TowardsaNationalCloudStrategyforKenya

RANICTPworkshopMay2017

Tonny K.Omwansa,PhD@tomwansa

FocusonPublicSector

• TwoCloudAdoptionSurveys

• DraftCloudStrategy

• Wayforward

Overview

2013CloudStudy

CloudStrategyTopics

•Determinantsofcloudcomputing:• Factorsthataffectcloudrelatedperformanceanditsoutcomes/impacts•Characteristics:Reliability.Agility.Usability.Sustainabilityetc•Policyandlegalframeworks.Market.Standardsetc.

•StrategiesoractionsofCloudComputingactors:• Instrumentalindeliveringtheoutcomes/impactsofthecloud•Costing.Promotion.Trainingetc.

•Outcomes/ImpactsofCloudComputing•Improvedoperationalefficiency•Enhancedmarketreach•etc

2013CloudSurvey– Design

Determinants

OutcomesStrategies

CloudStrategyTopics

• Timelines:June2013- April2014

• Quantitative(60institutions)andQualitative(12indepthinterviews)

•Baselinereportavailableathttp://www.c4dlab.ac.ke/wp-content/uploads/2014/04/CC-study-report-April-2014.pdf

2013CloudSurvey– Output

CloudStrategyTopics• Governance,Legalandregulatory

frameworks• Standards• Conflictresolution• Safe/FairContractTerms/Conditions• Licensing• LocationofData• Crossborderandterritorialissues• Skills&Awareness• Encouragingadoption• Vendorlocking• MarketCharacteristics(competitive

landscape/maturity)• Networkinfrastructure,applicationand

datareadiness• Governmentreadinessandrole• ServiceLevelAgreements

• Portabilityofapplications• Integrationwithlegacyenvironment• PublicCloudProcurementGuidance• Culturechange• Alignmenttogovernmentstrategies• Whatservicesshouldgotothe

public/community cloud(DecisionFrameworkforCloudMigration)

• Securityrequirements(Statutorycompliancetolaws,regulations,agencyrequirements;Datacharacteristics;Privacyandconfidentiality;Integrity-authorized,complete,andaccurate;Datacontrolsandaccesspolicies)

• Protectingsecurityyetmaximizevalue• Selectingacloudsolution• Ensuringcompetitiveness

2013CloudSurvey– Emergingtopics

1. AdoptionofcloudcomputinginKenyaisfairlyrecent.Mostorganizationsadoptedaformofcloudserviceeither2010/11.

2. Moreorganizationsutilizedpureprivatecloud(39%)comparedtoutilizingapubliccloud(22%).

3. Thekeybarrier:– Additionalcostofinvestment– Technicalskills(security,architectureanddesign,storageandvirtualization)– Perceivedreliabilityofservice,securityandprivacyofdata– Geographicallocation

4. Lackofknowledgeofpolicy/legalframeworksforcloud(80%)– Thoseaware:“itsnotflexible,comprehensiveandeffective”

5. Majorityoftherespondents(75%)notawareofanystandards

2013CloudSurvey- KeyFindings

6. Cloudservicesmarketwasready(90%).– Leadingconsumers:financialsector,telecommunications

7. Benefitsofcloudwereconsistentwithliterature:– costsavingsinhardware,softwareandpersonnel,– improvedsystemperformanceandmanagement,– flexibilityinaccesstoprocessingandstoragecapacity– higherelasticitydegree– etc

2013CloudSurvey- KeyFindings

1. Anationalcloudreadinesssurveytoinformcloudstrategy2. Developinganationalcloudstrategy3. Governmenttochampionutilizationofcloudservices4. Enhancementofrelevantlegal/regulatoryframeworks

– protectionofcloudserviceusers– cybersecuritychallenges– guaranteeingsecureonlinepayments– privacyanddatasecurity– etc

