Strategic, Privacy and Security
Considerations for Adoption of Cloud and
Emerging Technologies in the Caribbean
May 27, 2014
Prepared for Ministers and Senior Officials from the Caribbean and distinguished
participants and attendees of the Caribbean Telecommunications Union (CTU), the
Commonwealth Secretariat, the Organization of American States (OAS), and the
International Telecommunication Union (ITU) on the occasion of the Caribbean
Stakeholders’ Meeting: The Importance of ICTs and their Impact on Regional
Development, May 26-28, 2014 in Port of Spain, Trinidad.
For more information, please contact:
Frances Correia, Country Manager, Trinidad and Tobago, Microsoft Corporation,
Josemaria Valdepenas, National Technology Officer for Latin America and the
Caribbean, Microsoft Corporation, [email protected]
Roberto Arbelaez, Chief Security Advisor for the Americas and the Caribbean, Microsoft
Corporation, [email protected]
Marie-Michelle Strah, National Cloud Enterprise Architect and WW Enterprise
Information Management Lead, Microsoft Corporation, [email protected]
Zohra Tejani, Senior Attorney, Legal Affairs Director, Worldwide Public Sector, Microsoft
Corporation, [email protected]
Miguel Sciancalepore, Attorney, Digital Crimes Unit Regional Lead, Microsoft
Corporation, [email protected]
This paper is for informational purposes only. Because Microsoft must respond to
changing market conditions, the information contained in this document is subject to
change; it should not be interpreted to be a commitment on the part of Microsoft, and
Microsoft cannot guarantee the accuracy of any information presented after the date of
publication. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY,
AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable laws is
the responsibility of the user. Subject to the foregoing, the content of this document is
licensed to you as follows:
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs
3.0 United States License.
Table of Contents
Section 1: Emerging Technologies and Cloud for eGovernment: Strategic Considerations
  National Cloud and eGovernment
  Considerations for Cloud Computing
Section 2: Key Considerations when Partnering with Private Sector Cloud Service Providers: A Brief Overview
  Security at the Core
  Data Privacy and Transparency
  A Note about Security and Privacy Certifications
  Regulatory Compliance and Policies
Section 3: The Growing Threat of Cybercrime: Overview
  Private Sector Role in Fighting Cybercrime
  Tools and Technologies Developed by Microsoft to help Governments fight Cybercrime
Section 1: Emerging Technologies and Cloud for eGovernment: Strategic Considerations
1. Introduction
Governments around the world can benefit greatly from advances in cloud computing
and emerging technologies: to deliver government and citizen services, drive innovation
and knowledge transfer from the private sector, increase transparency and accountability,
accelerate economic development and transformation, and protect data privacy and
security. In addition, federal, state, and local governments and non-governmental
organizations (NGOs) are adopting Open Data initiatives powered by the cloud to extract
insight and support better decision-making, ultimately transforming how agencies work,
engage citizens, and provide eGovernment services.
2. National Cloud and eGovernment
National Cloud is aggregate cloud computing for multiple public sector entities within a
country; it helps governments save money, deliver more effective services, and
compete more effectively in the global economy. Governments at all levels (local,
regional, and national) recognize the new opportunities that cloud computing offers for
creating an agile and flexible IT infrastructure that supports their services. For today’s
government leaders and CIOs, the cloud presents an opportunity to rethink the role IT
plays in accomplishing strategy.
Enable Governments to Save Money: National Clouds help reduce delivery costs
while also increasing hardware utilization and staff efficiency. By consolidating
existing resources and pooling hardware, facilities, operations, and electricity,
governments can consume computing resources on demand, and likely at a lower
overall cost.
Improve Government Service Delivery: National Clouds enable end-to-end
solutions with common user experiences and the ability to grow dynamically to fit
changing governmental needs. They let agencies offer applications and services that
support government innovation, including cost-effective applications designed for
the cloud that scale dynamically to meet demand.
Help Governments Transform to Be More Effective and Globally Competitive:
National Clouds empower governments to get precisely the services and capabilities
they need by moving to the cloud when and how they want. Data and applications
can be available on-premises, through the private and/or public cloud, enabling
agencies to configure to the combination most compatible with their needs.
Example: Driving an Open Data Initiative
Because it makes services available over the network, the cloud frees governments from
standardizing on specific devices or servers. That way, constituents can access services
from any device, whether mobile phones, tablets, laptops, or desktops. In its first move
into the cloud, the UK’s Transport for Greater Manchester hosted an open data platform
to foster mobile app development and enable greater mobile device usage by its
employees, citizens, and visitors.
3. Considerations for Cloud Computing
What’s challenging for a government agency is to sort through the universe of cloud
offerings and determine the right cloud solution and the right service provider for their
particular political and business requirements, ecosystem, and organizational culture.
Public clouds, managed in data centers by a provider, can be agile and budget-
friendly, providing scalability and cost benefits. Public clouds are often the most cost
effective and scalable options. They offer a security-enhanced environment, but
may not be fully compliant with privacy regulations and may impose rigid limitations
on configurability. In a public cloud, the cloud provider keeps the environment
continuously up to date.
Private clouds, whether run by the government itself or managed by a service
provider (on-premises or hosted by a third party), give the government more direct
control over security for the most sensitive and private data.
While these are more customizable and offer the government more control, the
costs of a private cloud may be higher because the agency must also purchase
and manage the infrastructure.
When building a private cloud, the government or service provider needs to build
continuous process improvements into the design so the system can evolve from
the moment it goes into production.
A mix of private, service provider and public clouds in a hybrid cloud can
provide an optimal balance of cost and control, but it requires strategy, planning and
an enterprise architecture approach up front to drive value realization and alignment
of IT with the political and economic goals of the country (i.e. not “infrastructure for
infrastructure’s sake”).
eGovernment and Planning for the Cloud
When deciding whether to deploy IaaS, PaaS or SaaS solutions in public, private, service
provider or hybrid clouds, there are several steps to take into consideration.
1. Establish the Business Case
a. Develop a national cloud strategy aligned to the political and economic goals of
the country
b. Assess cloud readiness of the country (ICT, power, legal and procurement
frameworks)
c. Examine TCO (total cost of ownership) of options presented below
2. Develop a National Information Strategy
a. Adopt Information architecture and Enterprise Information Management
approaches
b. Develop programs to determine data classification, sovereignty and locality
c. Implement rigorous identity and access management programs
3. Conduct an Application Portfolio Rationalization
a. Adopt an Enterprise Portfolio Management approach to application lifecycle
management (ALM) and development
b. Adopt security standards in design for trustworthy computing
c. Use the information architecture (IA) and EIM models to break through application
and data silos and introduce efficiencies
d. Leverage API economy and Open Data Initiatives to drive application
development
4. Map National Cloud Opportunities
a. Explore the market for national data centers and shared services
b. Explore the market for aggregation and cloud brokerage
c. Create demand and go to market strategies for customers to adopt national
cloud
d. Improve eGovernment services through national cloud use
5. Assess Human Resources Challenges
a. Use public procurement as a tool to support local IT sector and workforce
development
b. Develop strong public-private partnerships with strategic private sector
entities for strategy, implementation and support
6. Designing for Performance and Security: Hybrid Cloud Architectures
a. Steps 1-5 above are critical business and information architecture
components of national cloud
b. The research and analysis in steps 1-5 will clarify cloud transformation and
migration strategies as well as drive business requirements for hybrid cloud
architectures
c. Develop roadmap and governance framework
References:
United Nations. Department of Economic and Social Affairs. Guidelines on Government
Data for Citizen Engagement.
http://workspace.unpan.org/sites/Internet/Documents/Guidenlines%20on%20OGDCE%20May17%202013.pdf
United Nations Conference on Trade and Development. Information Economy Report
2013: The Cloud Economy and Developing Countries.
http://unctad.org/en/PublicationsLibrary/ier2013_en.pdf
Prepared by: Marie-Michelle Strah, PhD, National Cloud Enterprise Architect and WW
Enterprise Information Management Lead, Microsoft Corporation.
Section 2: Key Considerations when Partnering with Private Sector Cloud Service
Providers: A Brief Overview
Enterprise cloud services, from productivity software-as-a-service to workloads or apps
in cloud operating systems, can help governments serve their citizens more effectively
and cost-efficiently. However, the e-Government destination necessarily involves a
journey with check-points on security, data privacy and transparency, and regulatory
compliance. What are the key considerations for governments when partnering with
cloud service providers on this journey?
Security at the Core: Global cloud service providers operate millions of servers, a
footprint that translates into cost efficiencies in buying and deploying hardware and
even in negotiating electricity rates. These providers can justify enormous
investments in security because the cost is spread over many servers and data
centers, in a way that most customers could not justify if they were establishing
their own data center for a few thousand users.
Physical Security. Cloud service providers should offer leading perimeter security at
data centers, environment controls, multi-factor authentication, extensive
monitoring, 24x7 onsite security staff, and days of backup power.
Restricted data access and use. Access to government user data should be
restricted by the cloud service provider. Government user data should be accessed
only when necessary to support the government’s use of the cloud services. Strong
authentication, including the use of multi-factor authentication, helps limit access to
authorized personnel only. Access should be revoked as soon as it is no longer
needed.
Data encryption. The provider should provide data encryption at rest and in transit
between the government user and the provider, with a roadmap for encryption
enhancements.
Incident response. The provider should have a global, 24x7 incident response service
that works to mitigate the effects of attacks and malicious activity. The incident
response team should follow established procedures for incident management,
communication, and recovery, and use discoverable and predictable interfaces
internally and toward government users.
Data Privacy and Transparency
Privacy prioritized. Governments should expect cloud services to be designed for
privacy. For example, are the enterprise cloud services segregated from consumer
cloud services? The provider’s business model (e.g., online advertising) can also
reveal the provider’s priorities. Government users should demand clear contractual
commitments and limitations about how the cloud service provider will use its
customers’ data. For example, the cloud service provider should not use customer
data or derive information from it for any advertising or similar commercial
purposes.
Data ownership, portability, and deletion. Governments should insist on
contractual commitments that confirm the government’s ownership of its data.
Governments should be able to access their data at any time without the assistance of
the cloud service provider. Contract commitments should also include clear
timeframes for when the customer can extract its data and when the provider will
delete the customer data upon the expiration or termination of the cloud services
contract.
Transparency. Private-sector cloud service providers must be transparent and tell
governments where their data will be stored and whether subcontractors will be used
to process that data. To the extent possible, cloud service providers should redirect
law enforcement requests for data to the customer, and reports on such law
enforcement requests should be made available.
A note about security and privacy certifications: Key third-party and government
certifications to look for are listed below. Cloud service providers should be willing to
share third-party verification results.
• ISO/IEC 27001 is a broad international information security management standard.
• ISO/IEC 27018, nearing publication at the time of writing, is a code of practice for
protecting personally identifiable information (PII) in public clouds.
• Service Organization Control (SOC) reports: a SOC 1 Type 2 report covers the design
and operating effectiveness of a service provider’s controls over a period of time (a
Type 1 report covers design only, at a point in time). SOC 1 is scoped to controls
relevant to financial reporting; for security, availability and confidentiality controls,
ask for a SOC 2 Type 2 report.
• UK G-Cloud Security Accreditation: UK Government cloud security program
• FedRAMP/FISMA: US Federal Government cloud security requirements
• Validation by European Union data protection authorities (DPAs) and the
European Commission that contractual commitments meet the rigorous standards
of European Union (EU) privacy law.
Regulatory Compliance and Policies
Existing regulations. Regulations covering special segments of data, such as
healthcare data or financial services information, can pose special compliance challenges
when moving regulated data to the public cloud. However, a trusted private sector
partner can help an agency remain compliant. Examples: see the case studies of
Goodbody, the largest stock broker in Ireland, and the Government of the US Virgin
Islands.
Policy considerations for new regulations. Proposed laws and regulations (or
updates to existing ones) that impact cloud services should strike the right balance.
Two key areas of focus:
Data must be allowed to flow freely. Consistency and predictability of
regulations across countries can help protect data in the cloud while
facilitating private sector operations as data travels across numerous national
borders.
Security from unauthorized access. Prioritizing a safe cloud can help
encourage adoption of cost-effective cloud services.
Cloud services provided by the private sector can be a cost-effective, efficient way to
achieve e-Government goals. However, the right considerations must be made along
the way. Whether developing a procurement tender for cloud services or whether
developing regulations that will govern data in the cloud, it is important to understand
how the private sector can serve as trusted partners for governments in the key areas of
security, data privacy and transparency, and regulatory compliance.
Reference: Facilitando the Cloud: Data Protection Regulation as a Driver of National
Competitiveness for Latin America, Horacio E. Gutierrez & Daniel Korn, Inter-American
Law Review, February 12, 2014.
http://inter-american-law-review.law.miami.edu/facilitando-cloud-data-protection-regulation-driver-national-competitiveness-latin-america/
Prepared by: Zohra Tejani, Senior Attorney, Legal Affairs Director, Worldwide Public
Sector, Microsoft Corporation, [email protected]
Section 3: The Growing Threat of Cybercrime: Overview
The private sector has an important role in helping the public sector fight the
threat of cybercrime. How does Microsoft collaborate?
The private sector has a key role in the fight against cybercrime; a technology
company such as Microsoft has a direct interest in a safe internet for its customers
and consumers.
While there are many types of cybercrime, Microsoft focuses on three areas where it
has an opportunity to make a direct impact toward a safe digital world:
Malware Disruption
IP crimes including piracy
Protecting consumers focusing on vulnerable populations: Child Protection
Malware Disruption
Malware can cause an enormous amount of damage without warning, from stealing
confidential information to stealing large sums of money, and it undermines trust in
the internet and in technology. Microsoft helps protect customers and consumers from
malware and works to raise the cost of doing business for the criminals. Microsoft plays
offense and collaborates with law enforcement on botnet takedowns.
Vulnerable Populations: Child Protection
One focus of Microsoft is addressing the issue of technology-facilitated child sexual
exploitation, particularly the exchange of child pornography. Microsoft works closely
with governments, expert NGOs, researchers, industry, law enforcement and others on
new and important ways to combat these threats to better protect children from further
harm.
IP Crimes including Piracy
Organizations that use unlicensed software (non-genuine or illegal copies) are
exposed to significant legal and security risks. The security risks range from infection
by malicious code (viruses, Trojans, worms, spyware, and so on) to data loss, identity
theft, corruption of the internal network and permanent harm to IT systems,
compromising the organization’s information.
Microsoft Collaboration
Microsoft collaborates with governments through its Digital Crimes Unit, an
international legal and technical team with cybercrime experts across malicious
software crimes, IP crimes, and technology-facilitated child exploitation. The team
comprises more than 100 attorneys, investigators, business professionals, and
forensic analysts.
Since February 2010, for example, Microsoft has disrupted eight botnets tied to criminal
organizations committing consumer, financial and advertising fraud.
Tools and Technologies Developed by Microsoft to help Governments fight
Cybercrime
Cyberforensics: Cyberforensics is a new investigative capability built on state-of-
the-art technology which enables the detection of large-scale cybercrime, such as
online fraud and identity theft, perpetrated by criminals located thousands of miles
away.
CTIP (Cyber Threat Intelligence Program): As part of each of Microsoft’s botnet
takedown operations, it works with Internet Service Providers (ISPs) and Computer
Emergency Response Teams (CERTs) to rescue infected computers from the
control of the botnets and get them cleaned.
For instance, when Microsoft seizes the command-and-control infrastructure
of a botnet, it severs the connection between the cybercriminals running the
botnet and the computers they infected with that botnet’s malware.
These infected computers continue to try to check in with the botnet’s
command-and-control servers for instructions until they are cleaned of the
malware; because that infrastructure is now in Microsoft’s hands (a technique
commonly called sinkholing), the check-ins reveal which networks still contain
infected machines and who needs to be notified. Every day Microsoft’s
system receives hundreds of millions of attempted check-ins from computers
infected with malware such as Conficker, Waledac, Rustock, Kelihos, Zeus,
Nitol, Bamital, Citadel and ZeroAccess.
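The sinkhole workflow described above, as an added example that is not part of the original paper and not Microsoft's CTIP code: once the seized command-and-control domains resolve to a sinkhole, every check-in is a record of an infected machine, and the useful output is a per-network list of infected addresses to hand to the responsible ISP or CERT. The log line format, the domain names, the family labels and the prefix-to-contact table below are all constructed for illustration; the only real data a practitioner would substitute is the seized domain list and a routing or WHOIS-derived prefix table.

```python
"""Aggregate sinkhole check-ins into per-network notification lists.

Added example: this is not Microsoft's CTIP code. The log line format,
the seized C2 domain names, the malware family labels and the
prefix-to-contact table are all constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed: seized command-and-control domains and the family each served.
SINKHOLED_DOMAINS = {
    "c2-a.example.invalid": "FamilyA",
    "c2-b.example.invalid": "FamilyB",
}

# Constructed: address blocks and the network contact that should be notified.
NETWORK_CONTACTS = [
    (ipaddress.ip_network("192.0.2.0/24"), "isp-one"),
    (ipaddress.ip_network("198.51.100.0/24"), "isp-two"),
]

# Constructed sinkhole log, one check-in per line:
#   <timestamp> <source IP> <domain the infected host tried to reach>
SAMPLE_LOG = """\
2014-05-27T10:00:01Z 192.0.2.10 c2-a.example.invalid
2014-05-27T10:00:02Z 192.0.2.10 c2-a.example.invalid
2014-05-27T10:00:03Z 192.0.2.44 c2-b.example.invalid
2014-05-27T10:00:04Z 198.51.100.7 c2-a.example.invalid
2014-05-27T10:00:05Z 203.0.113.9 c2-b.example.invalid
2014-05-27T10:00:06Z 192.0.2.44 other.example.invalid
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return (timestamp, ip, domain) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 3:
        return None
    timestamp, ip_text, domain = parts
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    return timestamp, ip, domain.lower().rstrip(".")


def network_contact(ip):
    """Return the contact for the block containing ip, or None if unknown."""
    for network, contact in NETWORK_CONTACTS:
        if ip in network:
            return contact
    return None


def build_report(log_text):
    """Count check-ins per family and group infected IPs by network contact.

    A source IP is recorded once per family however often it checks in;
    behind NAT one IP may hide many hosts, so host counts are a lower bound.
    """
    by_family = defaultdict(lambda: {"checkins": 0, "hosts": set()})
    by_network = defaultdict(lambda: defaultdict(set))
    unattributed = set()   # infected IPs with no contact in the table
    malformed = 0
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            malformed += 1
            continue
        _, ip, domain = record
        family = SINKHOLED_DOMAINS.get(domain)
        if family is None:
            continue       # not a seized domain, so not evidence of infection
        ip_text = str(ip)
        by_family[family]["checkins"] += 1
        by_family[family]["hosts"].add(ip_text)
        contact = network_contact(ip)
        if contact is None:
            unattributed.add(ip_text)
        else:
            by_network[contact][family].add(ip_text)
    return {
        "by_family": {f: dict(v) for f, v in by_family.items()},
        "by_network": {c: dict(v) for c, v in by_network.items()},
        "unattributed": unattributed,
        "malformed": malformed,
    }


def notifications(report):
    """One line per network contact and family listing the IPs to clean."""
    lines = []
    for contact in sorted(report["by_network"]):
        for family, ips in sorted(report["by_network"][contact].items()):
            lines.append(f"{contact}: {family}: {', '.join(sorted(ips))}")
    return lines


if __name__ == "__main__":
    rep = build_report(SAMPLE_LOG)
    for family, stats in sorted(rep["by_family"].items()):
        print(f"{family}: {stats['checkins']} check-ins from {len(stats['hosts'])} IPs")
    for line in notifications(rep):
        print(line)
    print(f"unattributed: {sorted(rep['unattributed'])}; malformed lines: {rep['malformed']}")
```

Two points the paragraph alone does not make explicit: traffic to a domain that was not seized is deliberately ignored rather than treated as an infection, and an address with no matching prefix is kept in a separate list so that it is escalated (for example to a national CERT) instead of silently dropped.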
PhotoDNA: In 2009, Microsoft, in cooperation with digital imaging expert Dr. Hany
Farid of Dartmouth College, created a technology called PhotoDNA and donated it to the
National Center for Missing & Exploited Children (NCMEC) to help address the distribution
of graphic child pornography online. PhotoDNA has begun to change the way child
exploitation is fought by empowering online service providers to find, report and
eliminate images that would previously have gone undetected, and by helping law
enforcement investigate reported cases more quickly and more efficiently.
SitePrint: A tool that maps online organized crime networks selling illicit products,
built on a unique web site fingerprinting technology. It has been used to dismantle
international organized crime networks (OCNs).
Prepared by: Miguel Sciancalepore, Attorney, Digital Crimes Unit Regional Lead,
Microsoft Corporation, [email protected]