Cloud Readiness Pilot Assessment Report
June 2016
Cloud Readiness Toolkit Country Report

This paper, created by The World Bank in collaboration with Accenture, is available under the Creative Commons Attribution 4.0 International (CC BY 4.0) license.

Table of Contents

0 Disclaimer
1 Introduction
  1.1 Contents
    1.1.1 What is Cloud Computing?
    1.1.2 Findings and Recommendations
    1.1.3 Assumptions
    1.1.4 Public Cloud Vendor Comparison
2 What is Cloud Computing?
  2.1 Essential Characteristics
    2.1.1 Resource Pooling
    2.1.2 On-Demand Self-Service
    2.1.3 Rapid Elasticity
    2.1.4 Broad Network Access
    2.1.5 Measured Service
  2.2 Service Models
    2.2.1 Infrastructure as a Service (IaaS)
    2.2.2 Platform as a Service (PaaS)
    2.2.3 Software as a Service (SaaS)
  2.3 Deployment Models
    2.3.1 Private Cloud
    2.3.2 Public Cloud
    2.3.3 Community Cloud
    2.3.4 Hybrid Cloud
    2.3.5 Overview
  2.4 Benefits
    2.4.1 Faster Development of Applications
    2.4.2 Cost Saving
    2.4.3 Improve Operations (Agility and Scalability)
    2.4.4 Disaster Recovery and High Availability
    2.4.5 Modernization
    2.4.6 Technological Advantage or Competition
    2.4.7 Security
  2.5 Risks
    2.5.1 Cost - No economies of scale
    2.5.2 Vendor Lock-In
    2.5.3 Infrastructure
  2.6 Migrating Applications
    2.6.1 Structure
    2.6.2 Dependency
    2.6.3 Connectivity
    2.6.4 Reliability
  2.7 Virtualization
    2.7.1 Overview
    2.7.2 Sizing
  2.8 Conclusions
3 Cloud Readiness Toolkit
  3.1 Country Assessment
    3.1.1 Methodology
  3.2 Application and Infrastructure Assessment
    3.2.1 Methodology
4 Findings and Recommendations
  4.1 Pilot #1 – Serbia
    4.1.1 Summary
    4.1.2 Key Findings
    4.1.3 Deployment Model Recommendation
    4.1.4 Gaps
    4.1.5 Next Steps
  4.2 Pilot #2 – Philippines
    4.2.1 Summary
    4.2.2 Key Findings
    4.2.3 Deployment Model Recommendation
    4.2.4 Gaps
    4.2.5 Next Steps
  4.3 Pilot #3 – Zambia
    4.3.1 Summary
    4.3.2 Key Findings
    4.3.3 Deployment Model Recommendation
    4.3.4 Gaps
    4.3.5 Next Steps
  4.4 Overview of Findings
    4.4.1 Similarities
    4.4.2 Differences
    4.4.3 Recommendations
    4.4.3 Lessons Learned
5 Assumptions
6 Public Cloud Vendor Comparison
7 Glossary
8 Assessment References
9 Report References
10 Participants and Reviewers
  10.1 Serbia
  10.2 Philippines
  10.3 Zambia
  10.4 Toolkit Reviewers
  10.4 Report Reviewers

0 Disclaimer

The Toolkit is a diagnostic and planning tool intended to provide recommendations for action based on existing good practice. It does not constitute technical or legal advice and no inference should be drawn as to the completeness, adequacy, accuracy or suitability of the underlying assessment or recommendations. Without limitation to the immunities and privileges of the Bank under its Articles of Agreement and other applicable laws, the Bank shall not be liable for any loss, cost, damage or liability of any kind as a result of this Toolkit or its use.

1 Introduction

More and more governments are looking to move to a cloud platform. Cloud platforms, when correctly implemented, can potentially provide greater:
- flexibility in terms of allocating and managing resources (both computing and personnel)
- standardization of the overall enterprise architecture, thus simplifying maintenance and future application development
- opportunities for organizations within governments to share data and applications
- opportunities for governments to build up technical skills that can help a country be technology competitive on the international stage

Cloud computing has the ability to level the technological playing field and enable countries with limited infrastructure and digitization to leapfrog countries that have a traditional, less flexible infrastructure and a large number of large, legacy applications.
While having a cloud platform makes it easier to implement major goals of governments, such as eGovernance, it is fundamentally a more flexible, on-demand approach to allocating computing resources. Cloud computing can be a great enabler, but it does not replace needed strategic initiatives or overcome existing processes and regulations.

Cloud computing is a fast-paced and quickly evolving area of computing. As such, it can be daunting for governments to implement a true cloud platform, especially as there may be specific and unique concerns around areas such as data security when using cloud technologies.

The World Bank Cloud Readiness Toolkit was used as the input for this report. The toolkit comprises two assessments: a country assessment and an application and infrastructure assessment. Each assessment consists of a series of questions. The toolkit is designed to provide a baseline for a country. This baseline shows how ready a government is to implement a cloud platform, and provides tailored recommendations based on the gaps identified from completing the assessments. All questions are geared towards the government and the public sector. As such, the toolkit does not assess cloud providers or skills available in the private sector.

The country assessment questions cover the following categories:

Category | Purpose
General | Determine the true level of interest in migrating to the cloud and also the primary benefit that the government hopes to realize.
Resources | Determine if the government has the key skills already available or easily accessible prior to starting a cloud migration.
Security | Determine what kind of security is required, including rules around data retention and security clearances. Perception of security may also impact public adoption of applications meant for use by the citizens of a country.
Regulations | Determine whether there are regulations in place that would prevent the migration of some or all government applications to a public cloud or discourage the creation of local cloud providers.
Governance of Information and Communications Technology (ICT) Systems | Determine whether existing IT processes and procedures have been adapted to a cloud environment. If applications cannot effectively utilize a cloud environment, the government will not fully realize the potential benefits.
Data | Determine how secure a government's data is now, whether there are regulations in place that would prevent the migration of some or all government data to a public cloud, and what the overall quality of the data currently is.
Infrastructure | Determine whether migrating to the cloud may be too much of a burden on the existing infrastructure.

The application and infrastructure assessment questions cover the following categories:

Category | Description
General | This section covers questions that are not covered in the other categories, such as which department owns the application.
Architecture | This section covers questions that help determine what kind of cloud computing resources would be needed and how they can be optimized. This category also determines whether the application would benefit from the cloud architecture.
Operation Optimization | This section covers how the application is currently being used and what the potential boundaries for future growth are based on the current infrastructure.
Security | This section covers data security, for example any sensitive data (classified data or information that can be used to identify individuals) or encryption requirements.

The questions are weighted and scored to produce recommendations that offer a conversation starter on the current readiness to implement cloud computing.
The questions and weights within the assessment documents can later be updated dynamically to reflect changes in policy or circumstances, which will update the scores and corresponding recommendations. These recommendations are only guidelines, and do not replace the detailed assessments and planning that will be needed for a successful cloud migration.

1.1 Contents

The sections below can be found in this report.

1.1.1 What is Cloud Computing?

This report contains a high-level overview of cloud. Cloud computing is still a relatively new concept and one that is rapidly evolving to meet ever-changing technological demands and needs.

1.1.2 Findings and Recommendations

The World Bank Cloud Readiness Toolkit was piloted in three countries in order to test the toolkit as thoroughly as possible, and then refine the toolkit based on lessons learned. The findings from all three pilots as well as lessons learned are found in this section. Findings include a recommended deployment model and high-level roadmap.

1.1.3 Assumptions

This section briefly discusses the assumptions that were incorporated into the toolkit.

1.1.4 Public Cloud Vendor Comparison

Vendor selection can be one of the most challenging parts of migrating to the cloud. The number of vendors and their various attributes can be overwhelming. In addition, vendors frequently do not provide the same metrics and attributes, making comparisons even more challenging. This section compares two of the largest public cloud vendors in terms of size, global reach, and variety of offerings. This section is intended to provide a guideline for vendor comparisons that governments may undertake.
This report will not:
- Replace an in-depth assessment or business case
- Provide steps for building a private data center or selecting a public cloud provider
- Provide estimates for migrating to the cloud
- Provide guidance on budgeting for migrating to the cloud
- Recommend a specific cloud provider
- Assess cloud providers
- Assess skills and offerings available in the private sector
- Recommend a service model

2 What is Cloud Computing?

According to the National Institute of Standards and Technology, cloud computing is a model for enabling ever present, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (U.S. Department of Commerce, 2011). In other words, cloud computing can also be referred to as on-demand computing. It is a way for users to get continual access to shared computing resources, such as servers, storage, and sometimes services, as needed.

2.1 Essential Characteristics

There are five essential characteristics that define the cloud, as shown in the schematic below.

2.1.1 Resource Pooling

The cloud provider pools all computing resources to serve multiple customers (U.S. Department of Commerce, 2011). These customers can be either external, in the case of a public cloud provider who might be serving multiple organizations, or internal, in the case of a private data center which may be serving multiple departments. The pooled computing resources are assigned as and when needed, but released and reassigned for other purposes when not being used.
Instead of the traditional approach of allocating a single server or amount of space to an application, computing resources are dynamically allocated as needed. This optimization of the infrastructure typically reduces overall infrastructure costs and limits risks such as server failure.

However, the downside to resource pooling is that you have multiple users, groups, or organizations using the same computing resources. This concurrent use of shared computing resources by multiple users, also known as tenants, is referred to as multitenancy. As part of multitenancy, applications still need to be isolated from each other so that problems in one application do not affect others. In addition, access to one application does not mean access is provided to other applications using the same computing resources.

2.1.2 On-Demand Self-Service

Cloud services are provided on request (U.S. Department of Commerce, 2011). Users can request computing resources, such as server time and network storage, as needed, automatically, without requiring human interaction with the service provider. This automation is generally considered more efficient and less error-prone than traditional provisioning processes where requests must be submitted and servers manually set up and configured. The downside is that individuals may request resources whenever they need them, but may not release them when they no longer need them. Automated tools can help with this as well.

2.1.3 Rapid Elasticity

Computing resources can be elastically provisioned and released, in some cases automatically, enabling applications to scale rapidly in line with demand. The computing resources available for provisioning may be requested in any quantity at any time.
This enables more effective utilization of the available infrastructure (U.S. Department of Commerce, 2011).

To better understand this concept, it helps to understand what it means for an application to scale. An application can scale either vertically or horizontally. Vertically means the existing application instance is using more of a specific resource; horizontally means adding additional instances of an application or nodes. An example of scaling horizontally would be going from one web server to three, and an example of scaling vertically would be going from 4 GB of memory to 16 GB.

Traditionally, computing resources have been allocated with additional contingency in case it is needed. Elasticity refers to the ability of a platform to be dynamic and adaptable as opposed to static. A cloud platform is elastic and can adapt to increasing and decreasing utilization by rapidly expanding and shrinking computing capacity for a given application or application service. In the diagram below, the overall application infrastructure that is used is significantly less in the elastic, cloud-based approach.

[Figure: Traditional (Data Center) Approach compared with Elastic (Cloud) Approach]

2.1.4 Broad Network Access

Computing resources are available over the network and accessed through standard devices such as computers or mobile phones (U.S. Department of Commerce, 2011). It is important to keep in mind how a cloud will be reached and what the network availability and bandwidth capacity are before choosing a particular cloud solution.

2.1.5 Measured Service

Cloud systems automatically control and optimize resource use by tracking usage at a level appropriate to the type of service (e.g., storage, processing, network bandwidth, or active user accounts) (U.S. Department of Commerce, 2011).
Payment for these services is based on this usage. This is also known as “pay per use”.

2.2 Service Models

There are three service models in cloud computing: (i) Infrastructure as a Service (IaaS), (ii) Platform as a Service (PaaS), and (iii) Software as a Service (SaaS).

2.2.1 Infrastructure as a Service (IaaS)

Infrastructure as a Service provides the capability to request (or provision) processing, storage, network, and other fundamental computing resources; the requester is able to deploy and run operating systems and applications (U.S. Department of Commerce, 2011). The requester does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications, and limited or no control of the networking components (e.g. host firewalls).

2.2.2 Platform as a Service (PaaS)

Platform as a Service provides the capability to deploy onto the cloud infrastructure user-created or owned applications created using programming languages, libraries, services, and tools supported by the provider (U.S. Department of Commerce, 2011). The requester does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. If an application currently resides on an unsupported operating system (e.g. UNIX), the application will need to be updated to run on a supported operating system (e.g. Linux) or take advantage of an IaaS offering where any operating system can be installed.

2.2.3 Software as a Service (SaaS)

Software as a Service provides the capability to use the provider’s applications running on a cloud infrastructure (U.S. Department of Commerce, 2011). The applications are accessible from various user devices through either an interface, such as a web browser (e.g., web-based email), or a program interface (e.g. Office 365). The requester does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage. Individual applications cannot be altered but there may be user configuration settings that can be adjusted.

2.3 Deployment Models

There are four deployment models to choose from when considering migrating to the cloud. To understand when to use a particular deployment model as the preferred choice, the models have been compared across five categories: Security, Reliability, Flexibility, Cost, and Vendor Lock-in (degree of difficulty to migrate to a different model if needed in the future). These comparisons are primarily for legacy applications. For each category there is a description and a general score. The score is in relation to the other models. The table below describes the scoring used in this section.

Icon | Meaning
 | In comparison to other deployment models, this model is particularly strong in this area.
- | In comparison to other deployment models, this model is neutral or average in this area.
 | In comparison to other deployment models, this model is weak in this area.
2.3.1 Private Cloud

A private cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple users (e.g. departments). It may be owned, managed, and operated by the organization, a third party, or some combination, and it may exist on or off the premises.

Category | Description | Benefit?
Security | Private clouds are typically more secure than alternatives as the servers are controlled and no other organization has access to them (Pham, 2011). | 
Reliability | Depending upon the infrastructure within a country, a private cloud, especially if there is a direct line connecting the cloud to the government buildings, may be more reliable than alternatives. For example, if the Internet is frequently slow or unavailable during the day during times of high traffic, then making the Internet the primary method of reaching key applications may impact day-to-day business activities. | 
Flexibility | A private cloud can be geared towards a particular government’s needs. It can be built based on the specific requirements that an agency or department needs. | 
Cost | Higher setup costs, as all hardware (servers, storage, etc.) must be repurposed or purchased. In addition, all future server maintenance would be performed by the government or third-party vendor. | 
Vendor Lock-in | Once an application is virtualized, it is much easier to move from platform to platform. However, a specific virtualization software must be selected when creating a private cloud. This will create a certain amount of lock-in to a specific vendor, but not significantly more or less than any other cloud option. | -

2.3.2 Public Cloud

A public cloud infrastructure is provisioned for use by any organization that wishes to pay for computing resources (U.S. Department of Commerce, 2011). It may be owned, managed, and operated by a business or outside organization.
The infrastructure exists on the premises of the cloud provider rather than those of the users.

For the purposes of this toolkit, there is also a deployment model called local public cloud. This term applies to a local public cloud provider whose premises are within the country’s borders. This may be the only option if a government has strict laws or policies around the storage and transport of data.

Category | Description | Public | Local Public
Security | For governments in particular, there is a risk of having classified or sensitive data located outside the country’s borders. There is also the risk of an external threat (cyber-attack). However, there is also the benefit that cloud providers typically have more skilled employees to dedicate to cloud security. | - | 
Reliability | Depending upon the infrastructure within a country, a local public or public cloud may be more unreliable than alternatives. | - | -
Flexibility | Local public or public cloud providers may limit the operating systems or databases that they provide. This may require that applications be upgraded to a more recent version of some components before being migrated. | - | -
Cost | Minimal setup and maintenance costs as hardware does not have to be purchased or maintained by the government. There will, however, still be licensing fees. |  | 
Vendor Lock-in | While there are companies that specialize in enabling users to move from one cloud platform to another, it does require effort. In addition, once the government gets rid of hardware or requests more capacity than they currently have purchased, it is difficult to move all applications back to government data centers without investing time and money. Thus, going with a public cloud provider results in a certain level of vendor lock-in. |  | 
2.3.3 Community Cloud

The community cloud is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (i.e., mission, security requirements, policy, and compliance considerations) (U.S. Department of Commerce, 2011). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

Community clouds are frequently used by government or educational institutions that consist of a number of different entities (i.e. departments or colleges). Community cloud is a form of private cloud with multiple tenants where all of the tenants are part of the same parent organization. For the purposes of this toolkit, if multiple departments or ministries decide to utilize the same private cloud then private cloud and community cloud are equivalent.

For example, if both the Ministry of Finance and the Ministry of Defense want to use the same private cloud, but the Ministry of Defense does not want employees from the Ministry of Finance to have access to the defense data, then you have a private cloud with two tenants. This is now a community cloud.