5. Developmentofthehumanresourcecapacity– technicalskills,legalandbusinessprocesses

6. Enhanceawarenessofcloudtechnologies– demystifyandcirculateaccurateinformation

2013CloudSurvey- Recommendations

2014/15CloudStudy

1. Anin-depthstudy,focusedonpublicsector

2. Targetconsumer:ICTAuthority

3. AnchoredonICTMasterplan

4. Objective:developingaCloudstrategy

5. BasedonaSWOTanalysis

6. Datacollected:June2014toFebruary2015

7. 45in-depthinterviews(suppliers,MDACs,public,opinionshapers)

2014/5CloudSurvey- Background

2014/5CloudSurvey- Framework

Findings- Situationalanalysis

Strengths• Leadership - Nationalleadershipunderstandsandchampionstechnology

• Launchedprojects– Severale-gov servicesamenableforthecloud

• Legal/regulatoryenvironment– Progressive(variouspolicydocuments)

• LocalInfrastructurecapabilities- Highqualitynetworks,SomegoodDCs

• Institutionalestablishments– Regulatoryandsupervisoryexist

• Policydocuments- Anumberofpolicieshavebeendevelopede.g.ICTpolicy,Nationalcybersecurity plan,ICTMasterplan etc

• Institutionalreadiness- MostinstitutionsinterviewedhaveLANs,connectivity&otherinfrastructuraldevelopmentsneededforcloud.

Findings- Situationalanalysis

Weaknesses• Governanceandchangemanagement- Weakhumancapital,traditional

mindset,resistancetochange• Serviceacquisition&funding– SLAs,fundingmechanismandprocurementlaws

aren’tallalignedtoacquisitionandmanagementofcloud• Availabilityandreliability- NetworkDependenceatCriticalHours- Provisionof

reliableaccess,round-the-clocksupport,securitylevels,highinternetspeedsareparamountissuesthatneedtobeaddressed.

• Informationassuranceanddatasecurity- AssuranceofprivacyandconfidentialityofdataandinformationinthecloudarekeyissuesthattheGovernmentmustconsiderduringcloudoffering,astheyareverysensitive.

• Legalandregulatoryissues- Thereareperceivedgapsinthelegalandpolicyframeworkssurroundingcloudcomputing,aswellasinadequateenforcementandpoliticalinterferences

Findings- Situationalanalysis

Opportunities• Governance - Reducedcosts,improvedaccessandservicedelivery.

• Accessibility&reliability- Easeofuseofaccess,improvedproductivity

• Higherflexibility&scalability- Dynamicandrapidscaleofcapacity.

• Laws&policies- Providersadherencetonational&internationallaws/policies

• Variety- ImprovedbargainingpowerofGov(abilitytoprocurefromwidevarietyofproviders,localprovidersandinternational)

• Pricing- Favorablepricingmodelsdependingonclientneeds.

• Technicalandhumancapital– Providershaveinvestedincompetentstafftosupportclientswithaccesstoupdatedtechnology.

Findings- Situationalanalysis

Threats• Governance - PossibleITstaffreduction,internalresistancetochangeand

workingpractice,longbureaucraticprocurementprocess,trust,funding.• Lackofcontrol- Controlistransferredtothecloudprovider.• Securityandprivacyconcerns- Dataprivacy,dataprotection,lossofcontrol

overdata,targettoexternalattacks,potentialmaliciousinsideractivity.• Interoperability - Integrationwithinhousesystems.• Legalandregulatoryenvironment- Lackofspecificstandardregulationon

dataprotection,userprivacyissues,SLAsetc• Technology/Infrastructure,skillsandawareness- Unpredictableperformance,

lackofsensitizationandawarenessofcloudservicesbeingoffered,lackoftechnologicalandhumancapability,reliabilityofpowersupply,lackofhighspeedinternetconnectionincertainpartsofthecountry.

• Vendorlock-in– Potentialchallengetoeasymigrationamongproviders.

DraftCloudStrategy

Vision

• ThevisionoftheICTMasterPlanis:– KenyaasaregionalICThubandagloballycompetitivedigitaleconomy

– ThisvisioncanbetakenastheGovernment’svisionwithrespecttoICT.

