g-cloud vision

DATA CENTRE STRATEGY, G-CLOUD &
GOVERNMENT APPLICATIONS STORE
PROGRAMME PHASE 2

PHASE 2 SCOPE REPORT

Authors: Martin Bellamy and Gerry Gallagher
Date: 10 February 2011
Version No: 0.35

UNCLASSIFIED

Data Centre Strategy, G-Cloud & Government Applications Store Programme Phase 2

Summary of Vision

Introduction

1.1 At the core of the programme is the vision of providing political, business and ICT
leaders with greatly improved agility, flexibility and choice in the ICT that enables the public
sector and to deliver substantial cost savings on both existing and new ICT services. This will
involve a wholesale move to shared utility style ICT services for use as „the default‟ across
the public sector. Citizens, staff and the third sector will benefit from greater innovation and
choice and from more personalised presentation of relevant services from across the public
sector.

1.2 The programme is being designed to address key ICT related objectives set out by
the Operational Efficiency Programme, and those of the Green ICT Strategy, Digital Britain,
Building Britain‟s Future and Smarter Government.

1.3 Recent developments in ICT have made it possible to consolidate ICT Infrastructure
in a way that delivers increased flexibility and responsiveness to business needs whilst
reducing costs. This change involves a move from ICT being provided individually by
organisations procuring their own separate ICT infrastructure, to a new model in which ICT is
provided as a utility which is known as “Cloud Computing”. The flexibility provided by Cloud
computing has enabled its rapid growth and a corresponding lowering of costs.

1.4 Public sector organisations will benefit from ready access to a wide range of pre-
accredited ICT services. These will include both „public cloud‟ services and common and
custom „private cloud‟ services procured by other public sector organisations. Services will
offer usage based pricing, elastic scalability (up or down), and there will be in built flexibility to
switch to alternate services or providers.

1.5 Cost savings will be founded on driving down the number of unique public sector
services through rationalising, sharing and re-using software and infrastructure across
organisational boundaries, joining up buying power by establishing an open and transparent
marketplace that delivers „latest best prices‟ to all, and by introducing standard, automated
processes across the entire ICT lifecycle;- from purchasing new solutions through to
migrating existing services to a new supplier. Industry standards will be used „as is‟ for public
cloud services. For private cloud services common standards and services will be driven „up
the stack‟ to the maximum possible extent; the technical standards landscape will be
controlled by the CTO Council through the cross government Enterprise Architecture (xGEA).

1.6 G-Cloud services will be selected and procured from the Government Applications
Store, and automatically provisioned – either from public cloud providers, or from a private
cloud platform hosted in one of a much reduced number of List X compliant government data
centres; these will also support legacy services during the transition period.

1.7 The way forwards involves substantial change from today‟s ICT delivery model;-
public sector CIO teams will shift from managing the whole ICT lifecycle, to the selection and
integration of relevant services. A federated (rather than centralised) implementation
approach is proposed, allowing many public sector organisations and suppliers to contribute
re-usable assets that can be sourced by others from the Government Applications Store.
Retained ICT organisations will be able to increase focus on business engagement and

01 FINAL G-Cloud Vision v0 35.doc5 UNCLASSIFIED 2


achieving value adding outcomes as less effort will be needed on infrastructure management.
There will be choice in the „road-map‟ for each organization; the route chosen will depend on
business priorities and the current ICT and contractual landscape.

1.8 Major change inevitably creates execution risks. Other public and private sector
organisations that have pioneered the move to a shared utility ICT delivery model have had
strong central drive and leadership. Most private sector organisations have had "someone in
charge" on a global basis. The US government has introduced the Klinger Cohen act and
Economic Development act, which mandate some elements of a more common public sector
approach to ICT. The main areas of challenge in successfully moving to the new model
include leadership, business change management, stakeholder engagement and creating a
win-win proposition for business leaders, users of ICT services, public sector ICT
professionals and the ICT supplier community. For the UK, leadership by the CIO Council is
central to achieving the transition within the public sector‟s devolved, federated organisation.
Engagement of Permanent Secretaries and other business leaders will be also be crucial.
The programme will allocate significant resource to the „soft‟ aspects of change; this will
include centrally co-ordinated communications support and sharing of experience.

