Observations on the Canadian government cloud RFI

The Government of Canada issued a Request for Information (RFI) on December 2, 2014 requesting comments on the topic of strategies for adopting cloud solutions.  The final closing date for submissions was January 30, 2015 so the responses are now being reviewed.  This RFI is part of a consultative process that is being used to formulate a cloud computing strategy for Canada.

Other articles have commented on the RFI including IT World Canada (February 5 and February 12) and Michael Geist.  I thought I would add my own two cents worth to the discussion.

The objectives of the RFI (my paraphrasing) were to obtain:

• Views on the direction the government should take with respect to cloud computing (NOTE: I would guess the general answer from vendors would be deploy it as soon as possible!)
• Comments on the business risks and mitigation strategies associated with cloud computing, especially with respect to security and privacy
• Suggested choices of performance parameters that would align with current product capabilities
• Comments on the adequacy and clarity of standard contracts and contract terms and conditions for use with cloud service contracts, and
• Ideas and suggestions for vocabulary, processes, methods of supply and security methods.

The government has essentially adopted the NIST definition for cloud computing (although this should now be updated to use the new ISO/ITU standards).  Cloud solutions for the government have been divided into five deployment scenarios:

1. GC Cloud: a cloud service offering being developed that is owned, managed, hosted and operated by the Shared Services Canada, exclusively for government use. It is not stated whether the GC Cloud is to be a multi-tenant private cloud, a community cloud or a common private cloud. It also does not indicate if external interconnections (e.g., to hosted private clouds) are allowed, in which case it would be classed as a hybrid cloud. There is also no statement as to whether GC Cloud would be part of any Pan-Canadian cloud.
2. Private cloud(s): one or more cloud service offerings that are owned, managed, hosted and operated by cloud service providers outside the government premises, exclusively for government use. There is no indication whether these are to be multi-tenant private clouds or a common private cloud. It is assumed that there will be multiple clouds from different providers.
3. Community cloud: this scenario is not well specified, and basically repeats the NIST definition. The example is a partnership between different “public sector governments.” Conceivably, the government could also form other types of communities such as with its suppliers and/or other partners.
4. Public cloud: one or more industry service offerings that are available to the general public (e.g., Gmail and O365). The RFI states that a public cloud may be provided by a government but does not elaborate. It is assumed that public-facing government web sites and open data sites would qualify as public clouds since they are available to the general public.
5. Hybrid cloud: a composition of two or more of the above scenarios (NOTE: In my opinion this is not really a distinct scenario but is a combination of the other scenarios).

Several questions immediately come to mind:

• Does this RFI suggest anything about the state of knowledge, understanding and maturity on the part of the government? Are they really asking the vendors to tell them what to do?
• Why hasn’t the government asked more about such things as operations, provisioning, performance, minimum compliance, identification, etc.?
• Is this RFI really telegraphing what the government will request in an upcoming RFP, as some have apparently assumed? For example, the data residency requirements as spelled out in the RFI.

Although there are two major themes driving cloud policy in general, the emphasis of this RFI is on the first theme:

• Guiding and directing the planning, design and procurement of cloud-based solutions for the Government of Canada, and possibly for other levels of government (the so-called Pan-Canadian Cloud opportunities); and
• Fostering the overall development of the Canadian cloud computing “industry” and the innovations that it could stimulate for Canadian providers.

The RFI questions were divided into four specific topic areas (although there are overlaps).  Comments were requested on the following significant items (this is not a complete list):

Policy framework

1. Whether or not using in-house GC Cloud would hinder deployment of PaaS/SaaS services
2. Proposed strategy statements that would include restricting residency and processing of government data to Canadian locations and would require data encryption
3. Strategy statements that would require a review and assessment of the provider’s internal operations and processes
4. Whether any policy amendments are needed to enable a Pan-Canadian approach for the federal, provincial, territorial and municipal governments

Business (and technical) considerations

1. How to increase agility and improve delivery efficiency for public services
2. How to encourage the growth of a Canadian cloud marketplace, and the appropriate timeframe for cloud developments
3. Prerequisites needed within the government for adopting cloud solutions
4. Validity of the application service models (roles and responsibilities) defined by the government (NOTE: Not all relevant cases are covered, but I do agree that different contracts are needed)
5. Service-level agreements including performance metrics, service credits and monitoring methods (NOTE: There is ongoing work in ISO JTC1/SC38 that could be applied here)
6. Managing cloud “sprawl” with a focus on the increasing distribution of data and the growing need for cloud service integration
7. How to fairly evaluate vendor qualifications
8. Termination of services, avoidance of vendor lock-in, use of cloud brokers and disaster recovery considerations

Procurement

1. Pricing and pricing evaluation methods including financial management processes
2. Accommodating rapid changes in technology (especially service changes and new features) within a contract
3. Graceful termination of contracts
4. Relative benefits of the different service models and which benefits the Government the most
5. Categorization of cloud software (NOTE: To me this is an interesting area that relates to service directories and stores – how does a user acquire individual services?)
6. Terms and conditions for cloud procurement and how they may differ from more traditional contracts

Security and privacy

1. The overall government approach to cloud security
2. The decision matrix for applications including the classification of data, the location of data storage, the levels of data confidentiality and availability requirements
3. The necessity of keeping cloud data in Canada to ensure only Canada’s laws are applicable
4. The feasibility of adopting control profiles that are aligned with data sensitivity
5. Transparency of the provider’s resources, including such things as supply chain processes, facility security, and personnel clearances
6. Alignment of security certification with other countries (such as FedRAMP in the USA)

A lot of work would be needed to prepare a full response to this RFI and, clearly, there are many other questions that could have been asked.  Given the competitive nature of the cloud market and the almost continuous change, it is also likely that many of the answers will be outdated quickly.

Perhaps it is also worth considering the following strategic questions:

• Is cloud computing truly a paradigm shift that has to be treated as a business innovation rather than just a technology development?
• Can a single corporate/government policy cover all of the different permutations and combinations of cloud models?
• Are current procurement and vendor selection practices suitable for cloud solutions that are agile, pay-as-you-use, continuously evolving and long lasting?
• Are both corporate and vendor management and governance practices adequate to meet the security, identity, reliability and operational challenges of cloud computing?
• How will Canada’s cloud computing policy look when it is finally delivered by the Government?  Hopefully it will take its place along with those of the USA, UK, EU, Australia, etc.