The addition of another tenant does impact the security and flexibility of the offering in relation to a private cloud that is dedicated to a single tenant. A private cloud with multiple tenants must be able to offer the technical architectures both need. For example, if the Ministry of Finance has primarily .Net applications running on Windows servers and the Ministry of Defense has primarily Java applications running on Red Hat Linux, the private cloud must now offer both platforms.
In addition, appropriate security needs to be in place to ensure that access is restricted to the appropriate individuals. This is especially true if any database consolidation takes place.

| Category | Description | Benefit? |
|---|---|---|
| Security | Typically all the organizations sharing a community cloud have similar types of data and restrictions. It also enables the organizations to combine their skilled employees. However, the more individuals with access to the cloud from other agencies or departments, the greater the risk of an external attack. | - |
| Reliability | Depending upon the infrastructure within a country and who owns the community cloud, a direct line connecting the cloud to the government buildings may be more reliable than alternatives. |  |
| Flexibility | A community cloud can be geared towards a particular group’s needs. However, if a large amount of variety is seen in terms of architecture and technologies across the community, some limits and standardization may be required. | - |
| Cost | Cost is greatly dependent upon whether the community cloud is owned by a member of the community or a third party. Also, if a large amount of effort is required to standardize the platform and applications across the organizations the upfront cost will be higher. |  |
| Vendor Lock-in | Whether owned by one of the members of the community or a third party, any time you standardize options across a group you have a certain amount of vendor lock-in, but not significantly more or less than any other cloud option. | - |

2.3.4 Hybrid Cloud

A hybrid cloud infrastructure consists of two or more distinct cloud infrastructures (private, community, or public) that remain separate, but are bound together by standardized or proprietary technology which enables data and application portability (U.S. Department of Commerce, 2011). A hybrid cloud is almost always a combination of public and private and is the combination considered in this section.
The most common scenario is a predominantly private cloud that “borrows” computing resources from a public cloud when it experiences spikes in data. One example is taxes. Most people submit their taxes within a one month period of time. During the rest of the year there is minimal use of those tax applications. Revenue agencies must have enough computing resources to handle the peak demand before taxes are due. In a hybrid environment, that additional demand is handled by public cloud computing resources. This enables the agency to not have to maintain all those additional computing resources on a day to day basis.

| Category | Description | Benefit? |
|---|---|---|
| Security | A hybrid approach can combine the strengths of both models, allowing the government to keep data under tighter control, but still get some of the benefits of the public cloud. |  |
| Reliability | Depending upon the infrastructure within a country, a private cloud, especially if there is a direct line connecting the cloud to the government buildings, may be more reliable than alternatives. Since the public cloud is only used when needed, infrastructure issues will be minimized. |  |
| Flexibility | If applications are also using public cloud computing resources, they typically must be compatible with the public cloud. Since public cloud providers may limit the operating systems or databases that they provide, a hybrid approach may require that applications be upgraded to a more recent version of some components before being able to use the public cloud. | - |
| Cost | Future setup and maintenance costs will be lower than with a purely private cloud approach, since excess capacity will be freed up. Rather than keep computing resources on hand to deal with peak demand, that additional demand will now spill over to the public cloud enabling temporary increases in capacity (Savvas, 2014). However, setting up the hybrid cloud requires expertise in integration and standardization, which can be expensive in the beginning. | - |
| Vendor Lock-in | Private clouds still require virtualization software. Moving applications from one software to another is difficult and can be costly so the government could be "locked-in" to the vendor of whatever software is chosen. Changing the public provider once a hybrid solution is set up can also be challenging. |  |

2.3.5 Overview

All four deployment models have different attributes making them better fits for some organizations than others.

| Category | Private | Public | Local Public | Community | Hybrid |
|---|---|---|---|---|---|
| Security |  | - |  | - |  |
| Reliability |  | - | - |  |  |
| Flexibility |  | - | - | - | - |
| Cost |  |  |  |  | - |
| Vendor Lock-in | - |  |  | - |  |

It should be noted that not all organizations should move to the cloud. Before selecting a deployment model, an organization first needs to consider the benefits and risks of moving to the cloud in the first place.

2.4 Benefits

Cloud computing has opened up new possibilities and enables numerous potential benefits, including significant cost savings, faster innovation, and greater flexibility. The following are the common benefits gained from cloud system implementation.

2.4.1 Faster Development of Applications

Cloud computing allows applications to be created and implemented faster. For many governments and organizations it can take weeks, if not longer, to order new servers, set them up, and then build a new application. A cloud system would enable computing resources to be available within hours instead of weeks (Rodier, 2011).
2.4.2 Cost Saving

Infrastructure is expensive to purchase, to operate and to maintain. Cloud services are typically pay as you go, or “on-demand”, which allows end-users to utilize computing resources as needed. It maximizes the utilization of computing resources and reduces the operation and maintenance costs especially during non-peak times. Cost savings are impacted by current IT expenditure, current hardware life cycles, and which deployment model is chosen.

2.4.3 Improve Operations (Agility and Scalability)

Limited computing resources can prevent applications from running as quickly as they could or from running at all if the resources are needed for other applications. For example, a government has a processor intensive census program that runs once every ten years and runs on the same server as an application that shows who is eligible to vote. It may not be possible to generate a list of voters and process the census results at the same time. The cloud can help by automatically supplying additional computing resources during heavy system use.

Growth can also exceed a system’s capabilities. Perhaps in the past most citizens went to their local government office to apply for benefits or get a driver’s license, but with the growth of mobile phones, they can now reach these applications online. This sudden spike of usage may require more processing power than was originally planned for or purchased. Without the cloud, such a spike of usage might cause the system to crash or become inaccessible. With the cloud, additional computing resources are added as needed and removed when no longer required (Microsoft, 2011).

2.4.4 Disaster Recovery and High Availability

Many public cloud service providers have data centers located in multiple locations. This provides a failover location in the event that the primary location becomes unavailable due to a security event, natural disaster, or human error. This capability keeps the government operating seamlessly.
2.4.5 Modernization

Many governments have servers with a variety of software components on them. There may be multiple versions of Linux or Windows operating systems, the same for different versions of databases, or even programming languages. Moving to the cloud typically gives governments the opportunity to standardize their technology architecture across the government or across a department. This increases the ease of maintenance and the ability to add additional features and functionality to applications going forward.

2.4.6 Technological Advantage or Competition

Governments have a mandate to provide services to their citizens. As part of pursuing this mandate, government may consider implementing a cloud strategy. Alternatively, a government may consider implementing a cloud strategy in order to gain or maintain a perceived technical advantage. This advantage could be in either the public or private sector. A government may work to build demand or skills in the area of cloud computing in order to encourage the development of certain skills or products in the private sector.

2.4.7 Security

Major public cloud service providers have their own security protections against internal and external threats. They also support top-line security protocols commonly used. While anything you put on a public server is at higher risk than a computer not connected to an external network, public cloud service providers have security expertise, operation expertise, and are typically up to date on the latest security technologies. Private clouds have a certain level of security, especially if they are directly connected to the users they serve rather than accessed via the Internet.
However, organizations using private clouds generally have a smaller skilled security team than a public cloud provider would.

2.5 Risks

2.5.1 Cost - No economies of scale

There are economies of scale that come from owning an entire data center. Adding one more server is cheaper than the first one was. In the cloud, every CPU and GB needed will cost the same, whether you use 200 or 200 million. Savings are greatest if there are large spikes in usage that cause storage or servers to sit idle when not in use. In the cloud, you only need to pay for those additional computing resources when used. This can also make it more challenging to predict monthly costs. A sudden increase in usage of an application can result in a sudden jump in costs.

2.5.2 Vendor Lock-In

Whether the decision is to build a private cloud or go to a public cloud, there will be a certain amount of vendor lock-in. The degree of lock-in varies, particularly when it comes to deciding to move out of a public cloud. Once you exceed existing computing resources, it is much harder to leave the cloud. This should be considered if you think you might need to make changes in the future due to data or other concerns.

2.5.3 Infrastructure

If the network infrastructure is unreliable or is already highly utilized then moving to the cloud may be too much of a burden on the existing infrastructure. It could cause applications to crash or be inaccessible. In such situations the network infrastructure must either be upgraded before considering a move to a public or hybrid cloud or, alternatively, a private cloud on a dedicated line should be considered.

2.6 Migrating Applications

An important step in planning for a cloud implementation is deciding which applications to move.
Not all applications should be moved to the cloud. There are many attributes that are considered in the application assessment, but some of the most important categories to consider are structure, dependency, connectivity, and reliability.

2.6.1 Structure

A large, single-tiered legacy application typically isn't a good fit for the cloud. In a single-tier application the user interface, business logic, and data storage are all located on the same machine. While these applications are typically the easiest to design, they are also the least scalable. Efficiencies are gained when an application is scalable and the load can be spread over several instances. This also helps with disaster recovery as it enables a failure in one part of the system to be mitigated without affecting other parts of the system.

2.6.2 Dependency

Applications that depend on specific hardware—such as a particular chip set or an external device such as a fingerprint reader—might not be a good fit for the cloud, unless those dependencies are specifically addressed. Similarly, if an application depends on an operating system or set of libraries that cannot be used in the cloud, or cannot be virtualized, that application should not be moved to the cloud.

2.6.3 Connectivity

Applications that interface with or use computing resources that will not be reachable from the cloud, including other applications or storage, are typically poor candidates for migration. For example, if tax data cannot be moved to the cloud, you might not move an application that accesses the tax data frequently throughout the day. In some situations, these issues can be resolved with a custom network setup, but how well this works depends on the chosen cloud environment.

2.6.4 Reliability

Applications by their nature are not perfect, but the more reliable an application is, the longer it can run before encountering a problem.
Applications that are known to be unreliable should be reviewed as a possible candidate for rewriting or replacing, since known functionality issues may become worse when migrating an application to a new platform. Trying to migrate an unreliable application may not only increase the effort required to perform the migration, but also fail to achieve the benefits of moving to the cloud.

2.7 Virtualization

2.7.1 Overview

Cloud computing is built upon the ability to virtualize applications, regardless of the deployment model selected. Understanding virtualization is key to understanding how pricing works in the cloud. A high level knowledge of this area will enable the creation of more accurate estimates and thus better, and more cost effective, utilization of cloud computing resources. It will also assist with the building of a business case around implementing a cloud computing system.

When researching cloud providers and other various cloud service offerings there will be frequent references to virtual central processing units (vCPUs) and virtual cores (vCores). These components differ from their physical counterparts in a manner that is not always very straightforward.

NOTE: Amazon Web Services (AWS) uses the term vCPU whereas Azure uses vCore. Conceptually, they are the same.

The main goal when virtualizing a server is to be able to run multiple applications on the same server. Each application has its own space, or virtual machine, on the server. One way to look at this is to think of a physical server as a house. Each room is a virtual machine and each member of the family, or application, gets their own room. The software that enables the creation of these rooms is called a hypervisor.
A hypervisor is a piece of software, hardware, or firmware that creates and runs virtual machines. The hypervisor can either be installed directly on the server or on top of the operating system running on the server. The following diagram shows how three applications running on a virtualized server might look, depending on where the hypervisor is installed.

Once a hypervisor is installed, either on the host operating system or directly on the server, the hypervisor manages the physical computing resources (i.e. CPU, memory, etc.) and allocates computing resources to create virtual machine instances upon user request. The guest operating system is installed on the virtual machine instance. Applications can then be installed on the guest operating system and accessed by users.

An increasingly common practice is to take virtualization to the next level and build containers that can easily be moved from server to server. Instead of rooms, the server now has multiple houses and each house can be picked up as a single unit and moved somewhere else as needed. The following diagram shows how container-based virtualization is delivered from a physical server.

Unlike traditional virtual machines, containers do not have a guest operating system installed, but they do require that the physical server have a host operating system. The container itself contains the application in addition to all the components needed for that application and uses the host operating system. This means there is less wasted computing, making for a more efficient system, and a container is also easier to move when needed.
2.7.2 Sizing

When taking applications that currently reside on a physical server and moving them to a virtual machine, it can be challenging to determine how much of various computing resources (i.e. storage, memory, CPUs, etc.) to assign to the application. The recommended approach is to determine the peak utilization of your current resources over a period of time (ideally 12 months). If that is not possible, then request the same cloud computing resources as the current physical server and monitor the application for the next 12 months to determine utilization, and refine any budget estimates. Based on computing resource usage, the computing resources can be scaled either up or down.

2.8 Conclusions

Increasingly, citizens expect that they can complete tasks online rather than going into an office and waiting in line. In addition, the amount of digital data is growing across the globe and is expected to continue to do so. The ability to take advantage of this data and use it to help improve efficiencies within the government and provide better services to citizens is driving many governments to consider cloud platforms. Cloud has the possibility to enable government employees to work from anywhere and citizens to get access to information from their phones or homes. It can enable governments to quickly deploy applications and new functionality.

While cloud has the power to connect, it also comes with risks. Moving data outside of secure locations opens it up for attack. This can be especially true if a limited number of employees with skills in security has led to the development of applications that are particularly vulnerable.
Legacy applications that were not originally designed for the cloud may have to be updated, a potentially time consuming undertaking.

It should also be noted that while much focus is placed on the potential cost savings of cloud, much of those savings are difficult to quantify. Many benefits of cloud enable governments to avoid costs in the future. For example, the implementation of a scalable infrastructure can reduce future capacity costs, and faster development of applications reduces development costs. However, these costs do not reduce the current IT budget, and are sometimes overlooked (Neville Cannon, 2015).

The preferred deployment model and path to implementation will be different for every country, and possibly even differ by departments or ministries within the same country. It may be that an agriculture application can move to the public cloud, but a finance application should consider a private cloud. Then the government must decide if everyone should use the same solution or if there should be multiple solutions. A Cloud Readiness Assessment will provide insight into the current state of a country, and will help provide insight into where a country is now, and what recommendations there are for the future.

3 Cloud Readiness Toolkit

Many countries that are interested in implementing a cloud platform are either uncertain where to start or are focused on building a national data center, or equivalent; however, a government may not be ready to leverage the cloud, even if they have one available. In order to assist governments with this gap, the World Bank Cloud Readiness Assessment Toolkit provides a series of questions that determines where a country is in terms of overall readiness, what deployment model they may wish to pursue based on their current regulatory environment, and recommendations on how they can better position their government to take advantage of cloud computing.
Once a government is ready to implement a cloud platform, the application and infrastructure assessment can be used to build out a roadmap both at the department/ministry level and the application level.

3.1 Country Assessment

The country assessment is a questionnaire used to assess the government’s overall cloud readiness. By answering the questions around regulation, security, infrastructure, etc. the assessment identifies gaps in a country’s policies, regulations, or current IT infrastructure that would impact a migration to the cloud or prevent a country from fully realizing the potential of such a migration. Research on government cloud migrations shows that countries frequently do not see the full expected savings or benefits when migrating to the cloud due to gaps in readiness.

3.1.1 Methodology

The country assessment is broken down into seven key categories. Each category has a different purpose. Together the entire questionnaire is used to identify key gaps and provide recommendations and a roadmap for the government to consider.

| Category | Purpose |
|---|---|
| General | Determine the true level of interest in migrating to the cloud and also the primary benefit that the government hopes to realize. |
| Resources | Determine if the government has the key skills already available or easily accessible prior to starting a cloud migration. |
| Security | Determine what kind of security is required, including rules around data retention and security clearances. Perception of security may also impact public adoption of applications meant for use by the citizens of a country. |
| Regulations | Determine whether there are regulations in place that would prevent the migration of some or all government applications to a public cloud or discourage the creation of local cloud providers. |
| Governance of Information and Communications Technology (ICT) Systems | Determine whether existing IT processes and procedures have been adapted to a cloud environment. If applications cannot effectively utilize a cloud environment, the government will not fully realize the potential benefits. |
| Data | Determine how secure a government's data is now and whether there are regulations in place that would prevent the migration of some or all government data to a public cloud and what the overall quality of the data currently is. |
| Infrastructure | Determine whether migrating to the cloud may be too much of a burden on the existing infrastructure. |

Each question within a category has its own weight. This weight is based on the impact the answer has on the overall readiness for cloud. Each category sums up to 100%. The answer given for a question determines the value allocated to the overall readiness score and to which cloud deployment model would be the closest fit.

The overall readiness score shows where on the path to readiness the country is and aligns with the type of recommendations. A country that falls into a "Ready" category shows that they are on the right path to implement cloud, whereas a score that is in the “Needs Additional Preparation” range means that a country needs to make some changes before moving forward with a cloud implementation.

Within the document, on the assessment tab, every category is shown, along with the weight assigned to each category. Some categories are weighted more heavily than others based on the impact that category has on overall cloud readiness. For example, Governance of ICT Systems was weighted more because of the impact on the realization of long term benefits of cloud.
The category weights are default values based on established methodology and experience, but can be updated to reflect the particular needs and situation of a specific country.

For many questions, an answer of unknown is an option. However, this option should be selected as infrequently as possible. Unknowns typically result in an average score. Having a large number of unknowns might lead to a score that is higher than it should be, thus hiding a lack of readiness or other areas of weakness. Such a score would thus decrease the overall value of the resulting recommendations. The more complete the questionnaire, the more accurate the recommendations and the final score.

3.2 Application and Infrastructure Assessment

The application and infrastructure assessment is a questionnaire used to assess the government’s overall application landscape. By answering the questions for each application being considered for a migration to the cloud, and any servers associated with those applications, the assessment helps determine the fitness, effort and recommended deployment type.

