towards a national cloud strategy for kenya connected ke · 1. adoption of cloud computing in kenya...
TRANSCRIPT
TowardsaNationalCloudStrategyforKenya
RANICTPworkshopMay2017
Tonny K.Omwansa,PhD@tomwansa
FocusonPublicSector
• TwoCloudAdoptionSurveys
• DraftCloudStrategy
• Wayforward
Overview
2013CloudStudy
CloudStrategyTopics
•Determinantsofcloudcomputing:• Factorsthataffectcloudrelatedperformanceanditsoutcomes/impacts•Characteristics:Reliability.Agility.Usability.Sustainabilityetc•Policyandlegalframeworks.Market.Standardsetc.
•StrategiesoractionsofCloudComputingactors:• Instrumentalindeliveringtheoutcomes/impactsofthecloud•Costing.Promotion.Trainingetc.
•Outcomes/ImpactsofCloudComputing•Improvedoperationalefficiency•Enhancedmarketreach•etc
2013CloudSurvey– Design
Determinants
OutcomesStrategies
CloudStrategyTopics
• Timelines:June2013- April2014
• Quantitative(60institutions)andQualitative(12indepthinterviews)
•Baselinereportavailableathttp://www.c4dlab.ac.ke/wp-content/uploads/2014/04/CC-study-report-April-2014.pdf
2013CloudSurvey– Output
CloudStrategyTopics• Governance,Legalandregulatory
frameworks• Standards• Conflictresolution• Safe/FairContractTerms/Conditions• Licensing• LocationofData• Crossborderandterritorialissues• Skills&Awareness• Encouragingadoption• Vendorlocking• MarketCharacteristics(competitive
landscape/maturity)• Networkinfrastructure,applicationand
datareadiness• Governmentreadinessandrole• ServiceLevelAgreements
• Portabilityofapplications• Integrationwithlegacyenvironment• PublicCloudProcurementGuidance• Culturechange• Alignmenttogovernmentstrategies• Whatservicesshouldgotothe
public/community cloud(DecisionFrameworkforCloudMigration)
• Securityrequirements(Statutorycompliancetolaws,regulations,agencyrequirements;Datacharacteristics;Privacyandconfidentiality;Integrity-authorized,complete,andaccurate;Datacontrolsandaccesspolicies)
• Protectingsecurityyetmaximizevalue• Selectingacloudsolution• Ensuringcompetitiveness
2013CloudSurvey– Emergingtopics
1. AdoptionofcloudcomputinginKenyaisfairlyrecent.Mostorganizationsadoptedaformofcloudserviceeither2010/11.
2. Moreorganizationsutilizedpureprivatecloud(39%)comparedtoutilizingapubliccloud(22%).
3. Thekeybarrier:– Additionalcostofinvestment– Technicalskills(security,architectureanddesign,storageandvirtualization)– Perceivedreliabilityofservice,securityandprivacyofdata– Geographicallocation
4. Lackofknowledgeofpolicy/legalframeworksforcloud(80%)– Thoseaware:“itsnotflexible,comprehensiveandeffective”
5. Majorityoftherespondents(75%)notawareofanystandards
2013CloudSurvey- KeyFindings
6. Cloudservicesmarketwasready(90%).– Leadingconsumers:financialsector,telecommunications
7. Benefitsofcloudwereconsistentwithliterature:– costsavingsinhardware,softwareandpersonnel,– improvedsystemperformanceandmanagement,– flexibilityinaccesstoprocessingandstoragecapacity– higherelasticitydegree– etc
2013CloudSurvey- KeyFindings
1. Anationalcloudreadinesssurveytoinformcloudstrategy2. Developinganationalcloudstrategy3. Governmenttochampionutilizationofcloudservices4. Enhancementofrelevantlegal/regulatoryframeworks
– protectionofcloudserviceusers– cybersecuritychallenges– guaranteeingsecureonlinepayments– privacyanddatasecurity– etc
5. Developmentofthehumanresourcecapacity– technicalskills,legalandbusinessprocesses
6. Enhanceawarenessofcloudtechnologies– demystifyandcirculateaccurateinformation
2013CloudSurvey- Recommendations
2014/15CloudStudy
1. Anin-depthstudy,focusedonpublicsector
2. Targetconsumer:ICTAuthority
3. AnchoredonICTMasterplan
4. Objective:developingaCloudstrategy
5. BasedonaSWOTanalysis
6. Datacollected:June2014toFebruary2015
7. 45in-depthinterviews(suppliers,MDACs,public,opinionshapers)
2014/5CloudSurvey- Background
2014/5CloudSurvey- Framework
Findings- Situationalanalysis
Strengths• Leadership - Nationalleadershipunderstandsandchampionstechnology
• Launchedprojects– Severale-gov servicesamenableforthecloud
• Legal/regulatoryenvironment– Progressive(variouspolicydocuments)
• LocalInfrastructurecapabilities- Highqualitynetworks,SomegoodDCs
• Institutionalestablishments– Regulatoryandsupervisoryexist
• Policydocuments- Anumberofpolicieshavebeendevelopede.g.ICTpolicy,Nationalcybersecurity plan,ICTMasterplan etc
• Institutionalreadiness- MostinstitutionsinterviewedhaveLANs,connectivity&otherinfrastructuraldevelopmentsneededforcloud.