• CloudStrategyVision– Deliveringvalueofe-governmentservicestostakeholdersby

exploitingcloudcomputingservices

– ValuetoGovernmentagencythatoutsources• e.g.reducedtotalcostsofownershipandbetterservicedeliveryetc

– ValuetobusinessesandcitizensthattheGovernmentagenciesserve• e.g.increasedflexibility,convenience,easeofuseofgovernmentservices,better

qualityofservicesetc

StrategicObjective

• ThestrategicobjectiveoftheSharedServicesthemeoftheICTAuthorityStrategicPlan2013-2017is:

Tofacilitateefficientandeffectivedeliveryofgovernmentonlineservicesusingasuitablecombinationofprivateandpubliccloudcomputingofferings

• Oneofthemeansofachievingthisobjectiveis‘todevelopandimplementapublicservicecloudcomputingstrategy’.

– Theobjectiveofthiscloudstrategyis “toexpoundtheaboveSharedServicesstrategicobjectiveandguideitsimplementation.”

DesiredState

• Manymoresharedcommodityservicesandsolutions

ArangeofsharedICTservicesandsolutionsavailableonthecloudsothegovernment,itsagenciesandrelatedbodiescanusewhattheyneed,whentheyneedit,andnotcreateduplicateservicesthatcannotbeshared.

• Scalabilityandflexibility

Theability,ifrequired,fordepartmentsandagenciestochangeinfrastructuretofittotheirneeds.

DesiredState

• Competitivemarketplace

Arangeofserviceprovidersconstantlyimprovingthequalityandvalueofthesolutionstheyofferwhichthegovernmentcantakeadvantageof.

• Readyandeasytouse

Completesolutionsthatarealreadyassuredforsecurity,performanceandservicemanagement

DesiredState

• Costeffectiveness

CloudcomputingwillbringdowntheunitpercostofconsumedITservicebecauseitreducescostofelectricityconsumption,lowerInfrastructurallaborcostofdistribution,andprovidesreliabilityintheeventofdisasterandBusinesscontinuity- highavailabilityandreliability

• HighscalabilityofITinvestment

Thecloudprovideson-demandaccesstosharedresourcesthatreducedupfrontcostofITinvestmentsthroughturningthefixedcapitalexpenditureinITintooperativecostsdependingbaseduponsizeofdemand

DesiredState

• Mobility

Increasedcapacitytoworkfromanywhereandfromanydevice.

• Improvedgovernance

Greatertraceabilityofgovernmenttransactionsandservices

GuidingPrincipals

• IncreasethespeedwithwhichICTservicesaredeployed

• Useofglobalstandardsandbestpracticestoprovidehighqualityandconsistency

• Reducingwastebyavoidingduplication,breakingdownsilosandpromotingsharingofidleresources

• Increaseprojectsuccessratesbysharingofinformationandinter-agencycollaboration

• Useofopenstandardsfordataandarchitecturetofacilitategreaterinteroperability,opennessandre-useofICTsolutions

GuidingPrincipals

• Costconsciousness byreducingpricegovernmentpaysforassetsbyincreasingsharing&re-useofICTservices/solutions

• Promoteflexibility, convenienceandeaseofuseofgovernmentservicesbycitizens

• Agilitytohelpimprovewaygovernmentdeliversbusinesschange

• Enhancingaccountabilityandtrustbyclearlydefininginternalandproviderresponsibilitieswhilebuildingtrustintobusinessprocesses

StrategySpecifics- SaaS

• ICTAuthoritytodesign,implementandmanageICTinfrastructuretodeliversoftwareapplicationservicestoMinistries,Departments,AgenciesandtheCountiesregardlessoftheirlocation.

• Backendactivitieswillbemanagedfromcentrallocationsinaone-to-manymodel.

• SaaS tohaveelementsofPublicandPrivate

StrategySpecifics– SaaS (public)

• Applications,dataorprocesseswhicharepublic-facing,non-sensitive,non-confidential,non-missioncriticalorneedingsignificantfuturescalabilitytobeconsideredforpubliccloud.

• Respectiveimplementingagenciesshouldalsoconsidercomplianceandbudgetaryrequirements.

• Examples:– opendata,publicinformationrepositories,analysisofnon-sensitiveor

non-confidentialdataandfront-endelementsofonlineservicesorappsthatdonotstoresensitivedata.