Fitness
• Fitness is defined as being a good candidate for cloud
• For example, an application that is not going to be retired for years is a better fit than an application that is going to be retired within the next six months
• Fitness is assessed on the following scale: Very Low, Low, Moderate, High, Very High

Effort
• Effort is defined as the amount of work and energy required to migrate to the cloud
• For example, an application that does not follow any coding standards would require more effort than one that does.
• There is no direct relation between effort and fitness or readiness
• Effort is assessed on the following scale: Very Low, Low, Moderate, High, Very High

Deployment Model
• A recommendation of Public, Local Public, Private, or Hybrid is provided for each application

3.2.1 Methodology

While the questions are separated into two groups - application and infrastructure, the questions within each group are split into four categories – General, Operation Optimization, Modernization, and Security. These categories are reflective of the migration drivers that are identified in the country assessment.

| Category | Description |
|---|---|
| Architecture | This section covers questions that help determine what kind of cloud computing resources would be needed and how they can be optimized. This category also determines whether the application would benefit from the cloud architecture. |
| General | This section covers questions that are not covered in the other categories, such as which department owns the application. |
| Operation Optimization | This section covers how the application is currently being used and what the potential boundaries for future growth are based on the current infrastructure. |
| Security | This section covers data security, for example any sensitive data (classified data or information that can be used to identify individuals) or encryption requirements. |

Each question has been allocated its own weight based on the level of importance and impact on the ‘fitness’ and ‘effort required’ for a cloud migration. Each category sums up to 100% (total 500%) and the default weight of each category has been set based on the key driver determined during the country assessment.
Default category weights by driver:

| Category | General Interest | Cost Savings | Faster Development of Applications | Improve Operations (Agility & Scalability) | Disaster Recovery and High Availability | Modernization | Technological Advantage or Competition | Security |
|---|---|---|---|---|---|---|---|---|
| General | 25% | 35% | 30% | 30% | 15% | 25% | 20% | 20% |
| Architecture | 25% | 30% | 20% | 10% | 20% | 15% | 20% | 15% |
| Operation Optimization | 25% | 20% | 30% | 40% | 35% | 35% | 35% | 25% |
| Security | 25% | 15% | 20% | 20% | 30% | 25% | 25% | 40% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% |

The category weights can be adjusted to meet a specific country’s needs.

Each application is assigned a fitness score, an effort score, and a platform recommendation.

Fitness is weighted as per the following criteria:

| Category | Description |
|---|---|
| Very High | Based on the answer, there should not be any issues or risks in migrating this application to the cloud. |
| High | Based on the answer, there may be minor issues or risks in migrating to the cloud, but there are likely known resolutions. |
| Moderate | Based on the answer, there may be issues or risks in migrating to the cloud, and workarounds may need to be identified. |
| Low | Based on the answer, there may be significant issues or risks in migrating to the cloud, and workarounds will need to be identified. |
| Very Low | Based on the answer, there may be significant issues or risks in migrating to the cloud, and there may be no possible workarounds. |

Effort is weighted as per the following criteria:

| Category | Description |
|---|---|
| Very Low | Migration is likely to be as simple as copying binaries. Minimal effort required. |
| Low | Simple configuration level changes may be required. No source code or functional changes are required. |
| Moderate | The application may require source code and configuration changes, but they will be changes expected by individuals familiar with migrating to the cloud. No functional changes will be required. |
| High | The application will require either significant source code and configuration changes or an upgrade to a different operating system, middleware component, or database in order to be compatible with the cloud. In addition, analysis of the code through the use of a tool may be required in order to identify the necessary changes. No functional changes will be required. |
| Very High | The application will require significant changes including, but not limited to, an upgrade to a different operating system, middleware component, or database in order to be compatible with the cloud or a re-architecting of the application to enable utilization of the cloud architecture. |

4 Findings and Recommendations

As part of the Toolkit development, three countries were selected to pilot the methodology and questionnaires – Serbia, the Philippines, and Zambia. These countries were identified and selected based on local government interest, geography, and differences across a variety of country level statistics, as outlined below. The goal of the pilots was to test the toolkit as thoroughly as possible, and then make refinements based on lessons learned.
| | Serbia | Philippines | Zambia |
|---|---|---|---|
| Population | 7.13 Million | 99.14 Million | 15.72 Million |
| Country Classification | Upper Middle Income, $4,126 to $12,745 | Lower Middle Income, $1,046 to $4,125 | Lower Middle Income, $1,046 to $4,125 |
| Overall Unemployment Rate | 17.90% | 5.80% | 13.30% |
| Inflation Rate | 1.50% | 0.90% | 22.90% |
| % Population below Poverty Line | 24.60% | 25.20% | 60.50% |
| Information Statistics | | | |
| Digital Adoption Index | 0.61 | 0.43 | 0.33 |
| Internet Access at Home | 66% | 18% | 13% |
| Government – Digital Identification | 0.83 | 0.03 | 0.58 |
| Government – Core Administrative Systems | 0.73 | 0.77 | 0.63 |
| Government – Online Public Services | 0.39 | 0.48 | 0.14 |

4.1 Pilot #1 – Serbia

4.1.1 Summary

This report is meant to be a conversation starter, and provide Serbia with a high level overview of the assessment findings in addition to recommendations on migrating to a cloud platform. The assessment documents are point in time and can be updated dynamically to reflect changes in direction and regulation. For example, if regulations around where data can be stored are put in place, the corresponding assessment questions can be updated to generate revised recommendations and scores. This will enable the toolkit to be utilized throughout the process of selecting a deployment model, implementing the model, and digitizing key e-Government services. This report does not replace a detailed, or in-depth, assessment which should be conducted prior to implementing a cloud platform.

In Serbia, answers were obtained for all but two questions, one of which was marked as unknown. This enabled a more reliable recommendation.

| Overall Cloud Readiness Metric | Score | |
|---|---|---|
| Very Ready | >80% | |
| Ready | 65%-80% | |
| Need Additional Preparation | 45-64% | <- Serbia is here |
| Need Underlying Infrastructure | 25-44% | |
| Not Ready | <25% | |
The overall cloud readiness assessment shows that Serbia is a good candidate for cloud. However, Serbia needs to make sure that a solid technology and infrastructure foundation is in place before moving forward on the path to cloud. At this time, given the uncertainty government officials expressed around where data can be hosted, the assessment recommends that Serbia pursue a private cloud option, which aligns with Serbia’s allocation of budget to start construction of a national data center in 2016.

4.1.2 Key Findings

Serbia’s overall readiness score is 59%. This puts Serbia towards the higher end of “Need Additional Preparation”. Cloud, especially a push towards more e-Services, is considered an important government initiative both at the highest levels of government and by the citizens. In fact, cloud is even being discussed as part of the upcoming election. However, there are still some intermediary steps that Serbia needs to take in order to lay the groundwork for a successful cloud implementation.

Serbia has started taking steps in areas such as defining regulations, but there are still gaps in terms of implementation and moving towards greater interoperability across ministries. A high risk area identified was that Serbia has no cabinet level ICT organization – in addition, individuals frequently were unable to identify who should be responsible for any sort of overall government ICT or cloud strategy. A contributing factor to this is the reorganization that took place when the current President took office, and many people are anticipating that the government may be reorganized after the upcoming election.

In addition, while Serbia has made strides to put in place certain forward thinking regulations, much of that progress is driven not just by Serbia’s desire to move to the cloud, but as part of the country’s overall goal of joining the European Union.
The European Union requires not only that specific regulations exist, but also encourages a certain amount of interoperability. For example, if the European Union approves a drug for usage across the EU, at some point the Ministry of Medicine and Medical Devices will need to be able to incorporate that into the appropriate government systems.

One of the areas where ministries have started laying the groundwork, but still have further work to do, is disaster recovery. Most ministries were quick to identify disaster recovery as a reason to adopt the cloud and stated that they had disaster recovery capability, but then noted that the capability was either within the same building or very close to the original site (i.e. next door). In 2014 a flood did significant damage, raising this as a significant issue. In addition, disaster plans, when they existed, had not been tested.

While a cloud implementation might be successful at this stage, in order to get the most out of the cloud in the long term, Serbia should focus on implementing a government wide cloud strategy and drive adoption of this strategy as it encourages ministries to move to the new platform it is building.

4.1.3 Deployment Model Recommendation

| | Overall Readiness | Private Cloud Readiness | Hybrid Cloud Readiness | Public Cloud Readiness | Local Public Cloud Readiness |
|---|---|---|---|---|---|
| Readiness Score | 59% | 70% | 66% | 0% | 0% |

The cloud readiness assessment recommends that Serbia should consider pursuing a private cloud. However, this recommendation was driven by key findings that eliminated public cloud as an option due to restrictions on where data can be stored. The majority of the responses said that data, sensitive or non-sensitive data, could not leave the country nor reside on public servers.
In addition, one other element that drove the deployment model recommendation was a discussion with the major local cloud provider. During the discussion it was determined that no disaster recovery was available for the local provider’s cloud offerings. As such, a local public service provider does not exist as a possible alternative for the government at this time.

Serbia may wish to review whether all applications and types of data need to have the same level of security and protection. That may open up the possibility of public cloud for some subset of data and applications. Also, Serbia should make sure that any private cloud can meet the security needs of all ministries.

4.1.4 Gaps

There are key individuals within the government acting as advocates for cloud and working to get funding in order to build a national data center to provide the basis for a government cloud. This is a key step in the right direction; however, without also focusing on some of the gaps, such as resources, governance, and interoperability, Serbia will only see part of the benefits that they could get from a true cloud implementation.

4.1.4.1 Resources

Serbia has limited local resources in either the public or private sector with skills in cloud migration or security. Turnover is high and skilled IT resources frequently leave the country to pursue other opportunities. In addition, there are no programs currently offered within the government that would help build these skills. Most training is done through external vendors as part of contracts to implement new tools or systems.

In order to address this gap, it is recommended that Serbia review their retention policies to see if they might be able to reduce turnover within the IT sector.
In addition, Serbia might consider working with Universities or vendors to develop cloud training to use internally.

4.1.4.2 E-Payment

There were some conflicting responses as to whether e-payment was feasible, but the general consensus was that it was not currently feasible. Some of the barriers seen were around engaging credit card companies and addressing how fees would be paid. Given Serbia’s goal of digitizing more and more services, it is recommended that Serbia address the existing gaps in implementing an e-payment service and roll out this capability across the government.

4.1.4.3 Data Location

Most individuals, when asked, said that data should not leave the country; however, when asked if there were restrictions preventing data from leaving the country, they responded that no rules exist. In addition, it was noted that as part of joining the European Union, Serbia will have to pass regulations allowing data to be stored within other European Union countries.

In light of the EU regulations, Serbia should review their current data policies and determine if they should be revised or if gaps exist. If gaps are identified, then it is recommended that rules be formalized to address any gaps and that the government work to increase awareness of any existing or future rules around data storage.

4.1.4.4 Governance

Serbia’s lowest score was in the area of governance. There are three key recommendations for Serbia in this area.

4.1.4.4.1 CIO

Serbia has no CIO or equivalent cabinet level IT position. This was called out by almost all groups interviewed. Without this there is no designated organization both authorized and responsible for creating and driving a cloud strategy. It is recommended that Serbia create a CIO or equivalent position after the next election.
4.1.4.4.2 Cloud Strategy

Once a CIO or equivalent position has been created, it is recommended that that individual develop a cloud strategy. The strategy should then be distributed to all the ministries in order to provide direction to future ministry level initiatives.

4.1.4.4.3 Governance of ICT

Another critical gap on the path to cloud is in the area of general governance of ICT. Serbia simply does not have certain ICT processes, such as disaster recovery. Serbia also has no technical architecture standards. Implementing technical architecture guidelines would help provide a standard set of technologies being used across ministries. This will make it easier to determine what needs to be supported on the new platform and to migrate applications once it is time to do so.

In addition, for those processes that Serbia does have, such as development life cycle and application documentation, the processes have not yet been updated to include cloud. It is important to make sure that these processes are updated and enforced prior to starting a migration to the cloud. This is key to Serbia getting the greatest benefit out of a cloud platform.

4.1.5 Next Steps

4.1.5.1 Policy Roadmap

Various responses to the questions on the country assessment are associated with a recommendation. Each recommendation has an associated phase, type, and estimated duration. These are used to construct a detailed roadmap. How the roadmap will look will vary based on each country’s priorities and needs. However, a sample roadmap has been constructed for Serbia based on the recommendations produced for this report. The recommendations are also outlined in the table following the roadmap. The Digital Development Partnership (DDP) category that most closely aligns to the recommendation has also been noted in both the roadmap and the accompanying table.
The recommendations and roadmap have been split into three phases.

Phase one (walk) focuses on the regulatory and technical infrastructure that needs to be defined before moving to the cloud. This would include defining policies and regulations around data, hosting, encryption, and technical standards. These items should be completed prior to moving onto phase two.

Phase two (run) focuses on defining the next level of policies and regulations, such as evaluating where hard copies of documents are truly needed, what the technical architecture should look like, data validation rules, as well as implementing the policies and regulations created in phase one. These policies and regulations will help standardize the overall environment. A standard environment will make it easier and cheaper to move applications to the cloud. In addition, during this phase, ministries should start to build interfaces to enable the sharing of data across applications. This will simplify data collection and governance.

Phase three (fly) focuses on implementing a true cloud platform, starting with converting existing manual processes into digital, cloud-based processes and consolidating data centers into the government cloud. A key to a successful implementation of a cloud platform is getting buy-in from various ministries. Encouraging ministries to use the data center as a disaster recovery site might encourage buy-in.

4.1.5.2 Policy Recommendation Table

The following table outlines the recommendations, as seen in the country assessment.
| Category | Recommendation Type | Phase | Recommendation | Duration |
|---|---|---|---|---|
| Digital Innovation | Administrative | Walk | Develop skills for managing third party vendors or contractors | 6 Months - 1 Year |
| Digital Innovation | Administrative | Walk | Work with universities and/or vendors to create cloud courses for government use | 6 Months - 1 Year |
| Digital Government | Data | Walk | Formalize guidelines around where data can be stored, taking into consideration cloud technologies | 6 Months |
| Digital Government | Data | Walk | Establish laws or regulations around the retention of digital data once a server is no longer in use (i.e. a contract has concluded, or a server is being retired) | 6 Months |
| Digital Government | Governance | Walk | Define coding standards (i.e. best practices) to be followed across the government | 6 Months |
| Digital Government | Governance | Walk | Define disaster recovery requirements (i.e. frequency of testing procedures, international standards, location and general requirements) | 6 Months |
| Digital Innovation | High-Level Strategy | Walk | Consolidate strategies into one overall, government-wide cloud strategy | 6 Months |
| Digital Innovation | High-Level Strategy | Walk | Work with individuals currently using cloud to start standardizing decisions around when to use cloud and then expand that approach | 6 Months |
| Digital Innovation | High-Level Strategy | Walk | Work with the cabinet in order to get support for adopting a cloud strategy at the highest level | 6 Months |
| Digital Innovation | High-Level Strategy | Walk | Create a CIO or equivalent cabinet level ICT position in an official capacity | 6 Months - 1 Year |
| Digital Innovation | High-Level Strategy | Walk | Identify lawyers with knowledge of cybersecurity and ICT that can work with, or for, the government to provide guidance on policy, laws, and regulations | 3 Months |
| Digital Government | Security | Walk | Establish and implement general security requirements and regulations for digital hosting and cloud service providers (i.e. encryption, data retention, access and ownership, etc.) | 6 Months |
| Digital Innovation | Administrative | Run | Consider moving IT support for government to a centralized model | 6 Months - 1 Year |
| Digital Innovation | Administrative | Run | Review IT retention rates in the area of cloud security; determine if steps to mitigate turnover can be implemented; establish training for new employees and standards for documentation to enable knowledge transfer | 6 Months - 1 Year |
| Digital Government | Data | Run | Implement data governance across the government | 18 Months + |
| Digital Government | Data | Run | Update data retention policies to include cloud based applications | 6 Months |
| Digital Government | Data | Run | Confirm data governance standards are well documented and distributed; review existing applications to validate that data will be captured according to the guidelines; ensure that newly developed applications conform with the guidelines | 6 Months - 1 Year |
| Digital Government | Data | Run | Confirm data validation standards are well documented and distributed; ensure that newly developed applications conform with the guidelines; review existing applications to confirm that data validation is implemented | 6 Months - 1 Year |
| Digital Government | Data | Run | Build interfaces to other departments, institutions, and ministries to access needed applications and data. | 18 Months + |
| Digital Government | Governance | Run | Enforce application documentation standards by not moving any applications that do not follow the standards to the cloud | 6 Months |
| Digital Government | Governance | Run | Adapt the government's life cycle for the cloud | 6 Months |
| Digital Government | Governance | Run | Define and adopt technical architecture standards (i.e. enterprise standards around application and web servers as well as coding languages) | 6 Months |
| Digital Government | Governance | Run | Evaluate laws requiring hard copies of specific documents to determine if electronic equivalence is feasible | 6 Months |
| Digital Government | Regulatory | Run | Review whether exceptions for hiring foreign employees or contractors should be made if the resources are not available locally; work with local groups to make sure resources are available in the local workforce | 3 Months |
| Digital Government | Security | Run | Revise encryption standards and requirements to follow international guidelines | 6 Months |
| Digital Government | Security | Run | Work with local banks or other organizations to enable e-payment, even if in limited capacity, to enable the use of online services | 6 Months - 1 Year |
| Digital Government | Data | Fly | Start investigating moving data to the cloud for ease of access across departments/ministries | 6 Months - 1 Year |
| Digital Government | Data | Fly | Ensure data is not siloed and should be maintained by the primary owner | 6 Months - 1 Year |
| Digital Innovation | High-Level Strategy | Fly | Automate existing paper based processes in a manner architected for the cloud | 18 Months + |
| Digital Innovation | High-Level Strategy | Fly | Automate existing paper based processes in a manner architected for the cloud | 18 Months + |
| Access | Technical | Fly | Validate that applications conform to existing standards as part of the migration to the cloud | 6 Months |
| Access | Technical | Fly | Consider migrating to the cloud as an opportunity to consolidate data centers | 18 Months + |

4.1.5.3 Application Roadmap

The Medicines and Medical Devices Agency of Serbia supplied information for six of their applications; the Ministry of Public Administration and Self-Government and the Environmental Protection Agency each supplied information for one application. No other application information was provided.
This is a living document and can be updated with additional information. This additional information can be used to provide more guidance, analysis, and refined results.

