g-cloud program vision uk t1

UNCLASSIFIED

DATA CENTRE STRATEGY, G-CLOUD &

GOVERNMENT APPLICATIONS STORE

PROGRAMME PHASE 2

PHASE 2 SCOPE REPORT

Authors: Martin Bellamy and Gerry Gallagher

Date: 10 February 2011

Version No: 0.35

Data Centre Strategy, G-Cloud & Government Applications Store Programme Phase 2

01 FINAL G-Cloud Vision v0 35.doc5 UNCLASSIFIED 2

Summary of Vision

Introduction

1.1 At the core of the programme is the vision of providing political, business and ICT

leaders with greatly improved agility, flexibility and choice in the ICT that enables the public

sector and to deliver substantial cost savings on both existing and new ICT services. This will

involve a wholesale move to shared utility style ICT services for use as „the default‟ across

the public sector. Citizens, staff and the third sector will benefit from greater innovation and

choice and from more personalised presentation of relevant services from across the public

sector.

1.2 The programme is being designed to address key ICT related objectives set out by

the Operational Efficiency Programme, and those of the Green ICT Strategy, Digital Britain,

Building Britain‟s Future and Smarter Government.

1.3 Recent developments in ICT have made it possible to consolidate ICT Infrastructure

in a way that delivers increased flexibility and responsiveness to business needs whilst

reducing costs. This change involves a move from ICT being provided individually by

organisations procuring their own separate ICT infrastructure, to a new model in which ICT is

provided as a utility which is known as “Cloud Computing”. The flexibility provided by Cloud

computing has enabled its rapid growth and a corresponding lowering of costs.

1.4 Public sector organisations will benefit from ready access to a wide range of pre-

accredited ICT services. These will include both „public cloud‟ services and common and

custom „private cloud‟ services procured by other public sector organisations. Services will

offer usage based pricing, elastic scalability (up or down), and there will be in built flexibility to

switch to alternate services or providers.

1.5 Cost savings will be founded on driving down the number of unique public sector

services through rationalising, sharing and re-using software and infrastructure across

organisational boundaries, joining up buying power by establishing an open and transparent

marketplace that delivers „latest best prices‟ to all, and by introducing standard, automated

processes across the entire ICT lifecycle;- from purchasing new solutions through to

migrating existing services to a new supplier. Industry standards will be used „as is‟ for public

cloud services. For private cloud services common standards and services will be driven „up

the stack‟ to the maximum possible extent; the technical standards landscape will be

controlled by the CTO Council through the cross government Enterprise Architecture (xGEA).

1.6 G-Cloud services will be selected and procured from the Government Applications

Store, and automatically provisioned – either from public cloud providers, or from a private

cloud platform hosted in one of a much reduced number of List X compliant government data

centres; these will also support legacy services during the transition period.

1.7 The way forwards involves substantial change from today‟s ICT delivery model;-

public sector CIO teams will shift from managing the whole ICT lifecycle, to the selection and

integration of relevant services. A federated (rather than centralised) implementation

approach is proposed, allowing many public sector organisations and suppliers to contribute

re-usable assets that can be sourced by others from the Government Applications Store.

Retained ICT organisations will be able to increase focus on business engagement and



achieving value adding outcomes as less effort will be needed on infrastructure management.

There will be choice in the „road-map‟ for each organization; the route chosen will depend on

business priorities and the current ICT and contractual landscape.

1.8 Major change inevitably creates execution risks. Other public and private sector

organisations that have pioneered the move to a shared utility ICT delivery model have had

strong central drive and leadership. Most private sector organisations have had "someone in

charge" on a global basis. The US government has introduced the Klinger Cohen act and

Economic Development act, which mandate some elements of a more common public sector

approach to ICT. The main areas of challenge in successfully moving to the new model

include leadership, business change management, stakeholder engagement and creating a

win-win proposition for business leaders, users of ICT services, public sector ICT

professionals and the ICT supplier community. For the UK, leadership by the CIO Council is

central to achieving the transition within the public sector‟s devolved, federated organisation.

Engagement of Permanent Secretaries and other business leaders will be also be crucial.

The programme will allocate significant resource to the „soft‟ aspects of change; this will

include centrally co-ordinated communications support and sharing of experience.

1.9 The new approach enables substantial benefits in small and medium sized public

sector organisations including local authorities which may be relatively easier to realise in the

short term, as well as significant benefits in central government in the longer term.

Implementation planning will ensure appropriate balance to mitigate the risk that focus on

large organisations „crowds out‟ the potential delivery of larger benefits to the majority.

1.10 Establishing and maintaining „trust‟ will be essential for public sector organisations to

move to the new model – individual organisations will remain responsible for the service they

provide to the public and will need to be able to count on G-Cloud services as being at least

as good as those used today. G-Cloud will be the internal brand for secure, trusted and

shared public sector ICT services;- all G-Cloud services will have common characteristics

including pre-certified standards compliance covering areas such as service delivery,

technical (data, inter-operability etc) and information assurance, provisioning from an efficient

and sustainable data centre, and will be available through the Government Applications Store

at a „value for money‟ best public sector price.

1.11 Given that significant value comes from up front, sharable work on commercials,

service management and information assurance, frameworks will be developed in each of

these areas to enable certification/validation on a component level, so that work does not

have to be repeated when components are assembled into new combinations.

1.12 The transition to the new approach will be achieved through a series of business

focused implementation programmes, each of which will deliver financial and other business

benefits. Some of these will be progressed in parallel. Potential implementation programmes

include Consolidating Data Centres, Utility Applications, Efficient Hosting, Streamlining

legacy, Empowering Business Change, Delivering for Citizens and Staff.

1.13 The programme is adopting a "learning by doing approach” through the “Quick Wins”

work strand. Quick Wins will launch a number of initiatives in February 2010 including several

prototype cloud development environments and a demo version of the Government

Applications Store. These will be available free of charge to public sector organisations. The

strand is exploring extending its scope to build proofs of concept of some automation and



management services. The Quick Wins strand provides a foundation that can potentially be

used to develop a full proof of concept of the future G-Cloud model. CIO Council members

are encouraged to help build programme momentum and early experience by signing their

organisations up to participate in the Quick Wins pilots.

1.14 While further work is needed to determine implementation timescales, the ambition is

to deliver substantial cost savings in the period 2011-2014, to have the proposed approach

fully in place for new services within 3-5 years, and to complete the majority of legacy

rationalisation and migration within 10 years.

Data Centre Consolidation

2.1 Consolidation can commence through inviting suppliers that currently operate multiple

data centres for the public sector to consolidate to two each, with the savings achievable

through estate reductions and virtualisation rebated to their public sector clients. As existing

contracts expire, replacement G Cloud services can then be sourced from the Government

Applications Store where available;- where not, contract renewal can be used to drive

provision of additional G Cloud services as the preferred choice. During the transition period

some unique residual needs will need to be sourced via a conventional procurement

exercise.

2.2 Private G Cloud services will be provisioned from a limited number of sustainable data

centres. Analysis will be conducted to determine whether there is a case for procuring data

centre estate separately from ICT services; this would enable sharing of physical facilities

between multiple G Cloud service providers and ease inter-supplier service transfers.

G Cloud

3.1 There will be 3 main categories of G Cloud branded services:-

Software as a Service (SaaS) which includes managed services, common, utility and custom services, all of which can be configured for use by many Public Sector bodies.

Platform as a Service (PaaS); a framework overseen by the CTO Council that will be used to create and manage provisioning of new business applications based on shared re-usable components ; and

Infrastructure as a Service (IaaS) for hosting existing applications. This includes services providing capability for

o Managing, securing and storing data o Hosting applications

3.2 The G Cloud brand will offer dedicated „private‟ services for public sector

organisations, and trusted public cloud services in each category. Public cloud services are

developing rapidly, and are already used by a number of public sector bodies, for example for

services that do not involve personal data. The range and sophistication of public cloud

services will continue to grow and more of the Public Sector‟s ICT needs will be met from

public clouds as today‟s constraints are addressed over time. These constraints currently

include:-



Information Assurance requirements e.g. data centres are outside the UK;

End to end performance of services from public clouds may not be guaranteed; and

Proprietary standards used by some public clouds create the risk of lock in.

3.3 G-Cloud private cloud services will address these constraints, enabling earlier use of

the shared utility model across the public sector. Private G Cloud services will typically be

provisioned by suppliers using an industry standard platform for example Microsoft Azure,

VMware, or Eucalyptus, an Open Source platform that implements Amazon Web Services

standards.

Government Applications Store

4.1 The Government Applications Store will be the marketplace in which trusted services

can be trialled and then purchased from a variety of sources by the Public Sector. The

services available will include private G-Cloud services, certified public cloud and other ICT

Services (eg COTS); and other public sector ICT services such as PSN services.

4.2 The Government Applications Store will be an open marketplace encouraging both

existing and new suppliers to the Public Sector to participate. New suppliers to the Public

Sector will be able to promote and trial their services as “free” prototypes on the Government

Applications Store in order to gauge market interest, with a defined commercial process to

introduce new categories of service where demand is generated. Services that add new

value will be welcomed into the portfolio provided they meet the minimum assurance

requirements – the approach will be „light touch‟ and will emphasise validating service

outcomes rather than auditing the detailed implementation approach.

4.3 Services available through the Government Applications Store will be certified to

demonstrate their compliance to Public Sector requirements. The scope, service levels,

security accreditation and price of the services will be available for review by potential

purchasers.

4.4 The commercial framework of the Government Application Store will allow

purchasers to buy certified services from an on-line catalogue under a cross public sector

framework contract. Services will be paid for on a per use or subscription basis. The latest

price achieved for the service will be shown to purchasers, however if subsequently a lower

price for this service is achieved by another organisation then this will be made available to

all subscribers of the service - from the point at which the new lower price is achieved.

4.5 The Government Applications Store will encourage re-use of existing services.

Purchasers will be directed to existing Managed Services and then to Common Government

and Utility services. Only if these types of offerings are not suitable will purchasers proceed

to build a custom service. The application services offered will vary from commodity

applications which can be used by any organisation with little change to line of business

applications which will require adapting to a particular organisation.

4.6 In order to avoid “lock in” to a particular infrastructure provider there will be a choice

of at least two infrastructure providers for each application. In principle purchasers will be



able to transfer their chosen application service to another infrastructure provider if required

at some future point, although this may involve some data migration activity.

4.7 Following selection of the application and infrastructure provider, the purchased

service will be provisioned through an automated process in the organisation‟s data context.

This will require standards for common data items, again to be specified by the CTO

Council. Subject to policy and individuals‟ decisions, these standards will also ease the

process of sharing data between different public sector organisations.

4.8 While the Government Applications Store will have a centrally managed „master

catalogue‟, there will be the capability to configure views of the catalogue for specific

communities, for example to enable focus on services most relevant to a particular type of

organisation, or to „grey out‟ services which are not approved by the user‟s organisation.

There will also be the ability to support „Communities of Interest‟, encouraging public sector

organisations and individuals to innovate by creating/configuring and then sharing locally

generated applications. „Closed loop‟ feedback will provide visibility of what‟s working,

enabling future trial and purchasing decisions to be informed by others‟ experiences.



Contents

1. Purpose of Document ........................................................................................................... 11

2. Introduction ............................................................................................................................ 12

3. Why Use Cloud Computing in the Public Sector ................................................................ 14

3.1. Public Sector ICT Landscape........................................................................................... 14

3.1.1. Budgetary Pressures ..................................................................................................... 14

3.1.2. Green Agenda ............................................................................................................... 14

3.1.3. Digital Britain .................................................................................................................. 15

3.1.4. ICT Procurement ........................................................................................................... 15

3.1.5. ICT Strategy for Government ....................................................................................... 16

3.1.6. Quality of Data Centres ................................................................................................. 18

3.2. Developments in the ICT Industry ................................................................................... 18

3.2.1. Will G-Cloud Deliver? .................................................................................................... 20

3.2.2. Will Cloud Computing Happen? ................................................................................... 20

3.2.3. Can the benefits be delivered? .................................................................................... 20

3.2.4. Does G-Cloud depend on leading edge technology? ................................................ 21

3.2.5. Key Risks ....................................................................................................................... 21

3.3. Benefits .............................................................................................................................. 23

3.3.1. Budgetary Pressures ..................................................................................................... 23

3.3.2. Green Agenda ............................................................................................................... 23

3.3.3. Digital Britain .................................................................................................................. 24

3.3.4. ICT Procurement ........................................................................................................... 24

3.3.5. Current Initiatives........................................................................................................... 24

3.3.6. Quality of Data Centres ................................................................................................. 25

3.3.7. ICT Market ..................................................................................................................... 25

4. The New World of G-Cloud .................................................................................................. 26

4.1. G-Cloud .............................................................................................................................. 27



4.1.1. Application and Information Services .......................................................................... 28

4.1.1.1. Personal Information Management .......................................................................... 29

4.1.1.2. Interaction ................................................................................................................... 29

4.1.1.3. Collaboration and Simple Applications .................................................................... 29

4.1.1.4. Resource and Management ..................................................................................... 29

4.1.1.5. Departmental Applications ........................................................................................ 29

4.1.1.6. Data Services ............................................................................................................. 29

4.1.1.7. Line of Business (LOB) ............................................................................................. 29

4.1.1.8. Information Access .................................................................................................... 29

4.1.2. Infrastructure and Platform Services ........................................................................... 30

4.1.3. Data Services on the G-Cloud...................................................................................... 31

4.1.4. Professional ICT Services ............................................................................................ 33

4.1.4.1. Service Management Services ................................................................................. 33

4.1.4.2. System Integration Services ..................................................................................... 33

4.1.5. Exclusions from G-Cloud Scope .................................................................................. 33

