DRAFT NATIONAL CLOUD COMPUTING IMPLEMENTATION STRATEGY

National Information Technology Development Agency (NITDA)

2019


Table of Contents

CHAPTER ONE: INTRODUCTION
1.1 Background
1.2 The Cloud First Value Proposition
1.3 National Strategic Intent for Cloud Adoption
1.4 The Goal
1.5 Making Cloud Computing Deployment and Service Models Choices

CHAPTER TWO: STRATEGIES FOR IMPLEMENTING CLOUD COMPUTING POLICY STATEMENTS
2.1 Procurement
2.2 Data Classification
2.3 International Dimensions of Cloud Computing
2.4 Service Level Agreement and Consumer Protection
2.4 Information Security
2.5 Cloud Interoperability
2.7 Migration to The Cloud
2.8 Workforce and Skills
2.9 Vendor Lock-in & Data Withdrawal
2.10 Cloud Registration and Certification
2.11 Cloud Audit and Reporting

CHAPTER THREE: NIGERIA CLOUD COMPUTING GOVERNANCE
3.1 National Cloud Governance
3.2 Public Institution Cloud Computing Governance

CHAPTER FOUR: IMPLEMENTATION PLAN

CHAPTER FIVE: NIGERIA CLOUD COMPUTING POLICY COMPLIANCE AND ENFORCEMENT FRAMEWORK
5.1 Compliance Framework
5.2 General Enforcement Process

Appendix
Appendix A1.0: Rationale for “Cloud First” value proposition
Appendix A2.0: National Strategic Intent for Cloud Adoption
Appendix A3.0: Cloud Computing Areas of Interoperability Guide
Appendix A4.0: Cloud Computing migration steps and requirements
Appendix 5.0: Focus Areas of cloud computing capacity
Appendix 6.0: Focus areas of vendor lock-in avoidance guide
Appendix 7.0: Focus areas of cloud computing certification criteria
Appendix 8.0: CSPs Audit Report Metrics
Appendix 9.0: Explanation of proposed cloud computing governance model for PIs and SMEs
Definitions

Table 1.0: A Guide for Choosing Cloud Computing Service Model
Table 2.0: Cloud Service Model and Delivery Model Matrix
Table 3.0: Template for calculating data security and sensitivity.
Table 4.0: Strategy Implementation road map (Short-term)
Table 5.0: Strategy Implementation road map (Medium-term)
Table 6.0: Strategy Implementation road map (Long-term)
Table 7.0: Specialized Strategies

Figure 1.0: Categories of Cloud Deployment Model
Figure 2.0: Cloud Computing Service Model as recognized by Nigeria Cloud Computing Policy
Figure 3.0 Information security levels
Figure 4.0: National Cloud Computing Governance
Figure 5.0: Organisational Cloud Computing Governance Model
Figure 6.0: Enforcement framework
Figure 7.0: Cloud Migration Decision framework

CHAPTER ONE: INTRODUCTION

1.1 Background

The National Information Technology Development Agency has developed the Nigeria Cloud Computing Policy to address the challenges of acquiring and deploying computing resources in the most efficient manner in the public sector. The Nigeria Cloud Computing Policy constitutes a set of policy statements that articulate the government’s strategic plan and direction for cloud computing adoption in the public sector and by Small and Medium Enterprises (SMEs) that provide ICT-enabled services to the Government. Implementing the Policy requires actions by various relevant stakeholders in the cloud computing space. The National Information Technology Development Agency (NITDA) develops this Cloud Computing Implementation Strategy as a guide for the Agency, Public Institutions (PIs), Small and Medium Enterprises (SMEs) and other relevant stakeholders to implement the Nigeria Cloud Computing Policy.

The strategy includes strategic initiatives critical to implementing all the statements issued in the Policy, as well as an implementation framework. The implementation framework includes an implementation road map and a compliance and enforcement framework. The strategic initiatives and the provisions in the compliance and enforcement framework are informed by the challenges, the goal, the “Cloud First” value proposition and the expected outcomes of cloud adoption as explained in the Nigeria Cloud Computing Policy.

1.2 The Cloud First Value Proposition

The country’s socio-economic activities and businesses are increasingly dependent on Information Communication Technology (ICT). The need to make these computing resources available and accessible is critical to the country’s continuous growth and sustainable development. The country’s Economic Recovery and Growth Plan (ERGP) recognizes information technologies as an enabler for promoting digital-led growth. Digital-led growth cannot happen unless the country has a policy direction peculiar to her environment for supporting the government and SMEs to acquire and deploy computing resources in the most efficient manner.

The “Cloud First” value proposition is aimed at promoting cloud computing as a “first choice” consideration for acquiring and deploying computing resources by public institutions and SMEs that provide digital-enabled services to the government, except where the cause of deployment is related to national security concerns or cloud is not the best option politically and economically.

PIs and their IT/ICT departments/units should make themselves aware of the cloud capabilities and resources necessary to meet their business objectives and expectations as part of the adoption process.

Therefore, the National Cloud Computing Policy recommends the concept of “Cloud First” for acquiring and deploying computing resources in the public sector and among SMEs that provide digital-enabled services to the government.

NOTE: There would be strong consideration for Indigenous CSPs while implementing the Cloud First Value Proposition, except where cloud requirements or capabilities do not exist locally. At the same time, the cloud service provision would be highly competitive.

The rationale for the Cloud First value proposition is based on the following:

1. Reduced Capital Cost;

2. Efficiency;

3. Digital Service Innovation; and

4. Digital Service Innovation

See Appendix A1.0 for an explanation of the rationale for the Cloud First value proposition.

1.3 National Strategic Intent for Cloud Adoption

The strategic intent for cloud adoption is hinged on the following:

1. Responsive and efficient public service delivery;

2. Public sector digital transformation;

3. Local ICT industry development and growth, including SMEs;

4. Resources Savings; and

5. Opportunities to better manage human resources

See Appendix 2.0 for an explanation of the national strategic intent for cloud adoption.

1.4 The Goal

The goal of this Policy is to ensure a 30% increase in adoption of cloud computing by 2024 among Federal public institutions (FPIs) and SMEs that provide digital-enabled services to the government. The policy also targets 35% growth in cloud computing investments by 2024.

Specifically, the cloud computing policy is to achieve the following objectives by 2024:

1. an enabling environment for the private sector to increase cloud computing infrastructure investments by 35%;

2. clear direction and programs that ensure attainment of a 30% increase in cloud adoption and migration by the public sector and SMEs that provide services for the government; and

3. an enabling and competitive business environment for Nigerian cloud service providers (CSPs) and/or cloud service consulting (CSC) to operate efficiently and profitably in the cloud marketplace.

The cloud computing policy provides key facts that support the need for cloud adoption by PIs and those SMEs that provide IT-enabled services to the government. These facts hinge on the need for efficiency and real-time access to computing resources required by the government to provide highly accessible and quality services to the populace.

1.5 Making Cloud Computing Deployment and Service Models Choices

The Cloud Computing Policy recognizes three internationally well-known cloud deployment models and three service models. Public Institutions and SMEs that are willing to adopt cloud computing would need to make strategic choices of deployment models and services that meet their business objectives and computing requirements. The following will help PIs and SMEs make these strategic decisions.

The Policy recognizes three deployment models, categorized in Figure 1.0 based on the level of data sensitivity.