1.9 The new approach enables substantial benefits in small and medium sized public
sector organisations including local authorities which may be relatively easier to realise in the
short term, as well as significant benefits in central government in the longer term.
Implementation planning will ensure appropriate balance to mitigate the risk that focus on
large organisations „crowds out‟ the potential delivery of larger benefits to the majority.

1.10 Establishing and maintaining „trust‟ will be essential for public sector organisations to
move to the new model – individual organisations will remain responsible for the service they
provide to the public and will need to be able to count on G-Cloud services as being at least
as good as those used today. G-Cloud will be the internal brand for secure, trusted and
shared public sector ICT services;- all G-Cloud services will have common characteristics
including pre-certified standards compliance covering areas such as service delivery,
technical (data, inter-operability etc) and information assurance, provisioning from an efficient
and sustainable data centre, and will be available through the Government Applications Store
at a „value for money‟ best public sector price.

1.11 Given that significant value comes from up front, sharable work on commercials,
service management and information assurance, frameworks will be developed in each of
these areas to enable certification/validation on a component level, so that work does not
have to be repeated when components are assembled into new combinations.

1.12 The transition to the new approach will be achieved through a series of business
focused implementation programmes, each of which will deliver financial and other business
benefits. Some of these will be progressed in parallel. Potential implementation programmes
include Consolidating Data Centres, Utility Applications, Efficient Hosting, Streamlining
legacy, Empowering Business Change, Delivering for Citizens and Staff.

1.13 The programme is adopting a "learning by doing approach” through the “Quick Wins”
work strand. Quick Wins will launch a number of initiatives in February 2010 including several
prototype cloud development environments and a demo version of the Government
Applications Store. These will be available free of charge to public sector organisations. The
strand is exploring extending its scope to build proofs of concept of some automation and



management services. The Quick Wins strand provides a foundation that can potentially be
used to develop a full proof of concept of the future G-Cloud model. CIO Council members
are encouraged to help build programme momentum and early experience by signing their
organisations up to participate in the Quick Wins pilots.

1.14 While further work is needed to determine implementation timescales, the ambition is
to deliver substantial cost savings in the period 2011-2014, to have the proposed approach
fully in place for new services within 3-5 years, and to complete the majority of legacy
rationalisation and migration within 10 years.

Data Centre Consolidation

2.1 Consolidation can commence through inviting suppliers that currently operate multiple
data centres for the public sector to consolidate to two each, with the savings achievable
through estate reductions and virtualisation rebated to their public sector clients. As existing
contracts expire, replacement G Cloud services can then be sourced from the Government
Applications Store where available;- where not, contract renewal can be used to drive
provision of additional G Cloud services as the preferred choice. During the transition period
some unique residual needs will need to be sourced via a conventional procurement
exercise.

2.2 Private G Cloud services will be provisioned from a limited number of sustainable data
centres. Analysis will be conducted to determine whether there is a case for procuring data
centre estate separately from ICT services; this would enable sharing of physical facilities
between multiple G Cloud service providers and ease inter-supplier service transfers.

G Cloud

3.1 There will be 3 main categories of G Cloud branded services:-

Software as a Service (SaaS) which includes managed services, common, utility and
custom services, all of which can be configured for use by many Public Sector bodies.
Platform as a Service (PaaS); a framework overseen by the CTO Council that will be
used to create and manage provisioning of new business applications based on
shared re-usable components ; and
Infrastructure as a Service (IaaS) for hosting existing applications. This includes
services providing capability for
o Managing, securing and storing data
o Hosting applications

3.2 The G Cloud brand will offer dedicated „private‟ services for public sector
organisations, and trusted public cloud services in each category. Public cloud services are
developing rapidly, and are already used by a number of public sector bodies, for example for
services that do not involve personal data. The range and sophistication of public cloud
services will continue to grow and more of the Public Sector‟s ICT needs will be met from
public clouds as today‟s constraints are addressed over time. These constraints currently
include:-



Information Assurance requirements e.g. data centres are outside the UK;
End to end performance of services from public clouds may not be guaranteed; and
Proprietary standards used by some public clouds create the risk of lock in.