4.2. Government Applications Store ....................................................................................... 34

4.3. Data Centre Consolidation ............................................................................................... 37

4.4. Organisation and Governance in the world of G-Cloud ................................................. 38

4.5. Roadmap ........................................................................................................................... 40

4.6. Transition ........................................................................................................................... 42

5. Principles ............................................................................................................................... 43

5.1. Commercial Principles ...................................................................................................... 43

5.2. Technical Principles .......................................................................................................... 46

5.3. Information Assurance Principles .................................................................................... 47

5.5. Transition Principles .......................................................................................................... 50

6. Scenarios ............................................................................................................................... 51

7. Conclusion ............................................................................................................................. 52



8. Appendices ............................................................................................................................ 53

A1. Appendix 1 - Glossary of terms ............................................................................................ 53

A2. Appendix 2 Stakeholder list .................................................................................................. 55

A3. Appendix 3 – Details of Scenarios ........................................................................................ 57

A3.1. Central Government Department ICT Service Director ................................................... 57

A3.1.1. Role: ................................................................................................................................. 57

A3.1.2. Challenge: ........................................................................................................................ 57

A3.1.3. Outcome: .......................................................................................................................... 57

A3.2. Local Government Director of Housing ............................................................................. 59

A3.2.1. Role: ................................................................................................................................. 59

A3.2.2. Challenge: ........................................................................................................................ 59

A3.2.3. Outcome A: ...................................................................................................................... 59

A3.2.4. Outcome B: ...................................................................................................................... 60

A3.3. Private Sector Application Provider................................................................................... 61

A3.3.1. Role................................................................................................................................... 61

A3.3.2. Challenge: ........................................................................................................................ 61

A3.3.3. Outcome: .......................................................................................................................... 61

A3.4. Central Government Department ICT Service Director ................................................... 62

A3.4.1. Role: ................................................................................................................................. 62

A3.4.2. Challenge: ........................................................................................................................ 62

A3.4.3. Outcome: .......................................................................................................................... 62

A3.5. Local Government CIO....................................................................................................... 63

A3.5.1. Role: ................................................................................................................................. 63

A3.5.2. Challenge: ........................................................................................................................ 63

A3.5.3. Outcome: .......................................................................................................................... 63

A3.6. Private Sector ICT Provider ............................................................................................... 64

A3.6.1. Role: ................................................................................................................................. 64



A3.6.2. Challenge: ........................................................................................................................ 64

A3.6.3. Outcome: .......................................................................................................................... 64

A4. Appendix 4 Drivers for Change............................................................................................. 65

A4.1. Strategic Drivers for Change ............................................................................................. 65

A4.2. Financial Drivers for Change ............................................................................................. 65

A4.3. Non Financial Drivers for Change ..................................................................................... 66

A4.4. Technological Drivers for Change ..................................................................................... 67

A5. Appendix 5 Programme Risks .............................................................................................. 68

A6. Appendix 6 Information Assurance ...................................................................................... 78



1. Purpose of Document

The G-Cloud, Government Applications Store and Data Centre Consolidation Phase 2

programme started on 5 October 2009 and will run till 12 February 2010. The programme

comprises seven workstrands and a Programme Office function. These workstrands have

been staffed by a mix of civil servants, consultants and industry volunteers.

This document provides a Vision of how the G-Cloud, Government Applications Store and

Data Centre Consolidation will deliver ICT services to the Public Sector. The Vision builds on

the Government Data Centre Strategy Phase 1 Report produced by Phase 1 of the

programme; it is also based on the Government ICT Strategy.

The Vision should be used by stakeholders to gain an overview and high level understanding

of G-Cloud.

The Vision is underpinned by further documents which provide more detail in addition to that

provided in the Vision, these include:

Commercial Strategy

Technical Architecture Strategy

Information Assurance Strategy

Service Management Framework Approach

Service Specification

Transition Approach

Business Plan



2. Introduction

The Government Data Centre Strategy Programme Phase 1 identified the desirability of

consolidating existing public sector data centres and creating a private government

computing cloud (G-Cloud) for the public sector. This document describes the Vision of how

a consolidated set of public sector data centres and a G-Cloud would provide ICT services to

the public sector. It will be used by Phase 2 of the Data Centre Consolidation, G-Cloud and

Applications Store programme to develop more detailed business case and plans,

specifications, architectures and a transition strategy for and to the G-Cloud.

UK Government currently has an extensive and disparate ICT estate supporting the delivery

of services. The emergence of cloud computing and new application delivery models offer

the opportunity to consolidate and improve this existing ICT estate through provision of

standard, commodity ICT services to the whole of the public sector through a government

cloud (G-Cloud).

The government will develop an integrated set of strategies for consolidation of existing data

centres in the public sector, delivery of ICT services through a government cloud (G-Cloud)

and the development of an Application Store for purchase of G-Cloud services.

These strategies will address a number of government objectives:

Reduction of ICT costs

- A sustainable reduction in the operational costs of ICT across public sector to

contribute to the Operational Efficiency Programme (OEP) savings target for

ICT

- The reduction in cost will include a lower cost associated with future change

in ICT service provider specifically the cost of transition to a new provider

Improve government services and agility through use of ICT

- To support a better citizen experience of government services by allowing

government to provide new ICT services faster to meet citizen needs

- Enabling improved responsiveness to ministerial and business generated

changes through faster deployment of ICT services

Reduction of carbon footprint due to Government ICT services

- Through consolidating and optimising use of existing spare ICT capacity and

decommissioning unused capacity

- Adoption of more carbon efficient technology



Improve data centre services

- By removing known issues in existing infrastructure including lack of

resilience and known security concerns

Align with other Government thinking

- Including supporting the objectives of Digital Britain through the deployment

of ICT services and creation of a new market for government ICT services

- Integrating with wider Government ICT initiatives e.g. PSN, Desktop Strategy

to ensure that the overall government ICT Strategy is supported by the G-

Cloud

In order to implement the G-Cloud and support these strategies a set of multi dimensional

changes will need to occur:

Technical – implementation of a G-Cloud architecture covering applications , data

management storage and security services;

Process – implementation of processes to use and manage G-Cloud services;

Commercial – implementation of a commercial framework to permit contracting of

services from the G-Cloud; and

Cultural – a shift to sharing and re-use of ICT services from the G-Cloud

The remainder of this document describes the Vision for Datacentre Consolidation, G-Cloud

and Application Store which will meet these objectives. The services described will be

available to all UK public sector organisations from small bodies through to major central

government departments. The Vision described is for 10 years hence, although many

aspects of the Vision can be implemented within 2 years.



3. Why Use Cloud Computing in the Public Sector

Why should the Public Sector adopt Cloud Computing? What will a new model for delivery of

ICT to the Public Sector bring? Is Cloud computing dependent on new and untried

technology? In this section these questions are answered and why the new model proposed

for ICT in the Public Sector must be implemented is explained.

3.1. Public Sector ICT Landscape

Public Sector ICT has developed to meet the needs of specific public bodies, with limited

sharing of resources, this approach has led to duplication and excess capacity with ICT

system silos in individual public bodies.

Public Sector ICT is now subject to a number of significant drivers for change. These drivers

range from budgetary pressures to ensuring the UK is at the leading edge of the global

digital economy.

3.1.1. Budgetary Pressures

In April 2009, HM Treasury published the Operational Efficiency Programme (OEP) Final

Report which estimated that overall savings of around 20 per cent of the estimated £16

billion annual Public Sector ICT expenditure (£3.2 billion) should be achievable without

compromising the quality of frontline public services. These savings must now be found by

delivering ICT services more efficiently.

3.1.2. Green Agenda

Government runs some of the world‟s largest computer systems and is Britain‟s largest

purchaser of Information and Communication Technology (ICT). This technology is used to

improve the lives of millions of people and can enable smarter ways of working to reduce

carbon. However, this same technology is a major consumer of energy and natural

resources. UK government has made a number of sustainable operational commitments:

Central government office estate will achieve carbon neutrality by 2012;

UK to reduce greenhouse gases by 26% or more by 2020, 60% by 2050; and

Sustainable Operations on the Government Estate (SOGE) targets.



ICT globally emits comparable levels of carbon to the aviation industry, and emissions continue to grow. Recognising this, the Greening Government ICT Strategy set two challenging targets which support delivery of mandatory SOGE (Sustainability on the Government Estate) targets:

government ICT will be carbon neutral by 2012, and

carbon neutral across its lifecycle by 2020.

In order to deliver on these commitments delivery of ICT services to the Public Sector in new

more energy efficient ways which support the Government‟s climate change agenda need to

be developed and implemented.

3.1.3. Digital Britain

The delivery of services to the public by ICT enables wider Government aims for the UK in

the global digital economy and citizen engagement. The Government in the Digital Britain

Report (June 2009) identifies the need for the UK to be at the leading edge of the global

digital economy. The Report also states that “an ambitious and clear programme of The

Digital Switchover of Public Services, to primarily electronic and online delivery, will

unlock significant cost savings, whilst at the same time serving to increase levels of

satisfaction”. The achievement of these aims will require a step change in the efficiency of

ICT procurement and delivery by the Public Sector.

3.1.4. ICT Procurement

Government procurements are overseen by the Office of Government Commerce (OGC)

which has an objective of ensuring the Government gets best value from its spending and

that procurements support the Government‟s sustainability agenda.

Currently the procurement and delivery of ICT programmes in the Public Sector is a lengthy

and costly process. Procurement of large ICT systems can take in excess of 12 months. The

cost of this procurement cycle for both the Public Sector and Suppliers is significant. The

length of time involved means that ICT services in support of new Government policies can

rarely be deployed in the timescale best suited to support the policy. A more agile method of

procuring and delivering ICT in the Public Sector is needed.

These constraints affect Local and Regional Government in addition to central Government.

The OGC is seeking ways in which government procurements can become more efficient

and quicker while supporting sustainability.



3.1.5. ICT Strategy for Government

The CIO Council agreed the overall ICT strategy for Government in summer 2009.

This ICT Strategy supports existing core public sector goals, set in Digital Britain, Building

Britain‟s Future, Excellence and fairness, and the Operational Efficiency Programme:

improving public service delivery

improving access to public services, and

increasing the efficiency of public service delivery

At the heart of the strategy is the creation of a common, secure and flexible infrastructure

that is available across the public sector. It comprises the strands depicted below:



There are 14 strands making up the strategy:

1. The Public Sector Network Strategy - Rationalising and standardising to create a

„network of networks‟, enabling secure fixed and mobile communications for greater capability at a lower price.

2. The Government Cloud (G-Cloud) - Rationalising the government ICT estate, using

cloud computing to increase capability and security, reduce costs and accelerate deployment speeds.

3. The Data Centre Strategy - Rationalising data centres to reduce costs while

increasing resilience and capability. 4. The Government Applications Store (G-AS) - Enabling faster procurement, greater

innovation, higher speed to deliver outcomes and reduced costs. 5. Shared services, moving systems to the Government Cloud - Continually moving

to shared services delivered through the Government Cloud for common activities. 6. The Common Desktop Strategy - Simplifying and standardising desktop designs

using common models to enhance interoperability and deliver greater capability at a lower price.

7. Architecture and standards - Creating an environment that enables many suppliers

to work together, cooperate and interoperate in a secure, seamless and cost-efficient way.

8. The Open Source, Open Standards and Reuse Strategy - Levelling the playing field for procurement, enabling greater reuse of existing tools, fewer procurement exercises and enhanced innovation – all at a lower cost.

9. The Greening Government ICT Strategy - Delivering sustainable, more efficient ICT at a lower price.

10. Information Security and Assurance Strategy - Protecting data (citizen and

business) from harm – whether accidental or malicious. 11. Professionalising IT-enabled change - Improving the capabilities, knowledge, skills

and experience of those involved in ICT-enabled business change through the Government IT Profession.

12. Reliable project delivery - Using portfolio management and active benefits management to ensure that government undertakes the right projects in the right ways.

13. Supply management - Working together to gain maximum value from suppliers – both for individual organisations and collectively across the public sector.

14. International alignment and coordination - Ensuring that international treaties and

directives reflect UK national requirements and that the UK remains at the forefront of delivery.



3.1.6. Quality of Data Centres

The Data Centre Strategy Report produced by the Strategic Supply Board for the Government CIO

Council in September 2009 had a number of findings including:

There is a major opportunity for government to make significant cost savings whilst

delivering improved agility, flexibility, resilience, security and environmental

sustainability. High level analysis suggests a reduction in ICT data centre

infrastructure costs will deliver a net £900 million of cost savings over 5 years, with

recurrent savings of more than £300m a year thereafter;

There are significant variations within the current estate that are not justified by

differences in business needs, which will be rationalised by the approach proposed

in this Vision;

Other organisations have successfully delivered major ICT consolidation

programmes to create a dynamic ICT infrastructure and there is considerable

experience to draw on;

The challenges in consolidating ICT infrastructure are organisational and cultural

rather than technical; and

There is the potential for further cost saving and operational benefits by delivering a

government private Cloud (G-Cloud) in addition to data centre consolidation.

3.2. Developments in the ICT Industry

Recent developments in ICT have made it possible to consolidate ICT Infrastructure in a way

that delivers increased flexibility and responsiveness to business needs whilst reducing

costs. This change involves a move from ICT being provided individually by organisations

procuring their own separate ICT infrastructure, to a new model in which ICT is provided as

a utility which is known as “Cloud Computing”. Over the last few years consumer facing firms

delivering products in large volumes have adopted Cloud computing.

Cloud computing is most frequently cited as providing ICT “as a service” to customers using

a utility model over a network. Cloud computing offers a commercial model of “pay as you

use” thus avoiding the capital expenditure usually associated with provision of ICT. The

flexibility provided by Cloud computing has enabled its rapid growth and a corresponding

lowering of costs. Cloud services can be either infrastructure or application services.