Figure 1.0: Categories of Cloud Deployment Model

| Deployment Model | Level of Data Sensitivity |
| --- | --- |
| Private Cloud | Sensitive Data (National Information Security Data) and mission critical applications |
| Public Cloud | Public or Non-Sensitive or Non-Confidential Data and Non mission critical applications |
| Hybrid Cloud | Combination of Sensitive and Non-sensitive Data with mix of mission and non-mission critical application |

The service models are described as presented in Figure 2.0.

Figure 2.0: Cloud Computing Service Model as recognized by Nigeria Cloud Computing Policy.

Source: Ray Rafaels

Table 1.0 presents the risk and responsibility that PIs and SMEs must note before making a service model choice. It also prescribes the level of Information Technology (IT) expertise required to implement each service model and the category of PIs that should opt for it. In addition, it makes recommendations for PIs on the choice of a cloud service model, based on the level of data generated (either sensitive or otherwise) and the level of their control over computing resources.

PIs are categorized into the following three levels of expertise:

1. High IT Expertise

2. High to Moderate IT Expertise

3. Less IT Expertise

Table 1.0: A Guide for Choosing Cloud Computing Service Model

Delivery Type: IaaS

Risk and responsibility: Cloud consumer builds the application without worrying about the infrastructure requirements. The security responsibility is equally divided between the cloud service provider and the cloud consumer. In this model, the risk is segregated and layered. It is also a shared risk model.

Prescription for PIs or SMEs:

Data: IaaS option is suitable for PIs who generate sensitive data (especially citizens’ data), use or keep other PIs’ data.

Control: No control over IT infrastructure (networking, servers, virtualization) but have control over operating systems, storage and deployed applications. A bit of control over select networking components (e.g. host firewalls).

Level of IT Expertise: High

Delivery Type: PaaS

Risk and responsibility: The cloud consumer brings the application expertise along with licenses, data, and resources, and consumes the platform shell. This model is used by consumers who either lack infrastructure skills or want to save on high capital expenditure (capex). The security responsibility starts to tilt more towards the cloud provider. However, the service provider bears higher risk than the consumer as the provider supports more layers. Similar to IaaS, this is a shared risk model.

Prescription for PIs or SMEs:

Data: PaaS option is suitable for PIs who use or keep other PIs’ data. They can also generate data (either sensitive or not) but not as much as in the case of IaaS. They build software applications in-house (either through their personnel or outsourced). Recommended for SMEs that build software applications for the government.

Control: PIs have control over the configurations of the application development and hosting environment and fair control over IT platforms. No control over IT infrastructure.

Level of IT Expertise: High to Moderate IT Expertise

Delivery Type: SaaS

Risk and responsibility: The cloud consumer does not have the necessary skills, time, or resources to set up an application ecosystem and manage it. No upfront capex requirement. The security responsibility is mostly with the cloud provider. The consumer is mainly responsible for securing the client-side vulnerabilities. The service provider bears most risk.

Prescription for PIs or SMEs:

Data: SaaS option is suitable for PIs who do not frequently generate data (either sensitive or not) or use other PIs’ generated data. They are more concerned about their operational efficiency. Recommended for SMEs that provide cloud service consulting and manage cloud applications for PIs.

Control: No control over IT infrastructure and platforms. Less control over application.

Level of IT Expertise: Less IT expertise

The business objectives and computing availability requirements of PIs and SMEs are broadly categorized into Data Security and Service Availability. These are the major factors for choosing a deployment model and the corresponding service model. Table 1.0 presents the relationship between the models. It guides PIs and SMEs to make choices that meet their computing requirements based on data security and service availability.

Table 2.0: Cloud Service Model and Delivery Model Matrix

| Delivery Model | SaaS | PaaS | IaaS |
| --- | --- | --- | --- |
| Private | Data security requirements by consumers are low but high level of service availability requirements expected from cloud providers. Vice versa between providers & consumers | Data security requirements by consumers are between high and moderate with high to moderate level of service availability requirements expected from cloud providers. Vice versa between providers & consumers | Data security requirements by consumers are very high and the level of service availability requirements expected from cloud providers is high. Vice versa between providers & consumers |
| Public | Data security requirements by consumers are low and level of service availability requirements expected from cloud providers are between low and moderate. Vice versa between providers & consumers | Data security requirements by consumers are moderate to high and level of service availability requirements expected from cloud providers are high to moderate. Vice versa between providers & consumers | Data security requirements by consumers are moderate and level of service availability requirements expected from cloud providers is high. Vice versa between providers & consumers |
| Hybrid | Data security requirements by consumers are between low to moderate and level of service availability requirements expected from cloud providers are moderate to high. | Data security requirements by consumers are high to moderate and the level of service availability requirements expected from cloud providers are moderate to high. | Data security requirements are high to moderate and level of service availability requirements expected from cloud providers are high. |

CHAPTER TWO:

STRATEGIES FOR IMPLEMENTING CLOUD COMPUTING POLICY STATEMENTS

There are statements in the Cloud Computing Policy that require certain actions to be taken by NITDA, PIs, CSPs, and other relevant stakeholders. Implementation of the actions will lead to actualization of the Policy goal and objectives. The actions demand certain strategies for their implementation, and the strategies are further broken down into strategic initiatives.

Therefore, this chapter presents critical statements/issues in the Nigeria Cloud Computing Policy and implementation strategy(ies) for each statement. Strategic initiatives are proposed to implement each strategy. Each of the statements is presented as follows.

2.1 Procurement

Traditional purchasing practices and contract terms may hinder the scalable, cost-effective, and innovative nature of cloud computing. Procurement is a central issue in the development of cloud computing. Nigerian procurement law supports a yearly procurement contract, whereas cloud service contracts are structured on a “pay as you go” basis. To ensure cloud adoption growth, this challenge must be addressed appropriately. The following strategies and their strategic initiatives will be adopted.

Strategy 1.0

Development of cloud procurement regulation.

Strategic Initiatives

The following strategic

1. BPP and NITDA, in consultation with relevant stakeholders, will develop Cloud Procurement Regulation.

2. BPP and NITDA will monitor and ensure compliance with the provisions of the regulation.

Strategy 2.0

Establishment of Digital Marketplace

Strategic Initiatives

1. Design and develop Nigerian Cloud Digital Marketplace.

2. NITDA, in collaboration with relevant stakeholders, will set up governance structure, business models and operational plan for Nigerian Cloud Digital Marketplace.

2.2 Data Classification

PIs are going to have vastly different types of information, and the information will contain varying levels of sensitivity. The Nigeria Cloud Computing Policy proposed data classification as presented in Figure 2.0. A detailed explanation is available in the Policy.

Figure 3.0 Information security levels

For proper implementation of this data classification by PIs and SMEs that provide services for government, the following strategy shall be taken into consideration.

Strategy 3.0

Development of a cloud data classification guide. This will assist cloud stakeholders to classify cloud data.

Strategic Initiatives

1. NITDA, in consultation with relevant stakeholders, will provide a data classification guide based on the data classification framework in the Policy and other parameters. The guide will be put on the Nigerian Cloud Digital Marketplace.

NOTE: Table 3.0 provides a template for cloud stakeholders to properly classify their cloud data.

