The Department of Information and Communications Technology (DICT) in Philippines has announced the adoption of ‘cloud-first’ approach for the Philippine government. Government departments and agencies will have to consider cloud computing solutions as a primary part of their infrastructure planning and procurement. DICT is the primary governemnt agency in charge of driving the national ICT development agenda.This is an important step towards creating an efficient ICT-enabled government.
The Department Circular (dated 18 January 2017) is applicable to all Departments, Bureaus, Offices, and other Agencies of the National Government, including Constitutional Commissions, Congress, the Judiciary, Office of the Ombudsman, State Universities and Colleges, Government-Owned or -Controlled Corporations and Local Government Units. It also covers private entities that will participate as accredited cloud service providers (CSPs).
Government agencies will have to move to cloud computing as the preferred ICT deployment strategy for internal administrative use and external delivery of government online services. The only allowed exceptions are if the agency can show that an alternative ICT deployment strategy meets special requirements of a government agency or when it can be shown that an alternative ICT deployment strategy has lower Total Cost of Ownership (TCO) perspective and demonstrates at least the same level of security assurance that a cloud computing deployment offers.
The stated objectives are to reduce costs, increase employee productivity and improve citizen online services. This is expected to be achieved through improved inter-agency collaboration, faster deployment of services, enhancing resiliency and security, tighter control over budgets and reduction in spending on legacy infrastructure.
The circular lists five essential characteristics of cloud computing: 1) On-demand self-service (ability to unilaterally provision computing capabilities), 2) Broad Network Access (capabilities available over the network accessible on mobile phones, tablets, laptops and workstations), 3) Resource Pooling (computing resources pooled to serve multiple consumers using a multi-tenant model, with dynamic assignment of physical and virtual resources based on demand), 4) Rapid Elasticity (Elastic provisioning of capabilities to enable rapid inward or outward scaling) and 5) Measured Service (automatic control and optimisation of resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service).
Types of deployment and role of GovCloud
DICT is looking at 5 deployment models, namely, Private (exclusive use by a single organization), Virtual Private (a virtual private cloud environment off premise with strong isolation and may provide dedicated infrastructure), Community (exclusive use by a specific community of users from agencies or organizations that have shared concerns), Public (open use) and Hybrid (two or more distinct cloud infrastructures that remain unique entities, but are bound together by standardized or proprietary technology.)
Philippines also has a Government Cloud (GovCloud), a public service cloud infrastructure provisioned by the DICT for use by government agencies.The GovCloud infrastructure was set up in 2013 by DOST-ICT (Department of Science and Technology-ICT) Office as part of the Integrated Government Philippines (iGovPhil) Project to provide cloud infrastructure access to government agencies. It is a hybrid deployment of on-premise resources controlled and provisioned by DICT along with resources from accredited CSPs.
According to the Circular, as the public sector adopts the cloud first policy, GovCloud will continue to support agencies efforts to adopt cloud solutions according to their requirements.
DICT will develop a list of accredited cloud service providers. The combination of on-premise resources from the DICT, with the resource from accredited CSPs will serve as the new version of GovCloud.
DICT recommends a 3 step process to migrate to the cloud.
Security classification and responsibilities
Protecting data is one of the primary concerns for government agencies moving to the cloud. The new document data classifies data into three tiers and makes cloud deployment recommendations accordingly:
Tier 1: Non-sensitive or Unclassified Data, which can be stored on accredited public cloud or the Philippine GovCloud
Tier 2: Restricted or Sensitive Data, which can be stored on accredited public cloud or the Philippine GovCloud, with encryption requirements
Tier 3: Confidential or above-Sensitive Data, which may require private (on premise) cloud deployment with specific encryption requirements.
Accredited CSPs in the GovCloud will meet international security standards, will be certified appropriately and they will abide by all relevant Philippine laws and industry standards.
Security responsibilities will be shared between the contracting agency and the cloud service provider. The contracting agency will be responsible for selecting and implementing security controls for any workloads that it operates in the cloud. The cloud service provider will be responsible for ensuring that the services used by the contracting agency are highly secure and resilient and remain available on-demand.
Government institutions will retain full control and ownership over their data, with identity and access controls available from the CSP to restrict access to customer infrastructure and data. The Circular mentions that CSPs should not require a long-term contract or exclusivity.
Read the DICT Department Circular here.