At the core of the Cloud computing model are 3 principles:

simplification and standardisation of ICT infrastructure;

automated processes to support activities such as change management and service

reporting; and



enabling of Software as a Service (SaaS) through standards and multi tenanting of

services.

Cloud application services are applications delivered as a service via a network to a browser front end. Cloud application services usually require the creation of a multitenant architecture where one application supports many firms or organisations, but provides a unique view for each. Cloud applications are often SaaS, but not all SaaS applications are cloud application services. SaaS applications delivered as single-tenant applications on dedicated infrastructures are not Cloud application services.

Large corporate firms which have implemented Cloud computing report:

ICT cost reductions of 40-65%;

improved agility in implementing strategy with ICT support; and

improved speed in implementing changes to support business needs.

Public Cloud services are gaining in acceptance by corporate world and the Public Cloud

providers are increasing their capacity and services. Amazon has 1000 staff involved in

developing their Public Cloud offering. Early concerns of the market regarding the security

and service levels offered by Public Clouds are being taken very seriously and

improvements have been made in these areas with further improvements planned. However

a number of firms have decided to setup a Cloud computing model in house, creating a

private cloud for use only within their organisation. This provides a number of advantages:

Cloud services can be tailored to the firm‟s requirements;

security is under the control and monitoring of the organisation; and

end to end service levels are easier to achieve.



3.2.1. Will G-Cloud Deliver?

The G-Cloud model can bring many beneficial changes to the delivery of ICT across the

Public Sector but will it really deliver? In the section below how Cloud computing has the

foundations and track record to succeed is described.

3.2.2. Will Cloud Computing Happen?

What is the evidence that Cloud computing is becoming a standard ICT delivery model:

Large ICT Services Suppliers have invested in the implementation of large global

public clouds;

The ICT industry itself is migrating to the use of clouds to deliver in house ICT

services; and

Private sector organisations are adopting Cloud computing to deliver ICT services.

3.2.3. Can the benefits be delivered?

What is the evidence that the key elements of the G-Cloud – Cloud computing, Data Centre

Consolidation and Software as a Service (SaaS) are capable of delivering the promised

benefits:

Bechtel have adopted a cloud computing model with a resulting saving of 60% on

their ICT costs;

In a data centre consolidation programme Hewlett-Packard have reduced the number

of data centres globally from 85 to just 6;

IBM have reduced their data centres globally from 155 to 7; and

Telegraph Media Group has used SaaS to

- make new functionality available without complex software upgrades

- pay only for the computing power needed

- lower total cost of ownership of ICT.

However in order to gain the benefits of Cloud computing the Public Sector will need to

adopt a new approach to ICT services. The existing approach of defining and procuring

bespoke systems which meet the specific needs of a department will need to shift to an

approach which makes use of standard or generic systems which are available at lower cost

and adapts the processes of the department to use the system.



The commercial potential of cloud computing and cloud services is widely accepted, both in

private industry and in the public sector. The opportunities for cost reduction and efficiency

in the UK public sector are real and achievable, but require significant changes to

procurement practices, delivery frameworks and across the supplier landscape.

A pre-requisite for realisation of the commercial objectives are a set of UK Government

technical & operational standards that can define the G-Cloud based on a (significant)

number of competing infrastructural service providers operating at any appropriate security

level.

However Government has a significant legacy of applications which exhibit many pre-cloud

symptoms, including low server utilisation and high operational costs. It must be understood

that the cloud computing and cloud sourcing paradigms do not always directly lead to

reduced costs - the real challenge will be to ensure that sufficient economy of scale and

standardisation is reached quickly enough to deliver a net saving.

3.2.4. Does G-Cloud depend on leading edge technology?

Does the G-Cloud depend on new and untried technologies which mean that the Public

Sector must take on significant technology risks in its implementation?

In fact the innovation of the G-Cloud model is in its approach to the governance and

management of ICT in the Public Sector rather than the deployment of new technology.

Cloud computing is based on significant amounts of existing technology. Specific aspects of

the G-Cloud may require new technologies but this will not be the norm for the majority of

the G-Cloud if a prudent approach to its design is implemented.

Instead for G-Cloud to be successful Public Sector leadership will need to encourage

existing ICT services to be re-used where possible avoiding bespoke solutions to common

challenges across the Public Sector.

The successful introduction and implementation of the G-Cloud is a leadership not a

technology challenge.

3.2.5. Key Risks

The programme must manage effectively a number of risks in order to deliver the G-Cloud

benefits. These risks cover a number of key areas including: Commercial, Information

Assurance, Technical Architecture, Organisation and Governance.

The full list of key risks to delivery of the programme are listed in Appendix 5. However a

number of key risks are highlighted in the following sections.

3.3.9.1 Commercial

A Commercial approach will be implemented which manages the following risks:

Current resource constrained environment prevents up front investment for G-Cloud

becoming available;



Pricing and contractual framework for the G-Cloud is attractive to Public Sector but

discourages suppliers from making services available on the G-Cloud;

Business case may double count savings with other Public Sector programmes;

Procurement regulations do not allow additional consumers after initial procurement

of the service; and

Take up of G-Cloud proceeds too slowly so benefits will not be significant enough to

attract Public Sector organisations in future.

3.3.9.2 Information Assurance

An Information Assurance approach will be implemented which manages the following risks:

Aggregation of data in G-Cloud raising IL levels beyond 4 and preventing use of G-

Cloud services by public bodies with lower IL infrastructure; and

Common infrastructure and shared nature of G-Cloud cannot be assured by

departmental SIRO model and so are not accredited.

In addition the challenges of situational awareness on the G-Cloud will require approaches

to be developed during the implementation of the G-Cloud.

More details of the Information Assurance principles and approach to risks are provided in

Section 5.3 and Appendix 6.

3.3.9.3 Technical Architecture

A Technical Architecture for the G-Cloud will be developed which manages the risk that

adoption of G-Cloud “locks” the Public Sector into a particular vendor‟s proprietary standards

as industry standards for Cloud technologies are not currently agreed

3.3.9.4 Organisation and Governance

An Organisation and Governance approach will be implemented which manages the

following risks:

G-Cloud is not taken up or deployed effectively across the Public Sector due to de-

centralised nature of ICT governance in the Public Sector; and

Senior stakeholders may not support the implementation of the G-Cloud.

3.3.9.5 Public Sector Network

The G-Cloud programme will have a number of dependencies on the Public Sector Network

programme. Programme managements will work together to ensure that these

dependencies are managed or mitigated in order that the G-Cloud is implemented as

planned.



3.3. Benefits

The new world of the G-Cloud offering utility computing from consolidated data centres and

encouraging re-use of ICT assets through the Government Applications Store will bring a

comprehensive set of benefits across the Public Sector ICT landscape.

3.3.1. Budgetary Pressures

The G-Cloud will deliver a fundamental contribution to the cost savings for OEP and will

facilitate and accelerate the OEP targets. This will be achieved by:


- Reduced hardware maintenance, server capital expenditure, and power

consumption through more efficient and better utilised infrastructure.

- Reduced up-front investment costs through standardisation and sharing of

assets.

- Reduced estate footprint through site sales/repurposing of accommodation.

G-Cloud

- Reduced capital investment in computer infrastructure through utility-based

rental of computing and processing time.

- Reduced server purchase costs through virtualisation of servers across

departments leading to higher utilisation rates

- Reduced data recovery costs through fewer dedicated DR facilities.


- Reduced bespoke application development through reuse of existing

components.

- Reduced application purchase prices through economies of scale.

- Reduced licensing costs through licensing consolidation and reuse.

- Reduced investment costs through SaaS pay for use model

- Volume discounts achieved by purchasers apply to all public sector bodies

already using the service

3.3.2. Green Agenda

The G-Cloud will lead to more efficient use of ICT by the Public Sector so lowering the

carbon emissions associated with delivering ICT services:

Consolidation of data centres will reduce footprint of building estate;



Virtualisation will drive higher server utilisation reducing server footprint; and

Re-use of ICT assets will lower development and project resources used to

implement new services and systems.

The G-Cloud will also facilitate smarter ways of working through integration of government

information and data sources, further reducing government‟s environmental impact and

carbon footprint.

3.3.3. Digital Britain

The G-Cloud will deliver greater agility and speed in the delivery of policy and services,

underpinned by the adoption of shared infrastructure at lower cost. The agility will result from

the ability to re-use existing assets and the new commercial model reducing procurement

timescales and costs.

The G-Cloud will through the Government Applications Store create a marketplace with a

low cost of entry to new and small ICT suppliers encouraging the development of new UK

ICT businesses and supporting the UK‟s position in the digital world.

3.3.4. ICT Procurement

The commercial model of the G-Cloud will be based on pre agreed frameworks. This will

remove the need for lengthy and costly procurements. This will reduce costs for both the

Public Sector and Suppliers. In addition the Public Sector will be able to deliver ICT services

faster in support of policy.

Procurement law will apply to the G-Cloud, and all normal rules will need to be followed. It

will be important to get this right at the outset. This is particularly the case given the arrival

of the regulations implementing the Remedies Directive on 20 December 2009. This puts an

increasing emphasis on the use of legally compliant procurement vehicles.

3.3.5. Current Initiatives

The G-Cloud will complement and support the implementation of existing Public Sector

programmes:

PSN: the G-Cloud will offer PSN a route to market through the Government

Applications Store. In addition the G-Cloud will use PSN services to connect users to

G-Cloud services.

Strategic Desktop: the G-Cloud will provide ICT services for the Strategic Desktop



3.3.6. Quality of Data Centres

Existing data centre space and infrastructure will be rationalised into a smaller set of secure

physical data centres – these will host both the G-Cloud and existing legacy applications

during the migration period. The outcome will be a significantly smaller footprint in highly

virtualised shared data centres which meet government standards for resilience, security

and sustainability at an overall lower cost. This will result not only in a reduction in the costs

of data centres but also in the risks of disruption to delivery of ICT services to the Public

Sector.

3.3.7. ICT Market

The market for Cloud services, IaaS, PaaS and SaaS is expanding; the G-Cloud and

Government Applications Store will offer the Public Sector the opportunity to access this

market. The expansion of this market will provide the Public Sector with new services and

greater competition will help to that these services will be cost efficient.



4. The New World of G-Cloud

The G-Cloud, Government Applications Store and consolidation of existing public sector

data centres are all components of the new model for delivery of public sector ICT services.

The G-Cloud will provide a variety of infrastructure and application services for the public

sector. The Government Applications Store will provide a “portal” to purchase G-Cloud

services. The consolidation of existing data centres will provide both a modern and fit for

purpose environment for the public sector ICT while at the same ensuring that excess data

centre capacity is reduced to meet government cost saving and carbon emission reduction

targets.

These services will be offered both from a UK government specific cloud (G-Cloud) and from

public clouds. Services from the public clouds will be used where the public cloud service

offers appropriate levels of security, service levels and performance for public sector use. It

is anticipated that the levels of security on the G-Cloud will support higher impact levels than

on the public clouds.

The vision is for G-Cloud services to be accessed via the Public Sector Network (PSN) from

the strategic government desktop although in the short term other existing public sector

networks and desktops may be used to access the G-Cloud.



4.1. G-Cloud

G-Cloud: “bringing utility convenience to public sector ICT – shared, flexible, agile,

transparent and efficient allocation of ICT when it’s needed, through sharing standardised

resources to reduce costs”

The G-Cloud is the delivery of Public Sector ICT by a shared secure “utility” style ICT

services infrastructure, underpinned by a new commercial model enabling public bodies to

have the option to pay only for the service at the time when they use it. This approach is now

developing rapidly and is known as “Cloud Computing”. It is enabled by common standards,

and by heavily automated secure business processes that enable substantial reductions in

costs.

“G-Cloud” is the Public Sector brand for the use of certified cloud computing.

There will be 3 main categories of G-Cloud branded services:-

Software as a Service (SaaS) which includes managed services, common, utility and custom services, all of which can be configured for use by many Public Sector bodies;

Platform as a Service (PaaS) will be will be used to provide a platform for creating new business applications based on shared re-usable components. The platform offered will be approved and overseen by the CTO Council;

Infrastructure as a Service (IaaS) will provide ICT infrastructure primarily computing resource and data storage.

The G-Cloud will be a UK Public Sector implementation of “cloud computing” that will provide

both secure, private cloud services and access to certified public cloud services, for example

those provided by Amazon cloud services. These services will range from ICT infrastructure

services through to application and information services and to ICT professional services

such as service management.

The G-Cloud will offer dedicated „private‟ services for public sector organisations, and trusted

public cloud services. The range and sophistication of public cloud services is growing and

more of the Public Sector‟s ICT needs will be met from public clouds as today‟s constraints

are addressed over time. These constraints currently include:-

Information Assurance requirements e.g. data centres are outside the UK;

End to end performance of services from public clouds may not be guaranteed; and

Proprietary standards used by some public clouds create the risk of lock in.

G-Cloud private cloud services will address these constraints, enabling earlier use of the

shared utility model across the public sector. Private G-Cloud services will typically be

provisioned by suppliers using an industry standard platform for example Microsoft Azure,

VMware, or Eucalyptus - an Open Source platform that implements Amazon AWS

standards.



The services offered by the G-Cloud will be defined in a Service Catalogue which any public

sector organisation can use to purchase ICT services. Each service will be described in the

Service Catalogue, its description will include details of the service, service levels offered,

service reports provided, if relevant the increments of capacity offered, time periods or

increments for which the service can be procured and the price of the service.

Services provided by the G-Cloud will be up to security level IL4 only.