Table 3.0: Template for calculating data security and sensitivity.

| Classification Criteria | Min. - Max. Score | Max. Score |
| --- | --- | --- |
| Critical National Data/Information (Including National Security Info) | =3 (Mandatory) | 3 |
| Data containing Personally Identifiable Persons | =3 (Mandatory) | 3 |
| High level = 3, Medium Level = 2 and Low Level = 1 | | |
| Transactional Data with certain level of Business/operational Information | Between 1 and 3 | 3 |
| Limited = 1, Serious = 2 and Severe or Catastrophic = 3 | | |
| Confidentiality | Between 1 and 3 | 3 |
| Integrity | Between 1 and 3 | 3 |
| Availability | Between 1 and 3 | 3 |
| Total Score | | |

2.3 International Dimensions of Cloud Computing

Strategy 4.0

Development of balanced data localization and cross-border data flow guidelines

Strategic Initiatives

1. NITDA will develop cross-border data flow guidelines for efficiency purposes.

2. Provide CSPs’ identification framework based on cross-border data flow guidelines

2.4 Service Level Agreement and Consumer Protection

The quality and reliability of services become important as PIs and SMEs migrate to the cloud. It is important to ensure the rights of consumers and service takers are protected in the cloud space.

Strategy 5.0

Develop an SLA Template for Cloud engagement

Strategic Initiatives

a. NITDA will collaborate with relevant cloud stakeholders to develop an SLA template for Cloud engagement.

b. NITDA will make the SLA template available on the digital marketplace.

Strategy 6.0

Stakeholders’ collaboration for the protection of consumers’ rights.

Strategic Initiatives

1. NITDA will engage and partner with the Federal Competition and Consumer Protection Commission (FCCPC) and other relevant stakeholders to ensure monitoring of, compliance with and enforcement of the consumer protection provisions in the Cloud Computing Policy.

2.4 Information Security

The goal of information security in the cloud environment is to protect the confidentiality, integrity and availability of government data. Therefore, in order to ensure information security, cloud service providers must put measures in place to ensure data confidentiality, integrity and availability.

Strategy 7.0

Development of National Cloud Computing Security Guidelines

Strategic Initiatives

1. NITDA, in collaboration with relevant stakeholders, will develop national cloud computing data security guidelines.

2.5 Cloud Interoperability

The Nigeria Cloud Policy will enable rapid adoption and the growth of cloud computing. Many CSPs will operate in the space, and consumers of cloud services might want to port from one CSP to another. The following strategy will be adopted to manage interoperability requirements, in addition to adoption of the Nigeria e-Government Interoperability Framework (Ne-GIF) and ISO/IEC 17203:2011 as specified in the Nigeria Cloud Computing Policy.

Strategy 8.0

Development of Nigeria cloud interoperability guidelines

Strategic Initiatives

1. NITDA, in collaboration with relevant stakeholders, will develop Nigeria cloud interoperability guidelines. The guide will provide direction for cloud consumers to navigate cloud interoperability requirements. It will consider important areas of interoperability as prerequisite requirements for choosing a CSP and ensuring cloud interoperability.

See consideration for interoperability requirements in Appendix A3.0 as focus areas of the guidelines

2. NITDA will make Nigeria cloud interoperability requirements available on the digital marketplace.

2.7 Migration to The Cloud

Moving to the cloud requires an orchestrated migration plan to mitigate the risks involved. The following strategy will be implemented to ensure PIs and SMEs migrate to the cloud successfully.

Strategy 9.0

Develop cloud migration guide for PIs and SMEs

Strategic Initiatives

1. NITDA, in collaboration with relevant stakeholders, will develop a cloud migration guide. The guide will serve as a template to be followed by PIs and SMEs while migrating to the cloud. The cloud migration guide will consider important steps for cloud migration. In the meantime, consumers are advised to be guided by the following migration steps or requirements.

See consideration for Cloud Computing migration steps and requirements in Appendix A4.0 as focus areas of the guidelines

2. NITDA will publish the cloud migration guide on the digital marketplace portal.

3. NITDA will monitor cloud migration through the IT project clearance committee and other monitoring mechanisms.

2.8 Workforce and Skills

Cloud adoption means a complete change in the way information technologies are acquired and deployed by PIs and SMEs. The change also cuts across organisational processes and people. People are going to play a major role in the adoption process, and they are the main drivers. If people with the right skills are not involved in the cloud adoption processes, the objectives of the exercise might be defeated. Effective cloud adoption by PIs will depend on developing talent and acquiring professional IT credentials. The strategy for building the right skills among the public sector workforce and SMEs is highlighted as follows.

Strategy 10.0

Facilitate the development of special skills for cloud computing in the public sector and among targeted SMEs.

Strategic Initiatives

1. Partnership with the private sector (training outfits) and development partners to build cloud capacity of PI personnel and SMEs

See Appendix 5.0 for focus areas of cloud computing capacity

2. Partnership with strategic organisations (such as SMEDAN) to build cloud adoption skills and capacity for targeted SMEs.

2.9 Vendor Lock-in & Data Withdrawal

Circumstances might warrant PIs or SMEs migrating from one CSP to another or using multiple CSPs to accomplish business objectives. Also, data sovereignty and localization regulation requirements might require PIs and SMEs that provide services to the public sector to move government data and their hosting platforms to the shores of the country at any time. Therefore, PIs and SMEs should avoid vendor lock-in and ensure data withdrawal is possible any time it is mandatory. The following strategy will be adopted to avoid vendor lock-in and ensure data withdrawal is seamless.

Strategy 11.0

Develop vendor lock-in avoidance guide

Strategic Initiatives

1. NITDA will provide a cloud vendor lock-in avoidance guide.

See Appendix 6.0 on focus areas of vendor lock-in avoidance guide

2.10 Cloud Registration and Certification

To guarantee trust, build the confidence of cloud consumers and ensure there is sanity in the cloud computing space, NITDA will register and certify indigenous CSPs that have met certain standards. Certified Indigenous CSPs will be the beneficiaries of the “Nigeria Cloud First Policy”. NITDA will adopt the following strategies to implement CSP registration and certification.

Strategy 12.0

Registration of Indigenous CSPs

Strategic Initiatives

1. NITDA will establish registration process for CSPs

2. Registration of Indigenous CSPs.

Strategy 13.0

Develop National Cloud Certification Criteria based on international standards and best practices

Strategic Initiatives

1. NITDA will develop National Cloud Certification Criteria

See Appendix 7.0 for the focus areas of certification criteria

2. NITDA will publish the Cloud Certification Criteria on Nigerian Cloud Digital Marketplace.

3. NITDA will certify Indigenous CSPs based on the Certification Criteria

2.11 Cloud Audit and Reporting

The Nigeria Cloud Computing Policy requires a CSP to provide satisfactory audit reports or respond to audit requests by NITDA or other statutory bodies. The following strategies will be adopted to implement the cloud audit and reporting requirements.

Strategy 14.0

Establish cloud system audit and reporting process.

Strategic Initiatives

1. Audit and reporting process: NITDA will establish an audit and reporting process for Indigenous CSPs.

2. Annual voluntary report: NITDA shall request CSPs to provide a voluntary annual audit report.

See Appendix 8.0 for assessment metrics that would form part of the CSPs reporting template

CHAPTER THREE:

NIGERIA CLOUD COMPUTING GOVERNANCE

3.1 National Cloud Governance

In order to ensure coordination of cloud computing project and procurement within and across PI and

SMEs that provide IT-enabled services to the government, it is important to institutionalize a

governance structure that helps to govern cloud implementation from planning, architecture to

deployment, that allows seamless switching from one CSP to another and unclouding in the case of a

need in a more sustainable manner. Cloud services need to be adopted as an integral part of the

organization’s existing operating model. The absence of governance structure that establishes standards

and provides clear direction and consistency in managing cloud services can undermine cloud benefits

and then create unforeseen risks (security, privacy and financial), complexity rather than

interoperability and simplicity.