3.3 G-Cloud private cloud services will address these constraints, enabling earlier use of
the shared utility model across the public sector. Private G Cloud services will typically be
provisioned by suppliers using an industry standard platform for example Microsoft Azure,
VMware, or Eucalyptus, an Open Source platform that implements Amazon Web Services
standards.

Government Applications Store

4.1 The Government Applications Store will be the marketplace in which trusted services
can be trialled and then purchased from a variety of sources by the Public Sector. The
services available will include private G-Cloud services, certified public cloud and other ICT
Services (eg COTS); and other public sector ICT services such as PSN services.

4.2 The Government Applications Store will be an open marketplace encouraging both
existing and new suppliers to the Public Sector to participate. New suppliers to the Public
Sector will be able to promote and trial their services as “free” prototypes on the Government
Applications Store in order to gauge market interest, with a defined commercial process to
introduce new categories of service where demand is generated. Services that add new
value will be welcomed into the portfolio provided they meet the minimum assurance
requirements – the approach will be „light touch‟ and will emphasise validating service
outcomes rather than auditing the detailed implementation approach.

4.3 Services available through the Government Applications Store will be certified to
demonstrate their compliance to Public Sector requirements. The scope, service levels,
security accreditation and price of the services will be available for review by potential
purchasers.

4.4 The commercial framework of the Government Application Store will allow
purchasers to buy certified services from an on-line catalogue under a cross public sector
framework contract. Services will be paid for on a per use or subscription basis. The latest
price achieved for the service will be shown to purchasers, however if subsequently a lower
price for this service is achieved by another organisation then this will be made available to
all subscribers of the service - from the point at which the new lower price is achieved.

4.5 The Government Applications Store will encourage re-use of existing services.
Purchasers will be directed to existing Managed Services and then to Common Government
and Utility services. Only if these types of offerings are not suitable will purchasers proceed
to build a custom service. The application services offered will vary from commodity
applications which can be used by any organisation with little change to line of business
applications which will require adapting to a particular organisation.

4.6 In order to avoid “lock in” to a particular infrastructure provider there will be a choice
of at least two infrastructure providers for each application. In principle purchasers will be



able to transfer their chosen application service to another infrastructure provider if required
at some future point, although this may involve some data migration activity.

4.7 Following selection of the application and infrastructure provider, the purchased
service will be provisioned through an automated process in the organisation‟s data context.
This will require standards for common data items, again to be specified by the CTO
Council. Subject to policy and individuals‟ decisions, these standards will also ease the
process of sharing data between different public sector organisations.

4.8 While the Government Applications Store will have a centrally managed „master
catalogue‟, there will be the capability to configure views of the catalogue for specific
communities, for example to enable focus on services most relevant to a particular type of
organisation, or to „grey out‟ services which are not approved by the user‟s organisation.
There will also be the ability to support „Communities of Interest‟, encouraging public sector
organisations and individuals to innovate by creating/configuring and then sharing locally
generated applications. „Closed loop‟ feedback will provide visibility of what‟s working,
enabling future trial and purchasing decisions to be informed by others‟ experiences.