Based on the responses from the three Serbian agencies to the assessment, the recommendation for 7 of the 8 applications aligns with the overall country recommendation - private cloud. For one application the recommendation is local public.

The value map helps show which applications are the closest fit and will take the least amount of effort to migrate. None of the Medicines and Medical Agency or Ministry of Public Administration and Self-Government applications are a strong fit for cloud, but the strongest candidate to start with is EDMS. NRIZ Reporting, the Environmental Protection Agency application, would require the most effort to migrate to the cloud. Due to the level of effort, the Environmental Protection Agency may wish to review NRIZ in further depth to see if it should be replaced, retired, rewritten, or migrated to the cloud.

When starting to plan the roadmap to migrate applications to the cloud, there are numerous attributes that need to be taken into account, including, but not limited to:
- Criticality of the system
- Sensitivity of the data
- Interfaces
- Application dependencies

The below decision tree may help in the creation of an application migration roadmap.
4.2 Pilot #2 – Philippines

4.2.1 Summary

This report is meant to be a conversation starter, and provide the Philippines with a high level overview of the assessment findings in addition to recommendations on migrating to a cloud platform. The assessment documents are point in time and can be updated dynamically to reflect changes in direction and regulation. For example, if regulations around where data can be stored are put in place, the corresponding assessment questions can be updated to generate revised recommendations and scores. This will enable the toolkit to be utilized throughout the process of selecting a deployment model, implementing the model, and digitizing key e-Government services. This report does not replace a full, in-depth assessment which should be conducted prior to implementing a cloud platform.

In the Philippines, answers were obtained for all questions in the country assessment, enabling a more reliable recommendation.

| Overall Cloud Readiness Metric | Score | |
|---|---|---|
| Very Ready | >80% | |
| Ready | 65%-80% | |
| Need Additional Preparation | 45-64% | <- Philippines is here |
| Need Underlying Infrastructure | 25-44% | |
| Not Ready | <25% | |

The overall cloud readiness assessment shows that the Philippines is ready to consider implementing a cloud strategy but requires additional preparation before moving forward. At this time, there are concerns around where the data can be hosted, but there are no regulations that outline the government’s official stance on the matter. As a result, the assessment recommends that the Philippines pursue a private or hybrid cloud option.

4.2.2 Key Findings

The Philippines’ overall score is 56%. This puts the Philippines towards the middle of “Need Additional Preparation”.
There is a clear interest from the government in cloud computing and efforts are underway to implement and standardize a government cloud (G-cloud). However, the Philippines need to make sure that a solid technology and infrastructure foundation is in place before moving forward on the path to cloud. This technology and infrastructure foundation needs to be implemented in a controlled, step by step approach, or it will not be sustainable. In order to achieve this controlled, step by step approach, the Philippines need to work towards creating an official chief information officer (CIO) or cabinet-level position for ICT. It is noteworthy that at the time of the pilot, there was legislation pending Presidential approval to establish an ICT Department. However, with major elections being held in the next 6 months, the legislation’s future is uncertain. The Philippines does have the Information and Communications Technology Office (ICTO) as a de facto CIO which falls under the Department of Science and Technology, but they are not officially recognized as the Department of ICT (or equivalent). Through this department, the Philippines are currently developing an overall ICT strategy. The focus of this strategy is primarily internally driven to improve operations (agility and scalability) and infrastructure which includes an e-Government master plan and a G-cloud. This government cloud, located within a centralized data center, would be used to provide cloud services for individual departments and government agencies, and is currently in the process of being scaled. The Department of Budget Management (DBM) has placed a purchasing hold on hardware for individual ministries and agencies which was done to encourage the use of the G-cloud operated by ICTO and DOST and, long term, prompt the consolidation and retirement of individual data centers. 
However, there is no official regulator, or enforcement agency, for the creation of these ICT policies and plans, but the DBM does have limited enforcement capabilities through budget appropriations, which makes policy adoption difficult.

Despite the existence of the G-cloud, concerns over capacity, performance, and reliability hinder adoption by departments. Currently, the G-cloud does not have the capacity for a migration of a department’s data center. The current infrastructure is 200 virtual machines (VMs) and they plan to increase the number of VMs to 1,000 by July/August 2016. However, the team received conflicting answers regarding how long it takes to procure a server, which will impact the G-Cloud’s ability to scale. ICTO informed the team that it takes 1-6 months to procure a server while other projects and departments stated that it could take 6 months to a year. The team found that the current procurement process sometimes requires additional procedures and can be tedious. In addition, the G-cloud does not provide service level agreements (SLAs) or a disaster recovery center. It is important to note that drafting a disaster recovery plan is in process but is not planned to be operational for at least a few years.

In addition, the limited number of public sector employees with the relevant skills or experience in cloud services (i.e. cloud modernization, cloud migration and cloud security) further complicates the decision to migrate. This is in part due to the Philippine government facing high turnover rates, which governments as a whole often face. Most resources in cloud migration had less than 18 months of experience while cloud security resources had less than 6 months experience.
In both of these fields, the Philippine government saw approximately a yearly turnover rate of 25-50%. This problem had been compounded by the fact that ICTO’s original resources came from telecommunications and were not aligned skill wise with the mandate ICTO was given. In terms of future resource development, the University of Philippines has virtualization courses, but no cloud-related courses available. Most of these cloud skills are self-taught through job experience or external vendors and non-governmental trainings. There is a large number of skilled resources, especially in the area of cloud migration, available in the general workforce, although retaining those skills within the government has been challenging. The availability of resources with a strong background in cloud security is less certain. Several responses indicated this was a missing skillset in both the private and public sectors. As a result of the limitations with G-cloud, departments have taken this as an opportunity to implement their own approach. The assessment found this to be an area of concern as there are limited governance and policies in place for departments to use as guidelines. This has security ramifications as most departments have gone with a combination of Microsoft Azure services and open source products such as Gmail and Google Apps instead of using the G-cloud in attempts to save costs or circumvent the hardware purchasing freeze. In doing so, the departments are open to security and privacy issues. For example, there are no government level encryption standards or any laws or regulations related to digital data hosting. The Philippines needs to determine whether G-cloud will be able to meet the needs of the government and what those needs are. As part of making this determination, key performance indicators need to be identified that can be applied to the G-cloud so that success or failure can be quantified and measured. 
The decision to guide all departments and government agencies towards a centralized platform that is not ready yet has resulted in departments moving in one of three directions – putting projects on hold pending official direction, moving to a different cloud provider (typically a public cloud provider) despite no clear guidance on security and regulatory rules, or applying pressure on the G-cloud which isn’t operational. In this sense, the Philippines has started to “run” prior to “walking”.

4.2.3 Deployment Model Recommendation

The cloud readiness assessment recommends that the Philippines pursue a private or hybrid cloud. This recommendation is a result of the common response around storing data on public servers. Most people said classified data or PII (personally identifiable information) could not reside on a public server, which eliminates the public cloud option.

| | Overall Readiness | Private Cloud Readiness | Hybrid Cloud Readiness | Public Cloud Readiness | Local Public Cloud Readiness |
|---|---|---|---|---|---|
| Readiness Score | 56% | 65% | 63% | 0% | 0% |

However, there are several key decisions that are outstanding and will influence the deployment model.

1. Currently, there are no government-wide standards for several key areas, such as encryption requirements or data hosting standards. When these standards are implemented, will public providers be a viable option and be able to support these requirements?
2. Departments and agencies are hesitant to host classified, confidential, or personally identifiable information on public servers, which ruled out the public cloud. However, there are no regulations around data hosting (i.e. geographic locale, multi-tenancy, public servers, etc.), enabling departments to decide individually. Would the implementation of data hosting and overlapping ICT regulations add any restrictions to which cloud provider can be chosen?
3. There are limited individuals with cloud skills such as security and migration in the public sector. Would taking advantage of a public cloud provider help mitigate risk, help supplement the existing workforce, or raise security concerns?
4. At a high level, there is a government preference towards local companies over international. If this preference extends to services, are there local cloud providers that meet the government’s needs?
5. Do all applications and types of data need to have the same level of security and protection? If not, such a decision may open up the possibility of public cloud for some subset of data and applications.
6. Can a private cloud meet the security needs of all departments? If not, what is the alternative?
7. Would a public cloud provider want to work with the government? There are institutional issues which make working with the government unfavorable for private companies that need to be addressed.

4.2.4 Gaps

Even if the G-cloud was operational and able to meet the service level agreements and capacity requirements of the various departments, there needs to be clear and defined ICT governance and security policies and regulations. Without this, there is no basis upon which to build a cloud strategy. In addition, there was a mindset that “there is no rule preventing us from doing this” which enables departments to implement their own cloud strategy. As a result, the Philippines has significant gaps in security and ICT governance that need to be addressed.

4.2.4.1 Security

There are certain security measures in place such as requiring public sector employees to undergo a clearance process and implement user access and authorization management. However, there are several additional steps required for a secure environment. The assessment shows that there are no government encryption requirements. This would include encryption on data at rest, data in transit or general encryption standards for either a cloud provider or internal hosting. In addition, there are security concerns around using a cloud provider as there are no laws or regulations around data hosting or cloud providers, and no standards around how or when cloud providers are required to discard data. The assessment recommends that this security foundation is built prior to cloud adoption.

4.2.4.2 Governance of ICT

In addition to the security concerns, there is a lack of governance within ICT systems. The assessment found that there are no standards around applications (i.e. documentation, coding standards, development lifecycle, or technical architecture) or disaster recovery. For application related governance, this raises two concerns. First, when moving applications to a new environment such as the cloud, it will be more difficult to migrate an application that does not have documentation that is uniform across the government. In addition, this documentation would help with the creation of new applications, and standardize the government’s application and infrastructure inventory. It is strongly recommended that the Philippines define these standards prior to a cloud implementation through an officially recognized cabinet level ICT office.
This office would be responsible for the ICT vision and strategy for the country as well as routinely revising the government-level standards.

4.2.5 Next Steps

The toolkit provides preliminary policy recommendations and action plans for future steps, but does not replace a full, in-depth assessment of the country’s existing regulations, applications and infrastructure. An ICT policy and vision should be created as well as updated as required. This should not be a static list of recommendations. The Philippines’ strategy should be consistently reviewed to ensure the policies align with international ICT best practices.

4.2.5.1 Policy Roadmap

Various responses to the questions on the country assessment are associated with a recommendation. Each recommendation has an associated phase, type, and estimated duration. These are used to construct a detailed roadmap. How the roadmap will look will vary based on each country’s priorities and needs. However, a sample roadmap has been constructed for the Philippines based on the recommendations produced for this report. The recommendations are also outlined in the table following the roadmap. The Digital Development Partnership (DDP) category that most closely aligns to the recommendation has also been noted in both the roadmap and the accompanying table.

The recommendations and roadmap have been split into three phases.

Phase one (walk) focuses on the regulatory and technical infrastructure standards that need to be defined before moving to the cloud. This would include defining policies and regulations around data, hosting, encryption, and technical standards. In addition to these standards, an official, cabinet level ICT office should work on defining the government’s ICT vision and strategy.
These items should be completed prior to moving onto phase two.

Phase two (run) focuses on the implementation of the policies and regulations created in phase one. These policies and regulations will help standardize the Philippines’ environment. This standardization can be used to help standardize the offerings provided by the ICTO G-cloud. This would encourage usage, as well as provide guidelines for departments who choose not to use G-cloud as the security and privacy requirements will be clearly defined.

Phase three (fly) focuses on improving services and offerings. The G-cloud will enable departments to provision resources as needed. The G-cloud also provides the government the opportunity to investigate implementing some Software as a Service (SaaS) offerings within the government. For example, there are several software packages, such as email or ERP, which could potentially be provided as a service to other departments. In addition, the Philippines could utilize the G-cloud to turn existing paper based processes into true cloud based offerings.

4.2.5.2 Policy Recommendation Table

The following table outlines the recommendations, as seen in the country assessment.

| Category | Recommendation Type | Phase | Recommendation | Duration |
| Digital Innovation | Administrative | Walk | Assess applications for which there are no employees with a high degree of familiarity with the application architecture or code to determine if the applications need to be replaced | 6 Months - 1 Year |
| Digital Government | Data | Walk | Formalize guidelines around where data can be stored, taking into consideration cloud technologies | 6 Months |
| Digital Government | Data | Walk | Adopt a data governance approach across the government | 18 Months + |
| Digital Government | Data | Walk | Define data ownership (i.e. who owns it, where is the master copy, who all should have access, etc.) | 6 Months - 1 Year |
| Digital Government | Data | Walk | Establish laws or regulations around the retention of digital data once a server is no longer in use (i.e. a contract has concluded, or a server is being retired) | 6 Months |
| Digital Government | Governance | Walk | Define government-wide application documentation standards | 6 Months |
| Enabling Environment | Governance | Walk | Define coding standards (i.e. best practices) to be followed across the government | 6 Months |
| Enabling Environment | Governance | Walk | Define disaster recovery requirements (i.e. frequency of testing procedures, international standards, location and general requirements) | 6 Months |
| Digital Innovation | High-Level Strategy | Walk | Work with individuals currently using cloud to start standardizing decisions around when to use cloud and then expand that approach | 6 Months |
| Digital Innovation | High-Level Strategy | Walk | Work with the cabinet in order to get support for adopting a cloud strategy at the highest level | 6 Months |
| Digital Innovation | High-Level Strategy | Walk | Create a CIO or equivalent cabinet level ICT position in an official capacity | 6 Months - 1 Year |
| Enabling Environment | Security | Walk | Define encryption standards and requirements (i.e. should sensitive data at rest be encrypted) | 6 Months |
| Enabling Environment | Security | Walk | Establish and implement general security requirements and regulations for digital hosting and cloud service providers (i.e. encryption, data retention, access and ownership, etc.) | 6 Months |
| Digital Innovation | Administrative | Run | Consider moving IT support for government to a centralized model | 6 Months - 1 Year |
| Digital Innovation | Administrative | Run | Review IT retention rates in the area of cloud migration; Determine if steps to mitigate turnover can be implemented; Establish training for new employees and standards for documentation to enable knowledge transfer | 6 Months - 1 Year |
| Digital Innovation | Administrative | Run | Review IT retention rates in the area of cloud security; Determine if steps to mitigate turnover can be implemented; Establish training for new employees and standards for documentation to enable knowledge transfer | 6 Months - 1 Year |
| Digital Government | Data | Run | Update data retention policies to include cloud based applications | 6 Months |
| Digital Government | Data | Run | Confirm data validation standards are well documented and distributed; Ensure that newly developed applications conform with the guidelines; Review existing applications to confirm that data validation is implemented | 6 Months - 1 Year |
| Digital Government | Data | Run | Create a policy on multi-tenancy | 6 Months |
| Digital Government | Data | Run | Build interfaces to other departments, institutions, and ministries to access needed applications and data. | 18 Months + |
| Enabling Environment | Governance | Run | Define and adopt technical architecture standards (i.e. enterprise standards around application and web servers as well as coding languages) | 6 Months |
| Enabling Environment | Governance | Run | Define government-wide life cycle development standards and ensure they align with international standards, especially those that relate to cloud | 6 Months |
| Enabling Environment | Governance | Run | Evaluate laws requiring hard copies of specific documents to determine if electronic equivalence is feasible | 6 Months |
| Enabling Environment | Regulatory | Run | Enable government applications to use electronic signatures to increase security of data transfer as well as the confidence of the public and end users | 18 Months + |
| Enabling Environment | Regulatory | Run | Identify an agency (or regulator) who will be tasked with the enforcement of privacy and related laws and regulations | 3 Months |
| Enabling Environment | Regulatory | Run | Review whether exceptions for hiring foreign employees or contractors should be made if the resources are not available locally; Work with local groups to make sure resources are available in the local workforce | 3 Months |
| Enabling Environment | Security | Run | Work with local banks or other organizations to enable e-payment, even if in limited capacity, to enable the use of online services | 6 Months - 1 Year |
| Digital Innovation | High-Level Strategy | Fly | Automate existing paper based processes in a manner architected for the cloud | 18 Months + |
| Digital Innovation | High-Level Strategy | Fly | Automate existing paper based processes in a manner architected for the cloud | 18 Months + |

4.2.5.3 Application Roadmap

The departments of Advanced Science and Technology Institute, Construction Industry Authority, Department of Science and Technology and the Environmental Management Bureau each provided data for one application. The Department of Budget and Management provided data for 14 applications and the Department of Interior and Local Government provided information for five applications.
No other application information was provided. This is a living document and can be updated with additional information. This additional information can be used to provide more guidance, analysis, and refined results.