The proposed national cloud computing governance establishes structure upon which the goal and

objectives of Nigeria Cloud Computing Policy would be achieved. It is a structure that governs

implement strategic initiatives established by the “Cloud Computing Implementation Strategy”. Figure

4.0 presents the proposed national computing governance at the Federal level.


Figure 4.0: National Cloud Computing Governance

• Presidency: Promoting National Vision for Cloud Computing (Leadership)

• FMC: Supervising policy implementation and promoting investment

• Budget & National Planning: Putting cloud computing as part of National IT deployment plan

• NITDA: Coordinating implementation across FPIs; clearing cloud projects by FPIs; regulating cloud computing space; facilitating strategic partnerships and investments and carrying out cloud computing assessment

• Federal Competition and Consumer Protection Commission (FCCPC): Promote cloud competitive market and consumer protection

• Bureau of Public Procurement (BPP): Provide cloud procurement regulation with support for cloud purchasing models

• FPIs and SMEs: Implement cloud computing projects

• CSPs: Providing Cloud Service to FPIs & SMEs

3.2 Public Institution Cloud Computing Governance

Aside from the national governance, each FPI or SME that provides IT-enabled service to the government is expected to develop its cloud governance structure internally in order to ensure IT acquisition and deployment aligns with the national goal and its business objectives.

Adopting cloud creates a shift in the responsibilities of IT/ICT departments: a shift from technicality to contract negotiation, establishing key performance indicators and vendor management. This shift in responsibilities contributes to the IT department’s changing role from operators of technology to governors of systems and processes. It also requires establishing a cloud governance model that everyone must follow.

A cloud governance model will enable the IT/ICT department and the business to collaborate in defining the right strategy for configuration, migration, management and disposition of cloud services. It defines roles and responsibilities and holds PIs to account for IT investment decisions and resource management for cloud computing adoption. Cloud governance will also manage the unnecessary complexity and cost increases that can arise from uncoordinated procurement of cloud services.

However, IT personnel will need to acquire new skills as they transition from operators and tacticians

to vendor managers and governors. These skills, as itemized in the section on workforce and skills,

include understanding not only contractual obligations and service management, but also new and

emerging technologies and processes that may help to better manage cloud services.

Governance structure in each PI and SME will need to span the three pillars of people, process and

technology and encompass the entire cloud life cycle, from identification and configuration to

migration, management and decommission.

NOTE: PIs and SMEs are advised to follow and be guided by this governance model while deploying and migrating to the Cloud. The entire cloud life cycle should be planned and governed by the cloud governance domain, bearing in mind people, process and technology.


Figure 5.0: Organisational Cloud Computing Governance Model

See Appendix 9.0 for the explanation on the cloud computing governance model for PIs and SMEs


CHAPTER FOUR:

IMPLEMENTATION PLAN

The first implementation road map to achieve the goal of the Nigeria Cloud Computing Policy spans a period of five (5) years (between 2019 and 2024) and is divided into short, medium and long term, as set out in Tables 4.0, 5.0 and 6.0 respectively.

Table 4.0: Strategy Implementation road map (Short-term)

| S/n | Strategy | Strategic Initiatives | Major Action by | Implementation Timeline (2019-2021) |
|---|---|---|---|---|
| 1.0 | Strategy 1.0. Development of cloud procurement regulation. | 1. BPP and NITDA, in consultation with relevant stakeholders, will develop Cloud Procurement Regulation. 2. BPP and NITDA will monitor and ensure compliance to the provision of the regulation | BPP & NITDA | 2019 |
| 2.0 | Strategy 3.0 Development of a data classification guide | 1. Provision of data classification guide based on data classification framework in the Policy and other parameters. | NITDA | 2019 |
| 3.0 | Strategy 4.0 Development of a balanced data localization and cross-border data flow guidelines | 1. NITDA will develop cross-border data flow guidelines. 2. Provide CSPs’ identification framework based on cross-border data flow guidelines | NITDA | 2019 |
| 4.0 | Strategy 5.0 Develop an SLA Template for Cloud engagement | 1. Development of SLA template for Cloud engagement | NITDA | 2019-2021 |
| 5.0 | Strategy 7.0 Development of a National Cloud Computing Security Guidelines | 1. Development of national cloud computing data security guidelines. | NITDA & ONSA | 2020-2021 |
| 6.0 | Strategy 9.0 Develop cloud migration guide for PIs and SMEs | 1. Development of cloud migration guide | NITDA | 2020 |
| 7.0 | Strategy 12.0 Registration of Indigenous CSPs | 1. Establishment of registration process 2. Registration of Indigenous CSPs | NITDA | 2020-2021 |
| 8.0 | Strategy 13.0 Develop National Cloud Certification Criteria based on international standards and best practices | 1. Development of National Certification Criteria 2. Certification of Indigenous CSPs | NITDA | 2021 |

Table 5.0: Strategy Implementation road map (Medium-term)

| S/n | Strategy | Strategic Initiatives | Major Action by | Implementation Timeline (2022-2023) |
|---|---|---|---|---|
| 1.0 | Strategy 11.0 Develop vendor lock-in avoidance guide | 1. Development of vendor lock-in avoidance guide | NITDA | |
| 2.0 | Strategy 2.0. Establishment of Digital Marketplace | 1. Design and development of Nigerian Cloud Digital Marketplace. 2. Setting up of governance structure, business models and operational plan for Nigerian Cloud Digital Marketplace. 3. Publication of cloud migration guide on Nigerian digital marketplace portal 4. Publication of Cloud Certification Criteria on Nigeria Cloud Digital Marketplace 5. Publication of cloud SLA on Nigeria Cloud Digital Marketplace | NITDA | 2022 |
| 3.0 | Strategy 14.0 Establish cloud system audit and reporting process. | 1. Establishment of audit and reporting process for Indigenous CSPs 2. Request for CSPs annual voluntary report | NITDA | 2022-2023 |
| 4.0 | Strategy 10.0 Facilitate the development of special skills for cloud computing in the public sector and among targeted SMEs | 1. Partnership with private sector (training outfits) and development partners to build cloud capacity of PI personnel and SMEs 2. Partnership with strategic organisations (such as SMEDAN etc.) to build cloud adoption skills and capacity for targeted SMEs. | NITDA & CSP; NITDA & SMEDAN | 2022-2023 |

Table 6.0: Strategy Implementation road map (Long-term)

| S/n | Strategy | Strategic Initiatives | Responsibility | Implementation Timeline (2024) |
|---|---|---|---|---|
| 1.0 | Strategy 8.0 Development of Nigeria cloud interoperability requirements | 1. Develop Cloud interoperability guidelines 2. Publish the cloud interoperability requirements on digital marketplace | NITDA | 2023 |
| 2.0 | Strategy 6.0 Stakeholders’ collaboration for the protection of consumers’ rights. | 1. Monitoring, compliance and enforcement with the provisions of consumer protection in the Policy | NITDA & FCCPC | 2020-2024 |
| 3.0 | Strategy 9.0 Develop cloud migration guide for PIs and SMEs | 1. Monitoring of cloud migration by PIs through NITDA’s IT clearance committee | NITDA | 2019-2024 |