Contents

1. Purpose of Document ........................................................................................................... 11

2. Introduction ............................................................................................................................ 12

3. Why Use Cloud Computing in the Public Sector ................................................................ 14

3.1. Public Sector ICT Landscape........................................................................................... 14

3.1.1. Budgetary Pressures..................................................................................................... 14

3.1.2. Green Agenda ............................................................................................................... 14

3.1.3. Digital Britain .................................................................................................................. 15

3.1.4. ICT Procurement ........................................................................................................... 15

3.1.5. ICT Strategy for Government ....................................................................................... 16

3.1.6. Quality of Data Centres................................................................................................. 18

3.2. Developments in the ICT Industry ................................................................................... 18

3.2.1. Will G-Cloud Deliver? .................................................................................................... 20

3.2.2. Will Cloud Computing Happen? ................................................................................... 20

3.2.3. Can the benefits be delivered? .................................................................................... 20

3.2.4. Does G-Cloud depend on leading edge technology? ................................................ 21

3.2.5. Key Risks ....................................................................................................................... 21

3.3. Benefits .............................................................................................................................. 23

3.3.1. Budgetary Pressures..................................................................................................... 23

3.3.2. Green Agenda ............................................................................................................... 23

3.3.3. Digital Britain .................................................................................................................. 24

3.3.4. ICT Procurement ........................................................................................................... 24

3.3.5. Current Initiatives........................................................................................................... 24

3.3.6. Quality of Data Centres................................................................................................. 25

3.3.7. ICT Market ..................................................................................................................... 25

4. The New World of G-Cloud .................................................................................................. 26

4.1. G-Cloud .............................................................................................................................. 27



4.1.1. Application and Information Services .......................................................................... 28

4.1.1.1. Personal Information Management .......................................................................... 29

4.1.1.2. Interaction................................................................................................................... 29

4.1.1.3. Collaboration and Simple Applications .................................................................... 29

4.1.1.4. Resource and Management ..................................................................................... 29

4.1.1.5. Departmental Applications ........................................................................................ 29

4.1.1.6. Data Services ............................................................................................................. 29

4.1.1.7. Line of Business (LOB) ............................................................................................. 29

4.1.1.8. Information Access .................................................................................................... 29

4.1.2. Infrastructure and Platform Services ........................................................................... 30

4.1.3. Data Services on the G-Cloud...................................................................................... 31

4.1.4. Professional ICT Services ............................................................................................ 33

4.1.4.1. Service Management Services ................................................................................. 33

4.1.4.2. System Integration Services ..................................................................................... 33

4.1.5. Exclusions from G-Cloud Scope .................................................................................. 33

4.2. Government Applications Store ....................................................................................... 34

4.3. Data Centre Consolidation ............................................................................................... 37

4.4. Organisation and Governance in the world of G-Cloud ................................................. 38

4.5. Roadmap ........................................................................................................................... 40

4.6. Transition ........................................................................................................................... 42

5. Principles ............................................................................................................................... 43

5.1. Commercial Principles ...................................................................................................... 43

5.2. Technical Principles .......................................................................................................... 46

5.3. Information Assurance Principles .................................................................................... 47

5.5. Transition Principles.......................................................................................................... 50

6. Scenarios ............................................................................................................................... 51

7. Conclusion ............................................................................................................................. 52



8. Appendices ............................................................................................................................ 53

A1. Appendix 1 - Glossary of terms ............................................................................................ 53

A2. Appendix 2 Stakeholder list .................................................................................................. 55

A3. Appendix 3 – Details of Scenarios........................................................................................ 57

A3.1. Central Government Department ICT Service Director ................................................... 57

A3.1.1. Role: ................................................................................................................................. 57

A3.1.2. Challenge: ........................................................................................................................ 57

A3.1.3. Outcome: .......................................................................................................................... 57

A3.2. Local Government Director of Housing ............................................................................. 59

A3.2.1. Role: ................................................................................................................................. 59

A3.2.2. Challenge: ........................................................................................................................ 59

A3.2.3. Outcome A: ...................................................................................................................... 59

A3.2.4. Outcome B: ...................................................................................................................... 60

A3.3. Private Sector Application Provider................................................................................... 61

A3.3.1. Role................................................................................................................................... 61