In order to provide services in the G-Cloud a supplier will undergo a certification process for

both their organisation and each of their services. This certification process will ensure that

services meet the quality and information assurance requirements of the public sector and

will provide consuming public bodies with the confidence that G-Cloud services are suitable

for supporting provision of services to citizens. The information assurance certification will

represent a partial accreditation, a residual element of accreditation which cannot be carried

out centrally remaining with the consuming organisation.

A public sector body will govern the certification process, overseeing and managing the

approval of suppliers and their services.

4.1.1. Application and Information Services

The G-Cloud will provide a variety of application and information services to the public

sector. These services will vary from the purchase of software licenses to access to

government stores of information where this is appropriate from a statutory and information

assurance perspective. The focus will be on re-use of existing assets and use of commodity

services. Existing common application services where possible will be offered so that public

bodies do not need to develop or commission development of new application services.

- ERP

- Flex Desktop

- Gateway (Citizen

and Business

Authentication)

- Payment of

Grants

- Government

Banking

- Government

Vetting

- DVLA./IPS

Verification

- Authentication

Services

- Correspondence

Handling

- Secure Data

Handling (GCHQ)

- CIS (X)

Application & Information Services

Procurement Strand and Crowd Sourcing



Applications available on the G-Cloud will vary from personal productivity tools through to

complex departmental specific applications which are tightly integrated with their data. The

services available for each class of application will vary.

A large proportion of these applications will already be in use elsewhere in the public sector,

so their provision to other public bodies via the G-Cloud will promote re-use of applications

across government allowing the cost reduction for the public sector through both larger

volume discounts and avoidance of new development costs.

Applications will generally be provided as Software as a Service (SaaS), where the body

using the application will pay using a pay for use model.

Applications will be available on at least two different infrastructure platforms so that public

sector bodies can transfer loads between infrastructure suppliers if required.

The different classes of application are described below:

4.1.1.1. Personal Information Management

These are personal productivity applications where data will be specific to the individual or

body. Examples are Email, Calendaring and Contacts.

4.1.1.2. Interaction

These are applications which support contact and interaction with others. Examples are Peer

to Peer communications and Social Networking applications.

4.1.1.3. Collaboration and Simple Applications

These are applications which either support collaborative working or provide support for

common tasks. Examples are workflow and records management.

4.1.1.4. Resource and Management

These are applications which support public sector staff in their daily duties. Examples are

travel booking and expense claiming applications.

4.1.1.5. Departmental Applications

These are applications with data specific to and useful to a department. Examples are

computer based training or small departmental databases.

4.1.1.6. Data Services

These are applications providing access to data. Examples are management reporting and

access to geographic data.

4.1.1.7. Line of Business (LOB)

These are applications which support the functioning of the public body; they will have data

which is specific to that public body. They will require tuning for a particular department.

Examples are a HR application or a CRM system.

4.1.1.8. Information Access

These are applications provided by a department to other public bodies which give access to

data held by the department. The data will generally be tightly coupled to an application. The



G-Cloud will provide this service as a gateway using CTO Council endorsed G-Cloud

services to connect the two public bodies.

This service will only be permitted where statute allows the data to be shared with the

requesting public body and information assurance requirements for the data are adequately

supported across the G-Cloud.

An example of this service is CISx from the DWP.

4.1.2. Infrastructure and Platform Services

The G-Cloud will provide a variety of ICT infrastructure and platform services to the public

sector. These services will be based on a layered architecture model, and are standardised

to widen their applicability to multiple public sector consumers.

A public body will be able to purchase services at multiple layers. For example on one

occasion the body could purchase a server capacity service onto which the body loads its

own operating system and database. On another occasion the body may choose to

purchase a database service into which the supplier has packaged underlying operating

system and server capacity.

Data across the Public Sector continues to expand. A key infrastructure service offering will

be storage services for data, such as SAN services. This offering will enable public bodies

to access and store their data cost effectively in resilient, secure storage, with the ability to

expand or contract the capacity without major capital investment in their ICT infrastructure.

There is an opportunity for greater development of services for Data Management, Storage

and Security separately from services provided for applications processing. This Data

Capability can become a long-term asset in that applications can be chosen accordingly to

meet a given organisations current business priorities.

The G-Cloud will provide data services for storage and management of:

Operational data;

Disk, SAN or offline storage

Memory Capacity

Environment (space, air conditioning & power only)

Database

Operating System

CPU Processor Power

Serv

ice L

evel

Resili

ence

IL L

evel O

ptions



Management Information data for analysis and reporting; and

Archive data for storage.

Database services are becoming common in cloud computing, so in addition database

services will be offered as part of G-Cloud, providing structured storage of data. This service

will enable public bodies to access and use data to support new business services. The G-

Cloud will implement standards that will enable wider, but secure and legislatively permitted

shared access to data resources with other Public Sector bodies where there is a policy

decision to do so.

More detail on G-Cloud data services are provided in Section 4.1.3 Data in the G-Cloud.

In order to ensure that services in the G-Cloud are available from multiple suppliers the

services available will conform to open and industry standards for ICT components. The

capacity of services will be measured using industry standard units.

Services will be defined so that varying levels of resilience, service levels and support allow

consumers to purchase services to host business services of varying priority to the public

body involved. In addition this differentiation will allow the purchase of services with high

levels of resilience and superior service levels for production systems while more cost

effective services with lower service levels are available for development and test services.

Specific specifications of services for purposes such as Disaster Recovery will also be

available.

4.1.3. Data Services on the G-Cloud

Data is one of the key assets of the Public Sector. As it develops, the G-Cloud will become

the repository of a significant portion of Public Sector data. Data also persists beyond an

application, with migration between applications being required as the application stack

changes.

Cloud providers are addressing the new challenges and opportunities management of data

in a cloud environment offers:

Microsoft has implemented cloud-based data platforms which seek to provide a

database service which meets the needs of primarily network based application

access;

Cisco are offering SAN consolidation services and security approaches for multiple

organisation use of SANs;

Amazon offers database services including tools which are scalable to meet the

needs of cloud services; and

Other suppliers are developing data and database services for the cloud.



The continuing expansion of data is a key challenge for Public Sector ICT. The G-Cloud will

provide access to a cost effective, secure and resilient data storage capacity which can be

expanded or contracted rapidly in accordance with business needs of the Public Sector.

In addition the G-Cloud can provide database services which will allow access to structured

data which can be used to support new business services.

The Public Sector will draw on G-Cloud data services for storage and management of:

Operational data;

Management Information data for analysis and reporting; and

Archive data for storage.

The management of this data by the G-Cloud will encompass its complete lifecycle including:

creation or migration onto the G-Cloud;

monitoring of growth including provision of additional storage capacity as needed

protection through appropriate resilience and security;

migration to cost effective storage facilities as full operational use ceases; and

archival or secure destruction at end of life.

The G-Cloud will offer data services which enable wider, but secure and legislatively

permitted access to this resource across the Public Sector.

The development of data standards for the G-Cloud will support widening of access and

ease of data transfer at contract termination for public bodies.

Data is currently often tightly coupled with a business application within a public body‟s ICT

estate. However as data usually persists beyond the life of the application, transition from a

legacy application to a new or enhanced application can involve an expensive and time

consuming activity of data transfer including data structure changes to fit with the new

application‟s requirements. The definition of data standards for G-Cloud which recognise

data persistence has the potential to reduce the amount of effort to migrate data.

In addition the G-Cloud offers the potential to make existing data assets more widely

available across the Public Sector. Capitalising on this potential will require the G-Cloud to

define data standards and a data strategy. A Data Strategy will be developed in Phase 3 of

the programme.

The G-Cloud will offer data services which are compliant with the security and the legislative

constraints that data held in the Public Sector must operate under.

The Public Sector is already adopting standards to make Public Sector data more available

in line with the objectives of bodies such as the National Archives and with the launch of

data.gov.uk. G-Cloud data strategy and standards will be aligned with the existing public

sector work.



However data obtained by the Public Sector must only be used in the manner allowed and

specified by the associated legislation, the strategy for data and the operational controls of

the G-Cloud will ensure that data is not accessed or shared in violation of this principle. This

will require the storage of data in separated infrastructure storage areas. The G-Cloud will

data tools to permit the wider sharing of appropriate data in a controlled manner.

4.1.4. Professional ICT Services

A number of professional services will be provided to support the delivery of G-Cloud

components and to aggregate services from components available on the G-Cloud.

4.1.4.1. Service Management Services

Both suppliers and larger public bodies will offer service management services on the G-

Cloud. This service will manage the overall delivery of services from the G-Cloud so that an

integrated and consistent operational service is provided. These services will include the

service management of operational services such as change management, incident

management and service reporting. The service management will be based on a common

industry accepted framework such as ITIL. This will enable suppliers of service components

to use a standard method for interaction with the service integrator and public sector

consumers. These services will be of particular value to smaller public bodies with limited

ICT expertise available in their organisation.

4.1.4.2. System Integration Services

These services will provide public bodies with services which will integrate G-Cloud

components into coherent services which can be consumed by a public sector body.

4.1.5. Exclusions from G-Cloud Scope

The G-Cloud will provide a wide range of ICT and business services across all of the Public

Sector. These services will be made available over time in line with the G-Cloud roadmap.

The initial G-Cloud services will therefore be limited in range and coverage across Public

Sector compared to the end Vision for G-Cloud.

However even in the final Vision the scope of G-Cloud and Government Applications Store

does not include:

Services which are not ICT services or business services not supported primarily by

ICT systems, for example

- Facilities management;

- Catering services;

- Stationary procurement;



Development of services which are already provided by other strategic Government

projects such as PSN or common desktop, although these services may be

purchased through the Government Applications Store;

IL5 IL5 and above are not provided in the G-Cloud, although such services may be

co-located in the data centres from which G-Cloud services are provided. However

only those elements of an application which are at IL 5 and above are excluded from

G-Cloud, lower security rated components of the application can be hosted within the

G-Cloud;

Legacy services of limited life or applicability which would not justify cost of migration

to G-Cloud;

Making G-Cloud services available to the private sector, eg commercial firms except

for the creation of composite services for resale to the Public Sector, for example

providing infrastructure services to a software house so that it can provide a

complete application service to a set of public bodies; and

Making G-Cloud services available to foreign governments.

There are no exclusions to the Data Centre Consolidation at this stage, However as detailed

design and planning continues it may be necessary to exclude overseas locations due to

reliance on network capacity and information assurance considerations.

4.2. Government Applications Store

Government Applications Store: “enabling faster, more cost-effective and more consistent

certified ICT enabled solutions to business challenges through reusing and sharing

applications and services”

The Government Applications Store is the Public Sector ICT marketplace to readily source,

share and promote Managed Services, Utility Services and Common Services. It will include

Infrastructure components and services aswell as application and business solutions. Only

where existing services cannot meet a public body‟s requirements will Custom Services to

create a new service be available.

The services available will include private G-Cloud services, certified public cloud and other

ICT Services (eg COTS); and other public sector ICT services such as PSN services.

Services available through the Government Applications Store will be certified to

demonstrate their compliance to Public Sector standards and requirements. The commercial

framework of the Government Application Store will allow purchasers to buy certified

services from an on-line catalogue under a cross public sector framework contract. The

scope, service levels, security accreditation and price of the services will be available for

review and comparison by potential purchasers. Services will be paid for on a per use or

subscription basis. The latest price achieved for the service will be shown to purchasers,

however if subsequently a lower price for this service is achieved by another organisation

then this will be made available to all subscribers of the service - from the point at which the

new lower price is achieved.



UK Govt Applications Store

What do you want to do?

Type in query

Home Common ServicesUtility ServicesManaged

ServiceCustom Services Contact usAbout FAQs

Please choose your required service below

Search

Featured Apps

Featured Apps

Featured Apps

Featured Apps

Managed Services

Utility Services

Common Services Custom

Services

The Government Applications Store will provide a portal for public bodies purchasing

services from the G-Cloud. Open Source software and services will be available in the

Government Applications Store encouraging cost effective services to be provided in this

market.

While the Government Applications Store will have a centrally managed „master catalogue‟,

there will be the capability to configure views of the catalogue for specific communities, for

example to enable focus on services most relevant to a particular type of organisation, or to

„gray out‟ services which are not funded by the user‟s organisation. There will also be the

ability to support „Communities of Interest‟, encouraging public sector organisations and

individuals to innovate by creating/configuring and then sharing locally generated

applications. „Closed loop‟ feedback will provide visibility of what‟s working, enabling future

trial and purchasing decisions to be informed by others‟ experiences.

Certification of a service will include review and approval of its information assurance,

service management and commercial elements.

In order to avoid “lock in” to a particular infrastructure provider there will be a choice of at

least two infrastructure providers for each application. In principle purchasers will be able to

transfer their chosen application service to another infrastructure provider if required at some

future point, although this may involve some data migration activity.



Following selection of the application and infrastructure provider, the purchased service will

be provisioned through an automated process in the public body‟s infrastructure and data

context.

The Government Applications Store will continually be updated with new services. It will be

an open marketplace encouraging new suppliers to join the existing community of ICT

suppliers to the public sector. In order to support new suppliers joining a prototyping facility

will be available on the Government Applications Store. The prototyping facility will allow a

supplier to offer free for a period a new service without complete certification. If this service

is taken up by public bodies the supplier will be able to subsequently “upgrade” the service

to certified and chargeable. This will provide an agile way for new and smaller suppliers to

trial new services and join the Government Applications Store. Services that add new value

will be welcomed into the portfolio provided they meet the minimum assurance requirements

– the approach will be „light touch‟ and will emphasise validating service outcomes rather

than auditing the detailed implementation approach.

The Government Applications Store will also list requests for new services from public

bodies. Suppliers and other public bodies will be able to review these requests and decide

whether they wish to provide the suggested service. If new services are created in response

to the requests they will be required to undergo certification before being made available on

the Application Store.