Findings- Situationalanalysis
Weaknesses• Governanceandchangemanagement- Weakhumancapital,traditional
mindset,resistancetochange• Serviceacquisition&funding– SLAs,fundingmechanismandprocurementlaws
aren’tallalignedtoacquisitionandmanagementofcloud• Availabilityandreliability- NetworkDependenceatCriticalHours- Provisionof
reliableaccess,round-the-clocksupport,securitylevels,highinternetspeedsareparamountissuesthatneedtobeaddressed.
• Informationassuranceanddatasecurity- AssuranceofprivacyandconfidentialityofdataandinformationinthecloudarekeyissuesthattheGovernmentmustconsiderduringcloudoffering,astheyareverysensitive.
• Legalandregulatoryissues- Thereareperceivedgapsinthelegalandpolicyframeworkssurroundingcloudcomputing,aswellasinadequateenforcementandpoliticalinterferences
Findings- Situationalanalysis
Opportunities• Governance - Reducedcosts,improvedaccessandservicedelivery.
• Accessibility&reliability- Easeofuseofaccess,improvedproductivity
• Higherflexibility&scalability- Dynamicandrapidscaleofcapacity.
• Laws&policies- Providersadherencetonational&internationallaws/policies
• Variety- ImprovedbargainingpowerofGov(abilitytoprocurefromwidevarietyofproviders,localprovidersandinternational)
• Pricing- Favorablepricingmodelsdependingonclientneeds.
• Technicalandhumancapital– Providershaveinvestedincompetentstafftosupportclientswithaccesstoupdatedtechnology.
Findings- Situationalanalysis
Threats• Governance - PossibleITstaffreduction,internalresistancetochangeand
workingpractice,longbureaucraticprocurementprocess,trust,funding.• Lackofcontrol- Controlistransferredtothecloudprovider.• Securityandprivacyconcerns- Dataprivacy,dataprotection,lossofcontrol
overdata,targettoexternalattacks,potentialmaliciousinsideractivity.• Interoperability - Integrationwithinhousesystems.• Legalandregulatoryenvironment- Lackofspecificstandardregulationon
dataprotection,userprivacyissues,SLAsetc• Technology/Infrastructure,skillsandawareness- Unpredictableperformance,
lackofsensitizationandawarenessofcloudservicesbeingoffered,lackoftechnologicalandhumancapability,reliabilityofpowersupply,lackofhighspeedinternetconnectionincertainpartsofthecountry.
• Vendorlock-in– Potentialchallengetoeasymigrationamongproviders.
DraftCloudStrategy
Vision
• ThevisionoftheICTMasterPlanis:– KenyaasaregionalICThubandagloballycompetitivedigitaleconomy
– ThisvisioncanbetakenastheGovernment’svisionwithrespecttoICT.