StrategySpecifics– SaaS (private)

• Applications,dataorprocesseswithcharacteristicslike:sensitive,confidentialandmissioncriticalshouldbeconsideredforprivatecloud.

• Theimplementingagencyshouldalsoconsidercompliancerequirements.

• Examples:– financialsystems,procurementplatforms,HRsystems,identitydetails,

medicalrecordsandfinancialdetails.

StrategySpecifics- IaaS

• Governmenttoestablishinfrastructurethatcanbesharedandprovidedtootherstakeholdersasaservice.

– Thisinfrastructuretobeaccessibletootherorganizationswithingov onneedbasis

• TheGovernmentCoreConnectivityNetwork(GCCN),theNationalOpticFibre BackboneInfrastructure(NOFBI)andCountyConnectivityInfrastructure(CCI)representsthebasicinfrastructureonwhiche-governmentservicesrun.

– ThisinfrastructurecannotbeoutsourcedgiventheprivacyandconfidentialityofsomeoftheGovernmentdatasets.

– Thegovernmentwillthereforehavetoensurethatthisinfrastructureisreliableandrecruithighlyskilledpersonstosupportit.

StrategySpecifics– IaaS strategies

General• Consolidationofthevariousconnectivityprojectsintoone

integratednetworkthatprovidesseamlessconnectivity

• Reviewthedesignofthenetworkelementsandimprovetheirscalability,reliability,securityandcost

• Outsourcecertainelementsofthenetworkinfrastructureinordertomanagescalability,effectivenessandcost.e.g.,constructionofinfrastructure,maintenanceandredundancy

• ConsolidatetheprocurementandmaintenanceofICTinfrastructure acrossthenationalgovernmentMinistries,DepartmentsandAgencies.

StrategySpecifics– IaaS strategies

General• ReviewtheoperationofNOFBI byOrangegivenitsunacceptably

lowqualityofservice,intertwiningwithOrangeinfrastructure,openaccesstoductsandterminationpoints.

• ConsiderprovidinginfrastructureasaservicetotheCountyGovernmentsandprovidelastmileconnectivitywithappropriatetechnologies,e.g.whitespaces,Wimax,

• DevelopandretainacoreICTinfrastructureteamthathastherequisiteskillstodesign,implementandmaintainthecoreGovernmentinfrastructure.

StrategySpecifics– IaaS strategies

Computingandstorage• BuildanetworkofdistributedGovernmentDataCentersbased

onglobalstandardsandbestpracticetoensurehighavailability.

• MigrateallexistingcriticalapplicationsthatarecurrentlyingovofficestoGovernmentownedandmanageddatacenters

• ConsolidateallGovernmentbudgetsforDCs intheshorttomediumterminordertoconsolidateandreducecosts.– beginwithasurveytoidentifywhoinGovernmenthasDCplansinthe

shorttomediumtermandbuildcaseforconsolidationandtransfertoadistributedGDCsapproach.

StrategySpecifics– IaaS strategies

Computingandstorage• Introduceacommercializationmodel(e.g.sharingspaceand

services)inGDCstoguaranteesustainability

• Markettocriticalanchortenantswhocanusethegovernmentcloudinfrastructureasaservicee.g.KRA,CBK,KPLC

• ForallGDCs,outsourceallnon-coreelements,especiallypowerandbackupsystems,coolingandHVACtolocalqualifiedcompanies.

• BuildcapacityinGovernmentfordatacentrepersonnel– IntroduceaDCcareerpaththatensuresthatDCprofessionalscangrowto

thetopinatechnicalcareer

StrategySpecifics– IaaS strategies

Disasterrecoveryandbusinesscontinuity• Formissioncriticalapplicationshighavailabilitymustbe

guaranteed.Itisthereforenecessarytoruntheapplicationsinactive-activemodeintwodatacentres

• Fornon-missioncriticalapplications,anactive-passiveapproachacrosstwodatacentres butwithclearrestoretargetsisrecommended

• Fordisasterrecovery,primaryandsecondarysitesshouldbeseparatedbyaminimumdistanceasperglobalbestpractice

StrategySpecifics- PaaS

• PaaS enablesgovernmenttoprovidetoolsondemandthatenablesubscriberstodevelopnewapplicationsorservices.Thecloudbasedapplicationdevelopmenttoolsalsoenabletesting,deployment,collaboration,hostingandmaintenanceofdevelopedsolutions.