The public sector body will be responsible for identifying in advance:

which services users in the body can purchase;

which users are allowed to purchase services; and

which disallowed services can be seen by users. So that if necessary a user

can raise a request/justification for a currently unapproved for purchase

service to be made available for purchase within their public body.

The Government Applications Store will be designed so that potential purchasers of services

are directed to existing managed services, then common and utility services only if these

sources do not yield a satisfactory option will the purchaser be able to commission a custom

solution, which must meet G-Cloud certification standards. This approach will encourage re-

use of existing services, thereby reducing cost for the public sector by preventing

unnecessary development of new applications and maximising volume discounts with

existing Suppliers.



4.3. Data Centre Consolidation

Data Centre Consolidation: “delivering public sector ICT services from the optimum

number of high performing, energy-efficient, cost-effective and standards-based data

centres”

Existing data centre space and infrastructure will be rationalised into a smaller set of secure

physical data centres – these will host both the G-Cloud and existing legacy applications

during the migration period. The outcome will be a significantly smaller footprint in highly

virtualised shared data centres which meet government standards for resilience, security

and sustainability at an overall lower cost.

Consolidation can commence through inviting suppliers that currently operate multiple data

centres for the public sector to consolidate to two each, with the savings achievable through

estate and virtualisation rebated to their public sector clients. As existing contracts expire,

replacement G-Cloud services can then be sourced from the Government Applications Store

where available;- where not contract renewal can be used to drive provision of additional G-

Cloud services as the preferred choice. During the transition period some unique residual

needs will need to be sourced via a conventional procurement exercise.

All services delivered from existing facilities will be analysed to identify those which may be

discontinued, combined, re-engineered or replaced in order to improve service delivery

efficiency and lower the risk exposure on delivery of public sector ICT services.

Consolidation will focus on removing data centres with significant issues:

Lack of resilience;

Security concerns;

Lack of capacity (space or power); and

Situated in areas of risk eg sited on a floodplain so at risk of flooding.

Consolidation will include implementing the Phase 1 recommendation that a set of mandatory minimum standards for data centre security and resilience across government are produced and that the consolidated data centres adhere to these standards.

Substandard data centres will be addressed either by improvement of the facility or transition of its load to a more appropriate facility. Adoption of a transition approach will only be carried out where transition costs do not outweigh benefits of the transition.

The data centre consolidation will provide a set of modern, resilient, secure data centres. The data centres will be a mix of private and government owned but will be managed to meet requirements across government and provide services to the G-Cloud. They will make services available to government and application providers on a fair and flexible basis. This approach which fosters competition will be underpinned by appropriate technical and commercial arrangements.



A set of the data centres will remain outside the G-Cloud to provide specific non commodity type services that the G-Cloud is not designed to provide. An example of these services would be where a public body requires services at IL 5 or IL 6 security level.

It is intended that Data Centre Consolidation will be progressed through three parallel projects which will;

Consolidate Public Sector owned Data Centres

Consolidate Private Sector owned or operated Data Centres

Procure new services from the market both for infrastructure and Data Centre facility services

A standard benchmark (e.g. Rack as a Service) will be established to enable the comparison of the cost and quality of facilities from the various sourcing routes.

4.4. Organisation and Governance in the world of G-Cloud

The G-Cloud involves substantial change from today‟s ICT delivery model; - public sector CIO

teams will shift from managing the whole ICT lifecycle, to the selection and integration of

relevant services. Retained ICT organisations will be able to increase focus on business

engagement and achieving value adding outcomes as less effort will be needed on

infrastructure management.

Technical standards for the G-Cloud will be controlled by the CTO Council through the cross

government Enterprise Architecture (xGEA). A regulator/authority will be responsible for:

Maintenance of standards applicable to services including security

Certification of suppliers and supplier services

The delivery of services on the G-Cloud will conform to a comprehensive service

management framework based on ITIL. This framework will cover the management of

processes such as:

Change Management

Incident Management

Service Reporting

Larger government departments may interact directly with suppliers on the G-Cloud,

however for many public sector bodies a Service Manager will provide a service

management service which ensures that the body has an integrated set of services from the

G-Cloud and that delivery of these services is managed.



The options for organisation and governance in the G-Cloud are being developed by the G-

Cloud Phase 2 programme.

Regulatory

or Authority

Body

responsible

for

Standards

and

Certification

Department C

Department B

Department A

Service Catalogue

G- Cloud

Service

Management

Service

Management

Application

Services

Professional

Services

Infrastructure

Services



4.5. Roadmap

The implementation of the Data Centre Consolidation, G-Cloud and Government

Applications Store will cover a period of 5 or more years, but an objective of the roadmap will

be that the achievement of benefits will commence early. The approach to building the G-

Cloud will be to build blocks of ICT services to support Public Sector digital capabilities and

then roll these out through the G-Cloud across the Public Sector.

The identification of and prioritisation of services to be built will be based on the

requirements of Public Sector bodies and communities. For example if secure email facilities

is identified by a group of Local Authorities as a service they require urgently then this would

be an early service made available on the G-Cloud.

The roadmap for specific services and their sequencing on the G-Cloud will be a deliverable

of Phase 3 of the programme. However in the remainder of this section the approach to

developing this roadmap is described and a potential roadmap is outlined.

Where appropriate the approach taken to implementation will be to identify public bodies

with existing plans to procure or implement a service suitable for inclusion on the G-Cloud,

this public body will then lead on the procurement of the service for the G-Cloud ensuring

that the procured or developed service meets the security, technical and contractual

certification requirements of the G-Cloud. The new service will then be available to all public

bodies for sharing and re-use via the Government Applications Store. This approach will

minimise the need to fund central development and procurement of services, in addition it

will ensure that each new service already has a committed market providing confidence to

private sector suppliers that participation in the procurement is worthwhile and will result in

genuine new business.

Risk management of the G-Cloud will also dictate the sequencing with which new services

are introduced. In the early stages – years 1 and 2 of the programme, private cloud, lower

criticality services with moderate service level and security requirements will be added.

Example services could include existing services such as Government Gateway or DCSF

collaborative working.

As confidence in the G-Cloud brand grows and the Government Applications Store becomes

a dynamic and vibrant market place, services which are critical to Public Sector delivery and

have higher service level and security requirements will be incorporated into the G-Cloud.

Public cloud services will also be enabled at this time. Early candidates for inclusion on the

G-Cloud will include the „Champion Assets‟ endorsed by the Government CIO Council‟s.

Subject to funding approval, the programme will be initiated in Spring 2010 to startup the

delivery of Data Centre consolidation, G-Cloud and Government Applications Store.

However, once the operational management and regulatory functions of the G-Cloud

become mature, the programme will transfer further development of the G-Cloud to these

bodies and itself be wound down.

The programme will be responsible for those aspects of the G-Cloud implementation will

require central control for example the procurement of the Government Applications Store.



The programme will manage the organisational and cultural activities required to transition

public bodies to use of the G-Cloud. The G-Cloud will require a cultural change in the ICT

departments of public bodies. In the G-Cloud identification of business needs and matching

re-usable assets rather than procurement and management of custom solutions will be

critical to cost effective delivery of ICT. An approach to equipping the ICT department with

the structure and skills to successfully move to this G-Cloud way of working will be provided

by the programme to participating public bodies.

While the definitive approach to implementation of the G-Cloud will be delivered in Phase 3,

a potential approach is outlined in the succeeding paragraphs:

A planned engagement programme across public bodies will identify the „early adopter‟

public bodies for creation and re-use of G-Cloud services. A small group of early adopters

across Central and Local Government in year 1 will pioneer use of the G-Cloud. The G-

Cloud will be extended to larger groups of public bodies in further years, with existing

adopters expanding the percentage of services they draw from the G-Cloud over time.

In order for the G-Cloud to deliver its benefits it must become a trusted brand. This will be

enabled by the risk managed approach to delivery of the G-Cloud but could also be

supported by the publicising of G-Cloud successes for example an annual G-Cloud Award

could be initiated.

Potential milestones in year 1 include:

Setup of management function for G-Cloud including regulator

Procurement of Government Applications Store

Initiate a consolidation programme for Public Sector owned Data Centres

Initiate a consolidation programme for Private Sector owned or operated Data

Centres

Procurement of new infrastructure and Data Centre facility services for ICT services

Implementation of some G-Cloud services by at least two central government

departments

Implementation of private G-Cloud services for a local authority

Key achievements in year 2- 3

Front line “innovation culture” established

First G-Cloud Awards ceremony held

Launch of public cloud services

Early adopters will now have 40% of relevant ICT services from G-Cloud

Consolidation and closure of more data centres across Public Sector and suppliers

G-Cloud becomes self funding

Early adopters have 70% of relevant ICT services from G-Cloud

During succeeding years, the G-Cloud could continue to expand by:

Completion of data centre consolidation

Adoption of G-Cloud across remaining public bodies

Public Sector retained ICT departments complete transition to new model



During this period the G-Cloud becomes a trusted and reliable brand for Public Sector ICT

services. Suppliers will use the G-Cloud as the primary route to market for providing ICT

services to Public Sector. Digital services of high criticality to citizens and Public Sector will

become established on the G-Cloud, re-use of digital assets will be the predominant model

in Public Sector ICT. The approach to delivery of ICT services in Public Sector will be based

on an established culture of sharing assets.

4.6. Transition

The approach to transition to the Vision of the G-Cloud must meet a number of

requirements:

Transition must take place in a manner which ensures that public sector services

are not disrupted;

Individual G-Cloud services are made available as soon as suitably available and

certified rather than when all planned services are ready so that the resulting

savings can begin quickly;

Public bodies moving to the G-Cloud must not incur unnecessary costs by

terminating existing contracts early; and

The public sector must have the skills and governance in place to purchase and

manage services provided by the G-Cloud.

These requirements mean that the transition to the Vision will take place in a phased

manner. Phasing of the transition will affect both the implementation of the G-Cloud itself

and its adoption by individual public bodies.

Services will be introduced to the G-Cloud by suppliers over time. The initial Service

Catalogue for the G-Cloud will reflect those services which are technologically feasible to

provide over the G-Cloud today, as suppliers and public sector understanding of the

potential of G-Cloud develops both parties will make new services available. In addition the

types of services available will evolve with technology, as new technologies appear the

potential services and their economic feasibility for provision through the G-Cloud will

change leading to new services continually being added to G-Cloud. This approach to

implementation of the G-Cloud will ensure that its initial use is not delayed while large

numbers of services are developed for deployment in a “big bang” launch.

An individual public body will adopt the G-Cloud in a phased manner also. This will allow the

public body to purchase services from the G-Cloud as existing ICT contracts for those types

of ICT services terminate. This means that the public body will not need to terminate

contracts early and incur termination charges unnecessarily.

Another advantage of this phased approach is that it avoids the risk of a “big bang”

implementation of G-Cloud at a public body where potentially all its services are at risk of

failure at go live. It also allows the public sector to develop the skills required for managing

G-Cloud services over time.



A detailed approach to Transition is being prepared as part of the G-Cloud Phase 2

programme.

5. Principles

The Vision has been developed based on a number of principles which cover Commercial,

Technical, Operational and Transition aspects of the G-Cloud. The principles govern the

extent, outcomes and structure of the Vision.

5.1. Commercial Principles

The commercial principles will support the creation of a commercial framework to support a

transition to cloud computing and cloud sourcing enabling sustained lower costs, improved

agility and better service.

Ease of Change: Creating a marketplace where purchasers can switch easily

between providers at the end of contracts and establish the principle of contract

migration and make provision for it by:

- limiting the term of contracts

- Minimise termination clauses

- Open standards for connecting

- Allow the market to determine the best approach to term contracts

- Transition (see later)

Comparable Pricing: Pricing should reflect total cost of service and be priced on

a utility model by a measurable unit (transaction, user, month, capacity). Pricing

should incorporate and make visible all additional service charges, or costs of

change. The ultimate aim is for no term contracts. Different business models may

exist for different parts of the stack (IaaS, PaaS, SaaS) and for different IL levels

Ease of Transaction: To minimise the transaction cost for purchase of service

through the cloud. Transacting should be standardised, simple, and low cost for

both parties by:

- Frameworks should be designed for categories of service to incorporate

simplified legal requirements

- Single standardised version of Ts & Cs would be optimal incorporating legal

concepts determined by the framework



Market Access: Ensure a competitive open market and that suppliers can deliver

and scale what is being sold. Limit the barriers to entry. Achieve this by:

- Establishing a code of conduct laying out expectations and responsibilities of

all participants

- Establishing a cloud certifier role

- Application Store and G-Cloud should be available to all entrants provided

that they meet certain criteria including:

Technical validation

Business probity

- Accreditation standards should be open, and published

- Technical access standards should be open and published

- Prototyping facility to allow suppliers to trial new services in an agile manner

Reusable Intellectual Property: To create a commercial model which supports

reuse of IP by incentivising suppliers to sell services which share or reuse

retained government IP in the cloud and creating an environment where the

cloud is the most profitable and accessible marketplace to build a rich

marketplace of useable services

Governance and Dispute: To protect customer and provider with comfort that

the service represents their interests fairly. Ensure that all players adhere to the

rules and principles of the cloud. Establish a place of arbitration/recourse for

disputes within the system. Ensure that the Crown doesn‟t abuse its position to

place onerous demands on entrants, and to trust the market to find an acceptable

balance of risk and value. This can be achieved by:

- Establishing an independent body to act as ultimate arbiter, and to uphold

spirit of principles

- The arbiter should be an independent body representing suppliers and the

government



Framework for Contracting: To minimise supplier effort to access G-Cloud with

a simple government procurement framework by:

- Developing a single method for contracting with the public sector for an

agreed basket of services

- A standard set of terms and conditions which apply across all customers

- Treating the crown as a single customer

- Transferability of reusable assets under this agreement between agencies

- 'Accessibility of shared services across public sector customers'

Management Information Transparency: For the market to work effectively

suppliers will need to share pricing and supply data openly. We will incorporate a

Service Information principle into contracts and access framework to open

access to pricing and volume transaction data

Compliance: To ensure that once a viable marketplace exists, government

departments use it. Ensure that there is no duplication of sales costs for

suppliers. Incentivise compliance/ penalise non-compliance. Achieve this by:

- Creating a framework (voluntary or mandated) which encourages all

departments to adopt frameworks and pricing levels

- Link adoption and savings to recognisable OEP savings

- Ensuring that a penalty process exists to penalise non-standard choices

Transitioning and Transforming: To encourage incumbent providers to

transition service prior to the termination of contracts. Taking into account the

need for large scale transformation of legacy to allow consumption of G-Cloud.

