port of Spain, Trinidad.


For more information, please contact:

Frances Correia, Country Manager, Trinidad and Tobago, Microsoft Corporation, [email protected]

Josemaria Valdepenas, National Technology Officer for Latin America and the Caribbean, Microsoft Corporation, [email protected]

Roberto Arbelaez, Chief Security Advisor for the Americas and the Caribbean, Microsoft Corporation, [email protected]

Marie-Michelle Strah, National Cloud Enterprise Architect and WW Enterprise Information Management Lead, Microsoft Corporation, [email protected]

Zohra Tejani, Senior Attorney, Legal Affairs Director, Worldwide Public Sector, Microsoft Corporation, [email protected]

Miguel Sciancalepore, Attorney, Digital Crimes Unit Regional Lead, Microsoft Corporation, [email protected]

This paper is for informational purposes only. Because Microsoft must respond to changing market conditions, the information contained in this document is subject to change; it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable laws is the responsibility of the user. Subject to the foregoing, the content of this document is licensed to you as follows:

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 United States License.


Strategic, Privacy and Security Considerations for Adoption of Cloud and Emerging Technologies in the Caribbean

Table of Contents

Section 1: Emerging Technologies and Cloud for eGovernment: Strategic Considerations ... 4
  National Cloud and eGovernment ... 4
  Considerations for Cloud Computing ... 5

Section 2: Key Considerations when Partnering with Private Sector Cloud Service Providers: A Brief Overview ... 8
  Security at the Core ... 8
  Data Privacy and Security ... 8
  A Note about Security and Privacy Certifications ... 9
  Regulatory Compliance and Policies ... 9

Section 3: Private Sector Role in Fighting Cybercrime ... 11
  Tools and Technologies Developed by Microsoft to help Governments fight Cybercrime ... 12


Section 1: Emerging Technologies and Cloud for eGovernment: Strategic Considerations

1. Introduction

Governments around the world can benefit greatly from advances in cloud computing and emerging technologies to deliver government and citizen services, drive innovation and knowledge transfer from the private sector, increase transparency and accountability, accelerate economic development and transformation, and ensure data privacy and security. In addition, federal, state, and local governments and non-government organizations (NGOs) are adopting Open Data initiatives powered by the cloud to extract insight and support better decision-making, ultimately transforming how agencies work, engage citizens, and provide eGovernment services.

2. National Cloud and eGovernment

National Cloud is aggregate cloud computing for multiple public sector entities within a country and helps governments save money, deliver more effective services, and compete more effectively in the global economy. Governments at all levels–local, regional, and national–recognize the new opportunities that cloud computing offers for creating an agile and flexible IT infrastructure that supports their services. For today’s government leaders and CIOs, the cloud presents an opportunity to rethink the role IT plays in accomplishing strategy.

• Enable Governments to Save Money: National Clouds help reduce delivery costs while also increasing hardware utilization and staff efficiency. By consolidating existing resources and pooling together hardware, facilities, operations, and electricity, governments can use computing resources on a schedule and likely at a lower overall cost.

• Improve Government Service Delivery: National Clouds enable end-to-end solutions with common user experiences while also offering the ability to grow dynamically to fit changing governmental needs. Offer applications and services that support government innovation and enable cost-effective cloud-designed applications that can dynamically scale to meet demand.

• Help Governments Transform to Be More Effective and Globally Competitive: National Clouds empower governments to get precisely the services and capabilities they need by moving to the cloud when and how they want. Data and applications can be available on-premises, through the private and/or public cloud, enabling agencies to configure the combination most compatible with their needs.


Example: Driving Open Data Initiative

Because it makes services available over the network, the cloud frees governments from standardizing on specific devices or servers. That way, constituents can access services from any device, whether they’re on mobile phones, tablets, laptops, or desktops. In its first move into the cloud, the UK’s Transport for Greater Manchester hosted an open data platform to foster mobile app development—and enable greater mobile device usage by its employees, citizens, and visitors.

3. Considerations for Cloud Computing

What’s challenging for a government agency is to sort through the universe of cloud offerings and determine the right cloud solution and the right service provider for their particular political and business requirements, ecosystem, and organizational culture.

• Public clouds, managed in data centers by a provider, can be agile and budget-friendly, providing scalability and cost benefits. Public clouds are often the most cost-effective and scalable options. They offer a security-enhanced environment, but may not be fully compliant with privacy regulations and may impose rigid limitations on configurability. In a public cloud, the cloud provider keeps the environment continuously up-to-date.

• Private clouds, or those managed by a service provider (on-premises or hosted by a third party), can provide better security features for the most sensitive and private data. While these are more customizable and offer the government more control, the costs of the private cloud may be higher because the agency must also purchase and manage the infrastructure. When building a private cloud, the government or service provider needs to build continuous process improvements into the design so the system can evolve from the moment it goes into production.

• A mix of private, service provider and public clouds in a hybrid cloud can provide an optimal mix of cost and control, but requires strategy, planning and an enterprise architectural approach up front to drive value realization and alignment of IT with the political and economic goals of the country (i.e. not “infrastructure for infrastructure’s sake”).

eGovernment and Planning for the Cloud

When deciding whether to deploy IaaS, PaaS or SaaS solutions in public, private, service provider or hybrid clouds, there are several steps to take into consideration.


1. Establish the Business Case
   a. Develop a national cloud strategy aligned to political and economic goals of the country
   b. Assess cloud readiness of the country (ICT, power, legal and procurement frameworks)
   c. Examine TCO (total cost of ownership) of the options presented below

2. Develop a National Information Strategy
   a. Adopt Information Architecture and Enterprise Information Management approaches
   b. Develop programs to determine data classification, sovereignty and locality
   c. Implement rigorous identity and access management programs

3. Conduct an Application Portfolio Rationalization
   a. Adopt an Enterprise Portfolio Management approach to ALM and development
   b. Adopt security standards in design for trustworthy computing
   c. Use IA and EIM models to break through application and data silos and introduce efficiencies
   d. Leverage the API economy and Open Data Initiatives to drive application development

4. Map National Cloud Opportunities
   a. Explore the market for national data centers and shared services
   b. Explore the market for aggregation and cloud brokerage
   c. Create demand and go-to-market strategies for customers to adopt national cloud
   d. Improve eGovernment services through national cloud use

5. Assess Human Resources Challenges
   a. Use public procurement as a tool to support local IT sector and workforce development
   b. Develop strong public-private partnerships with strategic private sector entities for strategy, implementation and support

6. Designing for Performance and Security: Hybrid Cloud Architectures
   a. Steps 1-5 above are critical business and information architecture components of national cloud
   b. The research and analysis in steps 1-5 will clarify cloud transformation and migration strategies as well as drive business requirements for hybrid cloud architectures
   c. Develop roadmap and governance framework

References:

United Nations. Department of Economic and Social Affairs. Guidelines on Government Data for Citizen Engagement. http://workspace.unpan.org/sites/Internet/Documents/Guidenlines%20on%20OGDCE%20May17%202013.pdf

United Nations Conference on Trade and Development. Information Economy Report 2013: The Cloud Economy and Developing Countries. http://unctad.org/en/PublicationsLibrary/ier2013_en.pdf

Prepared by: Marie-Michelle Strah, PhD, National Cloud Enterprise Architect and WW Enterprise Information Management Lead, Microsoft Corporation, [email protected]


Section 2: Key Considerations when Partnering with Private Sector Cloud Service Providers: A Brief Overview

Enterprise cloud services, from productivity software-as-a-service to workloads or apps in cloud operating systems, can help governments serve their citizens more effectively and cost-efficiently. However, the e-Government destination necessarily involves a journey with check-points on security, data privacy and transparency, and regulatory compliance. What are the key considerations for governments when partnering with cloud service providers on this journey?

Security at the Core: Global cloud service providers have a massive footprint of millions of servers, which translates into cost efficiencies in buying hardware, deploying hardware and even negotiating electric rates. These cloud providers can justify enormous investments in security because the costs are spread over many servers and data centers in a way that most customers could not justify if they were establishing their own data center for a few thousand users.

• Physical Security. Cloud service providers should offer leading perimeter security at data centers, environment controls, multi-factor authentication, extensive monitoring, 24x7 onsite security staff, and days of backup power.

• Restricted data access and use. Access to government user data should be restricted by the cloud service provider. Government user data should be accessed only when necessary to support the government’s use of the cloud services. Strong authentication, including the use of multi-factor authentication, helps limit access to authorized personnel only. Access should be revoked as soon as it is no longer needed.

• Data encryption. The provider should provide data encryption at rest and in transit between the government user and the provider, with a roadmap for encryption enhancements.

• Incident response. The provider should have a global, 24x7 incident response service that works to mitigate the effects of attacks and malicious activity. The incident response team follows established procedures for incident management, communication, and recovery, and uses discoverable and predictable interfaces internally and to government users.

Data Privacy and Transparency

• Privacy prioritized. Governments should expect cloud services to be designed for privacy. For example, are the enterprise cloud services segregated from consumer cloud services? The provider’s business model (e.g., online advertising) can also reveal the provider’s priorities. Government users should demand clear contractual commitments and limitations about how the cloud service provider will use its customers’ data. For example, the cloud service provider should not use customer data or derive information from it for any advertising or similar commercial purposes.

• Data ownership, portability, and deletion. Governments should insist on contractual commitments that confirm the government’s ownership of its data. Governments should be able to access their data at any time without the assistance of the cloud service provider. Contract commitments should also include clear timeframes for when the customer can extract its data and when the provider will delete the customer data upon the expiration or termination of the cloud services contract.

• Transparency. Private cloud services providers must be transparent and indicate to governments where their data will be stored and whether they will use subcontractors to process that data. To the extent possible, cloud services providers should attempt to redirect law enforcement requests for data to the customer. Reports on such law enforcement requests should be made available.

A note about security and privacy certifications: Key third party and government certifications to look for are listed below. Cloud services providers should be willing to share third-party verification results.

• ISO 27001 is a broad international information security standard.
• ISO 27018 will soon be an international data privacy standard.
• Service Organization Control (SOC) reporting framework for SOC 1 Type 2 relates to the design and operating effectiveness of a service provider’s controls.
• UK G-Cloud Security Accreditation: UK Federal Government cloud security program
• FEDRAMP/FISMA: US Federal Government cloud security requirements
• Validation by European Union data protection authorities (DPAs) and the European Commission that contractual commitments meet European Union (EU) privacy law’s rigorous standards.

Regulatory Compliance and Policies

Existing regulations. Regulations covering special segments of data, such as healthcare data or financial services information, can pose special compliance challenges when moving regulated data to the public cloud. However, a trusted private sector partner can help an agency remain compliant. Examples: See the case studies of Goodbody, the largest stock broker in Ireland, and the Government of the US Virgin Islands.

Policy considerations for new regulations. Proposed laws and regulations (or updates to existing ones) that impact cloud services should strike the right balance. Two key areas of focus:

• Data must be allowed to flow freely. Consistency and predictability of regulations across countries can help protect data in the cloud while facilitating private sector operations as data travels across numerous national borders.

• Security from unauthorized access. Prioritizing a safe cloud can help encourage adoption of cost-effective cloud services.

Cloud services provided by the private sector can be a cost-effective, efficient way to achieve e-Government goals. However, the right considerations must be made along the way. Whether developing a procurement tender for cloud services or developing regulations that will govern data in the cloud, it is important to understand how the private sector can serve as a trusted partner for governments in the key areas of security, data privacy and transparency, and regulatory compliance.

Reference: Facilitando the Cloud: Data Protection Regulation as a Driver of National Competitiveness for Latin America, Horacio E. Gutierrez & Daniel Korn, Inter-American Law Review, February 12, 2014. http://inter-american-law-review.law.miami.edu/facilitando-cloud-data-protection-regulation-driver-national-competitiveness-latin-america/

Prepared by: Zohra Tejani, Senior Attorney, Legal Affairs Director, Worldwide Public Sector, Microsoft Corporation, [email protected]


Section 3: The Growing Threat of Cybercrime: Overview

The private sector has an important role in helping the public sector fight the threat of cybercrime. How does Microsoft collaborate?

The private sector has a key role in the fight against cybercrime. In particular, a technology company such as Microsoft has an interest in securing a safe internet for its customers and consumers.

While there are multiple types of cybercrime, Microsoft focuses on three main areas where Microsoft has an opportunity to make a direct impact to create a safe digital world:

• Malware Disruption
• IP crimes including piracy
• Protecting consumers, focusing on vulnerable populations: Child Protection

Malware Disruption

Malware is capable of all kinds of evil activities that can do an untold amount of damage without warning, like stealing confidential information as well as large sums of money. Malware undermines trust in the internet and technology. Microsoft helps protect customers and consumers from malware and raises the cost of doing business for the criminals. Microsoft plays offense and collaborates with law enforcement to do botnet takedowns.

Vulnerable Populations: Child Protection

One focus of Microsoft is addressing the issue of technology-facilitated child sexual exploitation, particularly the exchange of child pornography. Microsoft works closely with governments, expert NGOs, researchers, industry, law enforcement and others on new and important ways to combat these threats to better protect children from further harm.

IP Crimes including Piracy

Organizations that employ unlicensed software (non-genuine or illegal software) are exposed to significant legal and security risks. Such security risks range from the possibility of getting infected by malicious software code (viruses, Trojans, worms, spyware, etc.), to data loss, identity theft, corruption of your internal network and permanent harm to your IT systems, compromising the organization’s information.

Microsoft Collaboration

Microsoft collaborates with governments through its Microsoft Digital Crimes Unit, which is an international legal and technical team. Microsoft has cybercrime experts across the areas of malicious software crimes, IP crimes, and technology-facilitated child exploitation. The team comprises more than 100 attorneys, investigators, business professionals, and forensic analysts.

Since February 2010, for example, Microsoft has disrupted eight botnets tied to criminal organizations committing consumer, financial and advertising fraud.

Tools and Technologies Developed by Microsoft to help Governments fight Cybercrime

• Cyberforensics: Cyberforensics is a new investigative capability built on state-of-the-art technology which enables the detection of large-scale cybercrime, such as online fraud and identity theft, perpetrated by criminals located thousands of miles away.

• CTIP (Cyber Threat Intelligence Program): As part of each of Microsoft’s botnet takedown operations, it works with Internet Service Providers (ISPs) and Computer Emergency Response Teams (CERTs) to rescue and clean computers from the control of the botnets.

  For instance, when Microsoft seizes the command and control infrastructure of a botnet, it severs the connection between the cybercriminals running a botnet and the computers they infected with that botnet’s malware. These infected computers continue to try to check into the botnet command for instructions until they are cleaned of the malware. Every day Microsoft’s system receives hundreds of millions of attempted check-ins from computers infected with malware such as Conficker, Waledac, Rustock, Kelihos, Zeus, Nitol, Bamital, Citadel and ZeroAccess.
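The sinkhole check-in flow described above, as an added example that is not Microsoft’s CTIP code: a small Python script that takes constructed sinkhole log lines, attributes each infected host to the network operator or CERT responsible for cleaning it by longest-prefix match against a constructed prefix table, and renders one notification per operator. Log lines, addresses, domains and operator names are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sinkhole log: timestamp, source IP, malware family, sinkholed C2 domain.
# Addresses and domains are illustration only (documentation ranges), not real indicators.
SINKHOLE_LOG = """\
2014-05-27T08:00:01Z 203.0.113.17 conficker c2-example-1.invalid
2014-05-27T08:00:04Z 203.0.113.17 Conficker c2-example-1.invalid
2014-05-27T08:00:09Z 203.0.113.44 zeus c2-example-2.invalid
2014-05-27T08:01:12Z 198.51.100.8 conficker c2-example-1.invalid
2014-05-27T08:01:30Z 192.0.2.200 citadel c2-example-3.invalid
2014-05-27T08:02:02Z 198.51.100.9 zeus c2-example-2.invalid
2014-05-27T08:02:45Z 10.0.0.5 zeus c2-example-2.invalid
this line is truncated garbage and is skipped
"""

# Constructed prefix table: who is responsible for cleaning hosts in each network
# (an ISP abuse desk or a national CERT). A real deployment would use routing/WHOIS data.
NETWORK_OWNERS = {
    "203.0.113.0/24": "isp-alpha",
    "198.51.100.0/25": "isp-beta",
    "198.51.100.128/25": "isp-gamma",
    "192.0.2.0/24": "gov-cert-example",
}


def parse_checkins(text):
    """Return (ip, family) pairs from the log, dropping malformed lines and bad addresses."""
    checkins = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        checkins.append((ip, parts[2].lower()))
    return checkins


def owner_for(ip, owners=NETWORK_OWNERS):
    """Longest-prefix match against the owner table; None when no prefix covers ip."""
    best = None
    for prefix, owner in owners.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, owner)
    return best[1] if best else None


def build_notifications(text, owners=NETWORK_OWNERS):
    """Group distinct infected hosts by responsible operator, then by malware family.

    Returns {owner: {family: sorted host list}}. Repeated check-ins from one host
    collapse to one entry; hosts no prefix covers (including RFC 1918 sources, which
    should never reach a sinkhole) go under 'unattributed' for analyst review.
    """
    grouped = defaultdict(lambda: defaultdict(set))
    for ip, family in parse_checkins(text):
        grouped[owner_for(ip, owners) or "unattributed"][family].add(ip)
    return {owner: {fam: sorted(str(h) for h in hosts) for fam, hosts in fams.items()}
            for owner, fams in grouped.items()}


def format_report(notifications):
    """Render one notification block per operator, as it would be sent to an ISP or CERT."""
    lines = []
    for owner in sorted(notifications):
        total = sum(len(hosts) for hosts in notifications[owner].values())
        lines.append(f"== {owner}: {total} infected host(s) ==")
        for family, hosts in sorted(notifications[owner].items()):
            lines.append(f"  {family}: {', '.join(hosts)}")
    return "\n".join(lines)
```

Calling `print(format_report(build_notifications(SINKHOLE_LOG)))` prints one block per operator; the `unattributed` block is the signal that the log or the prefix table needs attention before notifications go out.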

• PhotoDNA: In 2009, Microsoft, in cooperation with digital imaging expert Dr. Hany Farid of Dartmouth College, created a technology called PhotoDNA for the National Center for Missing and Exploited Children (NCMEC) to help address the distribution of graphic child pornography online. PhotoDNA has begun to change the way child exploitation is fought by empowering online service providers to find, report and eliminate images that would previously have gone undetected, and by helping law enforcement investigate reported cases more quickly and more efficiently.

• SitePrint: A tool to map out online organized crime networks selling illicit products online, incorporating a unique web site fingerprinting technology. This technology has been used to dismantle international organized crime networks (OCNs).

Prepared by: Miguel Sciancalepore, Attorney, Digital Crimes Unit Regional Lead, Microsoft Corporation, [email protected]