DRAFT NATIONAL CLOUD COMPUTING IMPLEMENTATION STRATEGY
National Information Technology Development Agency
(NITDA)
2019
Table of Contents
CHAPTER ONE: INTRODUCTION ............................................................................................ 1
1.1 Background ............................................................................................................................. 1
1.2 The Cloud First Value Proposition ........................................................................................... 1
1.3 National Strategic Intent for Cloud Adoption .......................................................................... 2
1.4 The Goal .................................................................................................................................. 2
1.5 Making Cloud Computing Deployment and Service Models Choices....................................... 3
CHAPTER TWO: ..................................................................................................................... 8
STRATEGIES FOR IMPLEMENTING CLOUD COMPUTING POLICY STATEMENTS ..................... 8
2.1 Procurement ........................................................................................................................... 8
2.2 Data Classification ................................................................................................................... 8
2.3 International Dimensions of Cloud Computing ..................................................................... 10
2.4 Service Level Agreement and Consumer Protection ............................................................. 10
2.4 Information Security ............................................................................................................. 10
2.5 Cloud Interoperability ........................................................................................................... 11
2.7 Migration to The Cloud ......................................................................................................... 11
2.8 Workforce and Skills ............................................................................................................. 12
2.9 Vendor Lock-in & Data Withdrawal ...................................................................................... 12
2.10 Cloud Registration and Certification ................................................................................... 13
2.11 Cloud Audit and Reporting .................................................................................................. 13
CHAPTER THREE: ................................................................................................................ 15
NIGERIA CLOUD COMPUTING GOVERNANCE ..................................................................... 15
3.1 National Cloud Governance .................................................................................................. 15
3.2 Public Institution Cloud Computing Governance................................................................... 16
CHAPTER FOUR: .................................................................................................................. 19
IMPLEMENTATION PLAN .................................................................................................... 19
CHAPTER FIVE: .................................................................................................................... 22
NIGERIA CLOUD COMPUTING POLICY COMPLIANCE AND ENFORCEMENT FRAMEWORK .. 22
5.1 Compliance Framework ........................................................................................................ 22
5.2 General Enforcement Process ............................................................................................... 24
Appendix ............................................................................................................................ 26
Appendix A1.0: Rationale for “Cloud First” value proposition ...................................................... 26
Appendix A2.0: National Strategic Intent for Cloud Adoption .................................................... 26
Appendix A3.0: Cloud Computing Areas of Interoperability Guide ............................................. 27
Appendix A4.0: Cloud Computing migration steps and requirements ....................................... 28
Appendix 5.0: Focus Areas of cloud computing capacity ............................................................ 32
Appendix 6.0: Focus areas of vendor lock-in avoidance guide .................................................... 32
Appendix 7.0: Focus areas of cloud computing certification criteria ........................................... 33
Appendix 8.0: CSPs Audit Report Metrics ................................................................................... 33
Appendix 9.0: Explanation of proposed cloud computing governance model for PIs and SMEs . 34
Definitions .................................................................................................................................. 37
Table 1.0: A Guide for Choosing Cloud Computing Service Model ...................................... 4
Table 2.0: Cloud Service Model and Delivery Model Matrix ................................................ 6
Table 3.0: Template for calculating data security and sensitivity ........................................... 9
Table 4.0: Strategy Implementation road map (Short-term) .................................................. 19
Table 5.0: Strategy Implementation road map (Medium-term) ............................................ 19
Table 6.0: Strategy Implementation road map (Long-term) ................................................. 20
Table 7.0: Specialized Strategies ......................................................................................... 21
Figure 1.0: Categories of Cloud Deployment Model .............................................................. 3
Figure 2.0: Cloud Computing Service Model as recognized by Nigeria Cloud Computing Policy ..... 4
Figure 3.0: Information security levels ................................................................................... 9
Figure 4.0: National Cloud Computing Governance ............................................................ 16
Figure 5.0: Organisational Cloud Computing Governance Model ........................................ 18
Figure 6.0: Enforcement framework ..................................................................................... 23
Figure 7.0: Cloud Migration Decision framework ................................................................ 29
CHAPTER ONE: INTRODUCTION
1.1 Background
The National Information Technology Development Agency has developed the Nigeria Cloud Computing
Policy to address the challenges of acquiring and deploying computing resources in the most efficient
manner in the public sector. The Nigeria Cloud Computing Policy constitutes a set of policy statements
that articulate the government’s strategic plan and direction for cloud computing adoption in the public
sector and by Small and Medium Enterprises (SMEs) that provide ICT-enabled services to the
Government. Implementing the Policy requires actions by the various relevant stakeholders in the cloud
computing space. The National Information Technology Development Agency (NITDA) has developed this
Cloud Computing Implementation Strategy as a guide for the Agency, Public Institutions (PIs), Small
and Medium Enterprises (SMEs) and other relevant stakeholders in implementing the Nigeria Cloud
Computing Policy.
The strategy includes strategic initiatives critical to implementing all the statements issued in the Policy,
as well as an implementation framework. The implementation framework includes an implementation
road map and a compliance and enforcement framework. The strategic initiatives and the provisions in
the compliance and enforcement framework are informed by the challenges, the goal, the “Cloud
First” value proposition and the expected outcomes of cloud adoption as explained in the Nigeria
Cloud Computing Policy.
1.2 The Cloud First Value Proposition
The country’s socio-economic activities and businesses are increasingly dependent on Information and
Communication Technology (ICT). The need to make these computing resources available and
accessible is critical to the country’s continuous growth and sustainable development. The country’s
Economic Recovery and Growth Plan (ERGP) recognizes information technologies as an enabler for
promoting digital-led growth. Digital-led growth cannot happen unless the country has a policy
direction suited to its environment for supporting the government and SMEs in acquiring and deploying
computing resources in the most efficient manner.
The “Cloud First” value proposition is aimed at promoting cloud computing as the “first choice”
consideration for acquiring and deploying computing resources by public institutions and SMEs that
provide digital-enabled services to the government, except where the deployment relates to
national security concerns or where cloud is not the best option politically and economically.
PIs and their IT/ICT departments/units should make themselves aware of the cloud capabilities and
resources necessary to meet their business objectives and expectations as part of the adoption process.
Therefore, the National Cloud Computing Policy recommends the concept of “Cloud First” for
acquiring and deploying computing resources in the public sector and among SMEs that provide digital-
enabled services to the government.
NOTE: There would be strong consideration for Indigenous CSPs while implementing the Cloud
First Value Proposition except where cloud requirements or capabilities do not exist locally. At the
same time, the cloud service provision would be highly competitive.
The rationale for the Cloud First value proposition is based on the following:
1. Reduced Capital Cost;
2. Efficiency;
3. Digital Service Innovation; and
4. Digital Service Innovation
See Appendix A1.0 for an explanation of the rationale for the Cloud First value proposition.
1.3 National Strategic Intent for Cloud Adoption
The strategic intent for cloud adoption is hinged on the following:
1. Responsive and efficient public service delivery;
2. Public sector digital transformation;
3. Local ICT industry development and growth, including SMEs;
4. Resources Savings; and
5. Opportunities to better manage human resources
See Appendix A2.0 for an explanation of the national strategic intent for cloud adoption.
1.4 The Goal
The goal of this Policy is to ensure a 30% increase in the adoption of cloud computing by 2024 among Federal
public institutions (FPIs) and SMEs that provide digital-enabled services to the government. The Policy
also targets 35% growth in cloud computing investments by 2024.
Specifically, the cloud computing policy is to achieve the following objectives by 2024:
1. an enabling environment for the private sector to increase cloud computing infrastructure investments by
35%;
2. clear direction and programs that ensure the attainment of a 30% increase in cloud adoption and
migration by the public sector and SMEs that provide services for the government; and
3. an enabling and competitive business environment for Nigerian cloud service providers (CSPs) and/or
cloud service consulting (CSC) firms to operate efficiently and profitably in the cloud marketplace.
The cloud computing policy provides key facts that support the need for cloud adoption by PIs and
those SMEs that provide IT-enabled services to the government. These facts are hinged on the need for
efficiency and real-time access to the computing resources required by the government to provide highly
accessible, quality services to the populace.
1.5 Making Cloud Computing Deployment and Service Models Choices
The Cloud Computing Policy recognizes three internationally well-known cloud deployment models and
three service models. Public Institutions and SMEs that are willing to adopt cloud computing will
need to make strategic choices of deployment models and services that meet their business objectives
and computing requirements. The following will help PIs and SMEs make these strategic decisions.
The Policy recognizes three deployment models; they are categorized in Figure 1.0 according to
the level of data sensitivity.
Figure 1.0: Categories of Cloud Deployment Model
Deployment Model: Level of Data Sensitivity
Private Cloud: Sensitive data (National Information Security data) and mission-critical applications
Public Cloud: Public, non-sensitive or non-confidential data and non-mission-critical applications
Hybrid Cloud: A combination of sensitive and non-sensitive data with a mix of mission-critical and non-mission-critical applications
The service models are described as presented in Figure 2.0.
Figure 2.0: Cloud Computing Service Model as recognized by Nigeria Cloud Computing Policy.
Source: Ray Rafaels
Table 1.0 presents the risk and responsibility that PIs and SMEs must note before making a service
model choice. It also prescribes the level of Information Technology (IT) expertise required to
implement each service model and the category of PIs that should opt for it. In addition, it makes
recommendations for PIs on the choice of a cloud service model based on the level of data they generate
(sensitive or otherwise) and the level of control they have over computing resources.
PIs are categorized into the following three levels of expertise:
1. High IT Expertise
2. High to Moderate IT Expertise
3. Less IT Expertise
Table 1.0: A Guide for Choosing Cloud Computing Service Model

Delivery Type: IaaS
Risk and responsibility: The cloud consumer builds the application without worrying about the infrastructure requirements. The security responsibility is equally divided between the cloud service provider and the cloud consumer. In this model, the risk is segregated and layered. It is also a shared risk model.
Prescription for PIs or SMEs:
Data: The IaaS option is suitable for PIs who generate sensitive data (especially citizens’ data), or who use or keep other PIs’ data.
Control: No control over IT infrastructure (networking, servers, virtualization), but control over operating systems, storage and deployed applications, and a degree of control over select networking components (e.g. host firewalls).
Level of IT Expertise: High

Delivery Type: PaaS
Risk and responsibility: The cloud consumer brings the application expertise along with licenses, data, and resources, and consumes the platform shell. This model is used by consumers who either lack infrastructure skills or want to save on high capital expenditure (capex). The security responsibility starts to tilt more towards the cloud provider. However, the service provider bears higher risk than the consumer, as the provider supports more layers. Similar to IaaS, this is a shared risk model.
Prescription for PIs or SMEs:
Data: The PaaS option is suitable for PIs who use or keep other PIs’ data. They can also generate data (either sensitive or not), but not as much as in the case of IaaS. They build software applications in-house (either through their own personnel or outsourced). Recommended for SMEs that build software applications for the government.
Control: PIs have control over the configuration of the application development and hosting environment and fair control over IT platforms. No control over IT infrastructure.
Level of IT Expertise: High to Moderate

Delivery Type: SaaS
Risk and responsibility: The cloud consumer does not have the necessary skills, time, or resources to set up an application ecosystem and manage it. No upfront capex requirement. The security responsibility is mostly with the cloud provider; the consumer is mainly responsible for securing client-side vulnerabilities. The service provider bears most of the risk.
Prescription for PIs or SMEs:
Data: The SaaS option is suitable for PIs who do not frequently generate data (either sensitive or not) or use data generated by other PIs. They are more concerned about their operational efficiency. Recommended for SMEs that provide cloud service consulting and manage cloud applications for PIs.
Control: No control over IT infrastructure and platforms. Less control over the application.
Level of IT Expertise: Less IT expertise
The business objectives and computing availability requirements of PIs and SMEs are broadly
categorized into Data Security and Service Availability. These are the major factors for choosing a
deployment model and the corresponding service model. Table 2.0 presents the relationship between
the models. It guides PIs and SMEs to make choices that meet their computing requirements based on
data security and service availability.
Table 2.0: Cloud Service Model and Delivery Model Matrix
(Rows: Delivery Model; columns: Service Model)

Private cloud
SaaS: Data security requirements by consumers are low, but a high level of service availability is expected from cloud providers. Vice versa between providers & consumers.
PaaS: Data security requirements by consumers are between high and moderate, with a high to moderate level of service availability expected from cloud providers. Vice versa between providers & consumers.
IaaS: Data security requirements by consumers are very high, and the level of service availability expected from cloud providers is high. Vice versa between providers & consumers.

Public cloud
SaaS: Data security requirements by consumers are low, and the level of service availability expected from cloud providers is between low and moderate. Vice versa between providers & consumers.
PaaS: Data security requirements by consumers are moderate to high, and the level of service availability expected from cloud providers is high to moderate. Vice versa between providers & consumers.
IaaS: Data security requirements by consumers are moderate, and the level of service availability expected from cloud providers is high. Vice versa between providers & consumers.

Hybrid cloud
SaaS: Data security requirements by consumers are between low and moderate, and the level of service availability expected from cloud providers is moderate to high.
PaaS: Data security requirements by consumers are high to moderate, and the level of service availability expected from cloud providers is moderate to high.
IaaS: Data security requirements are high to moderate, and the level of service availability expected from cloud providers is high.
CHAPTER TWO:
STRATEGIES FOR IMPLEMENTING CLOUD COMPUTING POLICY STATEMENTS
There are statements in the Cloud Computing Policy that require certain actions to be taken by NITDA,
PIs, CSPs, and other relevant stakeholders. Implementation of these actions will lead to the actualization of
the Policy goal and objectives. The actions demand certain strategies for their implementation, and the
strategies are further broken down into strategic initiatives.
Therefore, this chapter presents the critical statements/issues in the Nigeria Cloud Computing Policy and
the implementation strategy (or strategies) for each statement. Strategic initiatives are proposed to implement
each strategy. Each statement is presented as follows.
2.1 Procurement
Traditional purchasing practices and contract terms may hinder the scalable, cost-effective, and
innovative nature of cloud computing. Procurement is a central issue in the development of cloud
computing. Nigerian procurement law supports yearly procurement contracts, whereas cloud service
contracts are structured on a “pay as you go” basis. To ensure cloud adoption growth, this challenge
must be addressed appropriately. The following strategies and their strategic initiatives will be adopted.
Strategy 1.0
Development of cloud procurement regulation.
Strategic Initiatives
The following strategic
1. BPP and NITDA, in consultation with relevant stakeholders, will develop a Cloud Procurement
Regulation.
2. BPP and NITDA will monitor and ensure compliance with the provisions of the regulation.
Strategy 2.0
Establishment of Digital Marketplace
Strategic Initiatives
1. Design and develop Nigerian Cloud Digital Marketplace.
2. NITDA, in collaboration with relevant stakeholders, will set up governance structure, business
models and operational plan for Nigerian Cloud Digital Marketplace.
2.2 Data Classification
PIs are going to have vastly different types of information, and the information will contain varying
levels of sensitivity. The Nigeria Cloud Computing Policy proposed the data classification presented in
Figure 3.0. A detailed explanation is available in the Policy.
Figure 3.0: Information security levels
For proper implementation of this data classification by PIs and SMEs that provide services for the
government, the following strategy shall be taken into consideration.
Strategy 3.0
Development of a cloud data classification guide. This will assist cloud stakeholders to classify cloud
data.
Strategic Initiatives
1. NITDA, in consultation with relevant stakeholders, will provide a data classification guide
based on the data classification framework in the Policy and other parameters. The guide will be published
on the Nigerian Cloud Digital Marketplace.
NOTE: Table 3.0 provides a template for cloud stakeholders to properly classify their cloud data.
Table 3.0: Template for calculating data security and sensitivity.

Classification Criteria | Min. - Max. Score | Max. Score
Critical National Data/Information (including National Security Info) | = 3 (Mandatory) | 3
Data containing Personally Identifiable Persons | = 3 (Mandatory) | 3
Transactional Data with a certain level of Business/operational Information (High level = 3, Medium level = 2 and Low level = 1) | Between 1 and 3 | 3
Confidentiality (Limited = 1, Serious = 2 and Severe or Catastrophic = 3) | Between 1 and 3 | 3
Integrity (Limited = 1, Serious = 2 and Severe or Catastrophic = 3) | Between 1 and 3 | 3
Availability (Limited = 1, Serious = 2 and Severe or Catastrophic = 3) | Between 1 and 3 | 3
Total Score | |
2.3 International Dimensions of Cloud Computing
Strategy 4.0
Development of balanced data localization and cross-border data flow guidelines
Strategic Initiatives
1. NITDA will develop cross-border data flow guidelines for efficiency purposes.
2. Provide CSPs’ identification framework based on cross-border data flow guidelines
2.4 Service Level Agreement and Consumer Protection
The quality and reliability of services become important as PIs and SMEs migrate to the cloud. It is
important to ensure that the rights of consumers and service takers are protected in the cloud space.
Strategy 5.0
Develop an SLA Template for Cloud engagement
Strategic Initiatives
a. NITDA will collaborate with relevant cloud stakeholders to develop an SLA template for Cloud
engagement
b. NITDA will make the SLA template available on the digital marketplace
Strategy 6.0
Stakeholders’ collaboration for the protection of consumers’ rights.
Strategic Initiatives
1. NITDA will engage and partner with Federal Competition and Consumer Protection
Commission (FCCPC) and other relevant stakeholders to ensure monitoring, compliance and
enforcement with the provisions of consumer protection in the Cloud Computing Policy.
2.4 Information Security
The goal of information security in the cloud environment is to protect the confidentiality, integrity and
availability of government data. Therefore, in order to ensure information security, cloud service
providers must put measures in place to ensure data confidentiality, integrity and availability.
Strategy 7.0
Development of National Cloud Computing Security Guidelines
Strategic Initiatives
1. NITDA, in collaboration with relevant stakeholders, will develop national cloud computing data
security guidelines.
2.5 Cloud Interoperability
The Nigeria Cloud Policy will enable rapid adoption and the growth of cloud computing. Many CSPs
will operate in the space and consumers of cloud services might want to port from one CSP to another.
The following strategy will be adopted to manage interoperability requirements in addition to adoption
of Nigeria e-Government Interoperability Framework (Ne-GIF) and ISO/IEC 17203:2011 as specified
in the Nigeria Cloud Computing Policy.
Strategy 8.0
Development of Nigeria cloud interoperability guidelines
Strategic Initiatives
1. NITDA, in collaboration with relevant stakeholders, will develop Nigeria cloud
interoperability guidelines. The guide will provide direction for cloud consumers to navigate
cloud interoperability requirements. It will consider important areas of interoperability as
prerequisite requirements for choosing a CSP and ensuring cloud interoperability.
See Appendix A3.0 for the interoperability requirements that are the focus areas of the guidelines.
2. NITDA will make the Nigeria cloud interoperability requirements available on the digital
marketplace.
2.7 Migration to The Cloud
Moving to the cloud requires an orchestrated migration plan to mitigate the risks involved. The
following strategy will be implemented to ensure PIs and SMEs migrate to the cloud successfully.
Strategy 9.0
Develop a cloud migration guide for PIs and SMEs
Strategic Initiatives
1. NITDA, in collaboration with relevant stakeholders, will develop a cloud migration guide. The
guide will serve as a template to be followed by PIs and SMEs while migrating to the cloud. The
cloud migration guide will consider the important steps for cloud migration. In the meantime,
consumers are advised to be guided by the following migration steps and requirements.
See Appendix A4.0 for the cloud computing migration steps and requirements that are the focus
areas of the guidelines.
2. NITDA will publish the cloud migration guide on the digital marketplace portal.
3. NITDA will monitor cloud migration through the IT project clearance committee and other
monitoring mechanisms.
2.8 Workforce and Skills
Cloud adoption means a complete change in the way information technologies are acquired and deployed
by PIs and SMEs. The change also cuts across organisational processes and people. People are going
to play a major role in the adoption process; they are its main drivers. If people with the right
skills are not involved in the cloud adoption process, the objectives of the exercise
might be defeated. Effective cloud adoption by PIs will depend on developing talent and acquiring
professional IT credentials. The strategy for building the right skills among the public sector workforce
and SMEs is highlighted as follows.
Strategy 10.0
Facilitate the development of special skills for cloud computing in the public sector and among targeted
SMEs.
Strategic Initiatives
1. Partnership with the private sector (training outfits) and development partners to build the cloud
capacity of PI personnel and SMEs.
See Appendix 5.0 for the focus areas of cloud computing capacity.
2. Partnership with strategic organisations (such as SMEDAN) to build cloud adoption skills
and capacity for targeted SMEs.
2.9 Vendor Lock-in & Data Withdrawal
Circumstances might require PIs or SMEs to migrate from one CSP to another or to use multiple CSPs
to accomplish business objectives. Also, data sovereignty and localization regulatory requirements
might require PIs and SMEs that provide services to the public sector to move government data and their
hosting platforms onshore at any time. Therefore, PIs and SMEs should avoid vendor
lock-in and ensure that data withdrawal is possible whenever it is required. The following strategy will be
adopted to avoid vendor lock-in and ensure data withdrawal is seamless.
Strategy 11.0
Develop vendor lock-in avoidance guide
Strategic Initiatives
1. NITDA will provide a cloud vendor lock-in avoidance guide.
See Appendix 6.0 for the focus areas of the vendor lock-in avoidance guide.
2.10 Cloud Registration and Certification
To guarantee trust, build the confidence of cloud consumers and ensure there is sanity in the cloud
computing space, NITDA will register and certify Indigenous CSPs that have met certain standards.
Certified Indigenous CSPs will be the beneficiaries of the “Nigeria Cloud First Policy”. NITDA will adopt
the following strategies to implement CSP registration and certification.
Strategy 12.0
Registration of Indigenous CSPs
Strategic Initiatives
1. NITDA will establish a registration process for CSPs.
2. Registration of Indigenous CSPs.
Strategy 13.0
Develop National Cloud Certification Criteria based on international standards and best practices
Strategic Initiatives
1. NITDA will develop National Cloud Certification Criteria
See Appendix 7.0 for the focus areas of the certification criteria.
2. NITDA will publish the Cloud Certification Criteria on Nigerian Cloud Digital Marketplace.
3. NITDA will certify Indigenous CSPs based on the Certification Criteria
2.11 Cloud Audit and Reporting
The Nigeria Cloud Computing Policy requires a CSP to provide satisfactory audit reports or respond to
audit requests by NITDA or other statutory bodies. The following strategies will be adopted to
implement the cloud audit and reporting requirements.
Strategy 14.0
Establish cloud system audit and reporting process.
Strategic Initiatives
1. Audit and reporting process: NITDA will establish an audit and reporting process for Indigenous
CSPs.
2. Annual voluntary report: NITDA shall request CSPs to provide a voluntary annual audit report.
See Appendix 8.0 for the assessment metrics that would form part of the CSPs’ reporting template.
CHAPTER THREE:
NIGERIA CLOUD COMPUTING GOVERNANCE
3.1 National Cloud Governance
In order to ensure coordination of cloud computing projects and procurement within and across PIs and
SMEs that provide IT-enabled services to the government, it is important to institutionalize a
governance structure that governs cloud implementation from planning and architecture through to
deployment, allows seamless switching from one CSP to another, and allows unclouding (moving
back out of the cloud) where the need arises, in a sustainable manner. Cloud services need to be adopted
as an integral part of the organization’s existing operating model. The absence of a governance structure
that establishes standards and provides clear direction and consistency in managing cloud services can
undermine cloud benefits and create unforeseen risks (security, privacy and financial) and complexity,
rather than interoperability and simplicity.
The proposed national cloud computing governance establishes the structure upon which the goal and
objectives of the Nigeria Cloud Computing Policy will be achieved. It is the structure that governs the
implementation of the strategic initiatives established by the “Cloud Computing Implementation Strategy”.
Figure 4.0 presents the proposed national cloud computing governance at the Federal level.
Figure 4.0: National Cloud Computing Governance
Presidency: Promoting the national vision for cloud computing (leadership).
FMC: Supervising policy implementation and promoting investment.
Budget & National Planning: Putting cloud computing as part of the National IT deployment plan.
NITDA: Coordinating implementation across FPIs; clearing cloud projects by FPIs; regulating the cloud computing space; facilitating strategic partnerships and investments; and carrying out cloud computing assessment.
Federal Competition and Consumer Protection Commission (FCCPC): Promoting a competitive cloud market and consumer protection.
Bureau of Public Procurement (BPP): Providing cloud procurement regulation with support for cloud purchasing models.
FPIs and SMEs: Implementing cloud computing projects.
CSPs: Providing cloud services to FPIs & SMEs.

3.2 Public Institution Cloud Computing Governance
Aside from the national governance, each FPI or SME that provides IT-enabled services to the government is
expected to develop its own cloud governance structure internally, in order to ensure that IT acquisition and
deployment align with the national goal and its business objectives.
Adopting cloud creates a shift in the responsibilities of IT/ICT departments: a shift from technical work to
contract negotiation, and from establishing key performance indicators to vendor management. This shift in
responsibilities contributes to the IT department’s changing role from operators of technology to governors
of systems and processes, and it requires establishing a cloud governance model that everyone must
follow.
The cloud governance model will enable IT and the business to collaborate in defining the right strategy for configuration, migration, management and disposition of cloud services. It defines roles and responsibilities and holds PIs to account for IT investment decisions and resource management in cloud computing adoption. It will also contain the unnecessary complexity and cost increases that can arise from uncoordinated procurement of cloud services.
However, IT personnel will need to acquire new skills as they transition from operators and tacticians
to vendor managers and governors. These skills, as itemized in the section on workforce and skills,
include understanding not only contractual obligations and service management, but also new and
emerging technologies and processes that may help to better manage cloud services.
The governance structure in each PI and SME will need to span the three pillars of people, process and technology and encompass the entire cloud life cycle, from identification and configuration to migration, management and decommissioning.
NOTE: PIs and SMEs are advised to follow and be guided by this governance model when deploying and migrating to the cloud. The whole cloud life cycle should be planned and governed within the cloud governance domains, bearing in mind people, process and technology.
Figure 5.0: Organisational Cloud Computing Governance Model
See Appendix 9.0 for the explanation on the cloud computing governance model for PIs and SMEs
CHAPTER FOUR:
IMPLEMENTATION PLAN
The first implementation road map to achieve the goal of the Nigeria Cloud Computing Policy spans a period of five (5) years (between 2019 and 2024) and is divided into short, medium and long term respectively, as set out in Tables 4.0, 5.0 and 6.0.
Table 4.0: Strategy Implementation road map (Short-term); implementation timeline 2019-2021
Each row gives: S/n | Strategy | Strategic initiatives | Major action by | Timeline
1.0 | Strategy 1.0: Development of cloud procurement regulation
    Initiatives: (1) BPP and NITDA, in consultation with relevant stakeholders, will develop a Cloud Procurement Regulation; (2) BPP and NITDA will monitor and ensure compliance with the provisions of the regulation.
    Major action by: BPP & NITDA | Timeline: 2019
2.0 | Strategy 3.0: Development of a data classification guide
    Initiatives: (1) Provision of a data classification guide based on the data classification framework in the Policy and other parameters.
    Major action by: NITDA | Timeline: 2019
3.0 | Strategy 4.0: Development of balanced data localization and cross-border data flow guidelines
    Initiatives: (1) NITDA will develop cross-border data flow guidelines; (2) provision of a CSP identification framework based on the cross-border data flow guidelines.
    Major action by: NITDA | Timeline: 2019
4.0 | Strategy 5.0: Develop an SLA template for cloud engagement
    Initiatives: (1) Development of an SLA template for cloud engagement.
    Major action by: NITDA | Timeline: 2019-2021
5.0 | Strategy 7.0: Development of National Cloud Computing Security Guidelines
    Initiatives: (1) Development of national cloud computing data security guidelines.
    Major action by: NITDA & ONSA | Timeline: 2020-2021
6.0 | Strategy 9.0: Develop a cloud migration guide for PIs and SMEs
    Initiatives: (1) Development of the cloud migration guide.
    Major action by: NITDA | Timeline: 2020
7.0 | Strategy 12.0: Registration of indigenous CSPs
    Initiatives: (1) Establishment of the registration process; (2) registration of indigenous CSPs.
    Major action by: NITDA | Timeline: 2020-2021
8.0 | Strategy 13.0: Develop National Cloud Certification Criteria based on international standards and best practices
    Initiatives: (1) Development of the National Certification Criteria; (2) certification of indigenous CSPs.
    Major action by: NITDA | Timeline: 2021
Table 5.0: Strategy Implementation road map (Medium-term); implementation timeline 2022-2023
Each row gives: S/n | Strategy | Strategic initiatives | Major action by | Timeline
1.0 | Strategy 11.0: Develop a vendor lock-in avoidance guide
    Initiatives: (1) Development of the vendor lock-in avoidance guide.
    Major action by: NITDA | Timeline: not given in the source table
2.0 | Strategy 2.0: Establishment of a Digital Marketplace
    Initiatives: (1) Design and development of the Nigerian Cloud Digital Marketplace; (2) setting up the governance structure, business models and operational plan for the Nigerian Cloud Digital Marketplace; (3) publication of the cloud migration guide on the Nigerian Cloud Digital Marketplace portal; (4) publication of the Cloud Certification Criteria on the Nigerian Cloud Digital Marketplace; (5) publication of the cloud SLA on the Nigerian Cloud Digital Marketplace.
    Major action by: NITDA | Timeline: 2022
3.0 | Strategy 14.0: Establish a cloud system audit and reporting process
    Initiatives: (1) Establishment of an audit and reporting process for indigenous CSPs; (2) request for CSPs’ annual voluntary report.
    Major action by: NITDA | Timeline: 2022-2023
4.0 | Strategy 10.0: Facilitate the development of special skills for cloud computing in the public sector and among targeted SMEs
    Initiatives: (1) Partnership with the private sector (training outfits) and development partners to build the cloud capacity of PI personnel and SMEs (NITDA & CSPs); (2) partnership with strategic organisations such as SMEDAN to build cloud adoption skills and capacity for targeted SMEs (NITDA & SMEDAN).
    Major action by: NITDA & CSPs; NITDA & SMEDAN | Timeline: 2022-2023
Table 6.0: Strategy Implementation road map (Long-term); implementation timeline 2024
Each row gives: S/n | Strategy | Strategic initiatives | Responsibility | Timeline
1.0 | Strategy 8.0: Development of Nigeria cloud interoperability requirements
    Initiatives: (1) Develop cloud interoperability guidelines; (2) publish the cloud interoperability requirements on the digital marketplace.
    Responsibility: NITDA | Timeline: 2023
2.0 | Strategy 6.0: Stakeholders’ collaboration for the protection of consumers’ rights
    Initiatives: (1) Monitoring, compliance and enforcement of the consumer protection provisions in the Policy.
    Responsibility: NITDA & FCCPC | Timeline: 2020-2024
3.0 | Strategy 9.0: Develop a cloud migration guide for PIs and SMEs
    Initiatives: (1) Monitoring of cloud migration by PIs through NITDA’s IT clearance committee.
    Responsibility: NITDA | Timeline: 2019-2024
Table 7.0: Specialized Strategies; implementation timeline 2019-2024
Each row gives: S/n | Strategy | Strategic initiatives | Responsibility | Timeline
1.0 | Cloud Computing Readiness Assessment
    Initiatives: (1) Conduct a cloud computing readiness assessment across all sectors of the economy.
    Responsibility: NITDA | Timeline: 2019-2020
2.0 | Promotion of Cloud Migration
    Initiatives: (1) Monitor and enforce compliance with the Cloud First value proposition by FPIs and SMEs; (2) extension of cloud computing adoption programmes to sub-national PIs; (3) provision of cloud migration technical assistance to FPIs through the NITDA IT clearance committee.
    Responsibility: NITDA | Timeline: 2019-2024
3.0 | Cloud Computing Code of Conduct
    Initiatives: (1) Development of an indigenous Cloud Computing Code of Conduct.
    Responsibility: CSPs & NITDA | Timeline: 2022-2024
4.0 | Promotion of Investment in Cloud Computing Systems in Nigeria
    Initiatives: (1) Provision of incentives to indigenous CSPs; (2) encouragement and creation of an enabling environment for cloud computing investments.
    Responsibility: NITDA, CSPs, BPP | Timeline: 2020-2024
5.0 | Monitoring, Compliance and Enforcement
    Initiatives: (1) Continuous monitoring, compliance and enforcement of the provisions of the Nigeria Cloud Computing Policy and compliance framework.
    Responsibility: NITDA, BPP & FCCPC | Timeline: 2019-2024
CHAPTER FIVE:
NIGERIA CLOUD COMPUTING POLICY COMPLIANCE AND ENFORCEMENT FRAMEWORK
5.1 Compliance Framework
The Nigeria Cloud Computing Policy states the following:
1. The CSP shall maintain the utmost integrity to protect the data and meet the security
requirements set forth by NITDA; and
2. Data shall not be stored, shared, processed, or modified by CSP in any way that compromises
the integrity of the data.
Therefore, NITDA shall ensure compliance with, and enforce, the above statements through the following compliance and enforcement framework.
1. NITDA shall identify and register all CSPs operating in Nigeria through a registration process and guidelines.
2. NITDA shall certify CSPs operating in Nigeria based on the NITDA Cloud Certification Criteria to be published on the Nigerian Cloud Digital Marketplace.
3. NITDA will develop and maintain a database of all CSPs and their services on the digital marketplace platform.
4. CSPs shall be required to submit a report to NITDA annually, or as may be requested.
5. Where applicable, PIs and SMEs shall ensure compliance with the provisions of the Cloud Computing Policy and/or compliance framework.
6. NITDA shall, within the next 3 years, ensure implementation of the strategies and strategic initiatives in this document.
7. NITDA shall employ the following compliance tools:
Self-Reporting: NITDA will provide templates and a technology platform for self-reporting or filings by CSPs.
In the absence of a technology platform, CSPs or any other entity shall submit a physical copy of the report to NITDA in the following manner:
I. The report shall be addressed to the Director General of NITDA.
II. The Director General shall direct the department responsible for regulation, monitoring and
enforcement to handle the report.
III. The report shall clearly specify the following:
a. The full name of the entity;
b. Title of the report
A soft copy of the report, as indicated above, can be submitted to NITDA’s official email:
Verification: Where necessary, NITDA shall verify audit information submitted by CSPs and PIs to
ensure its accuracy, veracity and validity.
Monitoring: NITDA shall institute a systematic, continual or periodic, active or passive observation of
CSPs and PIs’ cloud systems to ensure compliance with general rules and processes laid down.
Audit: Where necessary, NITDA shall investigate or examine records, processes and procedures of
CSPs and PIs to ensure they are in compliance with the requirements of the policy and/or compliance
framework. This will be based on NITDA’s established cloud system audit and reporting process
8. If there is any breach of the provision of the policy and compliance framework, NITDA shall
enforce it through the following enforcement process or framework:
Figure 6.0:Enforcement framework
Surveillance: Where necessary, NITDA shall institute a specific and deliberate monitoring exercise to identify breaches of the policy and/or compliance framework.
Complaint Filing: Where necessary, NITDA may accept complaints filed by NITDA’s personnel or any interested party regarding non-compliance with the provisions of the Policy and/or compliance framework. The complaints must meet the following requirements:
I. A complaint must be filed in writing, either on paper or electronically.
II. A complaint must name the person or entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable provision(s) of the policy and framework.
Investigation: NITDA will investigate any complaint filed against a CSP or PI when a preliminary review of the facts indicates a possible violation of the provision(s) of the cloud policy and/or compliance framework. In the case of third-party filings, NITDA shall investigate any complaint filed by third parties, and may also do so on the basis of a special audit or “spot check”.
Administrative Sanctions: Where NITDA has ascertained that a CSP is in breach of any of the provisions of the cloud policy and compliance framework, NITDA may issue an order for compliance. NITDA may also issue other administrative orders, including:
I. Suspension of service pending further investigations;
II. An order for the CSP in breach to appear before a panel to determine the level of liability;
III. A public notice warning the public to desist from patronizing or doing business with the CSP; and
IV. Referral of the CSP in breach to another Self-Regulatory Organization (SRO) for appropriate sanctions.
Criminal Sanction: Where NITDA has determined that a CSP is in breach of the cloud policy and compliance framework, it may seek to sanction officers of the organization as provided for in Section 17(x) of the NITDA Act 2007. NITDA shall seek a fiat of the Honourable Attorney General of the Federation (HAGF) or may file a petition with any sanctioning authority in Nigeria. These may include the Economic and Financial Crimes Commission (EFCC), the Department of State Services (DSS), the Nigeria Police Force (NPF), the Independent Corrupt Practices and Other Related Offences Commission (ICPC) or the Office of the National Security Adviser (ONSA), among others.
5.2 General Enforcement Process
Table 8.0: Cloud Computing General Enforcement
Each row gives: S/n | Enforcement activity | Description of action
1 | Documentation of Breach
    1. At this stage a report, memo, petition or complaint must be officially submitted to NITDA through the office of the Director General of NITDA.
    2. The document must be duly signed by an officer of NITDA or by the external complainant.
    3. For an external complaint, the document must be written and signed by an individual (in a personal capacity), a group (of persons or companies) or a registered entity (registered with the CAC).
2 | Request for Additional Information and Investigation
    If NITDA is not sufficiently briefed, or needs further information to reach a conclusion on a breach of the policy and/or compliance framework, the following procedure should be employed:
    1. A “Request for Additional Information” should be issued to the complainant, the alleged violator or any other party who may be in a position to provide clarity on the facts of the alleged breach.
    2. Invite relevant parties to an “Investigation Meeting” to elicit facts to establish the breach.
    3. Request an investigation in partnership with law enforcement agencies.
3 | Continuation or Termination of Enforcement Process
    Where NITDA is satisfied that there is prima facie evidence of a breach, NITDA can:
    1. Request a response from the violator, stating the allegations against them;
    2. Where NITDA finds the explanation of the alleged violator coherent and sufficient, respond to the allegation and terminate enforcement.
4 | Notice of Enforcement
    Where NITDA is satisfied that a breach of the Cloud Computing Policy and/or compliance framework has occurred:
    1. NITDA will issue a “Notice for Enforcement” citing the specific breach and demanding mandatory compliance within a specific time frame from the date of service of the notice (30 days or 60 days, as the case of breach may demand).
    2. NITDA may issue an administrative fine or penalty in line with extant regulation.
5 | Issuance of Public Notice (OPTIONAL)
    NITDA may consider issuing a public statement warning the public and other agencies of Government of the dangers of dealing with a violator who has breached the provision(s) of the Cloud Computing Policy and/or compliance framework.
6 | Request for Sanction
    1. Where a violator does not take steps to address the breach, or consult with NITDA on the steps to be taken to remedy it, after the period stated in the “Notice for Enforcement”; or
    2. Where the Regulation only provides for sanction of the violator in accordance with Section 17(x) of the NITDA Act;
    3. NITDA may file an official Petition or Notice for Sanction to the Office of the Attorney General of the Federation, stating the following:
       i. The original complaint;
       ii. The enforcement process initiated by NITDA; and
       iii. The implication of the violator’s action for the development of ICT in Nigeria.
    4. A copy of the notice should be copied to the Presidency and the Office of the Secretary to the Government of the Federation (OSGF).
9. NITDA shall ensure PIs and SMEs put appropriate governance structure in place for
Cloud project implementation.
Appendix
Appendix A1.0: Rationale for the “Cloud First” value proposition
1. Reduced Capital Cost: The reduction in capital cost is achieved by avoiding the initial cost of acquiring and deploying IT infrastructure and other computing resources, hiring technical personnel, and maintaining and managing resources, as well as by taking advantage of the economies of scale offered by the cloud;
2. Efficiency: Efficiency is realized through real-time and on-demand self-provisioning of computing resources. Cloud computing offers public institutions and SMEs the agility needed for responsive digital service delivery. NITDA has observed erratic digital service delivery in the country for certain critical government services: once traffic for a particular digital service peaks, citizens and government customers experience delays in getting the service. Strategic adoption of cloud computing would largely eliminate this;
3. Digital Service Innovation: Digital service innovation will be strongly promoted through adoption of cloud because of the edge gained from cloud efficiency;
4. Elasticity: The cloud has the ability to provide customized computing services as needed; computing capacity can be shrunk or grown based on demand. This lets public institutions and SMEs pay as they use, reducing waste of computing resources;
5. Information Security: Because of the security requirements for protecting the data of businesses and certain government operations, Cloud Service Providers (CSPs) deploy the latest security measures and controls on the cloud. CSPs are better placed to offer strong security and to implement Business Continuity Plans than individual organisations running their own server rooms and data centers. The customer nonetheless remains responsible for the controls on its own side of the engagement, as set out in step X of Appendix A4.0.
Appendix A2.0: National Strategic Intent for Cloud Adoption
1. Responsive and efficient public service delivery and public sector digital transformation:
Government agencies will leverage cloud to provide responsive and efficient public service in a
transparent manner. This includes the ability to provide better healthcare, social amenities, justice,
public safety, and education services among others.
2. Local ICT industry development and growth, including SMEs: Cloud technologies will create a competitive advantage in favour of small to medium enterprises (SMEs) that provide computing services to the Government. By adopting cloud technology, SMEs hold immense potential for generating employment opportunities, developing indigenous technology, diversifying the economy and forward-integrating with established sectors such as banking, telecommunications, and oil and gas, among others.
3. Resource Savings: Migrating to the cloud can help streamline processes in many public institutions in Nigeria. Systems are dispersed among organisations, creating inherent inefficiencies in the national public IT architecture. Instead of consolidating these services on a central government platform, which may be too rigid to meet the needs of individual organisations’ applications, contracting cloud services can both drive efficiencies and enhance the customisation of IT service solutions. Cost savings will also be expressed through:
4. Opportunities to better manage human resources: Qualified IT professionals are a scarce
resource in Nigeria and around the world. Using those resources to handle routine issues like
server maintenance, patching, and other low-level support activities is wasteful of their training,
experience, and talent. By moving these process-oriented tasks to cloud service providers, public
institutions can invest in their human resources to re-train them for value-adding skills and
activities, such as customised application development and innovative services.
Appendix A3.0: Cloud Computing Areas of Interoperability Guide
Consumers and CSPs should be aware of the following areas of interoperability:
I. Data Portability;
II. Application Portability;
III. Platform Portability;
IV. Application Interoperability;
V. Platform Interoperability;
VI. Management Interoperability; and
VII. Publication & Acquisition Interoperability.
In addition, the guide will also consider the following as prerequisite requirements for choosing a CSP:
I. Standard user interfaces, APIs, protocols and data formats for SaaS;
II. Open cloud technologies for platform and application dependencies for PaaS;
III. Standard or widely accepted packaging and data-access formats for IaaS, such as the Open Virtualization Format (OVF), the Cloud Data Management Interface (CDMI) and Docker images; open and/or standard business interfaces and APIs will also be considered;
IV. The use of standard enterprise integration tools such as a Cloud Management Platform (CMP) to manage integration, interoperability and portability between multiple cloud and on-premise services;
V. Support for standard security technologies;
VI. Service-oriented architecture (SOA) design principles; and
VII. Standard enterprise access management capabilities.
Appendix A4.0: Cloud Computing migration steps and requirements
These steps and requirements will form part of the cloud migration guide. They begin with identifying which cloud services (SaaS, PaaS and/or IaaS) and which data will be provided, and establishing from where the services will be provided.
I. Establishment of where the migration will occur:
a. In-house data center (on premise), owned and operated by the organization.
b. External data center (off premise), outsourced to a commercial cloud service provider.
II. Definition of the cloud deployment model to be used:
a. Public cloud: available for use by the general public and located on the premises of the cloud service provider.
b. Private or community cloud: the cloud infrastructure is dedicated to a specific organization or community of customers. The community may consist of organizations that share common concerns (e.g., missions, security, policy, compliance guidelines, etc.). It may be located on the premises of the customer or of the cloud service provider.
c. Hybrid cloud: a combination of two or more of the above deployment models (public, community or private).
III. Development of the migration/implementation approach:
a. Conduct a Proof of Concept and define a set of requirements for implementation.
b. Implement in full or in phases, i.e. implement all requirements at once or in incremental phases, based on a cost vs. benefits vs. risk analysis that defines the implementation strategy. A phased approach is recommended.
c. Phasing strategies may include the following:
i. Implement a set of requirements, based on priorities, that have an immediate operational impact and are achievable in the specified time.
ii. Migrate low-risk capabilities first to learn lessons and refine plans for future increments.
iii. Implement requirements in an evolutionary manner in which solutions are implemented, evaluated and improved incrementally.
IV. Identify the framework to be used for the migration. The migration framework in the Nigeria Cloud Computing Policy is recommended.
Figure 7.0:Cloud Migration Decision framework
V. Risk management/mitigation.
a. Identify actual and possible implementation risks that may adversely impact (or are impacting) implementation, and lay out a mitigation strategy for them.
b. Consider risks at the cloud provider’s and cloud customer’s locations as well as in the transport (communications) network connecting them. Also consider the risks of integrating new cloud technology with legacy systems, networks, infrastructure, processes, etc.
c. Categorize risks by impact and likelihood to ensure that risks are addressed by priority.
d. Identify operational risks that may adversely impact the capability once it is operational. These risks may be due to natural, technological or human causes, and may be universal or geographically dependent.
e. Risk mitigation:
i. Develop risk mitigation strategies for both implementation and operational risks.
ii. Determine testing requirements to ensure the new capabilities are operating as planned/needed.
f. Determine the need for availability and reliability standards, which drive the following considerations to minimize risks and provide resiliency (the ability to recover from issues):
i. Need for redundancy of equipment and/or communications paths (networks).
ii. A continuity of operations plan (COOP) or disaster recovery (DR) plan, and possibly an alternative site in case of long-term or catastrophic failure.
g. Track these risks in a documented Risk Registry that identifies the risks, priorities, mitigation strategies, responsibilities, dates for resolution, level of risk and status.
h. Consider a fallback plan to restore services to their original state in case of implementation failure.
VI. Involve experts (acquisition and contract officers) early to help define the acquisition
and contract strategy.
a. Determine requirements for acquiring, upgrading, replacing, or eliminating
equipment, software, communications infrastructure, etc. A gap/redundancy
analysis can help with this.
b. Leverage open, vendor-neutral standards to provide open competition and avoid
becoming locked in to a specific vendor.
VII. Establish an approach to performance management/measurement.
a. Define the expected/required Quality of Service (QoS) metrics in the form of:
i. Service Level Agreements (SLAs) describing the expectations for how services will be delivered to the customer (e.g., reliability, availability and maintainability requirements; incident response times; etc.), as itemized in the SLA template.
ii. Operating Level Agreements (OLAs) describing the expectations for how the service delivery organization will work with supporting organizations.
b. Identify:
i. The specific performance metrics to be captured.
ii. The minimum acceptable threshold values and the target values.
iii. How they will be captured (i.e., the tools to capture them, and how the tools will need to be configured).
iv. How and when they will be reported.
VIII. Plan for and acquire the necessary financial and staffing resources to cover the initial acquisition and implementation costs as well as life cycle sustainment costs.
a. Identify the estimated funding required to cover:
i. Acquisition costs:
• Data center hardware (infrastructure, storage, services, etc.).
• Software (applications, licensing, etc.).
• Networking hardware (routers, switches, etc.).
• Transport costs.
• Support costs (logistics, training, manpower/personnel).
ii. Contract costs.
iii. Life cycle operations and sustainment costs:
• O&M costs.
• Manpower/personnel.
• Logistics.
• Training.
• Software acquisition or licensing fees.
• Life cycle replacement.
• Facility requirements (e.g., power, air conditioning, cabling, floor space).
b. Identify new or changed staffing requirements to support the migration and follow-on O&M. This should address both numbers and skill sets.
c. Ensure the necessary funding and staffing are available in time. The cloud migration budget should be submitted as early as possible to mitigate funding risk.
IX. Identify the activities required to transition from the current “As Is” to the new “To Be” cloud environment.
a. Establish a mechanism to identify and track completion of transition activities.
b. Review/update the relevant processes and governance.
c. Establish training requirements for new technologies, tools, processes, governance, etc.
d. Establish/update staffing requirements if anything changes.
e. Prepare facilities for new equipment or staff, and ensure the facilities can handle any changes that impact the physical structure (e.g., power, air conditioning, cabling, etc.).
f. Over-communicate transition events with supported and supporting organizations.
g. At the time of transition, arrange for the turnover of key materials such as passwords and other credentials, and rotate any shared secrets once they have changed hands so that the outgoing party no longer holds working access.
X. Identify and plan for security and privacy related activities
a. Define and implement appropriate security controls at both the cloud provider
and cloud consumer locations.
b. Identify cloud security standards, framework, and security/privacy best practices,
such as those developed by the Cloud Security Alliance.
c. Ensure certification, accreditation, or other operating authorization actions are
planned and scheduled, and necessary authorizations to migrate and operate are
in place on time.
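Step V above asks for a documented Risk Registry with priorities, owners, dates and status, but does not show what operating one looks like. The following Python is an added example written for this guide; it is not code from NITDA or from the strategy itself. The register fields, the three-level likelihood/impact scale, the score thresholds and the five sample risks are assumptions constructed for illustration.

```python
"""Added example: a cloud-migration risk register as described in step V of the
migration guide. Not part of the NITDA strategy; the field names, the three-level
likelihood/impact scale, the score thresholds and the sample entries are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Assumed ordinal scale; the guide only asks that risks be categorised by
# impact and likelihood so they can be addressed by priority (step V.c).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    risk_id: str
    description: str
    phase: str           # "implementation" (V.a) or "operational" (V.d)
    location: str        # "provider", "customer", "transport" or "integration" (V.b)
    likelihood: str      # low / medium / high
    impact: str          # low / medium / high
    mitigation: str      # mitigation strategy (V.e.i)
    owner: str           # responsibility (V.g)
    due: date            # date for resolution (V.g)
    status: str = "open" # open / mitigated / accepted (V.g)

    @property
    def score(self) -> int:
        """Likelihood x impact on the 1..9 scale assumed here."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    @property
    def level(self) -> str:
        """Bucket the score into the 'level of risk' column of the registry."""
        if self.score >= 6:
            return "high"
        if self.score >= 3:
            return "medium"
        return "low"


def build_register() -> List[Risk]:
    """Constructed sample entries; hypothetical, not from any real migration."""
    return [
        Risk("R1", "Integration with the legacy staff directory fails",
             "implementation", "integration", "medium", "high",
             "Pilot directory federation in the proof of concept first",
             "integration lead", date(2019, 9, 30)),
        Risk("R2", "Single transport path between the PI network and the CSP region",
             "operational", "transport", "low", "high",
             "Procure a second link from a different carrier",
             "network lead", date(2019, 10, 31)),
        Risk("R3", "Staff unfamiliar with the CSP management console",
             "implementation", "customer", "high", "medium",
             "Vendor-led training before the phase 1 cut-over",
             "training lead", date(2019, 8, 15)),
        Risk("R4", "Regional outage at the CSP",
             "operational", "provider", "low", "high",
             "DR plan with restore to a second region; test quarterly",
             "service owner", date(2019, 12, 31)),
        Risk("R5", "Test data copied to the cloud contains live records",
             "implementation", "customer", "medium", "low",
             "Mask data before every test load",
             "data owner", date(2019, 7, 1), status="mitigated"),
    ]


def prioritised(register: List[Risk]) -> List[Risk]:
    """Highest score first; the earlier due date breaks ties."""
    return sorted(register, key=lambda r: (-r.score, r.due))


def overdue_ids(register: List[Risk], today_iso: str) -> List[str]:
    """IDs of open risks whose resolution date has passed (for the status review)."""
    today = date.fromisoformat(today_iso)
    return [r.risk_id for r in register if r.status == "open" and r.due < today]


def level_counts(register: List[Risk]) -> Dict[str, int]:
    """How many risks sit in each level of risk."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for r in register:
        counts[r.level] += 1
    return counts


if __name__ == "__main__":
    reg = build_register()
    for r in prioritised(reg):
        print(f"{r.risk_id} {r.level:6} score={r.score} due={r.due} "
              f"{r.status:9} {r.owner:16} {r.description}")
    print("overdue on 2019-09-01:", overdue_ids(reg, "2019-09-01"))
```

With the sample register, R3 and R1 both score 6 and come out on top, R3 first because it is due earlier, and on 1 September 2019 R3 is the only open risk past its resolution date (R5 is also past its date but already mitigated). The register is deliberately plain data so that it can be exported to whatever tracker the PI already uses.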
Appendix 5.0: Focus Areas of cloud computing capacity
I. In-house cloud set up: The following areas of skills and competencies among others are needed
for PIs’ personnel that are to build internal cloud competencies
a. Concept of Virtualization
b. Cloud configuration and Management
c. Cloud Migration planning & implementation
d. Cloud Deployment within Multi-Cloud Environments
e. Cloud Security
f. Database Skills
g. Programming Skills
h. Linux Skills
i. DevOps
j. Quality Assurance
k. Information Security
II. Outsourced Cloud Service:
a. Cloud deployment and service delivery models: Decision on Public, Private and Hybrid
deployment models as well as IaaS, PaaS and SaaS service delivery models.
b. Business and financial skills
c. Enterprise Architecture and Business Needs Analysis
d. Serverless Architecture
e. Cloud Migration planning & implementation
f. Project Management
g. Contract and Vendor Negotiation
h. Security and compliance
i. Data Integration and Analysis
Appendix 6.0: Focus areas of vendor lock-in avoidance guide
The guide shall take into consideration the following:
I. Identification of the primary cloud vendor lock-in risks:
a. Data transfer risk
b. Application transfer risk
c. Infrastructure transfer risk
d. Human resource knowledge risk
II. Criteria for choosing a CSP. The criteria should include the following:
a. Service Dependencies and Partnerships
b. Contracts, Commercials and SLAs
c. Reliability and Performance
d. Security and Compliance
e. Infrastructure Management
f. Migration Support, Vendor Lock-in and Exit Planning
g. Certification and Standards (standard interfaces and APIs)
h. Technologies and Service Roadmap
Appendix 7.0: Focus areas of cloud computing certification criteria
I. A set of requirements for virtualization, cloud architecture, operations, performance, security, interoperability, data privacy, data portability, regulatory compliance and governance, drawing on the contents and recommendations of:
a. International cloud certification bodies (such as the Cloud Security Alliance, the Computing Technology Industry Association and EuroCloud StarAudit, among others) suitable for CSPs operating IaaS, PaaS and/or SaaS cloud service models, and also in the area of cloud security issues;
b. Industry-standard cloud certifications such as the Certificate of Cloud Security Knowledge, ISO/IEC 27001:2013, ISO/IEC 27018 (code of practice for cloud privacy), Cloud Certified Professional and CompTIA Cloud Essentials, among others;
c. Others, including the Cloud Industry Forum (CIF) Code of Practice and “Controls and Assurance in the Cloud: Using COBIT 5”.
Appendix 8.0: CSPs Audit Report Metrics
Evidence for the following assessment metrics will be required and will form the template for the CSP audit report:
I. Security of Cloud Resources
a. Physical security
b. Hosting and data logic security
c. Authentication and authorization
d. Cloud users’ access approval processes
e. Review processes for super and regular users’ access and authorization to cloud applications
f. Network connections and data transmission
II. Data protection policies, procedures and practices at both the Cloud Service Provider and user organizations
a. Type and sensitivity of data sent to and potentially stored in the cloud
b. Compliance with data protection requirements (in line with the Nigeria Data Protection Regulation, NDPR)
c. Evidence of compliance with internationally recognized cloud best practices
d. The CSP’s policies and procedures to protect stored data
e. The CSP’s evidence of international cloud certification
f. The level of access (create/read/update/delete) that the CSP’s personnel have to the data, particularly sensitive information, and to the other cloud-installed and configured infrastructure, platforms and applications
III. Risks related to the use of virtual operating systems in a multi-tenant cloud
a. Risks associated with virtualization and the multi-tenant environment, especially the patch status of the hypervisor and the process for monitoring and patching known vulnerabilities in hypervisor technology
b. Assessment of collaboration among multiple CSPs
c. Protection of logs
IV. Procedures related to incident management, problem management, change and access management in the context of the use of cloud services
a. Operational process documentation: policy, procedures, roles and responsibilities
b. Compliance with the Service Level Agreement (SLA)
c. Appropriate use of monitoring tools and reports
d. Compliance with the business continuity plan
V. Compliance with national regulatory requirements
a. Compliance with the country’s regulatory requirements such as the Nigeria Data Protection Regulation (NDPR) and the National Cybersecurity Policy (NCPS)
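Two of the metrics above, the review of super and regular users’ access (I.e) and the create/read/update/delete level that CSP personnel hold on sensitive data (II.f), can be checked mechanically from an entitlement export. The following Python is an added example for this appendix, not code from NITDA or any CSP’s audit tooling. The record layout, the review intervals (90 days for super users, 180 for regular users), the read-only limit for provider staff on sensitive data, and all sample records are assumptions constructed for illustration.

```python
"""Added example (not part of the NITDA strategy): an access-review check over
constructed CSP entitlement records, exercising audit metrics I.e and II.f above.
Record layout, review intervals, the read-only limit for provider personnel and
all sample data are assumptions made for this example."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set


@dataclass
class Entitlement:
    user: str
    org: str             # "csp" = provider personnel, "pi" = customer staff
    role: str            # "super" or "regular"
    data_class: str      # "sensitive" or "public"
    perms: Set[str]      # subset of {"create", "read", "update", "delete"}
    last_review: date    # when the access was last reviewed and re-approved


# Assumed review policy: super users every 90 days, regular users every 180.
REVIEW_INTERVAL_DAYS: Dict[str, int] = {"super": 90, "regular": 180}

# Assumed limit: provider personnel may hold at most read on sensitive data.
CSP_ALLOWED_ON_SENSITIVE: Set[str] = {"read"}


def sample_entitlements() -> List[Entitlement]:
    """Constructed records; hypothetical, not taken from any real CSP report."""
    return [
        Entitlement("ops-admin-01", "csp", "super", "sensitive",
                    {"create", "read", "update", "delete"}, date(2019, 1, 10)),
        Entitlement("support-07", "csp", "regular", "sensitive",
                    {"read"}, date(2019, 5, 2)),
        Entitlement("dba-02", "pi", "super", "sensitive",
                    {"create", "read", "update", "delete"}, date(2019, 5, 20)),
        Entitlement("clerk-11", "pi", "regular", "public",
                    {"read", "update"}, date(2018, 11, 1)),
        Entitlement("backup-svc", "csp", "regular", "sensitive",
                    {"read", "delete"}, date(2019, 4, 1)),
    ]


def excess_csp_access(entries: List[Entitlement]) -> List[str]:
    """CSP personnel holding more than the allowed level on sensitive data (metric II.f)."""
    return [e.user for e in entries
            if e.org == "csp" and e.data_class == "sensitive"
            and not e.perms <= CSP_ALLOWED_ON_SENSITIVE]


def stale_reviews(entries: List[Entitlement], today_iso: str) -> List[str]:
    """Accounts whose last access review is older than their role allows (metric I.e)."""
    today = date.fromisoformat(today_iso)
    return [e.user for e in entries
            if (today - e.last_review).days > REVIEW_INTERVAL_DAYS[e.role]]


def audit_findings(entries: List[Entitlement], today_iso: str) -> Dict[str, List[str]]:
    """The two finding lists an auditor would attach to the report template."""
    return {"excess_csp_access": excess_csp_access(entries),
            "stale_reviews": stale_reviews(entries, today_iso)}


if __name__ == "__main__":
    for name, users in audit_findings(sample_entitlements(), "2019-06-01").items():
        print(f"{name}: {users}")
```

Run against the sample records on 1 June 2019, the check flags ops-admin-01 and backup-svc for holding write or delete rights on sensitive data from the provider side, and ops-admin-01 (a super user last reviewed in January) and clerk-11 (a regular user last reviewed the previous November) for overdue access reviews. The same two functions run unchanged over a real entitlement export once it is loaded into the same record shape.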
Appendix 9.0: Explanation of proposed cloud computing governance model for PIs and SMEs
Identification: The identification cycle is a preparatory stage where the computing resources (network,
servers, operating systems, storage, database, programming language, applications, services etc.) to be
procured, acquired and deployed are planned, analysed and documented.
Configuration: The configuration stage involves selecting and configuring the computing resources in
alignment with the organization’s business objectives for cloud adoption, both on-premise and in the
cloud respectively. It also involves selecting the CSP service options best suited to the organization’s business
objectives.
Migration: This involves the process of moving data, applications or other business elements from on-
premise to the Cloud Service Providers’ cloud computing environment, as well as between CSPs’ cloud
computing environments. The strategy for cloud migration is prescribed in the Migration to the Cloud
section.
Management: The management cycle involves the exercise of administrative control over public, private
and hybrid cloud delivery models; over IaaS, PaaS and SaaS cloud service models; as well as the
management of multiple services across different CSPs. It is recommended that standard Cloud
Management Tools are adopted. Management may include self-service capabilities, workflow
automation and cloud analysis, among others, and it is best governed when there is formal Cloud Portfolio
Management (CPM) in place.
Decomposition: This is the process of decommissioning cloud services or migrating from the cloud back to
on-premise.
The following explains six domains that span the entire cloud lifecycle:
Procurement/Finance management. Adopting cloud requires a shift from the traditional budgeting
system, which is annual in the public sector. A new cloud procurement regulation should suffice for
cloud financial planning and management. It is recommended that PIs take advantage of the new
procurement regulation to be established by BPP.
NOTE: FPIs should consider appointing a cloud finance subject matter professional who
understands the total cost of ownership of cloud services, can track service consumption and can
provide cost transparency in line with the new cloud procurement regulation.
Cloud service provider management. It is imperative for PIs/SMEs to have a properly integrated
business ecosystem that enables them to have a single view of their cloud services. They are to understand
who is accountable for managing cloud services and establish a framework by which IT and the
business/mandate have a clear understanding of the performance metrics and contract requirements with
cloud vendors.
Cloud Portfolio management (CPM): The ability to manage cloud investments requires establishing a
formal framework for Cloud Portfolio Management (CPM). Cloud portfolio management provides a
means by which an organization can control and govern existing services, new services, as well as the
cloud providers and the relationship with them. PIs/SMEs should consider aligning their cloud portfolio
with their organizational portfolio more broadly to determine additional opportunities and risks associated
with adding a cloud portfolio. Managing a cloud portfolio requires:
2. Provider Relationship Management (PRM): A critical requirement of Cloud Portfolio
Management is to manage the provider relationships. FPIs and SMEs should learn how to develop
strategic relationships with key CSPs and proactively manage the relationship from a contractual
as well as from a technology transfer perspective. This is far more than the mere vendor management
performed by procurement professionals. PRM requires a closer and collaborative relationship
with key CSPs to facilitate advance previews of new services, R&D collaboration, early trials of
new services, as well as joint planning for service adoption.
3. Manage a Portfolio of Cloud Services: Another key requirement of Cloud Portfolio Management
is managing many different cloud services from all providers. All the services in the catalog must
be managed effectively, ensuring they add value to the organisation’s strategic objectives.
A portfolio of cloud services requires the following, among others:
4. Aggregate Services into a Catalog: As part of the portfolio management process, the organisation’s
available cloud services must be aggregated into a single cloud catalog for easy management.
5. Manage service equivalents across CSPs: This is to provide redundancy for heavily-used and
mission-critical services. This must be done in a strategic manner.
6. Compare cloud service performance across CSPs: Continually analyse and evaluate the relative
service performance of CSPs.
Managing cloud services using portfolio management best practices will help ensure that the best cloud
solutions and services are available, with a basis for cloud pricing arbitrage. Specifically, a cloud portfolio
approach will:
i. Streamline the management of multiple cloud resource pools, both public and private;
ii. Avoid lock-in to a particular cloud vendor;
iii. Gain visibility and governance of cloud usage across the enterprise;
iv. Maintain the security and reliability of critical systems in the cloud;
v. Measure cloud resource consumption and enforce budgets;
vi. Prevent waste and optimize spend levels; and
vii. Ensure that applications and data are in compliance with both internal policies and
regulations.
Integration/interoperability: The problem of interoperability or integration is caused by the fact that
each vendor's cloud environment supports one or more operating systems and databases, each cloud
contains hypervisors, processes, security, a storage model, a networking model, a cloud API, licensing
models and more. The governance structure by FPIs and SMEs should provide procedures that ensure
integration and interoperability from resource and technology perspectives.
Architecture: Cloud adoption should be reflected in the overall enterprise architecture of each FPI and
that of the country, that is, the Nigeria Government Enterprise Architecture (NGEA) framework. As
such, organizations need to clearly articulate the vision and goals of stakeholders through the cloud
enterprise architecture.
Operations: To sustain cloud service operations, FPIs and SMEs should establish a desk office to address
and support cloud-specific issues for a better and seamless user experience. Clear organization and
assignment of authority will set the scope for the appropriate control, escalation and exception
management systems.
Definitions
Small and Medium Enterprises (SMEs): refers to enterprises which have an annual turnover
not exceeding Five Hundred Thousand Naira (N500,000).
Public Institutions (PIs): means Ministries, Departments, Extra-Ministerial Departments and
Agencies of Government at Federal, State and Area Council levels.
Federal Public Institutions (FPIs): means Ministries, Departments, Extra-Ministerial
Departments and Agencies of Government at the Federal level.
Cloud Computing: refers to a computing model for ubiquitous, convenient, on-demand and real-
time network access to a pool of configurable and rapidly provisioned computing resources
(networks, servers, storage, applications and services, among others) required by and available
to FPIs and SMEs to carry out their businesses and operations.
Cloud Service Providers (CSPs): refer to local and/or international cloud computing service
providers rendering service to FPIs and SMEs in Nigeria.
Cloud Stakeholders: Comprised of the PIs, FPIs, SMEs and CSPs
Cloud Migration: refers to the process of moving data, applications, hardware, software,
network infrastructure and/or other business elements and services to a cloud computing
environment.
Cloud Adoption: refers to the process or strategy that provides incentives for public
institutions and SMEs to use cloud computing for their computing requirements in a way that
is efficient and sustainable.
Cloud First Policy: refers to the Federal Government of Nigeria’s strong commitment and
support for cloud computing service adoption, especially from local cloud service providers,
as a first-choice consideration when deploying and accessing computing resources in the public
sector and by the SMEs that provide computing services to the public sector.
In-house/On-premise: refers to computer systems that are located within the physical confines
of Federal Public Institutions and SMEs in Nigeria.
Vendor lock-in: refers to a situation in which an FPI or SME using the cloud product or service
of a cloud service provider cannot easily transition to a competitor’s cloud product or service.
Public Cloud: Cloud infrastructure provisioned for open use by the general public. It may be
owned, managed, and operated by a business, academic, or government organisation, or some
combination of them.
Private Cloud: Cloud infrastructure provisioned for exclusive use by a single organisation. It
is managed and operated by the organisation, a third party, or some combination of them. It
may be located on- or off-premises.
Hybrid Cloud: Cloud infrastructure which is a composition of two or more distinct private
and public cloud infrastructures, which remain unique entities but are bound together by
standardised or proprietary technology that enables data and application portability.
Infrastructure as a Service (IaaS): refers to a multi-tenant cloud service where the consumer
does not manage or control the underlying cloud infrastructure, but has control over operating
systems, storage and deployed applications, and possibly limited control of select networking
components (such as host firewalls).
Platform as a Service (PaaS): refers to a delivery model where the consumer does not manage or
control the underlying cloud infrastructure, including networking, servers, operating systems
or storage, but has control over the deployed applications and possibly the application hosting
environment configurations.
Software as a Service (SaaS): refers to a delivery model where the consumer does not manage or
control the underlying cloud infrastructure, including network, servers, operating systems,
storage or individual application capabilities, with the possible exception of limited user-
specific application configuration settings.
Cloud Data: Refers to data produced or commissioned by government, government controlled
entities or government service providers (e.g. SMEs) which is hosted in the cloud.
The Policy: refers to Nigeria Cloud Computing Policy.