Remarks Adam Montserin

CEO, iGovTT

2

Re-Cap of Last MeetingUpdate on GovNeTT RFPStatus of the eGIF Policy

By Kevin Ramcharitar Solution Architect Office, Consulting

Unit

3

Draft Policy Information & Communication Technology &

Systems Specifications ApprovalDenyse White, Consulting Unit

28 March, 2013

Limited IT professionals throughout GoRTT

Administrative/Operational role of National Information Systems Centre

Process established in 1990

NISC subsumed by National ICT Centre 20??

Responsibilities retained by iGovTT 2010

5

IT professionals prevalent throughout GoRTT

Strategic advisory role of iGovTT

Policy last revisited in 2006

Incorporated within the CTB regulations

6

Current State

Inconsistent adherence to the process

Time delays to GoRTT agencies

Value add vs. resource allocation – iGovTT

7

Stakeholders

Ministry of Finance

Central Tenders Board

Permanent Secretaries (Equivalent Accounting Officers)

ICT and Procurement Specialists

8

Governance

9

Compliance Sign-Off

10

Exception Governance

11

Primary Questions

• Do you agree with the purpose as defined in the ICT and Systems Specifications Policy?

• Should there be any inclusions or exclusions to the scope?

• Are there any other legislation or guidelines that should be included for consideration in the adoption of the policy?

• Do you agree with the objective of establishing this devolved authority?

• Are there any other areas that should be included for consideration?

12

Consultation Process

• Consultation Document Circulated• Feedback timeframe – 3 weeks from issuance• Feedback submitted via

– Email - Denyse White – denyse.white@igovtt.tt– General Comments on Secure Log In Site - http

://www.igovtt.tt/members/– Print Copy

Denyse WhiteNational Information and Communication Technology Company Limited (iGovTT)52 Pembroke StreetPort of Spain624-8001 (fax)

13

14

Thank YouThank YouiGovTTiGovTT

Lord Harris Court52 Pembroke Street

Port of Spain Republic of Trinidad and Tobago

Telephone: (868) 627-5600

Fax: (868) 624-8001Email:igovtt@gov.tt

Website: www.igovtt.ttFacebook: www.facebook.com/iGovTT

Twitter: @iGovTT

Cloud Computing

Varma Maharaj

Solution Architect Office, Consulting Unit

28 March, 2013

What is Cloud Computing?

The Use of Computing Hardware and Software Delivered as-a-Service over a Network

Common Characteristics of Cloud Computing

Ubiquitous Access

Resource Virtualization

Pay-as-You-Use

Elasticity

Remotely Hosted

Community Cloud

Internet

Employee(Out Of Office)

Agency A Agency D

Agency CAgency B

Employee (Mobile)

C

PublicCloud

Internet

Employee(Out Of Office)

Agency/Office

Employee (Mobile)

Outsourced Cloud Providers

PrivateCloud

Employee(Out Of Office)

Office

Office

Office

OfficeOffice

Employee (Mobile)

HybridCloud

InternetEmployee

(Out Of Office)

OfficeOffice

Office

Employee (Mobile)

Outsourced Cloud Providers

Infrastructure as a Service

Rent fundamental infrastructure:-processing-storage,-networking

Deploy software,applications and evenoperating systems

Software as a Service

No Hardware/Software to Manage

Service Deliveryvia web browser

Platform as a Service

Deploy and develop your own software

Configure hostingoptions

Lowered ICT Costs

Lowered Client License Cost

Pay-as-you-Use

Ubiquitous Access

Reduced Procurement Times and Requirements

24 x 7 Availability

Simplified Centralized Applications

Improved Application Redundancy

Disadvantages of the Cloud

Data Protection

Governance

Security Control

Requires Persistent Connection

Limited features

Benefits of Economies of Scale

Overall Reduction in ICT Operational and Capital Cost

Focus on Services Offered – Less Focus on Management of Infrastructure

Eco-Friendly

Satisfying Infrastructure Demands

Increased Elasticity and Agility

Governance & Ownership

How Developing Countries Approach Cloud:

Leverage For ICT Advancement

Advanced ICT Innovation at Lowered Cost

Begin The Transition to Next Generation Models of ICT Such as Cloud

How Major Countries Approach Cloud:

Incorporate cloud computing in their ICT strategy

Many applications already deployed via the cloud

Enables efficient/effective ICT sharing

United States, United Kingdom and Singapore

Cloud is Here

Structural and Cultural Shift from Traditional ICT

Security Concerns Can Be Overcome

Leverage Existing Government ICT Infrastructure

Explore and Implement a Cloud Strategy

Internet

Hybrid Government

Cloud

Outsourced Cloud Providers

Ministry of Education Other Ministries

Ministry Of Public Administration

Ministry of Works

GovNeTT Private Cloud

Email

Apps

Dedicated Infastructure

Employee (Mobile)

Employee(Out Of Office) Public Cloud

Data Center

Thank YouThank YouiGovTTiGovTT

Lord Harris Court52 Pembroke Street

Port of Spain Republic of Trinidad and Tobago

Telephone: (868) 627-5600

Fax: (868) 624-8001Email:igovtt@gov.tt

Website: www.igovtt.ttFacebook: www.facebook.com/iGovTT

Twitter: @iGovTT

Security Considerations in Cloud Computing

Khafra Murray, Security & Assurance Unit

28 March, 2013

Security Considerations of the Cloud

No information system is 100% Safe

Understand the risks of cloud computing

How cloud hosting companies have approached security

Law and Jurisdiction are critical

Best practice for companies utilizing the cloud

No System is 100% Safe

Every system once thought secure has been breeched

Cloud services have become and will continue to be a very lucrative target for hackers

It’s still Hardware + Software + People, just not YOUR hardware, YOUR software or YOUR people.

Risks Inherent to Cloud Computing

Disconnect in Information Control

Disconnect in control systems and policy

Disconnect in SLA interpretations

Black Box Managed Services / Lack of Transparency

Single Points of Failure

Information Control

Data is no longer “on premises” subject to audited physical protections

Data subject to service provider’s backup policies, including off-site storage

Data is subject to service provider’s retention policies

Provider Liability for data loss is minimal

Disconnect in Internal Controls

Service Provider will have their own control mechanisms

Policies (HR, Financial, workflows) internal to the provider and invisible to the cloud subscriber will have an impact on the risk to cloud services.

Processes such as change management may not align to client standards (Microsoft Azure failure 2013)

Service Level Agreements

Do not provide guarantees, only a promise of best effort

Can often be misinterpreted, disagreements in SLA interpretation can stall service delivery

There is always compromise/imbalance between the risk transferred to the provider and the accountability in the event of service or data loss.

Black Box / Lack of Transparency

Service providers provide high level concepts of the architecture, but no more

Hardware and software used in the infrastructure cannot be audited for vulnerabilities by the client

Providers do not permit audits of their operations/processes/policies by the client

Public Cloud subscribers are co-tenants - you don’t know who’s data or what class of data is being hosted along with yours

Single Points of Failure

Despite the distributed nature of many cloud services, even the largest suffer system-wide outages (Amazon, Windows Azure)

Business operations are affected without any powers or access to affect the recovery

Traditional BCP cannot replicate cloud based services

Law

The Patriot Act stipulates than data stored in the USA or under the custodianship of a US company can be accessed by that government in the course of an investigation – Service providers are legally barred from informing subscribers of the access to their data

In T&T it is illegal to store sensitive government data overseas unless the foreign territory provides equal or greater protections for data privacy and confidentiality

Jurisdiction

Data stored in any country is subject to the laws and compliance requirements of that country in preference to any other

Companies registered in the United States can be mandated to provide electronic data stored in any servers under it’s control in any country

In the event of a data breach of GoRTT data at a foreign cloud service provider, the process to grant access to digital evidence would take no less than 6 months

Maintain Control and Confidentiality

Private Cloud deployments over public cloud services

Data encryption for data in motion (client/server) as well as data at rest. – There are security solutions which do this

Ensure that data classification policies are robust and services subscribed to support the class of data

Managing Risk in The Cloud:

Due Diligence

Inquire about exception monitoring and reporting

Vigilance around platform updates and access privileges

Ask where data (including backups) is stored AND processed, and inquire as to the details of data protection laws in the relevant jurisdictions.

Due DiligenceIndependent assessments and certifications

Third party transparency

BCP/DR activities align with cloud based processing and services

Availability guarantees and liability

Find out whether the cloud provider will accommodate of GoRTT security policy

Managing Risk in The Cloud:

Thank YouThank YouiGovTTiGovTT

Lord Harris Court52 Pembroke Street

Port of Spain Republic of Trinidad and Tobago

Telephone: (868) 627-5600

Fax: (868) 624-8001Email:igovtt@gov.tt

Website: www.igovtt.ttFacebook: www.facebook.com/iGovTT

Twitter: @iGovTT

Moderated by Denyse White

50