Prepared for Ministers and Senior Officials from the Caribbean and distinguished participants and attendees of the Caribbean Telecommunications Union (CTU), the Commonwealth Secretariat, the Organization of American States (OAS), and the International Telecommunication Union (ITU) on the occasion of the Caribbean Stakeholders’ Meeting: The Importance of ICTs and their Impact on Regional Development, May 26-28, 2014 in Port of Spain, Trinidad.
Strategic, Privacy and Security Considerations for Adoption of Cloud and Emerging Technologies in the Caribbean
May 27, 2014
For more information, please contact:
Frances Correia, Country Manager, Trinidad and Tobago, Microsoft Corporation, fcorreia@microsoft.com
Josemaria Valdepenas, National Technology Officer for Latin America and the Caribbean, Microsoft Corporation, Josemaria.valdepenas@microsoft.com
Roberto Arbelaez, Chief Security Advisor for the Americas and the Caribbean, Microsoft Corporation, Roberto.arbelaez@microsoft.com
Marie-Michelle Strah, National Cloud Enterprise Architect and WW Enterprise Information Management Lead, Microsoft Corporation, mstrah@microsoft.com
Zohra Tejani, Senior Attorney, Legal Affairs Director, Worldwide Public Sector, Microsoft Corporation, zohrat@microsoft.com
Miguel Sciancalepore, Attorney, Digital Crimes Unit Regional Lead, Microsoft Corporation, miguelsc@microsoft.com
This paper is for informational purposes only. Because Microsoft must respond to changing market conditions, the information contained in this document is subject to change; it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable laws is the responsibility of the user. Subject to the foregoing, the content of this document is licensed to you as follows:
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 United States License.
Table of Contents
Section 1: Emerging Technologies and Cloud for eGovernment: Strategic Considerations
  National Cloud and eGovernment
  Considerations for Cloud Computing
Section 2: Key Considerations when Partnering with Private Sector Cloud Service Providers: A Brief Overview
  Security at the Core
  Data Privacy and Transparency
  A Note about Security and Privacy Certifications
  Regulatory Compliance and Policies
Section 3: Private Sector Role in Fighting Cybercrime
  Tools and Technologies Developed by Microsoft to help Governments fight Cybercrime
Section 1: Emerging Technologies and Cloud for eGovernment: Strategic Considerations
1. Introduction
Governments around the world can benefit greatly from cloud computing and emerging technologies to deliver government and citizen services, drive innovation and knowledge transfer from the private sector, increase transparency and accountability, accelerate economic development and transformation, and strengthen data privacy and security. In addition, federal, state and local governments and non-governmental organizations (NGOs) are adopting Open Data initiatives powered by the cloud to extract insight and support better decision-making, ultimately transforming how agencies work, engage citizens and provide eGovernment services.
2. National Cloud and eGovernment
National Cloud is aggregate cloud computing for multiple public sector entities within a country and helps governments save money, deliver more effective services, and compete more effectively in the global economy. Governments at all levels–local, regional, and national–recognize the new opportunities that cloud computing offers for creating an agile and flexible IT infrastructure that supports their services. For today’s government leaders and CIOs, the cloud presents an opportunity to rethink the role IT plays in accomplishing strategy.
Enable Governments to Save Money: National Clouds help reduce delivery costs while also increasing hardware utilization and staff efficiency. By consolidating existing resources and pooling together hardware, facilities, operations, and electricity, governments can use computing resources on a schedule and likely at a lower overall cost.
Improve Government Service Delivery: National Clouds enable end-to-end solutions with common user experiences while also offering the ability to grow dynamically to fit changing governmental needs. They let agencies offer applications and services that support government innovation, including cost-effective, cloud-designed applications that scale dynamically to meet demand.
Help Governments Transform to Be More Effective and Globally Competitive: National Clouds empower governments to get precisely the services and capabilities they need by moving to the cloud when and how they want. Data and applications can be available on-premises, through the private and/or public cloud, enabling agencies to configure to the combination most compatible with their needs.
Example: Driving an Open Data Initiative
Because it makes services available over the network, the cloud frees governments from standardizing on specific devices or servers. That way, constituents can access services from any device, whether they are on mobile phones, tablets, laptops or desktops. In its first move into the cloud, the UK's Transport for Greater Manchester hosted an open data platform to foster mobile app development and to enable greater mobile device usage by its employees, citizens and visitors.
3. Considerations for Cloud Computing
What’s challenging for a government agency is to sort through the universe of cloud offerings and determine the right cloud solution and the right service provider for their particular political and business requirements, ecosystem, and organizational culture.
Public clouds, managed in the provider's own data centers, are typically the most cost-effective and scalable option, providing agility and elasticity. They offer a security-enhanced environment, but may not be fully compliant with a given country's privacy regulations and may impose rigid limits on configurability. In a public cloud, the provider keeps the platform continuously up to date.
Private clouds, whether run by the agency on premises or managed by a service provider (on premises or hosted by a third party), can provide stronger isolation and control for the most sensitive and private data.
They are more customizable and give the government more control, but the cost is usually higher because the agency must also purchase and manage the infrastructure (or pay a provider to do so on its behalf).
When building a private cloud, the government or service provider needs to build continuous process improvements into the design so the system can evolve from the moment it goes into production.
A mix of private, service-provider and public clouds in a hybrid cloud can provide an optimal balance of cost and control, but it requires strategy, planning and an enterprise architecture approach up front to drive value realization and to align IT with the political and economic goals of the country (i.e. not "infrastructure for infrastructure's sake").
eGovernment and Planning for the Cloud
When deciding whether to deploy IaaS, PaaS or SaaS solutions in public, private, service-provider or hybrid clouds, there are several steps to take into consideration.
1. Establish the Business Case
a. Develop a national cloud strategy aligned to political and economic goals of country
b. Assess cloud readiness of the country (ICT, power, legal and procurement frameworks)
c. Examine TCO (total cost of ownership) of options presented below
2. Develop a National Information Strategy
a. Adopt Information architecture and Enterprise Information Management approaches
b. Develop programs to determine data classification, sovereignty and locality
c. Implement rigorous identity and access management programs
3. Conduct an Application Portfolio Rationalization
a. Adopt Enterprise Portfolio Management approach to ALM and development
b. Adopt security standards in design for trustworthy computing
c. Use IA and EIM models to break through application and data silos and introduce efficiencies
d. Leverage API economy and Open Data Initiatives to drive application development
4. Map National Cloud Opportunities
a. Explore the market for national data centers and shared services
b. Explore the market for aggregation and cloud brokerage
c. Create demand and go to market strategies for customers to adopt national cloud
d. Improve eGovernment services through national cloud use
5. Assess Human Resources Challenges
a. Use public procurement as a tool to support local IT sector and workforce development
b. Develop strong public-private partnerships with strategic private sector entities for strategy, implementation and support
6. Designing for Performance and Security: Hybrid Cloud Architectures
a. Steps 1-5 above are critical business and information architecture components of national cloud
b. The research and analysis in steps 1-5 will clarify cloud transformation and migration strategies as well as drive business requirements for hybrid cloud architectures
c. Develop roadmap and governance framework
References:
United Nations. Department of Economic and Social Affairs. Guidelines on Government Data for Citizen Engagement. http://workspace.unpan.org/sites/Internet/Documents/Guidenlines%20on%20OGDCE%20May17%202013.pdf
United Nations Conference on Trade and Development. Information Economy Report 2013: The Cloud Economy and Developing Countries. http://unctad.org/en/PublicationsLibrary/ier2013_en.pdf
Prepared by: Marie-Michelle Strah, PhD, National Cloud Enterprise Architect and WW Enterprise Information Management Lead, Microsoft Corporation, mstrah@microsoft.com
Section 2: Key Considerations when Partnering with Private Sector Cloud Service Providers: A Brief Overview
Enterprise cloud services, from productivity software-as-a-service to workloads or apps in cloud operating systems, can help governments serve their citizens more effectively and cost-efficiently. However, the e-Government destination necessarily involves a journey with check-points on security, data privacy and transparency, and regulatory compliance. What are the key considerations for governments when partnering with cloud service providers on this journey?
Security at the Core: Global cloud service providers have a massive footprint of millions of servers which translates into cost efficiencies in buying hardware, deploying hardware and even negotiating electric rates. These cloud providers can justify enormous investments in security because the costs are spread over many servers and data centers in a way that most customers could not justify if they were establishing their own data center for a few thousand users.
Physical Security. Cloud service providers should offer leading perimeter security at data centers, environment controls, multi-factor authentication, extensive monitoring, 24x7 onsite security staff, and days of backup power.
Restricted data access and use. Access to government user data should be restricted by the cloud service provider. Government user data should be accessed only when necessary to support the government’s use of the cloud services. Strong authentication, including the use of multi-factor authentication, helps limit access to authorized personnel only. Access should be revoked as soon as it is no longer needed.
Data encryption. The provider should provide data encryption at rest and in transit between the government user and the provider, with a roadmap for encryption enhancements.
Incident response. The provider should have a global, 24x7 incident response service that works to mitigate the effects of attacks and malicious activity. The team should follow established procedures for incident management, communication and recovery, and expose discoverable, predictable interfaces both internally and to government users, so an agency knows in advance how and when it will be notified of an incident affecting its data.
Data Privacy and Transparency
Privacy prioritized. Governments should expect cloud services to be designed for privacy. For example, are the enterprise cloud services segregated from consumer cloud services? The provider's business model (e.g., online advertising) can also reveal its priorities. Government users should demand clear contractual commitments and limits on how the cloud service provider will use its customers' data; for example, the provider should not use customer data, or information derived from it, for advertising or similar commercial purposes.
Data ownership, portability, and deletion. Governments should insist on contractual commitments that confirm the government's ownership of its data. Governments should be able to access their data at any time without the assistance of the cloud service provider. Contract commitments should also include clear timeframes for when the customer can extract its data and when the provider will delete the customer data upon the expiration or termination of the cloud services contract.
Transparency. Private sector cloud service providers must be transparent about where a government's data will be stored and whether subcontractors will be used to process it. To the extent possible, providers should redirect law enforcement requests for data to the customer, and they should publish reports on such law enforcement requests.
A note about security and privacy certifications: Key third-party and government certifications to look for are listed below. Cloud service providers should be willing to share the results of third-party verification, not merely claim the certification, and the scope statement matters: a certificate covers the services and data centers named in it, not the government's own configuration and use of the service.
• ISO/IEC 27001: the international standard for information security management systems, covering the design and operation of an organization's security controls.
• ISO/IEC 27018: a forthcoming international code of practice for protecting personally identifiable information (PII) in public clouds.
• Service Organization Control (SOC) reports: SOC 1 and SOC 2 "Type 2" reports attest to both the design and the operating effectiveness of a provider's controls over a review period (a "Type 1" report covers design only, at a point in time).
• UK G-Cloud Security Accreditation: the UK central government's cloud security program.
• FedRAMP/FISMA: US federal government cloud security requirements.
• Validation by European Union data protection authorities (DPAs) and the European Commission that the provider's contractual commitments meet the rigorous standards of EU privacy law.
Regulatory Compliance and Policies
Existing regulations. Regulations covering special segments of data, such as healthcare data or financial services information, can pose special compliance challenges when moving regulated data to the public cloud. However, a trusted private sector partner can help an agency remain compliant. Examples: see the case studies of Goodbody, the largest stock broker in Ireland, and the Government of the US Virgin Islands.
Policy considerations for new regulations. Proposed laws and regulations (or updates to existing ones) that impact cloud services should strike the right balance. Two key areas of focus:
Data must be allowed to flow freely. Consistent and predictable regulation across countries helps protect data in the cloud while allowing private sector operations to continue as data crosses numerous national borders.
Security from unauthorized access. Prioritizing a safe cloud can help encourage adoption of cost-effective cloud services.
Cloud services provided by the private sector can be a cost-effective, efficient way to achieve e-Government goals. However, the right considerations must be made along the way. Whether developing a procurement tender for cloud services or whether developing regulations that will govern data in the cloud, it is important to understand how the private sector can serve as trusted partners for governments in the key areas of security, data privacy and transparency, and regulatory compliance.
Reference: Horacio E. Gutierrez and Daniel Korn, "Facilitando the Cloud: Data Protection Regulation as a Driver of National Competitiveness for Latin America", Inter-American Law Review, February 12, 2014. http://inter-american-law-review.law.miami.edu/facilitando-cloud-data-protection-regulation-driver-national-competitiveness-latin-america/
Prepared by: Zohra Tejani, Senior Attorney, Legal Affairs Director, Worldwide Public Sector, Microsoft Corporation, zohrat@microsoft.com
Section 3: The Growing Threat of Cybercrime: Overview
The private sector has an important role in helping the public sector fight cybercrime, and a technology company such as Microsoft has a direct interest in a safe internet for its customers and consumers. How does Microsoft collaborate?
While there are many types of cybercrime, Microsoft focuses on three areas where it can make a direct impact in creating a safe digital world:
• Malware disruption
• IP crimes, including piracy
• Protecting consumers, with a focus on vulnerable populations: child protection
Malware Disruption
Malware can do an untold amount of damage without warning, from stealing confidential information to stealing large sums of money, and it undermines trust in the internet and in technology. Microsoft works to protect customers and consumers from malware and to raise the cost of doing business for the criminals: it plays offense, collaborating with law enforcement on botnet takedowns.
Vulnerable Populations: Child Protection
One focus of Microsoft is addressing the issue of technology-facilitated child sexual exploitation, particularly the exchange of child pornography. Microsoft works closely with governments, expert NGOs, researchers, industry, law enforcement and others on new and important ways to combat these threats to better protect children from further harm.
IP Crimes including Piracy
Organizations that use unlicensed software (non-genuine or illegal copies) expose themselves to significant legal and security risks. The security risks range from infection by malicious code (viruses, trojans, worms, spyware, etc.) to data loss, identity theft, compromise of the internal network and permanent damage to IT systems, putting the organization's information at risk.
Microsoft Collaboration
Microsoft collaborates with governments through its Digital Crimes Unit, an international legal and technical team with cybercrime experts across malicious software crimes, IP crimes and technology-facilitated child exploitation. The team comprises more than 100 attorneys, investigators, business professionals and forensic analysts.
Since February 2010, for example, Microsoft has disrupted eight botnets tied to criminal organizations committing consumer, financial and advertising fraud.
Tools and Technologies Developed by Microsoft to help Governments fight Cybercrime
Cyberforensics: a new investigative capability, built on state-of-the-art technology, that enables the detection of large-scale cybercrime, such as online fraud and identity theft, perpetrated by criminals located thousands of miles away.
CTIP (Cyber Threat Intelligence Program): As part of each of its botnet takedown operations, Microsoft works with Internet Service Providers (ISPs) and Computer Emergency Response Teams (CERTs) to identify and clean the computers the botnet controlled.
For instance, when Microsoft seizes the command-and-control infrastructure of a botnet, it severs the connection between the cybercriminals running the botnet and the computers they infected with that botnet's malware.
Those infected computers continue to try to check in to the command-and-control addresses for instructions until the malware is removed. Because the seized addresses now lead to Microsoft's system, each check-in identifies an infected machine (by its source address and the malware family that contacted it) that can be reported to the responsible ISP or CERT. Every day Microsoft's system receives hundreds of millions of attempted check-ins from computers infected with malware such as Conficker, Waledac, Rustock, Kelihos, Zeus, Nitol, Bamital, Citadel and ZeroAccess.
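The triage step described above, as an added example that is not Microsoft's CTIP code: once seized command-and-control hostnames point at an operator's sinkhole, every request that arrives identifies one infected machine (its source address) and one malware family (the hostname it asked for), and the operator's job is to turn that stream into per-ISP notification lists. The log format, the hostname-to-family map and the prefix-to-ISP map below are all constructed for illustration.

```python
"""Sinkhole check-in triage: from raw bot requests to per-ISP notifications.

Added example, not Microsoft's code. Log format, SEIZED_C2 and PREFIX_TO_ISP
are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed: seized C2 hostnames and the family whose bots contact each one.
# A real operator has this from the takedown's court order and DNS changes.
SEIZED_C2 = {
    "update-srv.example.net": "Zeus",
    "cfg-pull.example.org": "Citadel",
    "adclick-relay.example.com": "ZeroAccess",
}

# Constructed: whom to notify for which address space (in practice an ASN lookup).
PREFIX_TO_ISP = {
    ip_network("203.0.113.0/24"): "isp-alpha",
    ip_network("198.51.100.0/24"): "isp-beta",
}

# Sources nobody can be notified about. Checked explicitly rather than with
# ipaddress.is_global, which would also reject the RFC 5737 documentation
# ranges used in this constructed sample.
NON_ROUTABLE = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class CheckIn:
    ts: datetime
    src_ip: str
    method: str
    path: str
    host: str  # Host header the bot sent, i.e. the C2 name it was looking for


def parse_line(line: str) -> Optional[CheckIn]:
    """Parse one constructed log line: '<UTC ts> <src_ip> <method> <path> <host>'.
    Returns None for anything malformed so one bad line cannot poison a batch."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts_s, ip_s, method, path, host = parts
    try:
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
        ip_address(ip_s)  # validates the address syntax
    except ValueError:
        return None
    return CheckIn(ts, ip_s, method, path, host.lower())


def isp_for(ip) -> str:
    return next((name for net, name in PREFIX_TO_ISP.items() if ip in net), "unknown")


def triage(log_text: str) -> dict:
    """Reduce raw check-ins to distinct infected hosts per (ISP, family).
    Repeat check-ins from one host collapse to one entry; requests for hostnames
    that were never seized (scanners, typo-squats) are counted, not attributed."""
    infected: Dict[Tuple[str, str], set] = defaultdict(set)
    stats = {"check_ins": 0, "malformed": 0, "unattributed": 0, "non_routable": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ci = parse_line(line)
        if ci is None:
            stats["malformed"] += 1
            continue
        family = SEIZED_C2.get(ci.host)
        if family is None:
            stats["unattributed"] += 1
            continue
        ip = ip_address(ci.src_ip)
        if any(ip in net for net in NON_ROUTABLE):
            stats["non_routable"] += 1
            continue
        stats["check_ins"] += 1
        infected[(isp_for(ip), family)].add(ci.src_ip)
    return {"infected": {k: sorted(v) for k, v in infected.items()}, "stats": stats}


def notifications(result: dict) -> Dict[str, Dict[str, List[str]]]:
    """Reshape per ISP so each ISP/CERT receives only its own customers' addresses."""
    out: Dict[str, Dict[str, List[str]]] = defaultdict(dict)
    for (isp, family), ips in result["infected"].items():
        out[isp][family] = ips
    return dict(out)


# Constructed sample: two bots check in repeatedly, one non-routable source,
# one probe for a hostname that was never seized, one junk line.
SAMPLE_LOG = """\
2014-05-27T10:01:02Z 203.0.113.7 GET /gate.php update-srv.example.net
2014-05-27T10:01:09Z 203.0.113.7 GET /gate.php update-srv.example.net
2014-05-27T10:02:41Z 203.0.113.22 POST /file.php cfg-pull.example.org
2014-05-27T10:03:00Z 198.51.100.5 GET /gate.php update-srv.example.net
2014-05-27T10:03:15Z 10.0.0.8 GET /gate.php update-srv.example.net
2014-05-27T10:04:30Z 198.51.100.9 GET /ads adclick-relay.example.com
2014-05-27T10:05:00Z 192.0.2.77 GET /gate.php update-srv.example.net
2014-05-27T10:05:10Z 198.51.100.5 GET / scanner-probe.example.invalid
this line is garbage
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["stats"])
    for isp, families in sorted(notifications(result).items()):
        print(isp, families)
```

Two design points matter in practice. Hosts are de-duplicated before notification because a single infected machine may check in every few seconds, and an ISP wants one record per customer address, not a million. Addresses that map to no known prefix still go into an "unknown" bucket rather than being dropped, since those are exactly the ones a regional CERT may be able to attribute when the sinkhole operator cannot.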
PhotoDNA: In 2009, Microsoft, in cooperation with digital imaging expert Dr. Hany Farid of Dartmouth College, created a technology called PhotoDNA and donated it to the National Center for Missing and Exploited Children (NCMEC) to help address the distribution of graphic child pornography online. PhotoDNA has begun to change the way child exploitation is fought by enabling online service providers to find, report and remove images that would previously have gone undetected, and by helping law enforcement investigate reported cases more quickly and more efficiently.
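Why a system like PhotoDNA cannot simply use a cryptographic hash, shown as an added example that is not PhotoDNA (whose algorithm is not public) and not Microsoft's code: a robust image signature has to stay the same, or close, when an image is re-encoded, brightened or lightly edited, which a cryptographic hash by design does not. The stand-in below is a generic difference hash (dHash). The images are constructed in-line as grey-level pixel grids.

```python
"""Perceptual hash (dHash) beside a cryptographic hash of the same pixels.

Added example, not PhotoDNA. dHash: area-average the image to 9 columns x
8 rows of grey levels and emit one bit per horizontally adjacent pair.
Test images are constructed in-line.
"""
import hashlib
from typing import Callable, List

Image = List[List[int]]  # rows of 0..255 grey values


def downsample(img: Image, cols: int = 9, rows: int = 8) -> List[List[float]]:
    """Area-average into cols x rows cells (assumes exact multiples, for brevity)."""
    h, w = len(img), len(img[0])
    bw, bh = w // cols, h // rows

    def cell(c: int, r: int) -> float:
        total = sum(img[y][x] for y in range(r * bh, (r + 1) * bh)
                    for x in range(c * bw, (c + 1) * bw))
        return total / (bw * bh)

    return [[cell(c, r) for c in range(cols)] for r in range(rows)]


def dhash(img: Image) -> int:
    """64-bit dHash: a 1 bit wherever a cell is darker than its right neighbour."""
    bits = 0
    for row in downsample(img):
        for c in range(8):
            bits = (bits << 1) | (1 if row[c] < row[c + 1] else 0)
    return bits


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def sha256(img: Image) -> str:
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def from_cells(value: Callable[[int, int], int], w: int = 36, h: int = 32,
               cell: int = 4) -> Image:
    """Constructed 36x32 test image: every 4x4 cell has grey level value(row, col)."""
    return [[value(y // cell, x // cell) for x in range(w)] for y in range(h)]


def brighten(img: Image, delta: int) -> Image:
    return [[max(0, min(255, v + delta)) for v in row] for row in img]


def speckle(img: Image) -> Image:
    """Deterministic per-pixel noise in [-3, 3], standing in for re-encoding loss."""
    return [[max(0, min(255, v + ((x * 5 + y * 3) % 7) - 3))
             for x, v in enumerate(row)] for y, row in enumerate(img)]


# Constructed images: a banded pattern and a differently banded one.
ORIGINAL = from_cells(lambda r, c: (30 + 24 * c + 11 * r) % 200 + 20)
UNRELATED = from_cells(lambda r, c: (190 - 24 * c + 9 * r) % 200 + 20)


def compare(a: Image, b: Image) -> dict:
    return {"dhash_distance": hamming(dhash(a), dhash(b)),
            "sha256_equal": sha256(a) == sha256(b)}


if __name__ == "__main__":
    for label, other in (("brightened", brighten(ORIGINAL, 10)),
                         ("speckled", speckle(ORIGINAL)),
                         ("unrelated", UNRELATED)):
        print(label, compare(ORIGINAL, other))
```

Brightening or speckling the image leaves the dHash distance at 0 while the SHA-256 changes completely; the unrelated image lands dozens of bits away. A real deployment matches incoming signatures against a list of known signatures below a distance threshold, and two caveats apply: dHash is far weaker than PhotoDNA against cropping and rotation, and perceptual hashes are not collision-resistant, so a match is a lead for review, not proof on its own.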
SitePrint: A tool to map online organized crime networks selling illicit products, incorporating a unique web site fingerprinting technology. It has been used to dismantle international organized crime networks (OCNs).
Prepared by: Miguel Sciancalepore, Attorney, Digital Crimes Unit Regional Lead, Microsoft Corporation, miguelsc@microsoft.com