Based on the assessment responses from the six departments, the recommendation aligns with the overall country recommendation – the majority of the applications are a best fit for private cloud. For the two applications that are not aligned with the overall country recommendation, one application is a best fit for local public cloud and the other is a best fit for hybrid cloud. Hybrid cloud does not differ significantly from the country recommendation. The country assessment found hybrid cloud and private cloud to be only two points apart, a statistically insignificant difference. In addition, local public may be feasible depending on decisions made at the government level. For example, if the government decides to allow this option for certain types of data and applications, this Department of Budget and Management application may be a good candidate.

It should be noted that the assessments for the applications in the Construction Industry Agency were only 70% complete and the infrastructure data for the Department of Interior and Local Government and the Environment Management Bureau applications was not provided. As a result, the recommendation for these applications may change if additional data is provided.

The value map helps show which applications are the closest fit and will take the least amount of effort to migrate. As the graphic shows, the ERP application for the Advanced Science and Technology Institute and the CLiRS application for the Construction Industry Agency are the two closest fits for cloud.
The Department of Budget and Management and the Environment Management Bureau may want to consider alternatives such as replacing the applications rather than migrating the Document Management System (Department of Budget and Management) and the Permit Processing (Environment Management Bureau) applications to the cloud. The Philippines needs to provide direction to the various departments, either through lifting the hardware freeze or providing guidance on whether a public cloud can be leveraged.

When starting to plan the roadmap to migrate applications to the cloud, there are numerous attributes that need to be taken into account, including, but not limited to:

- Criticality of the system
- Sensitivity of the data
- Interfaces
- Application dependencies

The below decision tree may help in the creation of an application migration roadmap.

4.3 Pilot #3 – Zambia

4.3.1 Summary

This report is meant to be a conversation starter, and provide Zambia with a high level overview of the assessment findings in addition to recommendations on migrating to a cloud platform. The assessment documents are point in time and can be updated dynamically to reflect changes in direction and regulation. For example, if regulations around where data can be stored are put in place, the corresponding assessment questions can be updated to generate revised recommendations and scores. This will enable the toolkit to be utilized throughout the process of selecting a deployment model, implementing the model, and digitizing key e-Government services.
This report does not replace a full, in-depth assessment which should be conducted prior to implementing a cloud platform.

In Zambia, answers were obtained for all but three questions in the country assessment, enabling a more reliable recommendation.

Overall Cloud Readiness Metric

- Very Ready: >80%
- Ready: 65%-80%
- Need Additional Preparation: 45-64%
- Need Underlying Infrastructure: 25-44% <- Zambia is here
- Not Ready: <25%

The overall cloud readiness assessment shows that Zambia needs to put in place their underlying infrastructure before moving forward. At this time, given concerns around where data can be hosted the assessment recommends that Zambia pursue a private cloud option, a path that is aligned with Zambia’s recent request to the World Bank for assistance to implement several key ICT initiatives.

4.3.2 Key Findings

Zambia’s overall readiness score is 41%. This puts Zambia at the upper end of “Need Underlying Infrastructure”. There is strong interest from the highest levels of the government in implementing the “Smart Zambia” vision as outlined by the President. Cloud computing is seen, by the government, as a driver of this overall initiative.

While interest within the government is high, there are many key components that are not yet in place. Zambia is taking the steps to make sure that those pieces are in place as they move forward, thus setting themselves up for success if they continue on this path and if they can get support and buy-in from other ministries and departments. A challenge in this area will be enlisting the cooperation of relevant inter- and intra-government officials.

Zambia has an official, cabinet level ICT organization, the Center of Excellence for E-Governance and ICT. All CIOs in other ministries report to the Center of Excellence, and major ICT initiatives
must be coordinated with this department. This mandate was further supported by a memorandum from the President’s office encouraging the “coordination and harmonisation of information systems” that noted that all ICT personnel fall under the Center of Excellence and ICT procurement contracts need to be undertaken in consultation with the Center of Excellence. In addition, when we interviewed other departments, they almost unanimously identified the Center of Excellence as the organization responsible for driving ICT policy and direction going forward. This puts Zambia in an excellent position to implement policies and regulations uniformly and from the top down.

Multiple ministries had not only created a disaster recovery plan, but had partially tested them by bringing up applications and switching users over to them. In addition, most disaster recovery sites were a significant distance away, as opposed to being within the same or a neighboring building.

However, Zambia also has some key infrastructure concerns that are not captured within the scope of the cloud assessment, but could impact Zambia’s ability to move forward with a migration to the cloud. 99% of Zambia’s electricity comes from hydro, but Zambia has been in a drought since 2014. Thus, even though they have the grid and the capacity, they cannot produce enough electricity to provide power to everyone on the grid. While this may be a reason to bring servers that need to run 24/7 into one data center, a lack of power complicates access and availability. Zambia has no clear coordination around the laying of fiber optic cables. This has led to different companies laying cable in the same spot and a lack of a coordinated effort to reach many of the rural areas of Zambia. Lastly, the cost of transmitting data outside the country is much higher than the cost of transmitting data within the country.
However, most usage is cross-border, which means that lines leaving the country are on average utilized at 60-70% of total capacity. Also, less than 20% of government buildings within the capital city of Lusaka are connected to the internet. This provides an opportunity to create an exclusive, government owned and operated network that connects to a central data center; however, such an initiative would be time intensive and expensive. These infrastructure concerns are foremost on the government’s mind and are a key component of the request to the World Bank for ICT funding.

While Zambia has significant preparatory work to do before they are ready to implement a cloud strategy, they are approaching the problem in a step by step manner that may put them in a better position in the long run than many countries that appear to be further ahead on the path to cloud at this point in time.

4.3.3 Deployment Model Recommendation

The cloud readiness assessment recommends that Zambia pursue a private cloud. However, this recommendation was driven by key assessment findings; primarily concerns around data leaving the country, which eliminated public cloud as an option. However, at least two groups were looking into public cloud as an option, so the government should review the current barriers for public cloud computing and formalize the preferred approach.

| | Overall Readiness | Private Cloud Readiness | Hybrid Cloud Readiness | Public Cloud Readiness | Local Public Cloud Readiness |
| Readiness Score | 41% | 53% | 0% | 0% | 0% |

The most important part of selecting a cloud approach is determining where data can be stored. This question has multiple parts. Can data be stored on a public server?
Can government data and applications reside on the same server as non-government data and applications (multitenancy)? Can data leave the country? If so, all countries or just some? Does this rule apply to all data, or just a subset of data, perhaps non-sensitive data? All of these questions need to be formalized so that every ministry handles their data in the same way.

In Zambia, there was general consensus that data, especially sensitive data, could not leave the country and it could not reside on public servers. Data could reside in data centers owned and operated by third parties, but when questioned further, most situations appeared to describe colocation, where the server was owned or exclusively used by the government, regardless of where it resided. This finding drove the recommendation that Zambia pursue a private cloud as a public cloud provider would use public servers that may also be used by non-government organizations. In addition, a non-local public cloud provider would necessitate the storing of data outside of Zambia.

Zambia may wish to review whether all applications and types of data need to have the same level of security and protection. That may open up the possibility of public cloud for some subset of data and applications. Also, Zambia should make sure that any private cloud can meet the security needs of all ministries. It is recommended that the Electronic Communication Transactions Act (ECTA) be revisited and revised, if necessary, to reflect current needs in data transmission and storage from a regulatory standpoint - this will improve the overall desirability and propensity for adopting cloud technologies. Any changes in regards to data storage might change the cloud deployment recommendation, and the assessment should be retaken.

4.3.4 Gaps

When discussing cloud with various ministries and organizations, there was strong interest in what was meant by cloud and what benefits the assessment team thought Zambia might see from implementing cloud; however, there was also a distinct hesitancy. Individuals would mention that the underlying infrastructure was not ready. To address this, the government has requested funding from the World Bank for various projects, and also mentioned plans to construct a data center that would be the location for the future government cloud.

4.3.4.1 Resources

Zambia has limited to no local resources in either the public or private sector with skills in cloud migration or security. In addition, there are no programs currently offered at the local universities that would bridge this gap in the future. When meeting with the University of Zambia, it was mentioned that while there is an IT Security degree, there is no cloud component to that course of study due to lack of teachers with the skill set to cover the material.

In order to address this gap, it is recommended that Zambia work to incorporate cloud into existing IT curriculum. There are multiple ways this could be approached, including, but not limited to, sending faculty to cloud training or working with private companies to get guest lecturers to cover cloud topics.

4.3.4.2 Security

There are several areas within security that Zambia needs to focus on; specifically security clearances and e-payment.

4.3.4.2.1 General

From a general security standpoint, Zambia does not require public sector employees to undergo any sort of security clearance.
In addition, Zambia has no encryption requirements at the government level, although two of the ministries we talked to required that sensitive data be encrypted in transit. As Zambia moves to digitize more and more processes and data, and enable citizens to use the internet to request government services, it will be critical that basic security rules be standardized and enforced across the government. It is strongly recommended that Zambia institute security clearances for all individuals with access to sensitive data and that they review their encryption requirements.

4.3.4.2.2 E-Payment and PKI

Zambia enables e-payment, but only for taxes. The agreements with the banks and other components of the e-payment system are specific to the Zambia Revenue Authority (ZRA). In addition, the ZRA is currently using the digital certificates supplied by the banks. Given Zambia’s goal of providing 140 government services electronically, it is recommended that the Center of Excellence formalize both an e-payment and digital signature process that can be used across the government and make it available to all ministries.

4.3.4.3 Data Location

While most individuals, when asked, said that data should not leave the country, most people were uncertain as to whether or not any actual regulations restricted where data could be stored. Some ministries said no such restrictions existed and others said that ZICTA, the regulatory agency, mandated that sensitive data not leave Zambia.
To address this gap, it is recommended that if restrictions are in place, then awareness of them should be increased, and if restrictions are not in place, then they should be formalized and the various ministries and impacted companies made aware of any restrictions.

In addition, it should be noted that despite the strong response we got when specifically asking if data could leave the country, the vast majority of ministries are in fact using non-government email addresses, such as Yahoo or Google. This means that data is potentially being sent and stored on email servers located outside of the country. In light of this discrepancy, it is strongly recommended that Zambia review this situation and finalize their overall approach. It is also recommended that Zambia consider migrating to a common email platform across the government.

4.3.4.4 Governance

4.3.4.4.1 Cloud Strategy

While one of Zambia’s key strengths is that they have a Center of Excellence to coordinate and align ICT activities across the government, they do not yet have an overall cloud strategy. It is recommended that they develop a cloud strategy that can be implemented across the government and provide direction to future ministry level initiatives.

4.3.4.4.2 Governance of ICT

Another critical gap on the path to cloud is in the area of general governance of ICT. Zambia does not have certain ICT processes in place. Cloud platforms do not support all applications. Having guidelines and processes in place for application development will make it easier to determine what needs to be supported on the new platform and to migrate those applications once it is time to do so.

As Zambia works to put processes and guidelines in place, it needs to make sure that they are sufficient for the groups with the strictest requirements. If necessary, exceptions can be granted to those groups for which such strict requirements would be too burdensome.
However, the reverse situation, where regulations are too lax for some groups, may mean that the cloud platform, when it becomes available, will not meet the needs of everyone.

It is recommended that Zambia formalize the following processes at the government level:

- Interoperability and interconnectivity between ministries
- Technical architecture
- Disaster recovery
- Application documentation

The first two are particularly crucial to getting the greatest benefit out of a cloud platform over time.

4.3.5 Next Steps

4.3.5.1 Policy Roadmap

Various responses to the questions on the country assessment are associated with a recommendation. Each recommendation has an associated phase, type, and estimated duration. These are used to construct a detailed roadmap. How the roadmap will look will vary based on each country’s priorities and needs. However, a sample roadmap has been constructed for Zambia based on the recommendations produced for this report. The recommendations are also outlined in the table following the roadmap. The Digital Development Partnership (DDP) category that most closely aligns to the recommendation has also been noted in both the roadmap and the accompanying table.

The recommendations and roadmap have been split into three phases.

Phase one (walk) focuses on the regulatory and technical infrastructure needs to be defined before moving to the cloud. This would include defining policies and regulations around data, hosting, encryption, and technical standards. These items should be completed prior to moving onto phase two.
Phase two (run) focuses on defining the next level of policies and regulations, such as multitenancy and technical architecture, as well as implementing the policies and regulations created in phase one. These policies and regulations will help standardize the overall environment. A standard environment will make it easier and cheaper to move applications to the cloud. In addition, during this phase, ministries should start to build interfaces to enable the sharing of data across applications. This will simplify data collection and governance.

Phase three (fly) focuses on implementing a true cloud platform, starting with converting existing manual processes into digital, cloud-based processes and consolidating data centers into the government cloud.

4.3.5.2 Policy Recommendation Table

The following table outlines the recommendations, as seen in the country assessment.

| Category | Recommendation Type | Phase | Recommendation | Duration |
|---|---|---|---|---|
| Digital Innovation | Administrative | Walk | Work with universities and/or vendors to create available and affordable cloud migration courses | 6 Months - 1 Year |
| Digital Innovation | Administrative | Walk | Work with universities and/or vendors to create cloud courses for government use | 6 Months - 1 Year |
| Digital Innovation | Administrative | Walk | Work with universities and/or vendors to create available and affordable cloud security courses | 6 Months - 1 Year |
| Digital Innovation | Administrative | Walk | Work with universities and/or vendors to create cloud security courses for government use | 6 Months - 1 Year |
| Digital Government | Data | Walk | Formalize guidelines around where data can be stored, taking into consideration cloud technologies | 6 Months |
| Digital Government | Data | Walk | Define data ownership (i.e. who owns it, where is the master copy, who all should have access, etc.) | 6 Months - 1 Year |
| Digital Government | Data | Walk | Establish laws or regulations around the retention of digital data once a server is no longer in use (i.e. a contract has concluded, or a server is being retired) | 6 Months |
| Enabling Environment | Governance | Walk | Define government-wide application documentation standards | 6 Months |
| Enabling Environment | Governance | Walk | Define coding standards (i.e. best practices) to be followed across the government | 6 Months |
| Enabling Environment | Governance | Walk | Define disaster recovery requirements (i.e. frequency of testing procedures, international standards, location and general requirements) | 6 Months |
| Digital Innovation | High-Level Strategy | Walk | Define an overall government-wide cloud strategy | 6 Months |
| Digital Innovation | High-Level Strategy | Walk | Work with individuals currently using cloud to start standardizing decisions around when to use cloud and then expand that approach | 6 Months |
| Digital Innovation | High-Level Strategy | Walk | Formalize cloud responsibilities as part of specific roles within the government | 6 Months - 1 Year |
| Enabling Environment | Security | Walk | Define encryption standards and requirements (i.e. should sensitive data at rest be encrypted) | 6 Months |
| Enabling Environment | Security | Walk | Establish and implement general security requirements and regulations for digital hosting and cloud service providers (i.e. encryption, data retention, access and ownership, etc.) | 6 Months |
| Digital Innovation | Administrative | Run | Consider moving IT support for government to a centralized model | 6 Months - 1 Year |
| Digital Government | Data | Run | Implement data governance across the government | 18 Months + |
| Digital Government | Data | Run | Update data retention policies to include cloud based applications | 6 Months |
| Digital Government | Data | Run | Create a policy on multi-tenancy | 6 Months |
| Digital Government | Data | Run | Confirm data governance standards are well documented and distributed; review existing applications to validate that data will be captured according to the guidelines; ensure that newly developed applications conform with the guidelines | 6 Months - 1 Year |
| Digital Government | Data | Run | Confirm data validation standards are well documented and distributed; ensure that newly developed applications conform with the guidelines; review existing applications to confirm that data validation is implemented | 6 Months - 1 Year |
| Digital Government | Data | Run | Create procedures and build interfaces to other departments, institutions, and ministries to access needed applications and data | 18 Months + |
| Enabling Environment | Governance | Run | Define and adopt technical architecture standards (i.e. enterprise standards around application and web servers as well as coding languages) | 6 Months |
| Enabling Environment | Governance | Run | Define government-wide life cycle development standards and ensure they align with international standards, especially those that relate to cloud | 6 Months |
| Enabling Environment | Governance | Run | Evaluate laws requiring hard copies of specific documents to determine if electronic equivalence is feasible | 6 Months |
| Enabling Environment | Regulatory | Run | Enable government applications to use electronic signatures to increase security of data transfer as well as the confidence of the public and end users | 18 Months + |
| Enabling Environment | Regulatory | Run | Identify an agency (or regulator) who will be tasked with the enforcement of privacy and related laws and regulations | 3 Months |
| Enabling Environment | Regulatory | Run | Create laws that require an organization or agency to notify an individual when their data has been compromised in the event of a security incident | 6 Months |
| Enabling Environment | Regulatory | Run | Create a process for issuing and tracking digital certificates | 6 Months - 1 Year |
| Enabling Environment | Security | Run | Implement security checks for individuals working with sensitive systems or data | 6 Months - 1 Year |
| Enabling Environment | Security | Run | Work to implement a broader e-payment system | 6 Months - 1 Year |
| Digital Government | Data | Fly | Start investigating moving data to the cloud for ease of access across departments/ministries | 6 Months - 1 Year |
| Digital Innovation | High-Level Strategy | Fly | Automate existing paper based processes in a manner architected for the cloud | 18 Months + |
| Digital Innovation | High-Level Strategy | Fly | Automate existing paper based processes in a manner architected for the cloud | 18 Months + |
| Access | Technical | Fly | Consider migrating to the cloud as an opportunity to consolidate data centers | 18 Months + |

4.3.5.3 Application Roadmap

Zamtel, the government owned infrastructure/telecommunication service provider, supplied information for 15 of their applications. No other application information was provided. This is a living document and can be updated with additional information. This additional information can be used to provide more guidance, analysis, and refined results.

