1. WOSM Staff Support Centre
  2. Workplace and Travel
  3. Digital and Information Technology

WSB Policy: Cloud First

Updated
Have more questions? Submit a request

Introduction

The WSB is committed to modernising our information and communication technologies (ICT) and will lead in example of adopting and using cloud computing services to reduce capital expenditure related costs, increase security, and develop and excellent digital technology landscape for our global community of staff, consultants, volunteers and members.

The WSB will adopt a Cloud-first approach with the aim of:

  • Reducing cost related to capital expenditure for ICT services, duplication of services and/or solutions and the fragmentation in the technology landscape.
  • Leveraging on the efficiencies of on-demand provisioning of ICT services.
  • Increasing security via the adoption of accredited platforms
  • Increasing productivity and agility, thereby improving our ICT services.

In order to achieve this all WSB offices globally will evaluate cloud-based services when undertaking procurement activities related to ICT services and solutions. Where possible, Commercial Of The Shelf (COTS) Cloud based applications are preferred over custom development activities.

The delivery of the ICT service will be based on an assessment of a number of short-listed applications. The assessment model will cover the following areas:

  • Fit for Purpose
  • Cost Benefit Analysis
  • Value for money

The assessment for COTS Cloud-based applications should be made via the WSB SRS Excel template downloadable from here. For any Custom development activity, please use the WSB ARS Excel Template downloadable from here.

 

Scope

This policy is applicable for all WSB offices globally who are looking to host their data, applications or digital services in a centralised cloud environment, in accordance with the overall WSB’s strategic direction to use a Cloud-first approach to support cost optimisation and to deliver world class ICT services and solutions.

 

Definitions

A list of terms used throughout this policy are defined in Appendix A.

 

Overview of Cloud Computing

There are many definitions of Cloud Computing, however, the WSB is adopting the cloud computing definition provided by the National Institute of Standards and Technology (NIST) which defines cloud computing as:

A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

This section provides a brief overview of the essential characteristics of cloud computing together with the cloud service and deployment models. It is recommended that all WSB offices familiarise themselves with the NIST definitions to ensure that they are able to identify and understand the risks associated with different cloud service and deployment models.

Picture_1.png

 

Essential Characteristics

There are 5 essential characteristics of Cloud Computing as defined by NIST. They are as follows:

  • On Demand Self-Service – Computing resources such as servers and networks can be unilaterally provisioned by a consumer as and when needed without the aid of human interaction with each service provider.
  • Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
  • Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacentre). Examples of resources include storage, processing, memory, and network bandwidth.
  • Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability[1] at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

     

Service Models

There are 3 primary of Cloud computing service models. They are:

  • Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure[2]. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user specific application configuration settings.
  • Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment
  • Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

A 4th Cloud computing service delivery model is quickly becoming a norm in small and medium sized organisation is commonly referred to as Business Process as a Service (BPaaS). Gartner[3] defines the BPaaS as the delivery of business process outsourcing (BPO) services that are sourced from the cloud and constructed for multi-tenancy.”

 

Deployment Models

There are 3 primary deployment models for a Cloud-first approach. They are listed below:

  • Public Cloud is a type of cloud hosting that allows the accessibility of systems & its services to its clients/users easily. Some of the examples of those companies which provide public cloud facilities are IBM, Google, Amazon, Microsoft, etc. This cloud service is open for use.
  • Private Cloud also termed as 'Internal Cloud'; which allows the accessibility of systems and services within a specific boundary or organization. The cloud platform is implemented in a cloud-based secure environment that is guarded by advanced firewalls under the surveillance of the IT department that belongs to a particular organization. Private clouds permit only authorized users, providing the organizations greater control over data and its security. Business organizations that have dynamic, critical, secured, management demand-based requirement should adopt Private Cloud.
  • Hybrid Cloud is another cloud computing type, which is integrated, i.e., it can be a combination of two or more cloud servers, i.e., private, public or community combined as one architecture, but remain individual entities. Non-critical tasks such as development and test workloads can be done using public cloud whereas critical tasks that are sensitive such as organization data handling are done using a private cloud.

 

Policy

Guiding Principles

The WSB’s Cloud-first policy is based on the following guiding principles:

  1. ICT at entity level must focus on functional excellence and delivering higher business value.
  2. ICT Infrastructure is one key candidate for national level consolidation and optimisation.
  3. Standardised infrastructure management to enable:
    • optimisation of infrastructure cost
    • Improvement in service quality
    • improvements in ICT security
    • efficient business continuity
  2. Promote a holistic “Cloud-first“ approach across all WSB offices globally.
  3. WSB's preferred Service Model will be Software-as-Service and / or Platform-as-Service. Other service models may be considered and used on a case-by-case basis.

Purpose

This policy provides guidance to all WSB office globally, as the WSB moves towards a common operating environment, leading to:

  1. Reduction in cost for both hardware and platforms for the WSB’s ICT services and solutions.
  2. Improved manageability and productivity of ICT solutions.
  3. Better integration between services.
  4. Operational continuity and business recovery.
  5. Greater budget control.
  6. Greater agility.

 

Operational Framework

In order for WSB’s Cloud-first strategic direction to be successful, the following aspects must be incorporated in the overall process for ICT solution development and delivery.

Service & Deployment Model Selection

  1. To utilize only the SaaS service model for COTS digital services and solutions and to use only PaaS deployment model for any custom digital services and solutions.
  2. To use the Public Cloud for COTS digital solutions and Private Cloud for any custom development work.