A3.3.2. Challenge: ........................................................................................................................ 61

A3.3.3. Outcome: .......................................................................................................................... 61

A3.4. Central Government Department ICT Service Director ................................................... 62

A3.4.1. Role: ................................................................................................................................. 62

A3.4.2. Challenge: ........................................................................................................................ 62

A3.4.3. Outcome: .......................................................................................................................... 62

A3.5. Local Government CIO....................................................................................................... 63

A3.5.1. Role: ................................................................................................................................. 63

A3.5.2. Challenge: ........................................................................................................................ 63

A3.5.3. Outcome: .......................................................................................................................... 63

A3.6. Private Sector ICT Provider ............................................................................................... 64

A3.6.1. Role: ................................................................................................................................. 64



A3.6.2. Challenge: ........................................................................................................................ 64

A3.6.3. Outcome: .......................................................................................................................... 64

A4. Appendix 4 Drivers for Change............................................................................................. 65

A4.1. Strategic Drivers for Change ............................................................................................. 65

A4.2. Financial Drivers for Change ............................................................................................. 65

A4.3. Non Financial Drivers for Change ..................................................................................... 66

A4.4. Technological Drivers for Change ..................................................................................... 67

A5. Appendix 5 Programme Risks .............................................................................................. 68

A6. Appendix 6 Information Assurance ...................................................................................... 78



1. Purpose of Document

The G-Cloud, Government Applications Store and Data Centre Consolidation Phase 2
programme started on 5 October 2009 and will run till 12 February 2010. The programme
comprises seven workstrands and a Programme Office function. These workstrands have
been staffed by a mix of civil servants, consultants and industry volunteers.

This document provides a Vision of how the G-Cloud, Government Applications Store and
Data Centre Consolidation will deliver ICT services to the Public Sector. The Vision builds on
the Government Data Centre Strategy Phase 1 Report produced by Phase 1 of the
programme; it is also based on the Government ICT Strategy.

The Vision should be used by stakeholders to gain an overview and high level understanding
of G-Cloud.

The Vision is underpinned by further documents which provide more detail in addition to that
provided in the Vision, these include:

Commercial Strategy
Technical Architecture Strategy
Information Assurance Strategy
Service Management Framework Approach
Service Specification
Transition Approach
Business Plan



2. Introduction

The Government Data Centre Strategy Programme Phase 1 identified the desirability of
consolidating existing public sector data centres and creating a private government
computing cloud (G-Cloud) for the public sector. This document describes the Vision of how
a consolidated set of public sector data centres and a G-Cloud would provide ICT services to
the public sector. It will be used by Phase 2 of the Data Centre Consolidation, G-Cloud and
Applications Store programme to develop more detailed business case and plans,
specifications, architectures and a transition strategy for and to the G-Cloud.

UK Government currently has an extensive and disparate ICT estate supporting the delivery
of services. The emergence of cloud computing and new application delivery models offer
the opportunity to consolidate and improve this existing ICT estate through provision of
standard, commodity ICT services to the whole of the public sector through a government
cloud (G-Cloud).

The government will develop an integrated set of strategies for consolidation of existing data
centres in the public sector, delivery of ICT services through a government cloud (G-Cloud)
and the development of an Application Store for purchase of G-Cloud services.

These strategies will address a number of government objectives:

Reduction of ICT costs
- A sustainable reduction in the operational costs of ICT across public sector to
contribute to the Operational Efficiency Programme (OEP) savings target for
ICT

- The reduction in cost will include a lower cost associated with future change
in ICT service provider specifically the cost of transition to a new provider

Improve government services and agility through use of ICT
- To support a better citizen experience of government services by allowing
government to provide new ICT services faster to meet citizen needs

- Enabling improved responsiveness to ministerial and business generated
changes through faster deployment of ICT services

Reduction of carbon footprint due to Government ICT services
- Through consolidating and optimising use of existing spare ICT capacity and
decommissioning unused capacity