Table 7.0: Specialized Strategies

| S/n | Strategy | Strategic Initiatives | Responsibility | Implementation Timeline (2019-2024) |
|---|---|---|---|---|
| 1.0 | Cloud Computing Readiness Assessment | 1. Conduct cloud computing readiness assessment across all sectors of the economy | NITDA | 2019-2020 |
| 2.0 | Promotion of Cloud Migration | 1. Monitor and enforce compliance with Cloud First value proposition by FPIs and SMEs 2. Extension of cloud computing adoption programs to sub-national PIs 3. Provision of cloud migration technical assistance to FPIs through NITDA IT clearance committee | NITDA | 2019-2024 |
| 3.0 | Cloud Computing Code of Conduct | 1. Development of Indigenous Cloud Computing Code of Conduct | CSPs & NITDA | 2022-2024 |
| 4.0 | Promotion of Investment in Cloud Computing Systems in Nigeria | 1. Provision of incentives to Indigenous CSPs 2. Encouragement and creation of an enabling environment for Cloud Computing investments | NITDA, CSPs, BPP | 2020-2024 |
| 5.0 | Monitor, Comply and Enforce | 1. Continuous monitoring, compliance and enforcement of the provision of the Nigeria Cloud Computing Policy and compliance framework | NITDA, BPP & FCCPC | 2019-2024 |


CHAPTER FIVE:

NIGERIA CLOUD COMPUTING POLICY COMPLIANCE AND ENFORCEMENT FRAMEWORK

5.1 Compliance Framework

The Nigeria Cloud Computing Policy states the following:

1. The CSP shall maintain the utmost integrity to protect the data and meet the security

requirements set forth by NITDA; and

2. Data shall not be stored, shared, processed, or modified by CSP in any way that compromises

the integrity of the data.

Therefore, NITDA shall ensure compliance and enforce the above statements through the following

compliance and enforcement framework.

1. NITDA shall identify and register all CSPs operating in Nigeria through a registration process and guidelines.

2. NITDA shall certify CSPs operating in Nigeria based on the NITDA Cloud Certification Criteria to be provided on Nigerian Cloud Digital Marketplace.

3. NITDA will develop and maintain a database of all CSPs and their services on the digital marketplace platform.

4. CSPs shall be required to submit a report to NITDA annually or as may be requested.

5. Where applicable, PIs and SMEs shall ensure compliance with the provisions of the Cloud Computing Policy and/or compliance framework.

6. NITDA shall, in the next 3 years, ensure implementation of the strategies and strategic initiatives in this document.

7. NITDA shall employ the following compliance tools:

Self-Reporting: NITDA will provide templates and a technology platform for self-reporting or filings by CSPs.

In the absence of a technology platform, CSPs or any other entity shall submit a physical copy of the report to NITDA in the following manner:

I. The report shall be addressed to the Director General of NITDA.

II. The Director General shall direct the department responsible for regulation, monitoring and

enforcement to handle the report.

III. The report shall clearly specify the following:

a. The full name of the entity;

b. Title of the report

A soft copy of the report, as indicated above, can be submitted to NITDA’s official email:

[email protected]


Verification: Where necessary, NITDA shall verify audit information submitted by CSPs and PIs to

ensure its accuracy, veracity and validity.

Monitoring: NITDA shall institute a systematic, continual or periodic, active or passive observation of

CSPs and PIs’ cloud systems to ensure compliance with general rules and processes laid down.

Audit: Where necessary, NITDA shall investigate or examine records, processes and procedures of

CSPs and PIs to ensure they are in compliance with the requirements of the policy and/or compliance

framework. This will be based on NITDA’s established cloud system audit and reporting process

8. If there is any breach of the provision of the policy and compliance framework, NITDA shall

enforce it through the following enforcement process or framework:

Figure 6.0: Enforcement framework

Surveillance: Where necessary, NITDA shall institute a specific and deliberate monitoring exercise to identify breaches of the policy and/or compliance framework.

Complaint Filing: Where necessary, NITDA may accept complaints of non-compliance with the provisions of the Policy and/or compliance framework filed by NITDA’s personnel or any interested parties. The complaints must meet the following requirements:

I. A complaint must be filed in writing, either on paper or electronically.

II. A complaint must name the person or entity that is the subject of the complaint and describe

the acts or omissions believed to be in violation of the applicable provision(s) of the policy

and framework.

Investigation: NITDA will investigate any complaint filed against a CSP or PI when a preliminary

review of the facts indicates a possible violation of the provision(s) of the cloud policy and/or


compliance framework. In the case of third party filing, NITDA shall investigate any complaint filed

by third parties and may also do so based on a special audit or “spot check”.

Administrative Sanctions: Where NITDA has ascertained that a CSP is in breach of any of the provisions of the cloud policy and compliance framework, NITDA may issue an order for compliance. NITDA may also issue other administrative orders, including:

I. Suspension of service pending further investigations;

II. Order for the CSP in breach to appear before a panel to determine level of liability;

III. Issue of a public notice warning the public to desist from patronizing or doing business with the CSP; and

IV. Referral of the CSP in breach to other Self-Regulatory Organization (SRO) for appropriate sanctions.

Criminal Sanction: Where NITDA has determined that a CSP is in breach of the cloud policy and compliance framework, it may seek to sanction officers of the organization as provided for in Section 17(x) of NITDA Act 2007. NITDA shall seek a fiat of the Honorable Attorney General of the Federation (HAGF) or may file a petition with any sanction authority in Nigeria. These may include the Economic and Financial Crimes Commission (EFCC), the Department of State Security (DSS), the Nigerian Police Force (NPF), the Independent Corrupt Practices Commission (ICPC) or the Office of National Security Adviser (ONSA) among others.

5.2 General Enforcement Process

Table 8.0: Cloud Computing General Enforcement

| S/n | Enforcement Activity | Description of Action |
|---|---|---|
| 1 | Documentation of Breach | 1. At this stage it is required that a report, memo, petition or complaint is officially submitted to NITDA through the office of the Director General of NITDA. 2. The document must be duly signed by an Officer of NITDA or the external complainant. 3. For an external complaint, the document must be written and signed by an individual either in personal capacity or a group (of persons or companies) or registered entity (registered with the CAC). |
| 2 | Request for Additional Information and Investigation | If it appears NITDA is not sufficiently briefed or may need further information to arrive at a conclusion of breach of the policy and/or compliance framework, the following procedure should be employed: 1. A “Request for Additional Information” should be issued to either the complainant, the alleged violator or any other party who may be in a position to provide clarity on facts of the allegation of breach. 2. Invite relevant parties for an “Investigation Meeting” to elicit facts to establish breach. 3. “Request for Investigation” in partnership with law enforcement agencies. |
| 3 | Continuation or Termination of Enforcement Process | Where NITDA is satisfied that there is prima facie evidence of a breach, NITDA can: 1. Request for a response from the violator stating the allegations against them; 2. In the event NITDA finds the explanations of the alleged violator coherent and sufficient, NITDA will respond to the allegation and enforcement will be terminated. |
| 4 | Notice of Enforcement | Where NITDA is satisfied that a breach of the Cloud Computing Policy and/or compliance framework has occurred: 1. NITDA will then issue a “Notice for Enforcement” citing the specific breach and demand mandatory compliance within a specific time frame from the date of the service of notice (30 days or 60 days as the case of breach may demand). 2. NITDA may issue an administrative fine or penalty in line with extant regulation. |
| 5 | Issuance of Public Notice (OPTIONAL) | NITDA may consider issuing a public statement warning the public and other agencies of Government of the dangers of dealing with a violator who has breached the provision(s) of the Cloud Computing Policy and/or compliance framework. |
| 6 | Request for Sanction | 1. Where a violator does not take steps to address breach or consult with NITDA as to what steps to be taken to remedy breach after the period stated in the “Notice for Enforcement”; or 2. Where the Regulation only provides for sanction of violator in accordance with Section 17x NITDA Act; 3. NITDA may file an official Petition or Notice for Sanction to the Office of the Attorney General of the Federation, stating the following: i. Original complaint; ii. Enforcement process initiated by NITDA; and iii. Implication of the action of the violator to the development of ICT in Nigeria. iv. A copy of the notice should be copied to the Presidency and the Office of the Secretary of Government of the Federation (OSGF). |

9. NITDA shall ensure PIs and SMEs put appropriate governance structure in place for

Cloud project implementation.


