DICT Releases Circular on Cloud Policy, Adopts “Cloud First” Approach
In a circular dated 18 January 2017, the Department of Information and Communications Technology (‘DICT’) prescribed the government’s policy on the use of cloud computing technology. The policy is meant to reduce costs, increase employee productivity, and develop excellent citizen online services. The circular covers all departments, bureaus, offices, and agencies of the national government, as well as GOCCs and LGUs.
Under the circular, ‘cloud computing’ is defined as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources. It recognises that cloud computing has brought new and more efficient means of managing government information technology resources. As such, it adopts the ‘cloud first approach’ and mandates government departments and agencies to consider cloud computing solutions as a primary part of their info-structure planning and procurement. Moreover, it adopts the same as the preferred ICT deployment strategy for administrative use and delivery of government online services. Nevertheless, this preference has an exception: when it can be shown that an alternative ICT deployment strategy meets special requirements of a government agency, is more cost effective from a total cost of ownership perspective, and demonstrates at least the same level of security assurance that a cloud computing deployment offers.
The Philippines currently has an initial Government Cloud (‘GovCloud’) infrastructure that was set up in 2013. The DOST-ICT Office did so as part of the Integrated Government Philippines (‘iGovPhil’) Project that aims to provide cloud infrastructure access to government agencies. In order to expand and fulfil the cloud service requirements in the public sector, the DICT will be developing a list of accredited cloud service providers.
The department is looking at five deployment models, namely: Private (exclusive use by a single organization), Virtual Private (a virtual private cloud environment off premise with strong isolation, which may provide dedicated infrastructure), Community (exclusive use by a specific community of users from agencies or organizations that have shared concerns), Public (open use), and Hybrid (two or more distinct cloud infrastructures that remain unique entities, but are bound together by standardized or proprietary technology).
With regard to security, government data is classified into three tiers, each with distinct access and storage requirements: Non-sensitive or Unclassified Data (stored on accredited public cloud or the Philippine GovCloud); Restricted or Sensitive Data (stored on accredited public cloud or the Philippine GovCloud, with encryption requirements); and Confidential or above-Sensitive Data (requires private cloud deployment with specific encryption requirements). Data security would be a shared responsibility of the contracting agency and the cloud service provider. Government institutions will retain full control and ownership over their data, with identity and access controls available from the providers to restrict access to customer infrastructure and data.
Lastly, the circular states that the accreditation process for cloud service providers will be provided by the DICT, including the baseline security assurance requirements needed before being listed on GovCloud.