- Adoption of more carbon efficient technology



Improve data centre services
- By removing known issues in existing infrastructure including lack of
resilience and known security concerns

Align with other Government thinking
- Including supporting the objectives of Digital Britain through the deployment
of ICT services and creation of a new market for government ICT services

- Integrating with wider Government ICT initiatives e.g. PSN, Desktop Strategy
to ensure that the overall government ICT Strategy is supported by the G-
Cloud

In order to implement the G-Cloud and support these strategies a set of multi dimensional
changes will need to occur:

Technical – implementation of a G-Cloud architecture covering applications , data
management storage and security services;
Process – implementation of processes to use and manage G-Cloud services;
Commercial – implementation of a commercial framework to permit contracting of
services from the G-Cloud; and
Cultural – a shift to sharing and re-use of ICT services from the G-Cloud
The remainder of this document describes the Vision for Datacentre Consolidation, G-Cloud
and Application Store which will meet these objectives. The services described will be
available to all UK public sector organisations from small bodies through to major central
government departments. The Vision described is for 10 years hence, although many
aspects of the Vision can be implemented within 2 years.



3. Why Use Cloud Computing in the Public Sector

Why should the Public Sector adopt Cloud Computing? What will a new model for delivery of
ICT to the Public Sector bring? Is Cloud computing dependent on new and untried
technology? In this section these questions are answered and why the new model proposed
for ICT in the Public Sector must be implemented is explained.

3.1. Public Sector ICT Landscape

Public Sector ICT has developed to meet the needs of specific public bodies, with limited
sharing of resources, this approach has led to duplication and excess capacity with ICT
system silos in individual public bodies.

Public Sector ICT is now subject to a number of significant drivers for change. These drivers
range from budgetary pressures to ensuring the UK is at the leading edge of the global
digital economy.

3.1.1. Budgetary Pressures

In April 2009, HM Treasury published the Operational Efficiency Programme (OEP) Final
Report which estimated that overall savings of around 20 per cent of the estimated £16
billion annual Public Sector ICT expenditure (£3.2 billion) should be achievable without
compromising the quality of frontline public services. These savings must now be found by
delivering ICT services more efficiently.

3.1.2. Green Agenda

Government runs some of the world‟s largest computer systems and is Britain‟s largest
purchaser of Information and Communication Technology (ICT). This technology is used to
improve the lives of millions of people and can enable smarter ways of working to reduce
carbon. However, this same technology is a major consumer of energy and natural
resources. UK government has made a number of sustainable operational commitments:

Central government office estate will achieve carbon neutrality by 2012;
UK to reduce greenhouse gases by 26% or more by 2020, 60% by 2050; and
Sustainable Operations on the Government Estate (SOGE) targets.



ICT globally emits comparable levels of carbon to the aviation industry, and emissions
continue to grow. Recognising this, the Greening Government ICT Strategy set two
challenging targets which support delivery of mandatory SOGE (Sustainability on the
Government Estate) targets:
government ICT will be carbon neutral by 2012, and
carbon neutral across its lifecycle by 2020.
In order to deliver on these commitments delivery of ICT services to the Public Sector in new
more energy efficient ways which support the Government‟s climate change agenda need to
be developed and implemented.

3.1.3. Digital Britain

The delivery of services to the public by ICT enables wider Government aims for the UK in
the global digital economy and citizen engagement. The Government in the Digital Britain
Report (June 2009) identifies the need for the UK to be at the leading edge of the global
digital economy. The Report also states that “an ambitious and clear programme of The
Digital Switchover of Public Services, to primarily electronic and online delivery, will
unlock significant cost savings, whilst at the same time serving to increase levels of
satisfaction”. The achievement of these aims will require a step change in the efficiency of
ICT procurement and delivery by the Public Sector.

3.1.4. ICT Procurement

Government procurements are overseen by the Office of Government Commerce (OGC)
which has an objective of ensuring the Government gets best value from its spending and
that procurements support the Government‟s sustainability agenda.

