TRANSCRIPT
Remarks Adam Montserin
CEO, iGovTT
Re-Cap of Last Meeting
Update on GovNeTT RFP
Status of the eGIF Policy
By Kevin Ramcharitar, Solution Architect Office, Consulting Unit
Draft Policy: Information & Communication Technology & Systems Specifications Approval
Denyse White, Consulting Unit
28 March, 2013
Limited IT professionals throughout GoRTT
Administrative/Operational role of National Information Systems Centre
Process established in 1990
NISC subsumed by National ICT Centre 20??
Responsibilities retained by iGovTT 2010
IT professionals prevalent throughout GoRTT
Strategic advisory role of iGovTT
Policy last revisited in 2006
Incorporated within the CTB regulations
Current State
Inconsistent adherence to the process
Time delays to GoRTT agencies
Value add vs. resource allocation – iGovTT
Stakeholders
Ministry of Finance
Central Tenders Board
Permanent Secretaries (Equivalent Accounting Officers)
ICT and Procurement Specialists
Governance
Compliance Sign-Off
Exception Governance
Primary Questions
• Do you agree with the purpose as defined in the ICT and Systems Specifications Policy?
• Should there be any inclusions or exclusions to the scope?
• Are there any other legislation or guidelines that should be included for consideration in the adoption of the policy?
• Do you agree with the objective of establishing this devolved authority?
• Are there any other areas that should be included for consideration?
Consultation Process
• Consultation Document Circulated
• Feedback timeframe – 3 weeks from issuance
• Feedback submitted via
– Email - Denyse White – [email protected]
– General Comments on Secure Log In Site - http://www.igovtt.tt/members/
– Print Copy
Denyse White
National Information and Communication Technology Company Limited (iGovTT)
52 Pembroke Street
Port of Spain
624-8001 (fax)
Thank You
iGovTT
Lord Harris Court
52 Pembroke Street
Port of Spain
Republic of Trinidad and Tobago
Telephone: (868) 627-5600
Fax: (868) 624-8001
Email: [email protected]
Website: www.igovtt.tt
Facebook: www.facebook.com/iGovTT
Twitter: @iGovTT
Cloud Computing
Varma Maharaj
Solution Architect Office, Consulting Unit
28 March, 2013
What is Cloud Computing?
The Use of Computing Hardware and Software Delivered as-a-Service over a Network
Common Characteristics of Cloud Computing
Ubiquitous Access
Resource Virtualization
Pay-as-You-Use
Elasticity
Remotely Hosted
[Diagram: Community Cloud. Labels: Internet; Agency A, Agency B, Agency C, Agency D; Employee (Out Of Office); Employee (Mobile)]
[Diagram: Public Cloud. Labels: Internet; Agency/Office; Employee (Out Of Office); Employee (Mobile); Outsourced Cloud Providers]
[Diagram: Private Cloud. Labels: Office (several); Employee (Out Of Office); Employee (Mobile)]
[Diagram: Hybrid Cloud. Labels: Internet; Office (several); Employee (Out Of Office); Employee (Mobile); Outsourced Cloud Providers]
Infrastructure as a Service
Rent fundamental infrastructure: processing, storage, networking
Deploy software, applications and even operating systems
Software as a Service
No Hardware/Software to Manage
Service Delivery via web browser
Platform as a Service
Deploy and develop your own software
Configure hosting options
Lowered ICT Costs
Lowered Client License Cost
Pay-as-you-Use
Ubiquitous Access
Reduced Procurement Times and Requirements
24 x 7 Availability
Simplified Centralized Applications
Improved Application Redundancy
Disadvantages of the Cloud
Data Protection
Governance
Security Control
Requires Persistent Connection
Limited features
Benefits of Economies of Scale
Overall Reduction in ICT Operational and Capital Cost
Focus on Services Offered – Less Focus on Management of Infrastructure
Eco-Friendly
Satisfying Infrastructure Demands
Increased Elasticity and Agility
Governance & Ownership
How Developing Countries Approach Cloud:
Leverage For ICT Advancement
Advanced ICT Innovation at Lowered Cost
Begin The Transition to Next Generation Models of ICT Such as Cloud
How Major Countries Approach Cloud:
Incorporate cloud computing in their ICT strategy
Many applications already deployed via the cloud
Enables efficient/effective ICT sharing
United States, United Kingdom and Singapore
Cloud is Here
Structural and Cultural Shift from Traditional ICT
Security Concerns Can Be Overcome
Leverage Existing Government ICT Infrastructure
Explore and Implement a Cloud Strategy