Based on Zamtel’s responses to the assessment, the majority of the applications are a fit for public; however, there are several applications that are a fit for private. In the case of those applications that are a fit for public, it is not a viable option at this time unless there are changes to the current data location rules and regulations and a local public cloud provider who has disaster recovery located within Zambia.

The value map helps show which applications are the closest fit and will take the least amount of effort to migrate. For example, Zamtel’s service catalogue application, called Intranet, requires the least amount of effort and is the closest fit. After that, there are several applications that are a reasonably good fit for cloud, but will require additional effort to migrate.

When starting to plan the roadmap to migrate applications to the cloud, there are numerous attributes that need to be taken into account, including, but not limited to:
- Criticality of the system
- Sensitivity of the data
- Interfaces
- Application dependencies

The below decision tree may help in the creation of an application migration roadmap.
4.4 Overview of Findings

The three countries that participated in the pilot sound very different on paper:
- Serbia is just starting to build a central data center and many ministries have their own small data centers
- The Philippines already has multiple national data centers; however, they handle only a fraction of the government’s overall ICT operations
- Zambia has less than 20% of their government buildings connected to the internet and are just beginning to centralize all ICT activities under the aegis of the data center of the Center of Excellence for E-Government and ICT (COEEGICT)

But, the final scores actually find the three countries to be within about 20 points of one another. This is a significant gap, but not as great as might be expected. This is mostly due to the fact that the assessment helps identify gaps that exist in the overall infrastructure and governance framework that could cause future problems. Each country has unique gaps but also similarities such as a large number of paper processes, limited number of available skilled resources, and a major upcoming election. This can be seen in the following SWOT analysis.
Strengths

Serbia:
- Overall the furthest on the path towards cloud
- Organizational culture lends itself towards adopting and implementing a single approach
- Good infrastructure and high level of Internet access at home for citizens

Philippines:
- Already have at least three national data centers
- In the process of building a government network

Zambia:
- Have a Centre of Excellence and e-Governance that can drive cloud implementation and adoption
- Organizational culture lends itself towards adopting and implementing a single approach

Weaknesses

Serbia:
- No CIO or equivalent cabinet level IT position, thus hindering the ability of the government to drive cloud implementation or adoption
- No clear regulations on where data can be stored both geographically and in terms of public versus government owned servers. This currently limits Serbia to a private cloud deployment model.

Philippines:
- No official CIO or equivalent cabinet level IT position, thus hindering the ability of the government to drive cloud implementation or adoption
- No clear regulations on where data can be stored both geographically and in terms of public versus government owned servers. Some departments are making these decisions at the department level independent of government direction.

Zambia:
- No clear regulations on where data can be stored both geographically and in terms of public versus government owned servers. This currently limits Zambia to a private cloud deployment model.
- No security clearances are required to work on sensitive data

Opportunities

Serbia:
- Cloud is seen as a key initiative by both citizens and government officials
- Serbia is pursuing joining the EU and many of the regulations they are looking to implement are also part of that process
- Large number of paper based processes that could be automated and architected for cloud

Philippines:
- Department of Budget and Management is enforcing ICTO policies through budgets
- Working with Azure to enable that as an alternative cloud offering
- Large number of paper based processes that could be automated and architected for cloud

Zambia:
- ICT in general is seen as a key initiative by government officials
- Large number of paper based processes that could be automated and architected for cloud

Threats

Serbia:
- Skilled resources frequently leave the country to pursue other opportunities
- Upcoming elections

Philippines:
- Current ICTO team does not have the skill set to build a cloud offering
- Current data center does not have the capacity or the capability to meet the needs of the various government agencies
- Individuals are utilizing alternatives that may not meet the security needs of the government (i.e. Google email)
- Upcoming elections

Zambia:
- Lack of stable power grid
- Limited access to Internet at home
- Unmanaged infrastructure growth (no one is coordinating the laying of fiber optic cables)
- Upcoming elections

It should be noted that this report simply recommends next steps for addressing the identified gaps. In addition to implementing these steps, an in-depth assessment based on the findings and conversations generated from the toolkit should be undertaken.
| | Serbia | Philippines | Zambia |
|---|---|---|---|
| General | 75% | 84% | 83% |
| Resources | 44% | 61% | 33% |
| Cloud Migration | 38% | 58% | 33% |
| Cloud Security | 40% | 63% | 29% |
| Training | 65% | 65% | 40% |
| Security | 60% | 35% | 28% |
| General | 50% | 25% | 8% |
| Data | 67% | 42% | 42% |
| Regulations | 83% | 77% | 81% |
| General | 83% | 58% | 83% |
| Cybercrime | 67% | 97% | 93% |
| Data Protection | 100% | 83% | 67% |
| Governance of ICT Systems | 35% | 20% | 0% |
| Data | 66% | 70% | 50% |
| Location | 67% | 81% | 52% |
| Retention and Validation | 64% | 36% | 44% |
| Infrastructure | 69% | 77% | 51% |
| Capacity | 84% | 90% | 76% |
| Network | 80% | 86% | 42% |
| End User | 32% | 44% | 44% |
| Overall Cloud Readiness Score | 59% | 56% | 41% |

4.4.1 Similarities

Despite the difference in scores, there were some similarities seen in all three countries.

4.4.1.1 Defining Cloud

One of the similarities seen across the pilot countries was that most countries interpreted any sort of online application or national data center as meaning that they had cloud. While this is in fact a step towards having a cloud environment, true cloud also has the ability for groups to request computing resources on demand and be able to handle elastic demand. Neither attribute had been considered by any of the countries where the toolkit was piloted.

4.4.1.2 Elections

The most unexpected similarity was that all three countries will be having a major election within the next six months. In all cases, this has led to a certain amount of uncertainty. In two of the three countries, Serbia and the Philippines, there is legislation pending that would impact cloud adoption, but they only expect the legislation to be signed if there is a change in administration.

4.4.1.3 Lack of Governance

In two countries the creation of a cabinet level CIO or similar ICT position is likely to be determined by the election.
The one country that did have a cabinet level CIO position had only created it within the last three months, and has not had much chance to influence policy at a government level. This lack of high level leadership and direction from a Government ICT Champion has likely contributed to the fact that in all three countries, Governance of ICT was the lowest score. Security and information rules were either not very clear, relatively unknown, or did not exist at all. As a result, departments were wary of making changes.

4.4.1.4 Resources

Skilled resources were lacking in both the public and private sector in all three countries and turnover amongst those resources with cloud skills was high. In the case of Serbia, when resources gained skills in the public sector through experience they would frequently leave for the private sector. The private sector told us that turnover was equally high in the private sector with individuals leaving the country to pursue other opportunities. In the Philippines, resources also frequently left the public sector to take jobs in the private sector, although they were not as likely to leave the country. The Philippines did, however, have a bill pending that would increase wages to 80% of market rate. In Zambia, there was a lack of individuals with the skills and limited opportunities for individuals to gain the skills on their own. When talking with the University it was mentioned that cloud components had not been added to any of the IT courses due to a lack of faculty who could teach it. In none of the three countries was there any sort of formal training to build up the skills within the public sector or a plan to decrease turnover of skilled IT resources.

3.6.1.5 Paper Processes

All three countries had a large number of paper processes. In some cases, such as Serbia and the Philippines, there were legal requirements that some documents exist in paper form; in the case of Zambia, some ministries had simply not digitized.
For example, the Zambian national ID program exists only on paper. This provides excellent opportunities for all three countries to be able to increase efficiencies and improve usability of services by digitizing the processes and creating interfaces between ministries, agencies, and departments that all need access to the same data. No additional work to update or modernize applications is necessary if the new applications are created specifically for use in a cloud environment.

4.4.1.6 Driver

The opportunity to modernize and optimize ties in with what all three countries listed as their key drivers. In the case of Serbia, they selected “modernization”; in the case of the Philippines and Zambia, they selected “increased agility”. All three mentioned cost savings as a secondary driver. However, while the driver for all three countries is similar, the underlying focus came across as very different in the interviews. In the case of Serbia, the key underlying desire is to automate existing government services. In the case of the Philippines, the focus was purely internal: services for citizens were never mentioned unless prompted and no services had been specifically identified for automation. In the case of Zambia, there is a strong drive to digitize. In addition, Zambia has identified 140 processes as candidates for automation long term.

4.4.2 Differences

These differences seen in focus and leadership, along with organizational differences in approaches to rules and regulations, had a direct impact on some of the other key differences seen across the countries.

4.4.2.1 Organizational Approach

How people responded to questions was influenced by each government’s organizational approach.
For example, in both Serbia and Zambia, when individuals were asked whether things could be done, such as whether data could be stored outside the country, answers defaulted to “no” if there was no official direction. Activities were viewed as restricted until the government determined the high level direction. In the Philippines the opposite was true: individuals assumed that no rule or regulation meant that there was no restriction. In addition, the Philippines took a more consensus approach, so even if a rule did exist, actual enforcement of rules was significantly more challenging as without a restriction in place, rules were followed at a department’s discretion.

4.4.2.2 Data Location and Privacy

There was also a difference in organizational approach in how the countries addressed data location and privacy. In Serbia, concerns around data leaving the country seemed to be primarily centered on security and control. If it left the country, who might have access to it? The Philippines overall seemed indifferent to any concerns around privacy. In fact, one group said that if the data needed to be secured, it shouldn’t be digitized. In the case of Zambia, a lack of trust was strongly in evidence. Data stored outside of the country was at the mercy of another country and they strongly believed that any outside country would go through Zambia’s data. There was also a lack of trust between ministries, citizens, and the government that fed into this concern as well. This will make interoperability more challenging in Zambia versus Serbia or the Philippines.

4.4.2.3 Infrastructure Readiness

The greatest difference between the three countries is in their existing infrastructure. Zambia, with the greatest infrastructure gap, has less than 20% of all government offices in the capital city of Lusaka connected to the internet. This is a gap they feel strongly about and are working to remedy, but it will take time. In Serbia, buildings are connected and a network is in place, so they are now working to build a data center to start centralizing resources. In the Philippines, they have a multitude of data centers. There are three central data centers as well as quite a few data centers in the basements of various departments. Even so, the Philippines lacks enough capacity to meet demand and all interviews led to the conclusion that without a change in the procurement process or other large change, the Philippines will struggle to meet the capacity demands of the ministries for the foreseeable future.

4.4.2.4 Digital Certificates and E-payment

Security, particularly in the area of digital certificates and e-payment, was also an area where distinct differences were seen in where the countries fell on the path to cloud. Serbia and the Philippines are the furthest along. Serbia has the capability to issue and track digital certificates and Serbia also has existing applications that take advantage of the equivalency of e-signatures to written signatures. However, e-payment was a stumbling block. Ministries have faced challenges around implementing an e-payment system, although some forms of e-banking are currently accepted for some applications. The Philippines has issued close to 1,000 digital certificates and is in the process of testing the use of PKI in their archives and records management information system. In addition, the Philippines also had a partially, but not fully, implemented e-payment process. In contrast, in Zambia, there is no process defined for using digital certificates. The Zambia Revenue Authority (ZRA), the only group interviewed that had looked into digital certificates, were using the digital certificates produced by the banks.
So far, the ZRA is also the only organization with the capability to pay online. This is mostly geared towards companies, however, as there are less than 600,000 registered tax payers in a country of 14 million.

4.4.2.4 Encryption

Encryption is a good example of the overall differences seen in the processes implemented across the three countries. In the case of Serbia, there are encryption standards and they’ve been defined by a local mathematician. How well they have been implemented is unknown. In the Philippines there are no government level encryption standards, so implementation is ad hoc. In Zambia encryption is also ad hoc. Amongst those organizations interviewed, only two ministries require sensitive data to be encrypted during transit and only the University was encrypting any data at rest. This discrepancy remained relatively consistent across standards ranging from encryption to application documentation standards and life cycle development. In all of the pilot countries, the standards that did exist had not been adapted for use in a cloud environment.

4.4.3 Recommendations

There were several key recommendations for each category (administrative, high level strategy, data, security, etc.) and phase (walk, run, fly). Those key recommendations have been compiled into the following table.
Category Type Phase Serbia Philippines Zambia - Assess applications for which there are no employees with a - Work with universities - Work with universities high degree of familiarity with and/or vendors to create Walk and/or vendors to create cloud the application architecture or cloud courses for government courses for government use code to determine if the use applications need to be replaced - Consider moving IT support Administrative - Review IT retention rates in - Review IT retention rates in for government to a the area of cloud security the area of cloud migration centralized model - Determine if steps to - Determine if steps to Digital mitigate turnover can be mitigate turnover can be Innovation Run implemented implemented - Establish training for new - Establish training for new employees and standards for employees and standards for documentation to enable documentation to enable knowledge transfer knowledge transfer - Create a CIO or equivalent - Create a CIO or equivalent - Define an overall Walk cabinet level ICT position in an cabinet level ICT position in an government-wide cloud official capacity official capacity strategy High-Level Strategy - Start investigating moving - Automate existing paper - Automate existing paper data to the cloud for ease of Fly based processes in a manner based processes in a manner access across architected for the cloud architected for the cloud departments/ministries - Define disaster recovery - Define disaster recovery requirements (i.e. frequency of requirements (i.e. frequency - Define government-wide testing procedures, of testing procedures, Walk application documentation international standards, international standards, standards location and general location and general Governance requirements) requirements) - Evaluate laws requiring - Evaluate laws requiring hard - Evaluate laws requiring hard hard copies of specific copies of specific documents to copies of specific documents to Run documents to determine if determine if electronic determine if electronic electronic equivalence is equivalence is feasible equivalence is feasible feasible - Enable government - Enable government - Review whether exceptions applications to use electronic applications to use electronic for hiring foreign employees or signatures to increase security signatures to increase Enabling contractors should be made if of data transfer as well as the security of data transfer as Environment the resources are not available confidence of the public and well as the confidence of the Regulatory Run locally end users public and end users - Work with local groups to make sure resources are available in the local workforce - Establish and implement - Establish and implement - Establish and implement general security requirements general security requirements general security requirements and regulations for digital and regulations for digital and regulations for digital Security Walk hosting and cloud service hosting and cloud service hosting and cloud service providers (i.e. encryption, data providers (i.e. encryption, data providers (i.e. encryption, retention, access and retention, access and data retention, access and ownership, etc.) ownership, etc.) ownership, etc.) - Work with local banks or - Work with local banks or other organizations to enable other organizations to enable - Implement security checks Run e-payment, even if in limited e-payment, even if in limited for individuals working with capacity, to enable the use of capacity, to enable the use of sensitive systems or data online services online services - Formalize guidelines around - Formalize guidelines around - Formalize guidelines around where data can be stored, where data can be stored, where data can be stored, Walk taking in to consideration taking in to consideration taking in to consideration cloud technologies cloud technologies cloud technologies - Build interfaces to other - Update data retention Digital department, institutions, and - Create a policy on multi- Data Run policies to include cloud Government ministries to access needed tenancy based applications applications and data. - Start investigating moving - Start investigating moving data to the cloud for ease of data to the cloud for ease of Fly access across access across departments/ministries departments/ministries - A stable, available network is a key pre-requisite for Prerequisite moving to a cloud Access Technical environment - Consider migrating to the - Consider migrating to the Fly cloud as an opportunity to cloud as an opportunity to consolidate data centers consolidate data centers

4.4.3 Lessons Learned

4.4.3.1 Overall Lessons

Many valuable lessons were learned during the three pilots. The most important was that the application and infrastructure assessment is a valuable second step to the country assessment when using the toolkit, as the data needed may not initially be available.
Once a country has decided they wish to pursue cloud, the application and infrastructure assessment can be used to identify which departments or ministries would be good candidates to start with, and which applications within those departments or ministries should be looked at first. Overall, departments were reluctant to share application and infrastructure data outside of their country, but did see the value in the assessment and may incorporate it into future internal cloud strategic planning initiatives.

The need to emphasize the reusability of the toolkit became apparent. Individuals in all three countries were very quick to note items that were soon to change. Emphasizing that the toolkit was a snapshot in time and could be updated as things changed, thus updating the score and recommendations, helped get more accurate answers during the interviews.

The automated recommendations that are produced by the country assessment were refined during the presentation of the preliminary findings with the country pilot participants. Given the number of categories, the recommendations were aligned with phases (walk, run, fly). Putting recommendations into a more matrix format, broken down by both phase and category, helped give government officials a sense of how the recommendations in different categories worked in parallel to build a cloud platform.

Responses to questions were sometimes unexpected. Some questions had more gray areas within the answers than had been expected and some questions were simply interpreted completely differently from their original meaning. For example, the toolkit did not originally account for the fact that an e-payment system might be only partially implemented.
In Zambia, questions around whether there were laws in place around which products could be used almost always immediately raised questions as to whether that included UN sanctions. This feedback was used to refine the wording and response options for questions throughout the questionnaire.