Allow suppliers to transition business models to cloud principles within a given

time frame. Ways of achieving this are:

- Encouraging and allowing different commercial principles to hold for transition

proposals, ie: contract renewals, longer contracts

- Suspending commercial principles for suppliers in some markets whilst critical

mass is built up

- Suspending commercial principles to allow incumbents to transition in return

for extended contract length

- Short term contract extensions to enable the transition of aggregated

common demand

- Paying a transitional premium during the transition period to non-continuing

data-centre vendors.



5.2. Technical Principles

These principles focus on governing the Vision in its technical aspects such as capacity,

technical standards and security constraints.

Resilience: A variety of levels of resilience will be available for the services

available through the G-Cloud. Consumers of G-Cloud services will be able to

choose the level of resilience for the service procured. Where appropriate for

example if a service is used to support a non production service such as testing a

consumer can procure a service without any resilience;

Security: The services provided by the G-Cloud will conform to Government

standard security. Multiple levels of security (IL 0 – 4) will be supported within the

G-Cloud and a consumer can choose the appropriate level of security for the type

of service being supported;

Standards: G-Cloud services will be based on open and/or industry standards as

much as is possible. This will enable multiple suppliers to provide services via the

G-Cloud;

Scalability: The G-Cloud will provide scalable services. These services will be

“elastically” scalable, i.e. the capacity of a service can be increased and

decreased;

Services: G-Cloud and Application Store will support a variety of sourcing

models including provision of ICT infrastructure, ICT professional services (eg

Service Management), provision of software, Software as a Service (SaaS) and

gateways to public sector applications amongst others; and

Certification: Services offered by suppliers must be certified by an appropriate

entity before they can be made available on the G-Cloud and Application Store

so that consumers can be confident that services are of appropriate quality and

use proven technologies.

Data: Consuming bodies will own their data and at the termination of a service or

application can request the return of the data. Standards will need to be adopted

to enable applications created by one organisation to be re-used by other

organisations within their data context.

Presentation standards: Consideration will be given to the need for

presentation standards to readily enable coherent aggregation of services from

multiple public sector organisations.



5.3. Information Assurance Principles

A summary of the Information Assurance strategy is provided in Appendix 6. This section

summarises the key principles of the Information Assurance approach.

Information Assurance Policy: There will need to be a fundamental change

from the current IA policy and practice when information risk management moves

from the current model of risk management by each organisation for their own

services and information to truly shared risks to services and information cutting

across multiple organisational boundaries.

Information Assurance Risks: IA risks will be managed by segregating the

services and information based on their Threat, Impact and Compliance profiles.

The current lack of technology assured to an acceptable level has meant that the

roadmap for the IA strategy will begin with physical segregation of domains

covering these groupings of services. The objective is to rationalise these

physical segregations as assured technology becomes available to manage the

risks. This includes continued work to investigate the assurance that can be

gained from public cloud services and what types of service might be suitable for

some types of public sector information.

SIRO Responsibility: The G-Cloud will bring about a fundamental change to

ownership and responsibility for IT services delivered to the public sector.

Organisational SIROs will remain responsible for the risk ownership of their

information wherever is stored or processed. Similarly organisational SROs will

remain responsible for managing the information risk for specific programmes or

projects to ensure they meet the objectives agreed with their SIRO and board.

Federated Information Assurance Accreditation: In order to realise potential

efficiencies in the application of IA processes in the G-Cloud environment, SIROs

and SROs will need to rely on risk management decisions made by their peers or

3rd parties. Without this change there will severe duplication of effort and

inconsistency in assurance results. This is a major change to the current model

of information risk ownership, but without removing the accountability or the

organisational SIROs or SROs.

G-Cloud SIRO: The creation of a G-Cloud SIRO that is responsible for the

Confidentiality, Integrity and Availability of the utility services and supporting

infrastructure of the G-Cloud. Similarly there is a requirement for a G-Cloud SRO

who will have overall responsibility for delivery of security for the operation of the

G-Cloud. The G-Cloud SIRO will also need to provide oversight (and co-

ordination) with respect to the public cloud elements of the hybrid G-Cloud

Aggregation: Aggregation by association in effect raises the protective marking

of the combined pieces of information (both the threat and business impact will

rise). There needs to be a procedural process backed up by technology to ensure

that information is afforded appropriate protection.

Policies: HMG IA Standards, Policies and practices will need to be amended to

adequately model the risks reflected by the G-Cloud environment.



Compliance: There will need to be a set of assured services and components

that build to a point that allows the risk owners and risk managers of consuming

organisations to make a minimum amount of evaluation before reaching a

decision on the use any particular service available from the applications store.



5.4. Operating Principles

These principles focus on governing the Vision in its operational aspects such as service

management, change management and service reporting.

Services: The scope and detail of services will be clearly defined in a Service

Catalogue;

Service Management: The delivery of services will be managed using a

framework based on accepted industry standards such as ITIL. This will include

processes for incident management, change management and service reporting;

Service Integrator: A service integration offering will be provided by Suppliers so

that public bodies will have access to support in integrating G-Cloud services to

create a comprehensive ICT service for their organisations;

Governance: The roles and responsibilities of supplier, service integrator and

consumer of services will be clearly defined;

Service Levels: The range and detail of Service Levels available for service will

be defined in the Service Catalogue;

Change Management: The procedure for change to services including notice

period will be clearly defined;

Capacity: Service capacity can be varied for defined periods of time. The

minimum period and increments over which/by which a service capacity can be

varied will vary by service, but will be defined in the Service Catalogue; and

Monitoring: Service Levels will be monitored by the supplier or service integrator

and reported to consumers of services. Reporting intervals will be defined as part

of the service description in the Service Catalogue.



5.5. Transition Principles

The transition from the existing ICT estate to the new model of the G-Cloud will be governed

by a series of principles which protect against disruption to public services and the incurring

of unnecessary costs by the public sector.

Phasing: G-Cloud services will be designed so that individual public sector

organisations can adopt G-Cloud services in an incremental manner if required

so that a “big bang” approach to adoption of G-Cloud services is not mandatory;

Implementation of Services: The G-Cloud will be capable of evolving the type

and capacity of services provided so that services are made available based on

proven technologies at any point in time;

Current Contracts: Existing public sector ICT contracts will not be terminated

early to facilitate an adoption of G-Cloud services unless appropriate transition

can be managed in a cost effective way;

Planning: Replacement of traditional ICT services with G-Cloud ICT services by

a public body will be accompanied by the development and implementation of a

comprehensive transition plan for that public body covering both the

technological, service management, organisational and governance aspects of

the adoption of the G-Cloud so that transition to the G-Cloud does not impact

delivery of services to citizens; and

Risk Management: Transition will be delivered in a „risk managed‟ way.



6. Scenarios

In order to refine the Vision described in this document a series of scenarios were reviewed

and walked through by the Cabinet Office Datacentre Consolidation, G-Cloud and

Application Store Phase 2 programme leadership team on 22nd October 2009.

The results of these reviews are documented in the appendix 3.



7. Conclusion

The Vision will provide a significant number of tactical and strategic benefits to UK

Government and its provision of services.

The Vision is a platform upon which the next steps for implementation of data centre

consolidation, G-Cloud and Government Applications Store can be based.

The Vision will be used as a platform for the development of a specification of the services

on the G-Cloud and a Transition Strategy for consolidation of data centres and

implementation of G-Cloud and Government Applications Store.

These specifications and the strategy will be used to inform a business case to government

for implementation of the Vision.



8. Appendices

A1. Appendix 1 - Glossary of terms

Term Definition

Application Store Synonym for Government Applications Store.

Cloud Computing Gartner Definition: a style of computing where massively scalable

ICT-enabled capabilities are delivered 'as a service' to external

customers using Internet technologies.

The provision of computing platform/storage services has been the

initial focus for many Cloud Computing providers but any ICT

resource e.g. applications, data, and middleware can be delivered in

this style.

COTS Common Off The Shelf software packages.

ESB (Enterprise

Service Bus)

An ESB is an integration layer or mechanism linking different

components and services in the ICT architecture of an organisation

G-Cloud The G-Cloud is the delivery of Public Sector ICT by a shared secure

“utility” style ICT services infrastructure, underpinned by a new

commercial model enabling public bodies to have the option to pay

only for the service at the time when they use it. This approach is now

developing rapidly and is known as “Cloud Computing”. It is enabled

by common standards, and by heavily automated secure business

processes that enable substantial reductions in costs.

“G-Cloud” is the Public Sector brand for the use of secure cloud

computing.

Government

Applications Store

The Government Applications Store is the Public Sector ICT

marketplace to readily source, share and promote complete “out of

the box” applications, business solutions and services. Infrastructure

components and services can also be procured from the G-Cloud to

create a new service in response to a specific business requirement.

It is used by public sector bodies to purchase services which will then

be automatically provisioned on the G-Cloud.

IaaS Infrastructure as a Service

Impact Level (IL) A UK Government standard for assessing the impact of possible

compromises to the Confidentiality, Integrity or Availability of

information in the public sector

Infrastructure ICT hardware components including servers and SANs



ITIL ITIL (ICT Infrastructure Library) is a service management framework.

It is widely used in the ICT industry to manage the delivery of

services.

List X Status "List X" refers to the Security Clearance of a facility such as a data

centre. The term refers to contractors or subcontractors to the public

sector which have been formally placed on List X because they are

undertaking work marked CONFIDENTIAL or above at their facility or

data centre. List X is not available on request; it has to be

"sponsored" by a Contracting Authority (CA) in UK Government

PaaS Platform as a Service

PSN PSN (Public Sector Network) is a UK Government programme to

provide a common network for purchase across all of the public sector

SaaS (Software as

a Service)

A model of software deployment whereby a vendor licenses an

application to customers for use as a service on demand. In general

the service operates on a „pay as you go‟ model

Service Catalogue A list of all the services available in the G-Cloud at a particular time.

For each service it will include Price, Service Levels, Resilience,

Capacity, IL level, Reporting and Duration options



A2. Appendix 2 Stakeholder list

Name Organisation

Andy Nelson MoJ – CIO

John Suffolk Cabinet Office – SRO

Bill McCluggage Cabinet Office – Deputy Government CIO

Martin Bellamy Cabinet Office – Programme Director

John Fotheringham Deloitte

Annette Vernon Home Office – CIO

Tim Wright DCSF – CIO

Phil Pavitt HMRC – CIO

Nick Hopkinson GCHQ – CIO

Dean James DWP – CICT COO

John Taylor MOD – CIO

Roy Marshall Communities – CIO

Christine Connelly Health – CIO

Julian David Intellect

Derek Kay Deloitte – Cloud Computing SME

Toby Spanier Deloitte - Business Planning Workstrand Lead

Joe Penman HP - Business Planning Workstrand Co-Lead

Nicky Stewart OGC - Commercial Strategy Workstrand Lead

Barry Matthews Alsbridge - Commercial Strategy Workstrand

Co-Lead

Stuart Aston Microsoft - Information Assurance Workstrand

Co-Lead

Wendy Wright Deloitte - PMO Workstrand Lead

Alex Rees IBM - PMO Workstrand Co-Lead

Dilip Parmar CLG - Quick Wins Workstrand Lead

Andy Bates Cable and Wireless – Quick Wins Workstrand



Co-Lead

Mike Truran DWP - Service Management Workstrand Lead

David Greenway Capgemini - Service Management Workstrand

Co-Lead

Eileen Logie DWP - Service Management Workstrand Deputy

Lead

Gerry Gallagher Deloitte - Service Specification and Business

Transition Planning Workstrand Lead

Andy MacLeod Cisco - Service Specification and Business

Transition Planning Workstrand Co-Lead

Miles Gray Connecting for Health – Technical Architecture

Workstrand Lead

Kate Craig-Wood Memset - Technical Architecture Workstrand

Co-Lead



A3. Appendix 3 – Details of Scenarios

In order to refine the Vision described in this document a series of scenarios were reviewed

and walked through by the Cabinet Office Datacentre Consolidation, G-Cloud and

Application Store Phase 2 programme leadership team on 22nd October 2009.

There are six scenarios each based on a different stakeholder within ICT services for the

Public Sector. Each scenario investigates the ways in which the G-Cloud will affect how this

stakeholder deals with a challenge to delivering ICT services.

The sections below describe the scenario and the results of the team‟s investigations of the

scenario and its challenges in the new world of the G-Cloud.

A3.1. Central Government Department ICT Service Director

A3.1.1. Role:

ICT Service Director in Central Government department

Current ICT services range from PC support to running of bespoke applications on a

mainframe

A3.1.2. Challenge:

10 year outsource deal for department‟s ICT services coming to an end in 12 months

A3.1.3. Outcome:

How will the G-Cloud help?