[Diagram: Hybrid Government Cloud. Labels: Internet; Outsourced Cloud Providers; Public Cloud; GovNeTT Private Cloud; Data Center; Apps; Dedicated Infrastructure; Ministry of Education; Ministry Of Public Administration; Ministry of Works; Other Ministries; Employee (Mobile); Employee (Out Of Office)]
Security Considerations in Cloud Computing
Khafra Murray, Security & Assurance Unit
28 March, 2013
Security Considerations of the Cloud
No information system is 100% Safe
Understand the risks of cloud computing
How cloud hosting companies have approached security
Law and Jurisdiction are critical
Best practice for companies utilizing the cloud
No System is 100% Safe
Every system once thought secure has been breached
Cloud services have become and will continue to be a very lucrative target for hackers
It’s still Hardware + Software + People, just not YOUR hardware, YOUR software or YOUR people.
Risks Inherent to Cloud Computing
Disconnect in Information Control
Disconnect in control systems and policy
Disconnect in SLA interpretations
Black Box Managed Services / Lack of Transparency
Single Points of Failure
Information Control
Data is no longer “on premises” subject to audited physical protections
Data subject to service provider’s backup policies, including off-site storage
Data is subject to service provider’s retention policies
Provider Liability for data loss is minimal
Disconnect in Internal Controls
Service Provider will have their own control mechanisms
Policies (HR, Financial, workflows) internal to the provider and invisible to the cloud subscriber will have an impact on the risk to cloud services.
Processes such as change management may not align to client standards (Microsoft Azure failure 2013)
Service Level Agreements
Do not provide guarantees, only a promise of best effort
Can often be misinterpreted, disagreements in SLA interpretation can stall service delivery
There is always compromise/imbalance between the risk transferred to the provider and the accountability in the event of service or data loss.
Black Box / Lack of Transparency
Service providers provide high level concepts of the architecture, but no more
Hardware and software used in the infrastructure cannot be audited for vulnerabilities by the client
Providers do not permit audits of their operations/processes/policies by the client
Public Cloud subscribers are co-tenants - you don’t know whose data or what class of data is being hosted along with yours
Single Points of Failure
Despite the distributed nature of many cloud services, even the largest suffer system-wide outages (Amazon, Windows Azure)
Business operations are affected without any powers or access to affect the recovery
Traditional BCP cannot replicate cloud based services
Law
The Patriot Act stipulates that data stored in the USA or under the custodianship of a US company can be accessed by that government in the course of an investigation – Service providers are legally barred from informing subscribers of the access to their data
In T&T it is illegal to store sensitive government data overseas unless the foreign territory provides equal or greater protections for data privacy and confidentiality
Jurisdiction
Data stored in any country is subject to the laws and compliance requirements of that country in preference to any other
Companies registered in the United States can be mandated to provide electronic data stored in any servers under their control in any country
In the event of a data breach of GoRTT data at a foreign cloud service provider, the process to grant access to digital evidence would take no less than 6 months
Maintain Control and Confidentiality
Private Cloud deployments over public cloud services
Data encryption for data in motion (client/server) as well as data at rest. – There are security solutions which do this
Ensure that data classification policies are robust and services subscribed to support the class of data
Managing Risk in The Cloud:
Due Diligence
Inquire about exception monitoring and reporting
Vigilance around platform updates and access privileges
Ask where data (including backups) is stored AND processed, and inquire as to the details of data protection laws in the relevant jurisdictions.
Managing Risk in The Cloud:
Due Diligence
Independent assessments and certifications
Third party transparency
BCP/DR activities align with cloud based processing and services
Availability guarantees and liability
Find out whether the cloud provider will accommodate GoRTT security policy
Moderated by Denyse White