Questions where multiple groups gave different answers were always reviewed. Was the difference in answers due to a difference in knowledge, understanding of the situation, or interpretation of the question? Any changes in wording when asking questions out loud were noted and later reviewed to see if the question itself needed to be reworded. This helped identify questions that required additional information or were not self-explanatory.

In addition, new questions needed to be added based on some unexpected discoveries. For example, it was not anticipated that there might be laws mandating that some documents exist in paper form. The importance of an upcoming election on the current situation, a discovery made in Serbia, also had to be incorporated into the toolkit.

4.4.3.2 Serbia

As Serbia was the first pilot country, some missed question areas were identified as well as some questions that were not needed. One example was around cost. There was no knowledge on how much was spent on ICT. The questions around cost were asked as well in Zambia and the Philippines to see if this gap was consistent and it was. The decision was then made to remove all questions around cost. It was also discovered in Serbia how important a cabinet level CIO position was to driving any sort of high level ICT strategy. Questions around such a position were added during this pilot.

4.4.3.3 Philippines

In the Philippines, distinct differences were seen in how questions were answered. In Serbia, the default was to answer in regards to how things stood. Answers were always given in reference to the current state, although explanations might note pending or future changes.
In the Philippines, where there seemed to be less differentiation between future and present tense, government officials would imply that things were in progress, but follow up questions in regards to a timeline would show that the activity had not yet been started. To address this, some questions were reworded and additional emphasis was placed on the fact that the assessment was a snapshot in time. For example, originally questions around procurement did not focus on timing. Based on feedback that servers could not be procured in a timely manner, even for the organizations running the main data centers, questions were added.

4.4.3.4 Zambia

In Zambia, the wording of new and existing questions from Serbia and the Philippines was tested and relatively few changes were required. The main lesson learned was around the questions for data location. Additional questions around infrastructure were added when interviews showed that just because a government building is connected to the network, it doesn’t mean the network will be available.

5 Assumptions

When designing this toolkit certain standard assumptions were made. These same assumptions were made when translating the assessment results into the final findings and recommendations. The key assumptions are:
- The individuals completing the questionnaires were relatively familiar with the areas covered and thus the questions are as complete and accurate as possible.
- By completing this assessment, it is assumed that there is some interest in identifying and resolving any readiness gaps.
- The government is already using computerized systems.
- The country already has a basic Internet infrastructure, such as copper lines.
- The country has a full time IT team.
6 Public Cloud Vendor Comparison

If a government decides to go with a public cloud setup then the next step is to determine which vendor to select. Vendors usually have multiple offerings, and it can be challenging to compare vendors. Comparisons are typically further complicated by different vendors using different terminology and units. It is recommended that, even if deciding to pursue a private cloud, governments still assess public cloud vendors to determine a baseline of offerings and service level agreements that they may wish to provide.

In order to assist with any future comparisons governments may undertake, a vendor comparison can be found in this section for reference. Azure and Amazon were chosen due to their breadth of services and geographic offerings. This report is not recommending one vendor over another, but only providing an example of a vendor assessment to provide guidance to governments on developing vendor requirements for their own vendor assessments.

Price is a key factor, especially as it can differ per region. Unlike private clouds, public clouds are not fully customizable. Pricing can vary depending upon the components and services provided by the public cloud service provider and also how the government utilizes those computing resources. A rough baseline for public cloud pricing can be found in the tables in this section.

At this time, there is no data center in Africa for Azure or Amazon, so it is recommended that African countries consider either using a data center on the European continent or a local cloud provider. If a local provider is selected, it is recommended the provider be assessed based on the general concepts and specific recommendations outlined in this report.
Please be aware that actual pricing can vary based on utilization and contracting (i.e. predicted infrastructure usage, upfront payment, transaction volume, sizing, etc.). The tables in this section are a representative list of various options and pricing for Amazon and Azure at a specific point in time; they are not comprehensive, and further investigation should be done before selecting a provider.

January 29, 2016

Key Differences – Azure and Amazon

| Type | Amazon | Azure | Advantage |
|---|---|---|---|
| Availability | Amazon supports high availability across data centers. Services such as load balancing, virtual network, and auto-scaling span the region. | Azure supports high availability within a data center. Services such as load balancing, virtual network, and auto-scaling span the region. | Amazon |
| Load Balancing | Supports load balancing based on IP address (layer 4) and application performance (layer 7) and provides metric-driven load balancing. | Supports load balancing based on IP address (layer 4) and application performance (layer 7) and provides sophisticated load balancing policies. | Tie |
| Virtual Network | Virtual Private Cloud (VPC), which supports Flow Logs, which log relevant traffic for storage and analysis. | VNet to VNet (virtual network). | Amazon |
| | Direct Connect provides faster port speed than Azure; however, Amazon charges extra for a redundant port. | Express Route has redundant ports by default. | Azure |
| Auto Scaling | Has auto scaling provisions, terminates instances based on configured policies, and replaces unhealthy instances automatically. | Automatically replaces unhealthy instances (service healing). Auto-scaling also supports both time and load-based scale up and scale down. | Tie |
| Compute | EC2 is billed by the hour. | Virtual Machine is billed by the minute, but is slightly more expensive on average. | Tie |
| Storage | Allows requestor to choose the input/output operations per second (IOPS). | Has more predefined IOPS levels. | Amazon |
| Security | Provides both server-side and client-side encryption options. | Provides both server-side and client-side encryption options. | Tie |

Map of Major Data Centers – Azure and Amazon

| Regional | Amazon | Azure |
|---|---|---|
| Asia & Pacific | Tokyo, Japan; Beijing, China; Singapore, Singapore; Sydney, Australia; India (Coming Soon); Ningxia, China (Coming Soon); South Korea (Coming Soon) | Hong Kong, Hong Kong; Singapore, Singapore; Saitama, Japan; Osaka, Japan; Sydney, Australia; Melbourne, Australia; Pune, India; Chennai, India; Mumbai, India |
| Africa | None | None |
| Europe | Ireland; Frankfurt, Germany | Dublin, Ireland; Amsterdam, Netherlands |
| North America | Northern Virginia, United States; Oregon, United States; Northern California, United States; Ohio, United States (Coming Soon); Canada (Coming Soon) | Iowa, United States; Virginia, United States; Illinois, United States; Texas, United States; California, United States |
| South America | São Paulo, Brazil | São Paulo, Brazil |

General Comparison

| Category | Description | Amazon | Azure |
|---|---|---|---|
| Container Support | Container is an image that contains the complete file system in order to run software. It includes code, runtime, system tools, system libraries and all other components you can install on a server. This will allow environment and component consistency. | ✓ EC2 Container Service | ✓ Azure Container Service |
| Analytics (Big Data) | This feature will enable the processing and analysis of large amounts of data to reveal patterns, trends, associations, and other information readable by humans. | ✓ Elastic Map Reduce (EMR) | ✓ HDInsight (Hadoop); Azure Data Lake |
| Compute Service | This service provides the computing power. It comes with different operating systems and other services such as storage and network. | ✓ Elastic Compute Cloud (EC2); Amazon Elastic Beanstalk | ✓ Virtual Machine; Cloud Service; Azure Websites and Apps |
| Desktop Service | This service provides virtual desktop service where you have your desktop computer in the cloud and access it via the internet. | ✓ Amazon Workspace | ✓ Azure RemoteApp |
| Hybrid Cloud Storage | This allows on-premise applications to access storage which is located in the cloud system. It makes data growth management, data management, and backup (disaster recovery) easier. | ✓ AWS Storage Gateway | ✓ StorSimple |
| Load Balancing | A load balancer distributes network or application traffic across a number of servers. Load balancers are used to increase capacity (concurrent users) and reliability of applications. | ✓ Elastic Load Balancing | ✓ Azure Resource Manager (ARM) |
| Managed Deployment | This service automates code deployments, enabling you to deploy reliably and rapidly. The service allows you to launch and track the status of application deployments. | AWS CodeDeploy | Visual Studio Team Services |
Operating System Comparison

| Type | Amazon | Azure |
|---|---|---|
| Linux | CentOS 6.0+ / 7.0; Debian 8.0+; Red Hat Enterprise Linux 6.0+ / 7.0+; SUSE Linux Enterprise 11+ / 12+; Ubuntu 12.04 / 14.04; FreeBSD 9.0+ / 10.0+ | CentOS 6.3+ / 7.0+; CoreOS 494.4.0+; Debian 7.9+ / 8.2+; Oracle Linux 6.4+ / 7.0+; Red Hat Enterprise Linux 6.7+ / 7.1+; SUSE Linux Enterprise 11 SP3+ / 12+; Open SUSE 13.1+; Ubuntu 12.04 / 14.04 / 15.04 / 15.10 |
| Windows | Windows 2003 R2; Windows 2008 R2; Windows 2008; Windows 2012; Windows 2012 R2 | Windows 2008 R2; Windows 2012 R2 |
| Desktop Virtual | Windows 7 with MS Office, Trend Micro and utility bundles | Not Supported |

Network Comparison

| Type | Amazon | Azure | Remark |
|---|---|---|---|
| Virtual Network | Amazon Virtual Private Cloud (VPC) | Virtual Network | This service enables you to establish a private network (closed and security enhanced). This network is logically (rather than physically) isolated from other networks. |
| Direct Connection | AWS Direct Connection | Express Route | This service enables you to connect to the cloud directly from your premises (office or data center) over vLAN, which means you can control bandwidth throughput and keep a more reliable connection than internet-based connections. |
| DNS | Amazon Route 53 | Azure DNS | Domain Name Server (DNS) is used to translate domain names to IP addresses (like yellow pages). This feature enables users to quickly access applications and infrastructure in the cloud. |

Database Comparison

| Type | Amazon | Azure | Remark |
|---|---|---|---|
| Relational Database | Amazon Relational Database Service (RDS) | Azure SQL Database | Both Amazon and Azure provide Database as a Service (DaaS) options. Amazon provides more database options as part of their DaaS. |
| NoSQL Database | DynamoDB; MongoDB | DocumentDB; MongoDB | NoSQL databases do not use tabular relationships to organize data and are mostly used to store large amounts of unstructured data. |
| Data Warehousing | Amazon Redshift | Azure SQL Data Warehouse | Data warehousing is used to run data analysis and produce reports. It stores current and historical data. |

Operating System Pricing Comparison – Azure and Amazon

| Data Center Location | Amazon - Linux | Azure - Linux | Amazon - Windows | Azure - Windows |
|---|---|---|---|---|
| Japan | $0.08 | $0.11 | $0.10 | $0.158 |
| Australia | $0.08 | $0.116 | $0.10 | $0.186 |
| Singapore | $0.08 | $0.116 | $0.10 | $0.174 |
| EU Region #1 - Ireland | $0.056 | $0.094 | $0.076 | $0.15 |
| EU Region #2 - Varies | $0.06 | $0.102 | $0.08 | $0.162 |
| Brazil | $0.108 | $0.116 | $0.128 | $0.178 |
| US West | $0.052 | $0.094 | $0.072 | $0.154 |
| US East | $0.052 | $0.088 | $0.072 | $0.148 |

- Amazon EU Region #2 - Frankfurt
- Amazon - 2 vCPU / 4GB RAM
- Azure EU Region #2 - Netherlands
- Azure - 2 cores / 3.5GB RAM

Storage Pricing Comparison – Azure and Amazon

| Data Center Location | Amazon - Storage (500TB) | Azure - Storage (500TB) |
|---|---|---|
| Japan | $0.0313 per GB | $0.0228 per GB |
| Australia | $0.0313 per GB | $0.0251 per GB |
| Singapore | $0.0285 per GB | $0.0228 per GB |
| EU Region #1 - Ireland | $0.0285 per GB | $0.0228 per GB |
| EU Region #2 - Varies | $0.0308 per GB | $0.0228 per GB |
| Brazil | $0.0387 per GB | $0.0309 per GB |
| US West | $0.0285 per GB | $0.0228 per GB |
| US East | $0.0285 per GB | $0.0228 per GB |

This table compares S3 storage on Amazon and Locally Redundant Storage (LRS) on Azure.
- Azure EU Region #2 - Netherlands
- Amazon EU Region #2 - Frankfurt

Network (traffic) Pricing Comparison – Azure and Amazon

| Traffic | Amazon - DNS Query | Azure - DNS Query |
|---|---|---|
| First One Billion Queries / month | $0.700 per million queries | $0.540 per million queries |
| Over One Billion Queries / month | $0.350 per million queries | $0.375 per million queries |

| Traffic | Amazon - Health Check | Azure - Health Check |
|---|---|---|
| Internal | $0.50 per health check / month | $0.36 per health check / month |
| External | $0.75 per health check / month | $0.54 per health check / month |

Health check is a process by which network traffic is sent to check if an instance or node is active. This is required in order to set up load balancing and high availability.

| Data Center Location | Amazon - Gateway | Azure - Gateway |
|---|---|---|
| Japan | $0.062 per hour | $0.036 per hour |
| Australia | $0.059 per hour | $0.036 per hour |
| Singapore | $0.059 per hour | $0.036 per hour |
| EU Region #1 - Ireland | $0.048 per hour | $0.036 per hour |
| EU Region #2 - Varies | $0.052 per hour | $0.036 per hour |
| Brazil | N/A | $0.036 per hour |
| US West | $0.045 per hour | $0.036 per hour |
| US East | $0.045 per hour | $0.036 per hour |

A gateway is a network point that acts as an entrance to another network. It enables the end users to access the system over the internet or enables a hybrid cloud system. This table compares a NAT Gateway in a VPC on Amazon and a basic VPN or ExpressRoute Gateway on Azure.
7 Glossary

The following terms appear in this document and in the assessments.

| Category | Term | Definition |
|---|---|---|
| General | Multitenancy | The concurrent use of shared computing resources by multiple users, also known as tenants. |
| General | Private Cloud | A private cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple users (i.e. departments). It may be owned, managed, and operated by the organization, a third party, or some combination, and it may exist on or off the premises. |
| General | Public Cloud | A public cloud infrastructure is provisioned for use by any organization that wishes to pay for computing resources. It may be owned, managed, and operated by a business, academic institution, government organization, or some combination. The infrastructure exists on the premises of the cloud provider rather than the users. |
| General | Hybrid Cloud | A hybrid cloud infrastructure consists of two or more distinct cloud infrastructures (private, community, or public) that remain separate, but are bound together by standardized or proprietary technology which enables data and application portability. Normally, it is a combination of public and private. |
| General | Community Cloud | The community cloud is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (i.e., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises. |
| General | IaaS | Provides the capability to request (provision) processing, storage, networks, and other fundamental computing resources, but the requester is able to deploy and run anything they want, including operating systems and applications. |
| General | PaaS | Provides the capability to deploy onto the cloud infrastructure consumer-created or owned applications created using programming languages, libraries, services, and tools supported by the provider. |
| General | SaaS | Provides the capability to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either an interface, such as a web browser (i.e., web-based email), or a program interface (i.e. Office 365). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage. |
| General | High Capacity Link | Also known as an internet gateway, this is a primary or backbone link outside of a country to the Internet. |
| General | Internet Service Provider (ISP) | An organization that provides services for accessing, using, or participating in the Internet. |
| General | Public server | A server that is owned by a third party and accessible via a public network, such as the internet (i.e. AWS or Azure). |
| Application | Criticality | Critical - the application cannot afford to have more than 2 hours of downtime and there is no alternative for this application; also, an application that is classified as 'critical' by internal policy. High - the application cannot afford to have more than 4 hours of downtime and there are alternatives for this application (i.e. manual entries). Moderate - the application cannot have more than 12 hours of downtime. Low - the application can have more than 24 hours of downtime. |
| Application | Single Tier | Single tier, sometimes called one-tier, architecture involves putting all of the required components for a software application or technology on a single server or platform. The alternative is multi-tiered architecture or the three-tier architecture that is used for some web applications and other technologies where various presentation, business and data access layers are housed separately. |
| Application | Static Attribute | Any source code component that has been hard coded (i.e. hard coded IP address and hostnames). |
| Data | Personally Identifiable Information | Personal information is data that can be used to identify the individual (i.e. name, passport number, phone number). |
| Data | Sensitive data | Sensitive data refers to data that is deemed sensitive by the owner of the data (i.e. classified government documents). |
| Data | User Information | User information is data that belongs to an individual but cannot be used to identify them without additional information (i.e. ID, position). |
| Functional | Service Level Agreement (SLA) | An agreement that sets maximum or minimum targets for various metrics. For example, there may be a service level agreement in regards to how quickly technology support must respond to defects of various severities. |
| Infrastructure | Demilitarized Zone (DMZ) | A physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet. |
| Infrastructure | End of Service (EOS) | The expected retirement date of a server based on internal policy or other methods. |
| Infrastructure | Input / Output Operations Per Second (IOPS) | A common performance measurement used to benchmark computer storage devices such as hard disk drives (HDD), solid state drives (SSD), and storage area networks (SAN). |
| Infrastructure | Virtual Machine (VM) | An emulation of a particular computer system. Operates based on the computer architecture and functions of a real or hypothetical computer, and its implementations may involve specialized hardware, software, or a combination of both. |
| Technical Architecture | Central Processing Unit (CPU) | The electronic circuitry within a computer that carries out the instructions of a computer program by performing the basic arithmetic, logical, control and input/output (I/O) operations specified by the instructions. |
| Technical Architecture | Horizontal scaling | Ability of an application to function across multiple instances or nodes. |
| Technical Architecture | Vertical scaling | Ability of an application to take advantage of additional computing power, when added (i.e. CPU, memory). |
| Technical Architecture | Hypervisor | A piece of computer software, firmware or hardware that creates and runs virtual machines. Sometimes called a virtual machine monitor (VMM). |
| Technical Architecture | Loose Coupling | Refers to designing a system in which each of its components has, or makes use of, little or no knowledge of the definitions of other separate components. |
| Technical Architecture | Random Access Memory (RAM) | A form of computer data storage. Stored information is lost if power is removed (computer is shut down). |

8 Assessment References

Cannon, N. (2014). Key Skills Needed for Successful Deployment of Cloud Computing in Government. Stamford: Gartner.