Evaluation Templates

Evaluation templates are available for use for any WSB offices globally when looking to embark on the Cloud-first journey. These templates are available on Dropbox and aids greatly in undertaking a comprehensive evaluation of services and solutions to find one that suits the WSB’s business needs. Should any WSB office need assistance in working with the template, please reach out to cer.support@scout.org.

Application / Service Migration Criteria

All WSB offices are required to use cloud services for new ICT services and when replacing any existing ICT services, except if:

  1. it can be shown that an alternative ICT deployment strategy meets special requirements of a government agency and
  2. it can be shown that an alternative ICT deployment strategy is more cost effective from a Total Cost of Ownership (TCO) perspective and demonstrates at least the same level of security assurance than a cloud computing deployment.

Security Principles

  1. The benefit of migrating WSB workloads and data onto commercial cloud is the ability to enhance overall data security.
  2. Cloud service providers engaged by any WSB office will be required to meet international security standards and ensure appropriate certification.
  3. They will abide by all relevant industry standards, for example, international security standards such as ISO 27001, Service Organization Controls Report (SOC) 1 and 2; and will adhere to any additional certifications required by specific industries, such as the Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Requirement (GDPR) and Cloud Security Alliance (CSA) certification and audit, as well as others that is relevant to the region/country.

Mitigation and Back-up.

  1. All WSB office will need to have in place mitigation and redundancy contingencies. It is the responsibility of each WSB office to ensure that they have a mitigation and back-up plan for their data and services.
  2. These plans need to ensure at a minimum:
    • Having service continuity in times of disaster or emergency
    • No WSB data loss occurs without recovery.
    • A mitigation and back-up plan should include backing-up data in a second location in two regions so as to ensure (i) full data protection, (ii) continued and uninterrupted service, and (iii) data recovery.

 

Data Sovereignty.

The benefits of cloud are best realized when there are no data residency restrictions placed on data. Such restrictions undermine the economies of scale and security benefits to be gained from shared computing infrastructure.

Access to data in the cloud is dependent on security controls, and WSB offices concerned with extraterritorial access to data owned by the WSB should select cloud vendors with the appropriate security standards and controls.

 

Roles & Responsibilities

Stakeholders

Responsibilities

Senior Management Team

Review, Approve and formally support this policy

Communications
  • To champion the adoption of the Cloud-first strategy.
  • Support WSB offices in their Cloud-first adoption.
  • Provide technical consultation services for the WSB offices in addressing any and all queries related to Cloud computing.

 

Line Managers, Supervisors, Department Heads
  • Complying with the terms of this policy and all other relevant WSB policies, procedures, regulations and applicable legislation.
  • Responsible for ensuring awareness of this policy within their area of responsibility.

Global Director, Communications & Partnerships and his/her designate

Authority to monitor for and investigate suspected non-compliance with this policy, and to report alleged non-compliance to the appropriate WSB officer.

 

Policy Distribution & Awareness

This policy and it's supporting policies, standards and guidelines will be published on the WSB Dropbox.

Soft copies of the policy and its supporting policies, standards and guidelines will be available on WSB Staff Support Center.

The IT Personnel and/or the Senior Manager, Digital & IT Services may make periodic policy announcements by email.

WSB line managers will ensure that all existing and new staff, contractors, consultants, interns, volunteers and third-party commercial service providers who report to them are made aware of and have access to the policy and its supporting policies, standards and guidelines.

Individuals requiring clarification on any aspect of the policy and its supporting policies, standards and guidelines and/or advice on general I.T. security matters may email their queries to the Senior Manager, Digital & IT Services or the local IT Personnel.

 

Exceptions to this Policy

Exceptions to the guiding principles in this policy must be documented and formally approved by the Global Director, Communications , with evidence of support from the appropriate Senior Management Team.

Policy exceptions must describe:

  • The nature of the exception.
  • A reasonable explanation for why the policy exception is required
  • Any risks created by the policy exception.
  • Evidence of approval.

 

Policy Enforcement

The WSB reserves the right to take such action as it deems appropriate against individuals who breach the conditions of this policy. WSB staff, contractors, consultants, interns and volunteers who breach this policy maybe subject to disciplinary action, including suspension and dismissal as provided for in the WSB disciplinary procedure.

Breaches of this policy by a third-party commercial service provider, may lead to the withdrawal of WSB information technology resources to that third party commercial service provider and/or the cancellation of any contract(s) between the WSB and the third-party commercial service provider.

The WSB reserves the right to refer any use of its IT resources for illegal activities to the relevant Authorities.

 

Review & Update

This policy will be reviewed and updated annually or more frequently if necessary, to ensure any changes to the WSB’s organisation structure and business practices are properly reflected in the policy.

 

Appendix A: Definitions

COTS: An adjective that describes software or hardware products that are ready-made and available for sale to the general public. For example, Microsoft Office is a COTS product that is a packaged software solution for businesses.

WSB community members: The WSB community members includes, but is not limited to, WSB Staff Members, Volunteers, Consultants, Interns or any individuals engaged by the WSB for any project, work or activity.

 

[1]Typically this is done on a pay-per-use or charge-per-use basis

[2]A cloud infrastructure is the collection of hardware and software that enables the five essential characteristics of cloud computing. The cloud infrastructure can be viewed as containing both a physical layer and an abstraction layer. The physical layer consists of the hardware resources that are necessary to support the cloud services being provided, and typically includes server, storage and network components. The abstraction layer consists of the software deployed across the physical layer, which manifests the essential cloud characteristics. Conceptually the abstraction layer sits above the physical layer.

[3]https://www.gartner.com/it-glossary/business-process-as-a-service-bpaas/

 

Articles in this section

See more
Was this article helpful?
0 out of 0 found this helpful