Appendix

Appendix A1.0: Rationale for “Cloud First” value proposition

1. Reduced Capital Cost: The reduction in capital cost can be achieved through savings on the initial cost of acquiring and deploying IT infrastructure and other computing resources, hiring technical personnel, and maintaining and managing resources, as well as by taking advantage of the economy of scale offered by the Cloud;

2. Efficiency: Efficiency is realized through real-time and on-demand self-provisioning of computing resources. Cloud computing offers public institutions and SMEs the needed agility for responsive digital service delivery. NITDA has noticed the epileptic nature of digital service delivery in the country with respect to certain critical government services. Once traffic gets to the peak for a particular digital service, citizens/government customers begin to experience delay in getting the service. This would be largely eradicated through strategic adoption of cloud computing;

3. Digital Service Innovation: Digital service innovation will be highly promoted through adoption of cloud because of the edge gained as a result of cloud efficiency;

4. Elasticity: Cloud has the ability to provide customized computing services as needed. Computing service can be shrunk or grown based on demand. This will help public institutions and SMEs pay as they use, thus reducing waste of computing resources.

5. Information Security: Due to security requirements to protect data of businesses and certain government operations, Cloud Service Providers (CSPs) are deploying the latest security measures and controls on the cloud. CSPs have capabilities to offer better security and implement Business Continuity Plans than individual organisations with server rooms and data centers.

Appendix A2.0: National Strategic Intent for Cloud Adoption

1. Responsive and efficient public service delivery and public sector digital transformation:

Government agencies will leverage cloud to provide responsive and efficient public service in a

transparent manner. This includes the ability to provide better healthcare, social amenities, justice,

public safety, and education services among others.

2. Local ICT industry development and growth, including SMEs: Cloud technologies will create a competitive advantage in favour of small to medium enterprises (SMEs) that provide computing service to the Government. By adopting cloud technology, SMEs hold immense potential for generating employment opportunities, development of indigenous technology, diversification of the economy and forward integration with established sectors such as banking, telecommunication, oil and gas among others.


3. Resources Savings: Migrating to the cloud can help streamline processes in many public

institutions in Nigeria. Systems are too dispersed among organisations, creating inherent

inefficiencies in the national public IT architecture. Instead of consolidating these services under

a central government platform, which may be too rigid to meet the needs of individual

organisations’ applications, contracting cloud services can both drive efficiencies and enhance the

customisation of IT service solutions. Also, cost savings will be expressed through:

4. Opportunities to better manage human resources: Qualified IT professionals are a scarce

resource in Nigeria and around the world. Using those resources to handle routine issues like

server maintenance, patching, and other low-level support activities is wasteful of their training,

experience, and talent. By moving these process-oriented tasks to cloud service providers, public

institutions can invest in their human resources to re-train them for value-adding skills and

activities, such as customised application development and innovative services.

Appendix A3.0: Cloud Computing Areas of Interoperability Guide

Consumers and CSPs should be aware of the following areas of interoperability.

I. Data Portability;

II. Application Portability;

III. Platform Portability;

IV. Application Interoperability;

V. Platform Interoperability;

VI. Management Interoperability; and

VII. Publication & Acquisition Interoperability

In addition, the guide will also consider the following as prerequisite requirements for choosing a CSP:

I. Standard user interfaces, APIs, protocols and data formats for SaaS;

II. Open cloud technologies for platform and application dependencies for PaaS;

III. Standard or widely accepted application packaging formats such as Open

Virtualization Format (OVF), Cloud Data Management Interface (CDMI) and

Docker for IaaS. Also, open and/or standard business interfaces and APIs will be

considered;

IV. The use of standard enterprise integration tools such as Cloud Management Platform

(CMP) to manage integration, interoperability and portability between multiple cloud

and on-premise services;

V. Support for standard security technologies;

VI. Service-oriented architecture (SOA) design principles; and

VII. Standard enterprise access management capabilities


Appendix A4.0: Cloud Computing migration steps and requirements

These steps or requirements are going to form part of the cloud migration guide:

Identification of what cloud services (SaaS, PaaS, and/or IaaS) and data will be provided and establish

from where the services will be provided.

I. Establishment of where the migration will occur.

a. In-house data center (on premise) – owned and operated by the organization.

b. External data center (off premise)– outsourced to a commercial cloud service provider.

II. Definition of what cloud deployment model will be used:

a. Public cloud – available for use by the general public and located on the premises of

the cloud service provider.

b. Private cloud – the cloud infrastructure is dedicated to a specific organization or

community of customers. The community might be from a community of

organizations that share common concerns (e.g., missions, security, policy,

compliance guidelines, etc.). It may be located on the premises of the customer or the

cloud service provider.

c. Hybrid cloud – a combination of two or more of the above cloud deployment models

– public, community, or private.

III. Development of migration/implementation approach

a. Conduct a Proof of Concept and define a set of requirements for implementation.

b. Implement in full or in phases: that is, implement all requirements at once or in incremental phases, based on a cost vs benefits vs risk analysis to define the implementation strategy. It is recommended that a phased approach is used.

c. Phasing strategies may include the following:

i. Implement a set of requirements based on priorities that have an

immediate operational impact and are achievable in the specified time

ii. Migrate low risk capabilities first to learn lessons and refine plans for

future increments.

iii. Implement requirements in an evolutionary manner in which solutions

are implemented, evaluated, and improved on incrementally.

IV. Identify the framework to be used for the migration. The migration framework in the

Nigeria Cloud Computing Policy is recommended.


Figure 7.0: Cloud Migration Decision framework

V. Risk management/mitigation.

a. Identify actual and possible implementation risks that may adversely impact (or are

impacting) implementation, and lay out a mitigation strategy for them.

b. Consider risks at the cloud provider’s and cloud customer’s locations as well as the

transport (communications) network connecting them. Also, consider risks in

integrating new cloud technology with legacy systems, networks, infrastructure,

processes, etc.

c. Categorize risks by impact and likelihood to ensure that risks are addressed by priority.

d. Identify operational risks that may adversely impact the capability once it is operational. These risks may be due to natural, technological, or human causes, and may be universal or geographically dependent.

e. Risk Mitigation.

i. Develop risk mitigation strategies for both implementation and operational

risks.

ii. Determine testing requirements to ensure the new capabilities are operating

as planned/needed.

f. Determine the need for availability and reliability standards, which drive the following

considerations to minimize risks and provide resiliency (the ability to recover from

issues):

i. Need for redundancy of equipment and/or communications paths

(networks).

ii. A continuity of operation plan (COOP) or disaster recovery (DR) plan

and possibly an alternative site in case of long term or catastrophic failure.


g. Track these risks in a documented Risk Registry that identifies the risks,

priorities, mitigation strategies, responsibilities, dates for resolution, level of risk,

and status.

h. Consider a fall back plan to restore services to their original state in case of

implementation failure.