Currently the procurement and delivery of ICT programmes in the Public Sector is a lengthy
and costly process. Procurement of large ICT systems can take in excess of 12 months. The
cost of this procurement cycle for both the Public Sector and Suppliers is significant. The
length of time involved means that ICT services in support of new Government policies can
rarely be deployed in the timescale best suited to support the policy. A more agile method of
procuring and delivering ICT in the Public Sector is needed.

These constraints affect Local and Regional Government in addition to central Government.

The OGC is seeking ways in which government procurements can become more efficient
and quicker while supporting sustainability.



3.1.5. ICT Strategy for Government

The CIO Council agreed the overall ICT strategy for Government in summer 2009.

This ICT Strategy supports existing core public sector goals, set in Digital Britain, Building
Britain‟s Future, Excellence and fairness, and the Operational Efficiency Programme:

improving public service delivery
improving access to public services, and
increasing the efficiency of public service delivery

At the heart of the strategy is the creation of a common, secure and flexible infrastructure
that is available across the public sector. It comprises the strands depicted below:



There are 14 strands making up the strategy:

1. The Public Sector Network Strategy - Rationalising and standardising to create a
„network of networks‟, enabling secure fixed and mobile communications for greater
capability at a lower price.
2. The Government Cloud (G-Cloud) - Rationalising the government ICT estate, using
cloud computing to increase capability and security, reduce costs and accelerate
deployment speeds.
3. The Data Centre Strategy - Rationalising data centres to reduce costs while
increasing resilience and capability.
4. The Government Applications Store (G-AS) - Enabling faster procurement, greater
innovation, higher speed to deliver outcomes and reduced costs.
5. Shared services, moving systems to the Government Cloud - Continually moving
to shared services delivered through the Government Cloud for common activities.
6. The Common Desktop Strategy - Simplifying and standardising desktop designs
using common models to enhance interoperability and deliver greater capability at a
lower price.
7. Architecture and standards - Creating an environment that enables many suppliers
to work together, cooperate and interoperate in a secure, seamless and cost-efficient
way.
8. The Open Source, Open Standards and Reuse Strategy - Levelling the playing
field for procurement, enabling greater reuse of existing tools, fewer procurement
exercises and enhanced innovation – all at a lower cost.
9. The Greening Government ICT Strategy - Delivering sustainable, more efficient
ICT at a lower price.
10. Information Security and Assurance Strategy - Protecting data (citizen and
business) from harm – whether accidental or malicious.
11. Professionalising IT-enabled change - Improving the capabilities, knowledge, skills
and experience of those involved in ICT-enabled business change through the
Government IT Profession.
12. Reliable project delivery - Using portfolio management and active benefits
management to ensure that government undertakes the right projects in the right
ways.
13. Supply management - Working together to gain maximum value from suppliers –
both for individual organisations and collectively across the public sector.
14. International alignment and coordination - Ensuring that international treaties and
directives reflect UK national requirements and that the UK remains at the forefront of
delivery.



3.1.6. Quality of Data Centres

The Data Centre Strategy Report produced by the Strategic Supply Board for the Government CIO
Council in September 2009 had a number of findings including:

There is a major opportunity for government to make significant cost savings whilst
delivering improved agility, flexibility, resilience, security and environmental
sustainability. High level analysis suggests a reduction in ICT data centre
infrastructure costs will deliver a net £900 million of cost savings over 5 years, with
recurrent savings of more than £300m a year thereafter;
There are significant variations within the current estate that are not justified by
differences in business needs, which will be rationalised by the approach proposed
in this Vision;
Other organisations have successfully delivered major ICT consolidation
programmes to create a dynamic ICT infrastructure and there is considerable
experience to draw on;
The challenges in consolidating ICT infrastructure are organisational and cultural
rather than technical; and
There is the potential for further cost saving and operational benefits by delivering a
government private Cloud (G-Cloud) in addition to data centre consolidation.