• CloudStrategyVision– Deliveringvalueofe-governmentservicestostakeholdersby
exploitingcloudcomputingservices
– ValuetoGovernmentagencythatoutsources• e.g.reducedtotalcostsofownershipandbetterservicedeliveryetc
– ValuetobusinessesandcitizensthattheGovernmentagenciesserve• e.g.increasedflexibility,convenience,easeofuseofgovernmentservices,better
qualityofservicesetc
StrategicObjective
• ThestrategicobjectiveoftheSharedServicesthemeoftheICTAuthorityStrategicPlan2013-2017is:
Tofacilitateefficientandeffectivedeliveryofgovernmentonlineservicesusingasuitablecombinationofprivateandpubliccloudcomputingofferings
• Oneofthemeansofachievingthisobjectiveis‘todevelopandimplementapublicservicecloudcomputingstrategy’.
– Theobjectiveofthiscloudstrategyis “toexpoundtheaboveSharedServicesstrategicobjectiveandguideitsimplementation.”
DesiredState
• Manymoresharedcommodityservicesandsolutions
ArangeofsharedICTservicesandsolutionsavailableonthecloudsothegovernment,itsagenciesandrelatedbodiescanusewhattheyneed,whentheyneedit,andnotcreateduplicateservicesthatcannotbeshared.
• Scalabilityandflexibility
Theability,ifrequired,fordepartmentsandagenciestochangeinfrastructuretofittotheirneeds.
DesiredState
• Competitivemarketplace
Arangeofserviceprovidersconstantlyimprovingthequalityandvalueofthesolutionstheyofferwhichthegovernmentcantakeadvantageof.
• Readyandeasytouse
Completesolutionsthatarealreadyassuredforsecurity,performanceandservicemanagement
DesiredState
• Costeffectiveness
CloudcomputingwillbringdowntheunitpercostofconsumedITservicebecauseitreducescostofelectricityconsumption,lowerInfrastructurallaborcostofdistribution,andprovidesreliabilityintheeventofdisasterandBusinesscontinuity- highavailabilityandreliability
• HighscalabilityofITinvestment
Thecloudprovideson-demandaccesstosharedresourcesthatreducedupfrontcostofITinvestmentsthroughturningthefixedcapitalexpenditureinITintooperativecostsdependingbaseduponsizeofdemand
DesiredState
• Mobility
Increasedcapacitytoworkfromanywhereandfromanydevice.
• Improvedgovernance
Greatertraceabilityofgovernmenttransactionsandservices
GuidingPrincipals
• IncreasethespeedwithwhichICTservicesaredeployed
• Useofglobalstandardsandbestpracticestoprovidehighqualityandconsistency
• Reducingwastebyavoidingduplication,breakingdownsilosandpromotingsharingofidleresources
• Increaseprojectsuccessratesbysharingofinformationandinter-agencycollaboration
• Useofopenstandardsfordataandarchitecturetofacilitategreaterinteroperability,opennessandre-useofICTsolutions
GuidingPrincipals
• Costconsciousness byreducingpricegovernmentpaysforassetsbyincreasingsharing&re-useofICTservices/solutions
• Promoteflexibility, convenienceandeaseofuseofgovernmentservicesbycitizens
• Agilitytohelpimprovewaygovernmentdeliversbusinesschange
• Enhancingaccountabilityandtrustbyclearlydefininginternalandproviderresponsibilitieswhilebuildingtrustintobusinessprocesses
StrategySpecifics- SaaS
• ICTAuthoritytodesign,implementandmanageICTinfrastructuretodeliversoftwareapplicationservicestoMinistries,Departments,AgenciesandtheCountiesregardlessoftheirlocation.
• Backendactivitieswillbemanagedfromcentrallocationsinaone-to-manymodel.
• SaaS tohaveelementsofPublicandPrivate
StrategySpecifics– SaaS (public)
• Applications,dataorprocesseswhicharepublic-facing,non-sensitive,non-confidential,non-missioncriticalorneedingsignificantfuturescalabilitytobeconsideredforpubliccloud.
• Respectiveimplementingagenciesshouldalsoconsidercomplianceandbudgetaryrequirements.