VI. Involve experts (acquisition and contract officers) early to help define the acquisition

and contract strategy.

a. Determine requirements for acquiring, upgrading, replacing, or eliminating

equipment, software, communications infrastructure, etc. A gap/redundancy

analysis can help with this.

b. Leverage open, vendor-neutral standards to provide open competition and avoid

becoming locked in to a specific vendor.

VII. Establish an approach to performance management/measurement

a. Define the expected/required Quality of Service (QoS) metrics in the form of:

i. Describe the expectations for how services will be delivered to the

customer (e.g., reliability, availability, and maintainability requirements;

incident response times; etc.) as itemized in the SLAs template.

ii. Operating Level Agreements (OLAs) describing the expectations for how

the service delivery organization will work with supporting

organizations.

b. Identify:

i. Specific performance metrics to be captured.

ii. Minimum acceptable threshold values and the targets values.

iii. How they will be captured (i.e., the tools to capture them, and how the

tool will need to be configured).

iv. How and when they will be reported.

VIII. Plan for and acquire the necessary financial and staffing resources to cover the initial

acquisition and implementations costs as well as life cycle sustaining costs.

a. Identify estimated funding required to cover:

i. Acquisition costs:

• Data center hardware (infrastructure, storage, services, etc.).

• Software (applications, licensing, etc.).

• Networking hardware (routers, switches, etc.).

• Transport costs.

• Support costs (logistics, training, manpower/personnel).


ii. Contract costs.

iii. Life cycle operations and sustainment costs:

• O&M costs.

• Manpower/personnel.

• Logistics.

• Training.

• Software acquisition or licensing fees.

• Life cycle replacement.

• Facility requirements (e.g., power, air conditioning, cabling, floor

space).

b. Identify new or changed staffing requirements to support the migration and follow-on O&M. This should address both numbers and skill sets.

c. Ensure necessary funding and staffing are available in time. The cloud migration budget should be submitted as early as possible to mitigate funding risk.

IX. Identify activities required to transition from the current “As Is” to the new “To Be”

cloud environment.

a. Establish a mechanism to identify and track completion of transition activities.

b. Review/update the relevant processes and governance.

c. Establish training requirements for new technologies, tools, processes,

governance, etc.

d. Establish/update staffing requirements if any changes.

e. Prepare facilities for new equipment or staff, and ensure the facilities can handle

any changes that impact the physical structure (e.g., power, air conditioning,

cabling, etc.)

f. Over-communicate transition events with supported and supporting

organizations.

g. At the time of transition, arrange for turnover of key materials such as passwords.

X. Identify and plan for security and privacy related activities

a. Define and implement appropriate security controls at both the cloud provider

and cloud consumer locations.

b. Identify cloud security standards, framework, and security/privacy best practices,

such as those developed by the Cloud Security Alliance.

c. Ensure certification, accreditation, or other operating authorization actions are

planned and scheduled, and necessary authorizations to migrate and operate are

in place on time.


Appendix 5.0: Focus Areas of cloud computing capacity

I. In-house cloud set up: The following areas of skills and competencies among others are needed

for PIs’ personnel that are to build internal cloud competencies

a. Concept of Virtualization

b. Cloud configuration and Management

c. Cloud Migration planning & implementation

d. Cloud Deployment within Multi-Cloud Environments

e. Cloud Security

f. Database Skills

g. Programming Skills

h. Linux Skills

i. DevOps

j. Quality Assurance

k. Information Security

II. Outsourced Cloud Service:

a. Cloud deployment and service delivery models: Decision on Public, Private and Hybrid

deployment models as well as IaaS, PaaS and SaaS service delivery models.

b. Business and financial skills

c. Enterprise Architecture and Business Needs Analysis

d. Serverless Architecture

e. Cloud Migration planning & implementation

f. Project Management

g. Contract and Vendor Negotiation

h. Security and compliance

i. Data Integration and Analysis

Appendix 6.0: Focus areas of vendor lock-in avoidance guide

The guide shall take into consideration the following:

I. Identify primary Cloud Vendor lock-in Risks

a. Data transfer risk

b. Application transfer risk

c. Infrastructure transfer risk

d. Human resource knowledge risk

II. Criteria for choosing a CSP. The criteria should include the following:

a. Service Dependencies and Partnerships

b. Contracts, Commercials and SLAs

c. Reliability and Performance

d. Security and Compliance

e. Infrastructure Management

f. Migration Support, Vendor Lock-in and Exit Planning

g. Certification and Standards (standard interface and APIs)

h. Technologies and Service Roadmap

Appendix 7.0: Focus areas of cloud computing certification criteria

I. Set of requirements for virtualization, cloud architecture, operations, performance, security, interoperability, data privacy, data portability, regulatory compliance and governance by considering contents and recommendations from:

a. International cloud certification bodies (such as Cloud Security Alliance, Computing Technology Industry Association, EuroCloud Star Audit among others) suitable for CSPs operating IaaS, PaaS and/or SaaS cloud service models and also in the areas of cloud security issues.

b. Industry standard cloud certification such as Certificate of Cloud Security Knowledge, ISO/IEC 27001:2013, Code of practice for cloud privacy ISO/IEC 27018, Cloud Certified Professional, CompTIA Cloud Essential among others;

c. Others include Cloud Industry Forum (CIF) Code of Practice, Controls and Assurance in the Cloud: Using COBIT 5,

Appendix 8.0: CSPs Audit Report Metrics

The evidence of the following assessment metrics will be required and form a template for CSPs audit report:

I. Security of Cloud Resources

a. Physical Security

b. Hosting & Data Logic Security

c. Authentication & Authorization

d. Cloud users access approval processes

e. Review processes for super and regular users’ access and authorization to cloud applications

f. Network connections & Data Transmission


II. Data protection policies, procedures and practices at both Cloud Service providers and user organizations.

a. Type and sensitivity of Data sent to and potentially stored in the cloud

b. Compliance with data protection requirements (in line with the Nigeria Data Protection Regulation, NDPR)

c. Evidence of compliance with internationally recognized cloud best practices

d. CSPs’ policies and procedures to protect data stored

e. CSPs’ evidence of international Cloud certification

f. Level of access (create/read/update/delete) that the CSPs’ personnel have to the data, particularly on sensitive information and other cloud installed and configured infrastructure, platforms and applications.

III. Risks related to the use of virtual operating system in a multi-tenant cloud.

a. Risk associated with virtualization and multi-tenant environments, especially patches and the process for monitoring and patching of known vulnerabilities in hypervisor technology

b. Assessment of multi-CSP collaboration

c. Protection of logs.

IV. Procedures related to incident management, problem management, change and access management in the context of the use of Cloud services.

a. Operational process documentation: policy, procedures, roles and responsibilities.

b. Compliance to Service Level Agreement (SLA).

c. Appropriate use of monitoring tools and reports.

d. Compliance with business continuity plan

V. Comply with national regulatory requirements.

a. Compliance with country’s regulatory requirements such as Nigeria Data Protection Regulation (NDPR), National Cybersecurity Policy (NCPS)

Appendix 9.0: Explanation of proposed cloud computing governance model for PIs and SMEs

Identification: The identification cycle is a preparatory stage where the computing resources (network, servers, operating systems, storage, database, programming language, applications, services etc.) to be procured, acquired and deployed are planned, analysed and documented.