• ExamplesofplatformsthatcanbedeployedasaserviceincludeContentManagementSystems(CMS),SpatialDataInfrastructure(SDI),DataWarehousesandOpenDataplatforms.

//MoreworktobedoneonPaaS

StrategyImplementation– Keyissues

1. PolicyRecommendations

2. StrategicProjects

3. Funding

4. Standards

5. GovernanceStructure

6. ChangeManagement

7. CriticalSuccessFactors

8. RisksandMitigationStrategies

9. MonitoringandEvaluation

StrategyImplementation– Keyissues

PolicyRecommendations• ConsolidationofnetworkinfrastructureandDCbudgetsinMDAs• Consolidationofmissioncriticalapplicationshostedinhigh

availabilityenvironmentandinDCsdesignedtoglobalstandards• Nodevelopmentanddeploymentofsilosystems- Thesystems

developedorprocuredbyMDAsshould:– begeneric– bestandards-based– shareinfrastructure,includingstorage,networklinksandinformation

withoutduplication– beintegratedwithothersystemsaccordingtoaguideline(operation

manual)tobedevelopedbyICTA

StrategyImplementation– Keyissues

StrategicProjectsCategory Project Timeframe

GDCs Upgrade GDC Ruaraka 6 months

Implement a containerized DC 12 months

Complete Naivasha DC 18 months

Build a Tier 4 DC 2-3 years

Build other DCs to achieve distributed network of DCs > 3 years

Network Infrst Complete NOC to manage infrastructure 6 months

Re-design GCCN and on-board key clients 6 months

Fast-track NOFBI phase 2 implementation 24 months

Fast-track CCP phase 2 and ensure all key county offices are connected 15 months

Applications Implement Government Enterprise Architecture to facilitate integration 6 months

Migrate applications designated for public cloud 12 months

Legal/Regulatory fwrk Review legal frameworks for procuring cloud services 12 months

Review regulatory framework (consumer privacy, confidentiality, etc.) 12 months

Review data protection legislation 12 months

StrategyImplementation– Keyissues

FundingSources• Government

TheNationalGovernmentwillconsolidateallICTbudgetsinMDsinthelineMinistry(MoICT).

• AgenciesandCountyGovernmentsACstofundspecificaspectsofcloudcomputinginconsultationwiththeICTAuthorityandpayforsomeofthesharedservicesthattheyneedandareavailableinaGovernmentprivatecloud.

StrategyImplementation– Keyissues

FundingSources• PrivateSector

DevelopmentofsuitableincentivesandtaxbreakstoprivatesectorbothwithinandoutsidetheICTsectortofundsomeofthecloudcomputingprojects.– Incentivesmayinclude:DevelopmentofSpecialPurposeVehicles/Private

SectorConsortiumsandwaiversoncertainlevies,licensingfees,taxincentivesandtaxbreaks.

• DevelopmentPartnersKenyawill;leverageonherfundingprioritieswhenapproachingdevelopmentpartners(bi-lateral,multi-lateralorotherdevelopmentpartners)whohaveICTatthetopoftheirsupportpriorityliststofundsomeofthecloudcomputingprojects.

StrategyImplementation– Keyissues

StandardsGlobalstandardsexistsuchas– ISO/IECJTC1/SC38(standardizationofCloudComputingandDistributed

Platforms)– ISO27018:2014(codeofpracticerevolvingaroundtheprotectionof

PersonallyIdentifiableInformation(PII)inpublicclouds)– COBIT(governanceandmanagementbybridgingthegapbetweencontrol

requirements,technicalissuesandbusinessrisks)– ICTAhasbeenworkingonasetofguidingstandards

• TheKenyanGovernmentshouldthereforeensurethatitadoptsglobalpracticespriortotheadoptionanddevelopmentofcloudservices.