• Examples:– opendata,publicinformationrepositories,analysisofnon-sensitiveor
non-confidentialdataandfront-endelementsofonlineservicesorappsthatdonotstoresensitivedata.
StrategySpecifics– SaaS (private)
• Applications,dataorprocesseswithcharacteristicslike:sensitive,confidentialandmissioncriticalshouldbeconsideredforprivatecloud.
• Theimplementingagencyshouldalsoconsidercompliancerequirements.
• Examples:– financialsystems,procurementplatforms,HRsystems,identitydetails,
medicalrecordsandfinancialdetails.
StrategySpecifics- IaaS
• Governmenttoestablishinfrastructurethatcanbesharedandprovidedtootherstakeholdersasaservice.
– Thisinfrastructuretobeaccessibletootherorganizationswithingov onneedbasis
• TheGovernmentCoreConnectivityNetwork(GCCN),theNationalOpticFibre BackboneInfrastructure(NOFBI)andCountyConnectivityInfrastructure(CCI)representsthebasicinfrastructureonwhiche-governmentservicesrun.
– ThisinfrastructurecannotbeoutsourcedgiventheprivacyandconfidentialityofsomeoftheGovernmentdatasets.
– Thegovernmentwillthereforehavetoensurethatthisinfrastructureisreliableandrecruithighlyskilledpersonstosupportit.
StrategySpecifics– IaaS strategies
General• Consolidationofthevariousconnectivityprojectsintoone
integratednetworkthatprovidesseamlessconnectivity
• Reviewthedesignofthenetworkelementsandimprovetheirscalability,reliability,securityandcost
• Outsourcecertainelementsofthenetworkinfrastructureinordertomanagescalability,effectivenessandcost.e.g.,constructionofinfrastructure,maintenanceandredundancy
• ConsolidatetheprocurementandmaintenanceofICTinfrastructure acrossthenationalgovernmentMinistries,DepartmentsandAgencies.
StrategySpecifics– IaaS strategies
General• ReviewtheoperationofNOFBI byOrangegivenitsunacceptably
lowqualityofservice,intertwiningwithOrangeinfrastructure,openaccesstoductsandterminationpoints.
• ConsiderprovidinginfrastructureasaservicetotheCountyGovernmentsandprovidelastmileconnectivitywithappropriatetechnologies,e.g.whitespaces,Wimax,
• DevelopandretainacoreICTinfrastructureteamthathastherequisiteskillstodesign,implementandmaintainthecoreGovernmentinfrastructure.
StrategySpecifics– IaaS strategies
Computingandstorage• BuildanetworkofdistributedGovernmentDataCentersbased
onglobalstandardsandbestpracticetoensurehighavailability.
• MigrateallexistingcriticalapplicationsthatarecurrentlyingovofficestoGovernmentownedandmanageddatacenters
• ConsolidateallGovernmentbudgetsforDCs intheshorttomediumterminordertoconsolidateandreducecosts.– beginwithasurveytoidentifywhoinGovernmenthasDCplansinthe
shorttomediumtermandbuildcaseforconsolidationandtransfertoadistributedGDCsapproach.
StrategySpecifics– IaaS strategies
Computingandstorage• Introduceacommercializationmodel(e.g.sharingspaceand
services)inGDCstoguaranteesustainability
• Markettocriticalanchortenantswhocanusethegovernmentcloudinfrastructureasaservicee.g.KRA,CBK,KPLC
• ForallGDCs,outsourceallnon-coreelements,especiallypowerandbackupsystems,coolingandHVACtolocalqualifiedcompanies.
• BuildcapacityinGovernmentfordatacentrepersonnel– IntroduceaDCcareerpaththatensuresthatDCprofessionalscangrowto
thetopinatechnicalcareer
StrategySpecifics– IaaS strategies
Disasterrecoveryandbusinesscontinuity• Formissioncriticalapplicationshighavailabilitymustbe
guaranteed.Itisthereforenecessarytoruntheapplicationsinactive-activemodeintwodatacentres
• Fornon-missioncriticalapplications,anactive-passiveapproachacrosstwodatacentres butwithclearrestoretargetsisrecommended
• Fordisasterrecovery,primaryandsecondarysitesshouldbeseparatedbyaminimumdistanceasperglobalbestpractice
StrategySpecifics- PaaS
• PaaS enablesgovernmenttoprovidetoolsondemandthatenablesubscriberstodevelopnewapplicationsorservices.Thecloudbasedapplicationdevelopmenttoolsalsoenabletesting,deployment,collaboration,hostingandmaintenanceofdevelopedsolutions.