- Providing efficient procurement process

- Reduced time in definition of requirements

- Provide choice and competition

- Time savings (procurement)

- Agreed framework for SLA

- Enable budget planning

- Provide risk reduction

What features would G-Cloud need to have?

- G-cloud would need to have the following features: transparency in its

processes, security, provide scalability and resilience.

- The G-cloud would also need to contain agility

- In order to view the different services on offer, the G-cloud would require a

shop window

- Provide environment where we don‟t need to pay for what we don‟t need or

use

Will G-Cloud be able to provide all requirements?

- Short term, yes, but only in terms of core products

- In terms of more specific products in 2012 it will not be in a mature state

How will the role and skills in the ICT group of the Department change with the

use of G-Cloud?



- Different type of commercial awareness and knowledge

- Increased visibility across govt departments

- Different approach to service management

What assumptions have you made?

- We are in 2012

- 3 key challenges = green agenda, digital Britain, reducing overall cost



A3.2. Local Government Director of Housing

A3.2.1. Role:

Director of Housing in Local Government

A3.2.2. Challenge:

New government legislation requires local authority to monitor new aspects of private

rental property in the borough

Responsibility will be given to the borough in 6 months time

Existing ICT systems are at full capacity and do offer appropriate functionality

A3.2.3. Outcome A:


- Provide scale

- Enable us to buy more of the same thing

- We don‟t need to go through a competitive procurement process

- Provide resilience

- Easy to terminate


- Similar to Scenario 1, for example G-cloud would need to have transparency

in it‟s processes, Security, provide scalability, resilience, and agility

- In order to view the different services on offer, the G-cloud would require a

shop window

- Provide agreed commercial principles


- Yes

How will the role and skills in the ICT group of the Department change with the use

of G-Cloud?

- There would be little change in skills


- There is a service that already exists and provides the appropriate

functionality

- Current capacity is provided by the G-cloud

- Business change has already taken place, therefore there will be little change

in terms of skills



A3.2.4. Outcome B:


- Provide a brokerage service


- Aggregated demand

- Application sharing/re-use of applications


- Yes

How will the role and skills in the ICT group of the Department change with the use

of G-Cloud?

- The role would require someone who is more focussed on strategy

- There would be a certain amount of headcount reduction

- The remaining staff would be required to perform a different type of support

and maintenance

- Less bespoke applications and a reduction in the number of legacy systems

would mean more standardised skill sets with less specialist knowledge

required


- Existing ICT systems DO NOT provide the appropriate functionality

- All required applications have already been purchased by the Crown



A3.3. Private Sector Application Provider

A3.3.1. Role

Small private sector software group

Just completed successful software implementation at a Police force

Functionality of software developed would be relevant to other Police forces

A3.3.2. Challenge:

Software group has limited marketing and sales resources

A3.3.3. Outcome:

How will the Application Store help?

- The application store would provide a low cost shop window

- A rating system would enable users to rate services/applications and add

comments

- Provide a window on certified solutions

- Reduced cost of sale/procurement, which would also mean a reduced price

point

- A small application provider could use a larger shared infrastructure to build

applications leading to a reduction in barriers to entry

What features would the Application Store need to have?

- Star ratings

- Associated services/infrastructure services

- Want to have categories of solution i.e. „other customers have bought this‟

How will the processes and skills of the Software firm change to use Application

Store?

- Going to have to change to online marketing

- How you get paid for your sales/for your application will affect your cash flow

- Have to align your process around standardised service management

- Certification services

- Change your support services/provide maintenance packages

- Move resources from design to implementation

- Lower cost of sale


- Central certification i.e. Once a product is certified it doesn‟t require re-

certification to be sold on or over time

- Don‟t have to compete every time i.e. Not a bidding system for use of

services/applications

- The department could also want to integrate it and sell

- Standard desktop environment

- Standard application development environment



A3.4. Central Government Department ICT Service Director

A3.4.1. Role:

ICT Service Director in Central Government department

G-Cloud provides infrastructure for application supporting Department‟s main function

A3.4.2. Challenge:

Changes in economic environment mean that capacity requirements will increase in

next 3 months significantly beyond projections when G-Cloud services were contracted

A3.4.3. Outcome:


- Elastic scalability

- By buying standard solutions, it is easier for the supplier community to roll out

the things that you want

- Season ticket concept:: cost will vary with the length of time, the longer you

have it the cheaper it will be

- Balanced demand across Government e.g. as the demand for the DWP goes

down, the demand for the HMRC will go up and vice versa

- Give advice on the extra things you might need to make the applications

work


- Standard building blocks

- Speed of procurement

- Flexible offerings

- Ability to aggregate demand


- No , does not include networks


- Application store included access to PSN services

- Minimum period of the rental terms becomes a differentiator

- Standardised units across the G-cloud

- Defined time period for which prices are fixed

- Minimum time period for which a price will be held firm



A3.5. Local Government CIO

A3.5.1. Role:

CIO in Local Government

G-Cloud infrastructure services provided to Social Services department

A3.5.2. Challenge:

Performance of G-Cloud services has recently deteriorated

Social Services director very concerned as social workers effectiveness being impacted

A3.5.3. Outcome:

How can CIO resolve issue with G-Cloud?

- There is a shift in the commercial model that results in the CIO being able to

easily switch providers (low switch costs) for continuous poor performance

What features would G-Cloud need to have both in technical and governance

terms to enable resolution of the issue?

- A back room/account management team pulling things together

- Point of vertical escalation

- Point of negotiation of requirements

- Application service rating

What roles and skills would the CIO need in his team to resolve the issue?

- Business understanding of local Government to offer re-use/other services

- CIO role will have to change to incorporate capacity management and

forecasting

- Replace ICT procurement with a G-cloud ICT person within the local

Government office

- Lead to in-house expertise

- A change in the retained ICT capability


- That there is a single point of contact for all cloud services

- Frontline has some business knowledge

- There is some knowledge of the service provider



A3.6. Private Sector ICT Provider

A3.6.1. Role:

Supplier of infrastructure and application services to Central Government department

A3.6.2. Challenge:

Supplier‟s 10 year outsource contract for the department‟s ICT services coming to an

end in 12 months

Current ICT services range from PC support to running of bespoke applications on a

mainframe

A3.6.3. Outcome:


- G-Cloud will provide opportunities to increase market share in public sector

- Offers broader international scope for repeat business

- Reduced bid costs because the organisation has cloud accreditation


- Brokering service so that application providers can offer applications across

the cloud

- Published open standards for interoperability


- G-cloud will not provide all requirements as there may be legacy/heritage

systems that may remain outside the cloud


- The supplier was going to be accredited and move into the cloud



A4. Appendix 4 Drivers for Change

In section 2.1 above, an overview of the factors affecting Public Sector ICT is provided. In

this appendix the drivers for change in Public Sector ICT are listed.

A4.1. Strategic Drivers for Change

CSR010 VFM Programme: OEP annual ICT saving targets of £3.2Bn achievable in

three years including £1.6Bn from the ICT Collaborative Procurement Strategy.

‒ G-Cloud will deliver a fundamental contribution to the OEP and will facilitate

and accelerate the OEP targets.

Climate change: Greening Government ICT white paper (July 2008) energy efficiency

and ICT equipment disposal recommendations. Government is Britain‟s largest

purchaser of ICT.

‒ G-Cloud will facilitate smarter ways of working through ubiquitous and secure

access to data, further reducing government‟s environmental impact and

carbon footprint.

Digital Britain: strategic vision for ensuring that the UK is at the leading edge of the

global digital economy. This requires a step change in the efficiency of the delivery of

purchases and ICT procurement.

‒ G-Cloud will deliver greater agility and speed in the delivery of policy and

services, underpinned the adoption of shared infrastructure at lower cost.

A4.2. Financial Drivers for Change

Cash releasing benefits have been estimated as significantly in excess of £900m over 5

years, with savings of £300m per annum thereafter.

These will be achieved by:


‒ Reduced hardware maintenance, server capital expenditure, and power consumption through more efficient and better utilised infrastructure.

‒ Reduced up-front investment costs through standardisation and sharing of assets.

‒ Reduced estate footprint through site sales/repurposing of accommodation.

G-Cloud

‒ Reduced capital investment in computer infrastructure through utility-based rental of computing and processing time.



‒ Reduced server purchase costs through virtualisation of servers across departments leading to higher utilisation rates

‒ Reduced data recovery costs through fewer dedicated DR facilities.


‒ Reduced bespoke application development through reuse of existing components.

‒ Reduced application purchase prices through economies of scale.

‒ Reduced licensing costs through licensing consolidation and reuse.

‒ Reduced investment costs through SaaS pay for use model

A4.3. Non Financial Drivers for Change

Significant intangible and qualitative benefits are enabled by the Programme:


‒ Increased resilience and reduced risk through improved and modernised facilities.

‒ Enhanced business agility through faster virtual server provisioning.

‒ Improved sustainability through more energy efficient estate.

G-Cloud

‒ Improved dynamic scalability through accessing additional resources for peak demand.

‒ Enhanced ability to transition ICT staff to more value-adding activities through reducing the need for maintenance and patching.

‒ Reduced project timescales through reuse of building components.


‒ Enhanced business agility through easier and less lengthy procurements due to framework contracts

‒ Improved licence compliance through centralised monitoring and management.

‒ Enhanced purchasing decision making through better pricing transparency and comparability.

‒ Increased Information Assurance through being built-in to certified solutions.



A4.4. Technological Drivers for Change

Cloud computing has come of age driven by real advances in:

‒ architecture

‒ security

‒ web platforms

‒ elastically scalable processing

‒ utility computing, on-demand services, grid computing and software as a service.

‒ Virtualisation providing ability to:

‒ Drive higher server utilisation rates

Use of commodity server resources

‒ Standardised components leading to easier recovery in event of failure

‒ Service Oriented Architecture providing

‒ Enhanced integration mechanisms between applications

‒ Ability to re-use application components

Process automation providing

‒ Standard support mechanisms

‒ Enhanced agility

‒ Improved visibility of service performance

UNCLASSIFIED

A5. Appendix 5 Programme Risks

PROGRAMME RISKS

(AS AGREED AT THE PROGRAMME BOARD ON 10TH DECEMBER)

# Category Owner Risk Description Likelihood Impact Mitigation Approach

6

G-Cloud, Data

Centre

Consolidation

MT

There is a risk that pricing and commercial terms for

G-Cloud and data centre migration may be

insufficient to encourage industry investment and

participation

High High

Ensure that terms adequately reward

commercial risk commensurate with

value for money and cost savings

8 All MB

Failure to secure senior and early departmental

commitment to G-Cloud may prohibit service uptake

and infrastructure sharing

High High

Effective senior stakeholder management

to ensure understanding and buy-in

Programme to engage regularly with CIOs

10 G-Cloud GG

Delivery of the G-Cloud benefits will require strong

central coordination across Dept and LA boundaries -

this is how the private sector successes to date have

been achieved. This requires a radically new ICT

governance and organisational approach for the

Public Sector. If this change is not appropriately

implemented, achievement of G-Cloud benefits will

be significantly impaired and/or delayed.

High High

Tech Architecture workstrand lead to

review and ensure open standards are

appropriately reflected

Peer review process to validate

appropriate use of open standards.

Obtain early senior stakeholder support

for proposed governance models



12 G-Cloud DS

Failure to agree an appropriate IA model will prevent

departments from using shared infrastructure and

suppliers from easily providing services over the G-

Cloud.

High High

DS to engage CESG and other critical

stakeholders to facilitate understanding

of impact and changes required by G-

Cloud and to gain commitment to

proposed IA model


1 All MB

There is a risk that the programme may not receive

cross Government support and commitment required

to deliver key elements of the G-Cloud strategy

Medium High

Regularly assess support/commitment

from Government (both Business and

Technology perspective)

Demonstrate/communicated benefits of G-

Cloud

2 All TS

There is a risk that the team will not get sufficient

data or engagement from departments, and will

therefore not be able to produce a robust business

case

Medium High

Secure at least one major government

department to be fully involved in the data

collection process.

Engage with a cross selection of

departments to gather data



13 Apps Store NS Procurement rules may prohibit the establishment of

pan government purchasing, re-use and sharing. Medium High

Commercial team to identify procurement

model(s) for the G-Cloud and test these

early with EU and UK procurement

specialists to validate their proposals.

14 Quick Wins DS There is a risk that security accreditation constraints

may prohibit quick wins from going live. Medium High

Quick Wins workstrand is aware of this and

is working closely with the Information

Assurance workstrand to ensure that any

quick wins developed are able to go live.

18 Data Centre

Consolidation DS

There is a risk that failure to create common security

standard for data centre evaluation may inhibit the

Data Centre consolidation

Medium Medium

1. DS to progress with Technical Architecture and DC teams and;

2. Assess viability of selecting/ using current standards


19 Data Centre

Consolidation DS

There is a risk that any one data centre (if there are

12) may not be secure enough to cater for the total

data held

Medium Medium

Ensure that data centre consolidation

approach defines sufficient data centres

and appropriate data separation strategies



17 All MB

There is a risk that incoming regulation may make

PUE (Power usage effectiveness) higher than 2.0

illegal and this may mean that we have to change our

target DC / transition approach (move more rapidly

than planned)

Medium Low Ongoing monitoring of emerging regulation

3 All TS

There is a risk that senior stakeholders’ expectations

regarding the projected savings for DC consolidation,

G-Cloud and Apps Store (as documented in the ICT

strategy) cannot be met as the detailed analysis to

validate the high level extrapolation of industry

benchmarking has not yet been completed.

Low High

Progress validation of savings ASAP and

ensure stakeholders are provided with

upper and lower savings projections

11 All EL

There is a risk that different interpretations for App

Store and G-Cloud governance and commercial

framework across the programme will inhibit the

creation of the Service management framework.

