Cloud policy

What is it?

The delivery of Government services to meet citizen needs continues to drive a large range of agency ICT use cases, which must balance legacy platforms with more responsive services. To better address these needs, the NSW Government is making the strategic shift to cloud consumption through the use of public and private cloud services.

The following cloud services are available to NSW Government agencies:

• Public Cloud: Public cloud services are operated by third party cloud service providers, who own, manage, and deliver computing resources (e.g. compute, storage) over the internet. These computing resources are delivered to multiple organisations.
• Private Cloud: The NSW Government provides private cloud services through GovDC managed and operated data centres.
• Dedicated Network and Cloud Connectivity: The NSW Government private cloud offers dedicated network interconnects between private cloud services and public cloud services.

The NSW Government Cloud Policy is 'public cloud first' meaning NSW Government agencies must make use of public cloud services as the default. Where public cloud services are not suitable for agency requirements, private cloud services, provided through the Government Data Centres (GovDC) can be used by exception.

What does it cover?

The Cloud Policy is presented in six sections:

Policy outcomes

The Cloud Policy provides the direction to enable you to achieve the following outcomes:

• Security – adhering to this policy guidance, regarding usage of cloud services will ensure NSW Government agency assets and data are secured.
• Consistency – agencies receive common direction in the consumption of cloud services, allowing them to make consistent usage of the public and private cloud services.
• Modernisation – the policy guides you in consuming cloud services to modernise their ICT and Digital service delivery. The policy enables modernisation through lineage to updated business processes for procurement, security, and consumption of cloud services.
• Alignment – By defining and guiding the usage of hybrid cloud, this policy ensures alignment of cloud service consumption across the NSW Government in accordance with NSW Government strategic objectives and priorities.
• Innovation – enables you to consume new cloud capabilities such as AI, machine learning, data analytics etc. By leveraging cloud services, the NSW Government will be able to keep up with services released by industry, without having to build and maintain each capability.
• Optimal Commercial Outcomes – you will contribute to optimising NSW Government commercial outcomes by using strategic partnerships with public cloud services providers, whole of government agreements and purchasing arrangements that have been established and referred to in this policy.

Public cloud services

Public cloud services are highly diverse, with varying models for consumption. The types of services that can be consumed through public cloud include:

• Infrastructure as a Service (IaaS): Consumption of ICT infrastructure (server, storage, network, operating system) from a cloud provider. Resources are consumed on demand for as long as they are needed.
• Platform as a Service (PaaS): Consumption of ICT platform to allow for the development, operation, and management of applications without the complexity of building and maintaining infrastructure.
• Software as a Service (SaaS): On demand delivery of software applications, with cloud providers hosting and managing the application and its underlying infrastructure.

Public cloud services are consumed through global hyperscale providers such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) as well as Australian providers such as Vault and Macquarie Government (to name a few). Each cloud provider has differing areas of focus, maturity, and speciality. A listing of Government approved cloud services can be found on buy.NSW.

Private cloud services

Private cloud services enable NSW Government agencies to consume ICT infrastructure in a highly efficient manner with a high standard for physical security. Private cloud services are delivered through the GovDC managed and operated data centres that were built in 2012. These services have evolved to meet the changing needs of NSW Government agencies.

1. Private Cloud

   Private cloud offerings refer to cloud computing resources used exclusively by a single organisation, with services and infrastructure maintained on a private network. Where an NSW Government agency has taken the position to consume their infrastructure as a service, they may engage a vendor to build a dedicated environment, within GovDC managed and operated data centres, on their behalf.

2. Community Cloud

   The community cloud (marketplace) is a secure environment for the provision of as-a-service solutions from a growing number of vendors, dedicated to NSW Government agencies. NSW Government agencies can acquire services through the ever growing ICT Services Catalogue, or by contacting the private cloud team at GovDC@customerservice.nsw.gov.au

3. Dedicated Network and Cloud Connectivity

   NSW Government private cloud facilities are supplier neutral and are open to all cloud service providers to offer cloud connectivity. A comprehensive array of suppliers is already on board. This service provides:

   • Access to dedicated Hyperscaler network links
   • Services supplied by AARNet for academia and associated entities.

   To access any of the approved NSW Government cloud services visit buy.NSW.

   Suppliers that offer services through the NSW Government private cloud are included on buy.NSW but must be procured following the requirements and considerations detailed in Cloud Service Procurement.