Configuration: The configuration stage involves selecting and configuring the computing resources in alignment with the organization’s business objectives for cloud adoption, both on-premise and in the cloud. It also involves selecting the CSP service options best suited to the organization’s business objectives.

Migration: This involves the process of moving data, applications or other business elements from on-premise to the Cloud Service Providers’ cloud computing environment as well as between CSPs’ cloud computing environments. The strategy for cloud migration is prescribed in the Migration to the Cloud section.

Management: The management cycle involves the exercise of administrative control over public, private and hybrid cloud delivery models and IaaS, PaaS and SaaS cloud service models, as well as management of multiple services across different CSPs. It is recommended that a standard set of Cloud Management Tools is adopted. The management may include self-service capabilities, workflow automation and cloud analysis, among others, and it is best governed when there is formal Cloud Portfolio Management (CPM) in place.

Decomposition: This is the process of decommissioning cloud services or migrating from the cloud to on-premise.

The following explains six domains that span the entire cloud lifecycle:

Procurement/Finance management. Adopting cloud requires a shift from the traditional budgeting system, which is annual in the public sector. A new cloud procurement regulation should suffice for cloud financial planning and management. It is recommended that PIs take advantage of the new procurement regulation to be established by BPP.

NOTE: FPIs should consider appointing a cloud finance subject matter professional who understands the total cost of ownership of cloud services, can track service consumption and can provide cost transparency in line with the new cloud procurement regulation.

Cloud service provider management. It is imperative for PIs/SMEs to have a properly integrated business ecosystem that enables them to have a single view of their cloud services. They are to understand who is accountable for managing cloud services and establish a framework by which IT and the business/mandate have a clear understanding of the performance metrics and contract requirements with cloud vendors.

Cloud Portfolio management (CPM): The ability to manage cloud investments requires establishing a formal framework for Cloud Portfolio Management (CPM). Cloud portfolio management provides a means by which an organization can control and govern existing services and new services, as well as the Cloud providers and the relationship with them. PIs/SMEs should consider aligning their organizational portfolio more broadly to determine additional opportunities and risks associated with adding a cloud portfolio. Managing a cloud portfolio requires:

2. Provider Relationship Management (PRM): A critical requirement for Cloud Portfolio Management is to manage the provider relationships. FPIs and SMEs should learn how to develop strategic relationships with key CSPs and proactively manage the relationship from a contractual as well as from a technology transfer perspective. This is far more than mere vendor management performed by the procurement professionals. PRM requires a closer and collaborative relationship with key CSPs to facilitate advance previews of new services, R&D collaboration, early trials of new services, as well as joint planning for service adoption.

3. Manage a Portfolio of Cloud Services: Another key requirement of Cloud Portfolio Management is managing many different Cloud services from all providers. All the services in the catalog must be managed effectively, ensuring they add value to the organisation’s strategic objectives. A portfolio of cloud services requires the following, among others:

4. Aggregate Services into a Catalog: As part of the portfolio management process, the organisation’s available Cloud services must be aggregated into a single cloud catalog for easy management.

5. Manage service equivalents across CSPs: This is to provide redundancy for heavily-used and mission critical services. This must be done in a strategic manner.

6. Compare cloud service performance across CSPs: Continually analyse and evaluate relative service performance of CSPs.

Managing Cloud services using portfolio management best practices will help ensure the best Cloud solutions and services are available, with a basis for Cloud pricing arbitrage. Specifically, a cloud portfolio approach will:

i. Streamline the management of multiple cloud resource pools, both public and private;

ii. Avoid lock-in to a particular cloud vendor;

iii. Gain visibility and governance of cloud usage across the enterprise;

iv. Maintain the security and reliability of critical systems in the cloud;

v. Measure cloud resource consumption and enforce budgets;

vi. Prevent waste and optimize spend levels; and

vii. Ensure that applications and data are in compliance with both internal policies and regulations.

Integration/interoperability: The problem of interoperability or integration is caused by the fact that each vendor's cloud environment supports one or more operating systems and databases, and each cloud contains hypervisors, processes, security, a storage model, a networking model, a cloud API, licensing models and more. The governance structure by FPIs and SMEs should provide procedures that ensure integration and interoperability from resource and technology perspectives.


Architecture: Cloud adoption should be reflected in the overall enterprise architecture of each FPI and that of the country, that is, the Nigeria Government Enterprise Architecture (NGEA) framework. As such, organizations need to clearly articulate the vision and goals of stakeholders through the cloud enterprise architecture.

Operations: To sustain cloud service operations, FPIs and SMEs should establish a desk office to address and support cloud-specific issues for a better and seamless user experience. Clear organization and assignment of authority will set the scope for the appropriate control, escalation and exception management systems.

Definitions

Small and Medium Enterprises (SMEs): refers to enterprises which have an annual turnover not exceeding Five Hundred Thousand Naira (N500,000).

Public Institutions (PIs): means Ministries, Departments, Extra-Ministerial Departments and Agencies of Government at Federal, State and Area Council levels.

Federal Public Institutions (FPIs): means Ministries, Departments, Extra-Ministerial Departments and Agencies of Government at the Federal level.

Cloud Computing: refers to a computing model for ubiquitous, convenient, on-demand and real-time network access to a pool of configurable and rapidly provisioned computing resources (networks, servers, storage, applications and services among others) required by and available to FPIs and SMEs to carry out their businesses and operations.

Cloud Service Providers (CSPs): refer to local and/or international cloud computing service providers rendering service to FPIs and SMEs in Nigeria.

Cloud Stakeholders: Comprised of the PIs, FPIs, SMEs and CSPs

Cloud Migration: refers to the process of moving data, applications, hardware, software, network infrastructure and/or other business elements and services to a cloud computing environment.


Cloud Adoption: refers to the process or strategy that provides incentives for the public institutions and SMEs to use cloud computing for their computing requirements in a way that is efficient and sustainable.

Cloud First Policy: refers to the Federal Government of Nigeria’s strong commitment and support for cloud computing service adoption, especially from local cloud service providers, as a first choice consideration while deploying and accessing computing resources in the public sector and by the SMEs that provide computing services to the public sector.

In-house/On-premise: refers to computer systems that are located within the physical confines of Federal Public Institutions and SMEs in Nigeria.

Vendor lock-in: refers to a situation in which an FPI or SME using the cloud product or service of a cloud service provider cannot easily transition to a competitor’s cloud product or service.

Public Cloud: Cloud infrastructure provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organisation, or some combination of them.

Private Cloud: Cloud infrastructure provisioned for exclusive use by a single organisation. It is managed and operated by the organisation, a third party, or some combination of them. It may be located on- or off-premises.

Hybrid Cloud: Cloud infrastructure which is a composition of two or more distinct private and public cloud infrastructures, which remain unique entities but are bound together by standardised or proprietary technology that enables data and application portability.

Infrastructure as a Service (IaaS): refers to a multi-tenant cloud service where the consumer does not manage or control the underlying cloud infrastructure, but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (such as host firewalls).

Platform as a Service (PaaS): refers to a delivery service where the consumer does not manage or control the underlying cloud infrastructure including networking, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

Software as a Service (SaaS): refers to a delivery model where the consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage or individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Cloud Data: Refers to data produced or commissioned by government, government-controlled entities or government service providers (e.g. SMEs) which is hosted in the cloud.

The Policy: refers to Nigeria Cloud Computing Policy.