StrategyImplementation– Keyissues

GovernanceStructure• GovernancestructureinNationalICTMasterPlanshallbeused• Strengtheningneededparticularlyon:

– Whomakesdecisiononaddingcloudservicesandhowwillitbefunded;– HowITresourcesareallocatedandscheduled;– Whowillberesponsibleformanagingthecloudserviceproviderandhow

cloudservicesbemanagedandcontrolled.

• Cloudgovernancestructuresforconsiderationandcustomization:– TheUSFederalCloudComputingInitiativeGovernanceStructure– GovernmentofCanadaITServicesGovernanceStructure– Scheper’s CloudGovernanceModel– Guo’s CloudGovernanceModel– MicrosoftCloudGovernanceModel

StrategyImplementation– Keyissues

ChangeManagement• Someareasneedingmanagement:• Changestoorganizationalprocesses:

– Staffshouldbeprepared.Changesintheprocessesaffectingmanyaspectslikedailyoperations,rolesandresponsibilities.

• Stakeholderengagement:– Astakeholderengagementplan.Activelykeepstakeholdersupdated.

• Training:– Includingbutnotlimitedtolegal,technical,businessanalysis,systems

architecture,changemanagement,vendormanagementandgovernance.

• Awareness:– Allbemadeawareofnewapproach,challengesandanticipatedbenefits.

StrategyImplementation– Keyissues

CriticalSuccessFactors– Sevenkey1. DevelopingacompetentsupportteaminGovforCC2. Operationalization oftheGovernanceStructureintheNational

ICTMasterPlan(CabinetSteeringCommitteeChairedbyHEthePresident)

3. Managingchangewithingov andgeneralpublic4. Legal/regulatoryframeworkstoencourage&supportCC

adoption

5. AvailableandreliableGovernmentICTinfrastructure

6. Funding,especiallyforscalingandrecurrentexpenditure

7. ActiveengagementandparticipationofCountyGovernments

StrategyImplementation– Keyissues

RisksandMitigationStrategies

Risks Mitigation Strategies

1 Resistance to change Implement a change management program with key elements mentioned above

2 Inappropriate procurement legislation

Amendment of the procurement legislation to allow for procurement and scaling of cloud services

3 Insufficient or inadequate legal and regulatory environment

Strengthen the legal and regulatory environment to support the new paradigm

4 Lack of funding to support new set ups and additional costs of utilizing public cloud

Consolidation of cloud focused budgets by different MDAs

StrategyImplementation– Keyissues

RisksandMitigationStrategies

Risks Mitigation Strategies

5 Poor quality services, including unavailability of services due to threats like cyber attacks, distributed denial of service attacks and system failures, loss of data security and protection because of the off-premise characteristics of third party providers, etc.

● Professional due diligence of service providers

● Establishment and enforcement of comprehensive contractual agreements with relevant consequences of liabilities

● Enforce strict SLAs and monitor them closely

● Clustering, replication and disaster recovery solutions to achieve the necessary reliability.

StrategyImplementation– Keyissues

RisksandMitigationStrategies

Risks Mitigation Strategies

6 Loss of privacy and data assurance due to aspects like breaches, access, ownership and storage location

● Establishment and enforcement of comprehensive contractual agreements with relevant consequences of liabilities

● Standards enforcement and audit controls measures

● Privacy and security laws enforcement ● For public cloud, ensure understanding

of applicable laws.● Appropriate exit strategies

7 Lack of pricing clarity in variety of costs

Transparent contractual agreements drafted and managed by qualified persons.

8 Unavailability of relevant skills Develop appropriate capacity building and career progression programs

StrategyImplementation– Keyissues

MonitoringandEvaluation• M&EofperformanceshallbetheresponsibilitytheShared

ServicesDirectoratICTAuthority.

• ThisDirectorwillmonitortheimplementationofthestrategyonaquarterlybasisandreporttotheICTAuthorityCEO,theICTABoardandotherrelevantunitsinGovernment.

Nextsteps…

Stakeholderengagements

Revisions

Adoption

@tomwansa