Galexia Consulting. (2013). Global Cloud Computing Scorecard. Retrieved from BSA The Software Alliance: http://www.bsa.org/~/media/Files/Research%20Papers/GlobalCloudScorecard/BSA_Global%20Cloud%20Scorecard_021113.pdf

Kyle Hilgendorf, A. D. (2015). 2016 Planning Guide for Cloud Computing and Virtualization. Stamford: Gartner.

9 Report References

Microsoft. (2011). Business Agility and the Cloud.

Neville Cannon, G. A. (2015). Government CIOs See Expected Cloud Cost Savings Evaporate. Stamford: Gartner.

Pham, T. (2011, September 15). Benefits of Private Cloud Computing: Compliant & Cost-Effective. Retrieved from Online Tech: http://resource.onlinetech.com/benefits-of-private-cloud-computing-compliant-cost-effective/

Rodier, M. (2011, May 18). Speed-to-Market Is Biggest Benefit Of Cloud Computing. Retrieved from InformationWeek WallStreet & Technology: http://www.wallstreetandtech.com/infrastructure/speed-to-market-is-biggest-benefit-of-cloud-computing/d/d-id/1264839

Savvas, A. (2014, May 14). The benefits of hybrid cloud computing. Retrieved from ITProPortal: http://www.itproportal.com/2014/05/14/the-benefits-of-hybrid-cloud-computing/

U.S. Department of Commerce. (2011, September). The NIST Definition of Cloud Computing. Retrieved from National Institute of Standards and Technology: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf

10 Participants and Reviewers

Many individuals were involved in creating and reviewing the toolkit and this report. In addition, many individuals in Serbia, the Philippines, and Zambia participated through interviews, discussions, and feedback during presentations. As many of these individuals as possible are captured in this section.

10.1 Serbia

The individuals listed in the table participated in the interviews and presentations in Serbia.
| Group | Name | Role |
|---|---|---|
| Additional Contacts | Borislav Srdić | |
| Additional Contacts | Irena Cerovic | Portfolio Manager at UNDP |
| Additional Contacts | Jelena Manic Petronikolos | |
| Additional Contacts | Jelena Tatomirovic | Coming, Network and Security Engineer |
| Additional Contacts | Marko Filipovic | MS, Services Delivery Lead |
| Additional Contacts | Milan Vujovic | Coming, Network and Security Engineer |
| Additional Contacts | Miroslav Pevac | |
| Additional Contacts | Radoje Gvozdenovic | |
| Additional Contacts | Tomislav Ranđić | |
| Additional Contacts | Vladimir Milosevic | IBM Architect |
| Additional Contacts | Vladimir Radunovic | Cybersecurity Expert |
| Directorate for e Government | Dusan Stojanovic | Director |
| Directorate for e Government | Marija Kujacic | Head of Department |
| Directorate for e Government | Marija Laganin | PR Advisor |
| Directorate for eGovernment | Rade Dragović | Head of Department for Development and Standardization |
| Environmental Protection Agency | Dejan Lekic | Director |
| Environmental Protection Agency | Elizabeta Radulović | Director of Information System |
| Environmental Protection Agency | Nikola Pajcin | |
| General Secretariat | Petar Janjic | Assistant Secretary General of the Government |
| Institute of Public Health | Dr Ivan Ivanović | Head of Department of Informatics & Biostatistics |
| Korean Embassy | Hongsik Kim | Korean Embassy / 1st Sec |
| Korean Embassy | Kichang Park | Korean Embassy / Minister Counselor |
| Medicines and Medical Devices Agency of Serbia | Igor Pasic | System Administrator, IT engr. |
| Medicines and Medical Devices Agency of Serbia | Igor Vanevski | M.Sc, grad. Mech. Engineer |
| Medicines and Medical Devices Agency of Serbia | Tatjana Stojadinovic | Ph.D., IT Group Manager |
| Ministry of Interior | Dr. Predrag Djikanovic | Assistant Head of Sector |
| Ministry of Interior | Duško Sivčević | |
| Ministry of Interior | Goran Perunicic | Assistant Head of Sector |
| Ministry of Interior | Slobodan Nedeljkovic | Head of Sector, Assistant Minister for Analytics and ICT |
| Ministry of Public Administration and Self-Government | Dražen Maravić | |
| Ministry of Public Administration and Self-Government | Irena Posin | Assistant Minister |
| Ministry of Public Administration and Self-Government | Jovana Vlaškalin | |
| Ministry of Trade, Tourism and Telecommunications | Dr. Irini Reljin | Head of MTTT, Professor |
| Ministry of Trade, Tourism and Telecommunications | Zlatko Jelisavcic | Head of Department for Information Society Development |
| Office of Prime Minister | Ana Šarenac | Prime Minister's Delivery Unit |
| Office of Prime Minister | Gregor Virant | Prime Minister's Delivery Unit |
| Personal Data Protection | Lela Rudic | Personal Data Protection |
| Personal Data Protection | Rodolijub Sabic | |
| Public Investments Management Office | Sandra Nedeljković | Public Investment Management Office |
| Public Policy Secretariat of the Republic of Serbia | Djiana Ilic Zogovic | Senior Expert Advisor, Head of Group |
| Public Policy Secretariat of the Republic of Serbia | Jasna Atanasijević | Director |
| Public Policy Secretariat of the Republic of Serbia | Siniša Barjaktarević | Senior Expert Advisor |
| RATEL | Aleksandra Stefanovic | Public and International Relations |
| RATEL | Nemanja Vukotić | |
| RATEL | Vladica Tintor | Director |
| Republic Geodetic Authority | Borko Drašković | Director |
| Republic Geodetic Authority | Dragan Bogdanović | Head of Department (Info. & Comm.) |
| Republic Geodetic Authority | Veselin Bakic | |
| Serbian Business Registers Agency | Branislav Dobrosavljevic | Data Services Manager |
| Serbian Business Registers Agency | Zvonko Obradovic | Director |
| Telekom Srbija | Borko Crnogorac | Sales & Marketing Director - SME |
| Telekom Srbija | Jelena Petrovic | Manager of the Department for Sale to Public Admin. |

10.2 Philippines

The individuals listed in the table participated in the interviews and presentations in the Philippines.

| Group | Name | Role |
|---|---|---|
| Advanced Science and Technology Institute | Bayani Benjamin Lara | Supervising S/R Specialist |
| Advanced Science and Technology Institute | Denis Villorente | Deputy Executive Director for e-Government |
| Advanced Science and Technology Institute | Jessi Rubio | |
| Advanced Science and Technology Institute | Jelina Tetangco | |
| Bureau of Internal Revenue (BIR) | Carolyn Ann Reyes | |
| Bureau of Internal Revenue (BIR) | Jocelyn Zabala | |
| Construction Industry Authority of Philippines (CIAP) | Angelina F Tajon | |
| Construction Industry Authority of Philippines (CIAP) | Lady Laput | |
| Construction Industry Authority of Philippines (CIAP) | Lorina S Laurequez | |
| Construction Industry Authority of Philippines (CIAP) | Sonia T. Valdeavilla | Executive director |
| Department of Budget and Management (DBM) | Christopher Kuzhuppilly | |
| Department of Budget and Management (DBM) | Gladys Abellano | OCIO |
| Department of Budget and Management (DBM) | Mary Jane O. Eucos | OCIO |
| Department of Budget and Management (DBM) | Michelle Arianne Manza | Executive Assistant, Office of Undersecretary & Chief Information Officer |
| Department of Budget and Management (DBM) | Richard Moya | Undersecretary |
| Department of the Interior and Local Government (DILG) | Kieth P. Lagmay | |
| DOST-ICTO | Toni Torres | Project Manager, i-Govt, ICTO |
| Environmental Management Bureau (EMB) | Consolacion Crisostomo | |
| Environmental Management Bureau (EMB) | Herburt Narisma | |
| Environmental Management Bureau (EMB) | Lexter Maymay | |
| Environmental Management Bureau (EMB) | Sharmaine Tayco | |
| Information and Communications Technology Office | Juli Ana E. Sudario | Project Manager, MITHI |
| Information and Communications Technology Office | Maria Teresa Magno-Garcia | Director |
| Philippine National Police (PNP) | Felizanrdo Eubra Jr. | Head of Cyber Security |
| Philippine National Police (PNP) | Mr. Ferrancullo | |
| University of the Philippines | Rommel P. Feria | |
| University of the Philippines | Vic Angelo D.S. Mamaril | |

10.3 Zambia

The individuals listed in the table participated in the interviews and presentations in Zambia.

| Group | Name | Role |
|---|---|---|
| CEC Liquid | Kauba Kalungombe | Legal Counselor |
| CEC Liquid | Marjorie Nalubamba | Chief Sales and Marketing |
| CEC Liquid | Mwizu Sikanyika | CTO |
| Centre of Excellence for e-Government and ICT | Dr. Felix Phiri | Director |
| Centre of Excellence for e-Government and ICT | Chibala | |
| Centre of Excellence for e-Government and ICT | George Mbasela | |
| Centre of Excellence for e-Government and ICT | Godfrey Chinyama | Senior Analyst |
| Centre of Excellence for e-Government and ICT | Joyce Chipwepwe | Acting Head/CPT |
| Centre of Excellence for e-Government and ICT | Kaluba Shiliya | |
| Centre of Excellence for e-Government and ICT | Stanley Phiri | Senior Analyst |
| Ministry of Community Development and Social Welfare | Noel Masese | Assistant Director - ICT |
| Ministry of Finance | Boyd Lumbwe | Budget Office |
| Ministry of Finance | Percy Musona | Principal Budget Analyst |
| Ministry of Health | Virginia Simushi | |
| Ministry of Health | Chisanga Siwale | |
| Ministry of Transportation and Communication | Austin Sichinga | Department of Communication |
| Ministry of Transportation and Communication | Beaton Sibulowa | Department of Communication |
| Ministry of Transportation and Communication | Nkula Mwanza | Department of Communication |
| Ministry of Transportation and Communication | Yese Bwalya | Director, Department of Communications |
| MTN | Clukondi Mwanza | |
| MTN | Komba Malukufila | |
| MTN | Linliwe Banda | |
| MTN | Lubinda Mulikelela | |
| MTN | Mark Townsend | |
| University of Zambia | Christine W. Kanyengo | University Librarian |
| University of Zambia | Collins C. Kachaka | Director of IT |
| University of Zambia | Francina N. S. Makondo | Deputy University Librarian |
| Zambia Revenue Authority (ZRA) | Daniel Kalunga | Network |
| Zambia Revenue Authority (ZRA) | Davies Chansa | Senior IT Officer |
| Zambia Revenue Authority (ZRA) | Enos Ngoma | Business Admin |
| Zambia Revenue Authority (ZRA) | Halusaka Hamwalla | Assistant Director - IT |
| Zambia Revenue Authority (ZRA) | Perry Chikwama | Senior IT Officer |
| Zambia Revenue Authority (ZRA) | Winter Msukwa | System Development |
| Zamtel | Albert Salima | CIO |
| Zamtel | Clive Mutentwa | IT Infrastructure Manager |
| ZESCO | Allan S. Kashimi | |
| ZESCO | Anthony N. Mwange | Senior Manager |
| ZESCO | Charity K. Chola | |
| ZESCO | Mary Chitembo | |
| ZESCO | Victor Chisemele | |
| Zambia Information and Communication Technology Authority (ZICTA) | Bernard Banda | |
| Zambia Information and Communication Technology Authority (ZICTA) | Choolwe Nalubamba | |
| Zambia Information and Communication Technology Authority (ZICTA) | Elliot Kabalo | |
| Zambia Information and Communication Technology Authority (ZICTA) | Margaret Muaewda | Director General |
| Zambia Information and Communication Technology Authority (ZICTA) | Patric Mutimushi | |

10.4 Toolkit Reviewers

The individuals listed in the table reviewed the toolkit prior to the start of the pilots.

| Name | Company | Role | Reviewed | Country |
|---|---|---|---|---|
| Dr. Seunghyun Kim | World Bank | Project Manager | Toolkit | USA |
| Samia Melhem | World Bank | Project Lead | Toolkit | USA |
| Young Jin Choi | World Bank | Subject Matter Advisor | Report | USA |
| Clay Lin | World Bank | Subject Matter Advisor | Report | USA |
| Roman Lerman | Accenture | Subject Matter Advisor | Toolkit | USA |
| Amanda Jensen | Accenture | Project Manager | Toolkit | USA |
| Gregory Scheaffer | Accenture | Project Consultant | Toolkit | USA |
| Anantha Ramadas | Accenture | Cloud Application Transformation Senior Manager | Toolkit | USA |
| Timothy Aultman | Accenture | Cloud Application Transformation Manager | Toolkit | USA |
| Chris Scott | Accenture | Lead for Accenture Amazon Business Group | Cloud Comparison | USA |
| Dominic J. Delmolino | Accenture Federal Services | Managing Director, AFS Infrastructure Agility (Cloud and DevOps) | Country Assessment | USA |
| Sigurd Myhre | Accenture | IT Strategy | Application Assessment | Norway |
| Chan Lee | Duzon | President of the Security Division | Toolkit | Korea |
| Inhyun Bark | Duzon | Senior Analyst | Toolkit | Korea |
| Jay Lee | Duzon | Subject Matter Advisor | Toolkit | Korea |
| Nuri Lee | Duzon | Subject Matter Advisor - Cloud Expert | Toolkit | Korea |
| Dr. Jong Whoi Shin | Microsoft Korea | National Security Officer | Toolkit | Korea |
| Kyung-ho Son | Korea Internet and Security Agency (KISA) | R&D Center Director | Toolkit | Korea |
| Dr. Wan S. Yi | Korea Internet and Security Agency (KISA) | Internet Industry Division Director | Toolkit | Korea |
| Jungjoo Lee | National Information Society Agency (NIA) | Subject Matter Advisor | Toolkit | Korea |
| Legal | Microsoft | Representative from Legal Team | Toolkit | |
| Policy | Microsoft | Representative from Policy Team | Toolkit | |
| Kaja Ciglic | Microsoft | Senior Cybersecurity Strategist at Microsoft | Country Assessment | USA |
| Stevan Vidich | Microsoft | Azure Expert | Cloud Comparison | |
| Steve Mutkoski | Microsoft | Government Affairs Director, Microsoft Worldwide Public Sector | Toolkit | |
| Zaki Khoury | Microsoft | Regional Director - International Organizations - Middle East & Africa | Toolkit | |

10.4 Report Reviewers

The individuals listed in the table reviewed this report.

| Name | Company | Country |
|---|---|---|
| Dr. Seunghyun Kim | World Bank | USA |
| Samia Melhem | World Bank | USA |
| Reg Miller | World Bank | USA |
| John Savageau | World Bank | USA |
| Natasha Beschorner | World Bank | USA |
| Oleg Petrov | World Bank | USA |
| Roman Lerman | Accenture | USA |
| Amanda Jensen | Accenture | USA |
| Gregory Scheaffer | Accenture | USA |
Jong Whoi Shin Microsoft Korea National Security Officer Toolkit Korea Korea Internet and Kyung-ho Son R&D Center Director Toolkit Korea Security Agency (KISA) Korea Internet and Internet Industry Division Dr. Wan S. Yi Toolkit Korea Security Agency (KISA) Director National Information Jungjoo Lee Subject Matter Advisor Toolkit Korea Society Agency (NIA) Legal Microsoft Representative from Legal Team Toolkit Policy Microsoft Representative from Policy Team Toolkit Senior Cybersecurity Strategist at Country Kaja Ciglic Microsoft USA Microsoft Assessment Stevan Vidich Microsoft Azure Expert Cloud Comparison Government Affairs Director, Steve Mutkoski Microsoft Microsoft Worldwide Public Toolkit Sector Regional Director - International Zaki Khoury Microsoft Organizations - Middle East & Toolkit Africa 10.4 Report Reviewers The individuals listed in the table reviewed this report. Name Company Country Dr. Seunghyun Kim World Bank USA Samia Melhem World Bank USA This paper, created by The World Bank in collaboration with Accenture, is available under the Creative Commons Attribution 4.0 International (CC BY 4.0) license. Page 81 of 82 Cloud Readiness Toolkit Country Report Reg Miller World Bank USA John Savageau World Bank USA Natasha Beschorner World Bank USA Oleg Petrov World Bank USA Roman Lerman Accenture USA Amanda Jensen Accenture USA Gregory Scheaffer Accenture USA This paper, created by The World Bank in collaboration with Accenture, is available under the Creative Commons Attribution 4.0 International (CC BY 4.0) license. Page 82 of 82