• ExamplesofplatformsthatcanbedeployedasaserviceincludeContentManagementSystems(CMS),SpatialDataInfrastructure(SDI),DataWarehousesandOpenDataplatforms.
//MoreworktobedoneonPaaS
StrategyImplementation– Keyissues
1. PolicyRecommendations
2. StrategicProjects
3. Funding
4. Standards
5. GovernanceStructure
6. ChangeManagement
7. CriticalSuccessFactors
8. RisksandMitigationStrategies
9. MonitoringandEvaluation
StrategyImplementation– Keyissues
PolicyRecommendations• ConsolidationofnetworkinfrastructureandDCbudgetsinMDAs• Consolidationofmissioncriticalapplicationshostedinhigh
availabilityenvironmentandinDCsdesignedtoglobalstandards• Nodevelopmentanddeploymentofsilosystems- Thesystems
developedorprocuredbyMDAsshould:– begeneric– bestandards-based– shareinfrastructure,includingstorage,networklinksandinformation
withoutduplication– beintegratedwithothersystemsaccordingtoaguideline(operation
manual)tobedevelopedbyICTA
StrategyImplementation– Keyissues
StrategicProjectsCategory Project Timeframe
GDCs Upgrade GDC Ruaraka 6 months
Implement a containerized DC 12 months
Complete Naivasha DC 18 months
Build a Tier 4 DC 2-3 years
Build other DCs to achieve distributed network of DCs > 3 years
Network Infrst Complete NOC to manage infrastructure 6 months
Re-design GCCN and on-board key clients 6 months
Fast-track NOFBI phase 2 implementation 24 months
Fast-track CCP phase 2 and ensure all key county offices are connected 15 months
Applications Implement Government Enterprise Architecture to facilitate integration 6 months
Migrate applications designated for public cloud 12 months
Legal/Regulatory fwrk Review legal frameworks for procuring cloud services 12 months
Review regulatory framework (consumer privacy, confidentiality, etc.) 12 months
Review data protection legislation 12 months
StrategyImplementation– Keyissues
FundingSources• Government
TheNationalGovernmentwillconsolidateallICTbudgetsinMDsinthelineMinistry(MoICT).
• AgenciesandCountyGovernmentsACstofundspecificaspectsofcloudcomputinginconsultationwiththeICTAuthorityandpayforsomeofthesharedservicesthattheyneedandareavailableinaGovernmentprivatecloud.
StrategyImplementation– Keyissues
FundingSources• PrivateSector
DevelopmentofsuitableincentivesandtaxbreakstoprivatesectorbothwithinandoutsidetheICTsectortofundsomeofthecloudcomputingprojects.– Incentivesmayinclude:DevelopmentofSpecialPurposeVehicles/Private
SectorConsortiumsandwaiversoncertainlevies,licensingfees,taxincentivesandtaxbreaks.
• DevelopmentPartnersKenyawill;leverageonherfundingprioritieswhenapproachingdevelopmentpartners(bi-lateral,multi-lateralorotherdevelopmentpartners)whohaveICTatthetopoftheirsupportpriorityliststofundsomeofthecloudcomputingprojects.
StrategyImplementation– Keyissues
StandardsGlobalstandardsexistsuchas– ISO/IECJTC1/SC38(standardizationofCloudComputingandDistributed
Platforms)– ISO27018:2014(codeofpracticerevolvingaroundtheprotectionof
PersonallyIdentifiableInformation(PII)inpublicclouds)– COBIT(governanceandmanagementbybridgingthegapbetweencontrol
requirements,technicalissuesandbusinessrisks)– ICTAhasbeenworkingonasetofguidingstandards
• TheKenyanGovernmentshouldthereforeensurethatitadoptsglobalpracticespriortotheadoptionanddevelopmentofcloudservices.