Low High

Arrange more cross strand meetings to

lock-down a single definition for service

management. Model service management

architecture and challenge cross strand

interpretations in work strand.




15 All MG There is a risk that as a result of stating our preferred

approach, one industry model/ method becomes

dominant / de facto and others are incompatible /

sidelined. Low High

Technical Architecture and peer reviewers

to ensure standards are open/ fair to allow

multiple industry models

4 All TS There is a risk that the business case may double

count savings with PSN programme and other existing

programmes, thus weakening our or their business

cases. Low Medium

Identify potential double counts. Evaluate

the extent to which this programme will de

risk their delivery or provide the means to

achieve them. Do not set a separate target

on top of OEP etc. for programme benefits -

i.e. the programme enables benefits to be

realised across current governmental

targets. Need urgent clarity on the scope

boundaries of PSN and G-Cloud to avoid

this scenario

5 All MB

There is a risk that insufficient engagement with the

CIO community prior to 5th

February will result in a

subsequent lack of buy-in to the business case and

Vision.

Low Medium

Implement an appropriate engagement plan

for CIO engagement prior to the CIO

council. Request support from the

Programme Board in engaging with CIO

stakeholders




7 All MB Failure to secure early, senior industry engagement

(CXO-level) may constrain G-Cloud service provision

decisions and prioritisation of investment in FY

2010/11 Low Medium

Implement appropriate industry

engagement plan using Intellect and other

appropriate industry bodies

20 All MB There is a risk that suppliers may develop Cloud

approaches for Public Sector based on the status quo

and thereby limit the cost efficiencies of G-Cloud. Low Medium

Ensure that development of transition plans

includes appropriate governance to

introduce non status quo approaches such

as introduction of new suppliers and

technologies

21 G-Cloud,

Apps Store MB There is a risk that if the PSN or Desktop are not

available on time it will cause unnecessary delay Low Medium

The Vision and transition approach should

be developed such that we do not have a

dependency on the availability of

Desktop/PSN and that our infrastructure is

agnostic of network or desktop service

22 Apps Store NS Failure to incorporate into contract terms the ability to

use a purchased application across multiple

government entities will result in applications not

being shared/re-used across government TBD High

Commercial to progress, optional Make “the Crown” the entity in contracts

rather than individual departments



16 All MB There is a risk that commercial and carbon gains are made by departments on their own and the G-Cloud does not deliver large enough incremental savings

TBD Medium MB to provide mitigation w/c 17th January

POTENTIAL PROGRAMME RISKS

(SUBMITTED BY HMT FOR CONSIDERATION FOR INCLUSION INTO RISK REGISTER)


23 All TBC

Government Governance of the

Programme

Delivery of the G-Cloud benefits will require

strong central coordination across Dept and

LA boundaries - this is how the good private

sector successes to date have been

achieved. This requires a radically new

governance and organisational approach.

TBD [high]

Input is being actively sought from CIOs in both local and central

government sectors, in order to build a high level of buy-in to the

programme’s direction of travel, deliverables, and governance

model.



24 All TBC

Funding/ upfront investment

In the current resource constrained

environment, upfront investment funding

will be particularly difficult to secure.

TBD [high]

Alternative funding routes will be explored, including funding from

within the public sector CIO Community, and also upfront funding

from suppliers that is then repaid through service charges (HMT

would be content with this provided this does not add to the

national debt and still produces significant savings post high interest

rates levied). HMT can consider providing new funding for the

central project team, but first want the project to explore whether

the CIO Community would fund these costs from existing budgets,

on the basis that the investment will help deliver savings later on.

Early adopters could provide seed funding, further reducing the

barriers to entry (and affordability constraints) for later adopters.


25 All TBC

Achieving critical mass quickly If the programme does not achieve a certain critical mass within the first 2-3 years, benefits will not be significant enough to attract public sector organisations in the future.

TBD [high]

Develop a business case which delivers significant benefits for a reasonable level of funding within 2-3 years. Enable the early adopters to share in the benefits of increased downstream scale, as more organisations make use of the programme. The Programme Director will engage the SRO and the Chair of the Programme Board to develop a broader socialisation and engagement approach post the CIO Council meeting.



26 All TBC

Political Sponsorship

This IT-enabled programme may not be viewed as

appealing to Ministers.

TBD [high]

Work is already underway across government to secure political

support for the programme as part of the wider ICT Strategy.

Angela Smith has issued the ICT Strategy to ministers and their

departments, who have all formally accepted it. (Confirmation of

support from HMT still in progress.) The programme is positioned

as an enabler of government policy, including OEP, Digital Britain,

Smarter Government, Building Britain’s Future and the Green ICT

Strategy – hence it centres on improving efficiency and delivering

relevant business change capability, through buying IT differently

and therefore should appeal to a delivery focused politicians.

Government policy is to enable decentralisation, and efficient IT

decentralisation can only be undertaken successfully (and cost

effectively) with the strong central co-ordination for standard IT

assets, infrastructure and processes that will be delivered by the

programme.

27 All TBC

Transition Plan

Though the vision and end destination of the programme are clear, the journey is not currently developed enough to provide stakeholders with sufficient confidence of the programme’s success.

TBD [high]

Work is still in progress on the governance and organisational model, and the transition plan. Discussions are underway with programme board members, and departments and LAs – the proposed way forwards will be reviewed at the next programme-HMT meeting in late January.

APPENDIX



Abbreviation Name

MB Martin Bellamy (Programme Director)

TS Toby Spanier (Business Planning Lead)

NS Nicky Stewart (Commercial Strategy Lead)

MG Miles Gray (Technical Architecture Lead)

GG Gerry Gallagher (Service Specification / Transition Planning Lead)

EL Eileen Logie (Service Management Deputy Lead)

HMT HM Treasury


UNCLASSIFIED

A6. Appendix 6 Information Assurance

Information Assurance (IA) Workstream Report Summary

1. This workstream report, referred to as the Information Assurance Strategy (IA Strategy)

for ease of reference, sets out the vision and initial proposals for an IA Strategy covering the vision of the of the Public Sector IT Strategy for Data Centres, Government Applications Store and a Government Secure Cloud (G-Cloud) environment. It should be read alongside the G-Cloud Vision and the Commercial, Service Management and Technical Architecture workstream reports. Where necessary parts of these documents have been reproduced in the IA Strategy for the ease of the reader. Annex A gives a brief account of the working method of the IA Workstream in devising the IA Strategy.

Vision and Scope

2. The vision of the G-Cloud programme is set out in Reference A covering the creation of a single „hybrid‟ cloud1 for the G-Cloud environment providing multiple services across a

range of assurance requirements. In order for the IA strategy to set out the IA areas that will need to be covered, this strategy has created an IA Scope. The IA Strategy also sets out an initial proposal for a roadmap identifying the steps that will need to take place to identify if this vision is achievable.

3. The IA Strategy identifies the IA benefits of cross public sector IA governance, assured utility computing components, service re-use and application rationalisation.

4. CONCLUSION: There will need to be a fundamental change from the current IA policy and practice when information risk management moves from the current model of risk management by each organisation for their own services and information to truly shared risks to services and information cutting across multiple organisational boundaries.

5. CONCLUSION: IA risks will be managed by segregating the services and information based on their Threat, Impact and Compliance profiles. The current lack of technology assured to an acceptable level has meant that the roadmap for the IA strategy will begin with physical segregation of domains covering these groupings of services. The objective is to rationalise these physical segregations as assured technology becomes available to manage the risks. This includes continued work to investigate the assurance that can be gained from public cloud services and what types of service might be suitable for some types of public sector information.

1 The definition of “Cloud” is in accordance with those as defined by the NIST.



Governance and Roles

6. CONCLUSION: The G-Cloud will bring about a fundamental change to ownership and

responsibility for IT services delivered to the public sector. Organisational SIROs will remain responsible for the risk ownership of their information wherever is stored or processed. Similarly organisational SROs will remain responsible for managing the information risk for specific programmes or projects to ensure they meet the objectives agreed with their SIRO and board.

7. CONCLUSION: In order to realise potential efficiencies in the application of IA processes in the G-Cloud environment, SIROs and SROs will need to rely on risk management decisions made by their peers or 3rd parties. Without this change there will severe duplication of effort and inconsistency in assurance results. This is a major change to the current model of information risk ownership, but without removing the accountability or the organisational SIROs or SROs.

8. RECOMMENDATION: The creation of a G-Cloud SIRO that is responsible for the Confidentiality, Integrity and Availability of the utility services and supporting infrastructure of the G-Cloud. Similarly there is a requirement for a G-Cloud SRO who will have overall responsibility for delivery of security for the operation of the G-Cloud. The G-Cloud SIRO will also need to provide oversight (and co-ordination) with respect to the public cloud elements of the hybrid G-Cloud

9. RECOMMENDATION: The IA regime will look to CIO/CTO Council groups for strategic direction, as well as the agreement that services, architectures and information flows (i.e. information exchange standards) are consistent with the CTO Council‟s Service Orientated Architecture, especially when looking at the re-use of applications and components when building new services. CTO/CIO council groups will act as counsel for the G-Cloud IA governance structures.

10. RECOMMENDATION: Phase 3 of the programme to work via the Cabinet Office (IS&A), who work in close collaboration with CESG, to engage with the SIRO community to test the proposals in this strategy. In particular the roles and responsibilities related to G-Cloud SIRO, G-Cloud SRO and organisational SIRO.

Asset Valuation and Aggregation

11. CONCLUSION: Asset valuation, involving aggregation (both accumulation and association) is a key challenge going forward for the IA strategy. Engagement with the Pan Government Accreditors, CESG, CPNI, IADG and a selection of SIROs will be required to reach an agreed approach to this issue. The expectation is that aggregation by accumulation will cause an increase in the Impact Levels for Confidentiality, Integrity and Availability, in many cases by at least one level.

12. CONCLUSION: Aggregation by association in effect raises the protective marking of the combined pieces of information (both the threat and business impact will rise). There



needs to be a procedural process backed up by technology to ensure that information is afforded appropriate protection.

13. CONCLUSION: There is a need to articulate the architectural principles that will allow the de-aggregation of information. E.g. mechanisms to ensure that normal users cannot view or retrieve an entire dataset. These mechanisms need to be evaluated appropriately so that they can be used as risk treatments. This work should begin at the start of Phase 3.

14. CONCLUSION: The availability of a given service is inherently limited by the underlying services, e.g. the network and the data centre. There is parity in terms of the levels of availability between each of the services provided in the data centre and the network, e.g. any data centre should be able to support a service that requires support up to IL4.

15. CONCLUSION: The aggregated level of impact for the loss of a number of services or data centres may well reach as high as IL6. In some cases the aggregated impact of the compromise to the confidentiality, integrity of a single utility computing service used by a large proportion of the public sector may also reach as high as Impact Level 6.

Risk Assessment, Risk Management and Service Assurance Methodologies

16. CONCLUSION: Current HMG IA Standards, Policies and practices will need to be amended to adequately model the risks reflected by the G-Cloud environment.

17. RECOMMENDATION: The creation of new product and service assurance methodologies covering shared services and shared data/information operating in a cloud environment. This is necessary to enable efficient, reusable assessment of applications and services to facilitate the delivery, composition and risk management of services. The governance of the G-Cloud environment must include oversight of all protective monitoring, forensics, incident management and compliance activities.

18. RECOMMENDATION: Phase 3 should begin with a comprehensive Threat and Risk Assessment covering the issues of asset valuation and aggregation.

Assured Technologies

19. RECOMMENDATION: Phase 3 should begin with urgent research work in to the assurance available in current technologies to assist in creating the initial G-Cloud environment. E.g. Resource sharing technology such as virtualisation, Gateway Services, Identity Management (including authentication and authorisation) and Encryption.



20. CONCLUSION: Without assured virtualisation technology and an effective federated and brokered Identity, Authentication and Authorisation model for the Public Sector, many of the IA and business benefits will not be realised. Where resource sharing technology with strong containment is desirable, it is likely that tools to manage deployment will also be required.

Compliance

21. CONCLUSION: A common issue with cloud computing concerns the demonstration of legal and statutory obligations. This subject will be taken forward with Treasury Solicitors (TSoL) and the Information Commissioners Office (ICO), as well as the SIRO community in the next phase of the Datacentre and G-Cloud programme. One of the single biggest risks to the successful creation of a community cloud for the public sector will be an inability to demonstrate legal and statutory compliance.

22. CONCLUSION: The areas of responsibility for Codes of Connections and authorisation for applications and services are still to be resolved. The expectation is that the G-Cloud SIRO will be responsible for the authorisation of utility services. The responsibility for authorising agility services, including those hosted on utility services, may well rest with the organisational SIRO. We will need a method of understanding whether any consumer is attempting to breach the use of the IA conditions related to the use of a service.

23. CONCLUSION: There will need to be a set of assured services and components that build to a point that allows the risk owners and risk managers of consuming organisations to make a minimum amount of evaluation before reaching a decision on the use any particular service available from the applications store.

Roadmap

24. RECOMMENDATION: The proposal for an IA roadmap is in section 5. The G-Cloud Commercial Strategy gives an indicative timeline. In Phase 3 of the programme, the IA roadmap and roadmaps from other strands will need to be aligned and a common timeline agreed.

25. To achieve the vision of a single physical community cloud there is a requirement to create assured multiple logical instances of a resource on a single physical platform. There is also a requirement for tools to manage deployment of logical instances of those resources.



There has only been enough time and detailed information gathering during Phase 2 of this

programme to create a set of IA proposals and suggested principles to the many IA

questions and challenges posed by the use of Public and Private Clouds. The IA

Workstream recommends that paper based scenarios and pilots (including quick wins) are

used to test the proposals made in the paper and create more detailed policies and

procedures.