4. Innovation Space

   The Innovation Space is an incubator to develop a broader catalogue of private cloud services. By lowering the commitment and investment required, the Innovation Space encourages cloud service providers to build demonstration and test environments of their offerings and latest technologies for NSW Government agencies.

5. Zone 3 PSPF Panel

   In September 2020, GovDC will introduce colocation services certified to PSPF Zone 3. This will enable support of Government systems or workloads classified to PROTECTED level.

6. Cloud Advisory and Procurement

   The Technology Services program can support agencies in the procurement and deployment of cloud services through advisory and management services.

For more information on any of the private cloud services email GovDC@customerservice.nsw.gov.au

Making cloud service decisions

You should consider the four lenses of Strategy, Policy, Procurement and Cyber Security to inform your cloud service decisions. A summary of these lenses is in the diagram below.

Cloud service procurement

The Procurement Policy Framework outlines the procurement process (Plan, Source and Manage).

• Plan – Best practices including when and how to approach the market;
• Source – Finding the right supplier, going to market, and awarding the contract; and
• Manage – Fostering a relationship so suppliers can excel while meeting obligations.

As you determine the appropriate mix of services to suit your needs, you will need to undergo procurement activities to source these services. Procurement of services is governed by the NSW Procurement Policy Framework and supported by buy.NSW.

buy.NSW is designed for NSW Government to make informed decisions when buying goods and services. It offers a space for buyers and sellers of products and services to connect and do business.

• Buyers can search for, identify, and contact suitable suppliers; and
• Suppliers can register to do business with government, manage their profile and provide information on their goods and services.

Sourcing and contracting

The NSW Procurement Board Direction states that agencies must use whole-of-government contracts for obtaining the goods or services to which those contracts apply, except where specific exemptions are provided by Procurement Board policies. These contracts must be used, where they provide the best value for money, as determined through an assessment of the hybrid cloud consumption over the life of the contract. Where hybrid cloud consumption changes, these contracts and their use, should be re-evaluated.

The list of whole of government contracts can be found on buy.NSW.

Where a suitable whole of government contract does not exist, agencies must use one of the following Procure IT Framework components:

• Core and Contracts: may be used for low risk procurements with a contract value up to $1,000,000 (excl. GST); or
• Procure IT v3.2 : for all high risk procurements with a contract value over $1,000,000.

The Department of Customer Service has also developed a new form of agreement for cloud services, the Cloud Purchasing Arrangements (CPA). Further information on the CPA is outlined below.

Cloud purchasing arrangements (CPA)

The CPA is a collection of whole of government contracts which are available for consumption of cloud services, generally via the public cloud and community cloud deployment models. A CPA whole of government contract typically incorporates a commercial framework providing a range of benefits to buyers in recognition of whole of government volume. It also enables suppliers to provide a compelling and standardised offer to eligible buyers, enabling transactions to be streamlined.

CPA whole of government contracts are standing offers where buyer will enter a customer contract (or equivalent) under a head agreement before raising orders. It is therefore important that each buyer assess and can demonstrate value for money associated with their preferred suppliers prior to raising orders.

CPA contracts also take one of three forms:

1. an amendment of an existing whole of government contract to accommodate cloud services
2. variation of a contract available through another jurisdiction such that it is suitable for use by NSW buyers or
3. a new contract based on the Digital NSW Cloud Framework Agreement.

CPA whole of government contracts, including scope and details of applicable benefits, will be published on buy.nsw as they are approved.

Cloud service security

Securing data in the Cloud is a shared responsibility between NSW Government agencies and their cloud service providers. The cloud service provider is responsible for security 'of the Cloud', whilst agencies are responsible for security 'in the cloud'. The table below outlines the delineation of this responsibility across cloud consumption models:

You should refer to the table above to understand the technology layers they are responsible for securing and refer to the NSW Cyber Security Policy to understand the requirements and considerations to apply across each of these areas.

You must abide by the NSW Cyber Security Policy when protecting data hosted in cloud services. The NSW Government Information Classification, Labelling and Handling Guidelines detail how NSW agencies can correctly assess the sensitivity and security of their information, label and then handle this information safely. These guidelines align closely with the Commonwealth Protective Security Policy Framework (PSPF).

The PSPF has been updated in 2018. The PSPF has three security classifications, PROTECTED, SECRET and TOP SECRET.

Further information can be found in the Australian Cyber Security Centre's Cloud Computing Security Considerations which provides detailed security considerations, applicable to public and private cloud services.

Need more information?

Download the NSW Government Cloud Policy (PDF, 971.36 KB)