StrategyImplementation– Keyissues
GovernanceStructure• GovernancestructureinNationalICTMasterPlanshallbeused• Strengtheningneededparticularlyon:
– Whomakesdecisiononaddingcloudservicesandhowwillitbefunded;– HowITresourcesareallocatedandscheduled;– Whowillberesponsibleformanagingthecloudserviceproviderandhow
cloudservicesbemanagedandcontrolled.
• Cloudgovernancestructuresforconsiderationandcustomization:– TheUSFederalCloudComputingInitiativeGovernanceStructure– GovernmentofCanadaITServicesGovernanceStructure– Scheper’s CloudGovernanceModel– Guo’s CloudGovernanceModel– MicrosoftCloudGovernanceModel
StrategyImplementation– Keyissues
ChangeManagement• Someareasneedingmanagement:• Changestoorganizationalprocesses:
– Staffshouldbeprepared.Changesintheprocessesaffectingmanyaspectslikedailyoperations,rolesandresponsibilities.
• Stakeholderengagement:– Astakeholderengagementplan.Activelykeepstakeholdersupdated.
• Training:– Includingbutnotlimitedtolegal,technical,businessanalysis,systems
architecture,changemanagement,vendormanagementandgovernance.
• Awareness:– Allbemadeawareofnewapproach,challengesandanticipatedbenefits.
StrategyImplementation– Keyissues
CriticalSuccessFactors– Sevenkey1. DevelopingacompetentsupportteaminGovforCC2. Operationalization oftheGovernanceStructureintheNational
ICTMasterPlan(CabinetSteeringCommitteeChairedbyHEthePresident)
3. Managingchangewithingov andgeneralpublic4. Legal/regulatoryframeworkstoencourage&supportCC
adoption
5. AvailableandreliableGovernmentICTinfrastructure
6. Funding,especiallyforscalingandrecurrentexpenditure
7. ActiveengagementandparticipationofCountyGovernments
StrategyImplementation– Keyissues
RisksandMitigationStrategies
Risks Mitigation Strategies
1 Resistance to change Implement a change management program with key elements mentioned above
2 Inappropriate procurement legislation
Amendment of the procurement legislation to allow for procurement and scaling of cloud services
3 Insufficient or inadequate legal and regulatory environment
Strengthen the legal and regulatory environment to support the new paradigm
4 Lack of funding to support new set ups and additional costs of utilizing public cloud
Consolidation of cloud focused budgets by different MDAs
StrategyImplementation– Keyissues
RisksandMitigationStrategies
Risks Mitigation Strategies
5 Poor quality services, including unavailability of services due to threats like cyber attacks, distributed denial of service attacks and system failures, loss of data security and protection because of the off-premise characteristics of third party providers, etc.
● Professional due diligence of service providers
● Establishment and enforcement of comprehensive contractual agreements with relevant consequences of liabilities
● Enforce strict SLAs and monitor them closely
● Clustering, replication and disaster recovery solutions to achieve the necessary reliability.
StrategyImplementation– Keyissues
RisksandMitigationStrategies
Risks Mitigation Strategies
6 Loss of privacy and data assurance due to aspects like breaches, access, ownership and storage location
● Establishment and enforcement of comprehensive contractual agreements with relevant consequences of liabilities
● Standards enforcement and audit controls measures
● Privacy and security laws enforcement ● For public cloud, ensure understanding
of applicable laws.● Appropriate exit strategies
7 Lack of pricing clarity in variety of costs
Transparent contractual agreements drafted and managed by qualified persons.
8 Unavailability of relevant skills Develop appropriate capacity building and career progression programs
StrategyImplementation– Keyissues
MonitoringandEvaluation• M&EofperformanceshallbetheresponsibilitytheShared
ServicesDirectoratICTAuthority.
• ThisDirectorwillmonitortheimplementationofthestrategyonaquarterlybasisandreporttotheICTAuthorityCEO,theICTABoardandotherrelevantunitsinGovernment.
Nextsteps…
Stakeholderengagements
Revisions
Adoption
@tomwansa