3.2. Developments in the ICT Industry

Recent developments in ICT have made it possible to consolidate ICT Infrastructure in a way
that delivers increased flexibility and responsiveness to business needs whilst reducing
costs. This change involves a move from ICT being provided individually by organisations
procuring their own separate ICT infrastructure, to a new model in which ICT is provided as
a utility which is known as “Cloud Computing”. Over the last few years consumer facing firms
delivering products in large volumes have adopted Cloud computing.

Cloud computing is most frequently cited as providing ICT “as a service” to customers using
a utility model over a network. Cloud computing offers a commercial model of “pay as you
use” thus avoiding the capital expenditure usually associated with provision of ICT. The
flexibility provided by Cloud computing has enabled its rapid growth and a corresponding
lowering of costs. Cloud services can be either infrastructure or application services.

At the core of the Cloud computing model are 3 principles:

simplification and standardisation of ICT infrastructure;
automated processes to support activities such as change management and service
reporting; and



enabling of Software as a Service (SaaS) through standards and multi tenanting of
services.
Cloud application services are applications delivered as a service via a network to a browser
front end. Cloud application services usually require the creation of a multitenant architecture
where one application supports many firms or organisations, but provides a unique view for
each. Cloud applications are often SaaS, but not all SaaS applications are cloud application
services. SaaS applications delivered as single-tenant applications on dedicated
infrastructures are not Cloud application services.

Large corporate firms which have implemented Cloud computing report:

ICT cost reductions of 40-65%;
improved agility in implementing strategy with ICT support; and
improved speed in implementing changes to support business needs.
Public Cloud services are gaining in acceptance by corporate world and the Public Cloud
providers are increasing their capacity and services. Amazon has 1000 staff involved in
developing their Public Cloud offering. Early concerns of the market regarding the security
and service levels offered by Public Clouds are being taken very seriously and
improvements have been made in these areas with further improvements planned. However
a number of firms have decided to setup a Cloud computing model in house, creating a
private cloud for use only within their organisation. This provides a number of advantages:

Cloud services can be tailored to the firm‟s requirements;
security is under the control and monitoring of the organisation; and
end to end service levels are easier to achieve.



3.2.1. Will G-Cloud Deliver?

The G-Cloud model can bring many beneficial changes to the delivery of ICT across the
Public Sector but will it really deliver? In the section below how Cloud computing has the
foundations and track record to succeed is described.

3.2.2. Will Cloud Computing Happen?

What is the evidence that Cloud computing is becoming a standard ICT delivery model:

Large ICT Services Suppliers have invested in the implementation of large global
public clouds;
The ICT industry itself is migrating to the use of clouds to deliver in house ICT
services; and
Private sector organisations are adopting Cloud computing to deliver ICT services.

3.2.3. Can the benefits be delivered?

What is the evidence that the key elements of the G-Cloud – Cloud computing, Data Centre
Consolidation and Software as a Service (SaaS) are capable of delivering the promised
benefits:

Bechtel have adopted a cloud computing model with a resulting saving of 60% on
their ICT costs;
In a data centre consolidation programme Hewlett-Packard have reduced the number
of data centres globally from 85 to just 6;
IBM have reduced their data centres globally from 155 to 7; and
Telegraph Media Group has used SaaS to
- make new functionality available without complex software upgrades
- pay only for the computing power needed
- lower total cost of ownership of ICT.
However in order to gain the benefits of Cloud computing the Public Sector will need to
adopt a new approach to ICT services. The existing approach of defining and procuring
bespoke systems which meet the specific needs of a department will need to shift to an
approach which makes use of standard or generic systems which are available at lower cost
and adapts the processes of the department to use the system.



The commercial potential of cloud computing and cloud services is widely accepted, both in
private industry and in the public sector. The opportunities for cost reduction and efficiency
in the UK public sector are real and achievable, but require significant changes to
procurement practices, delivery frameworks and across the supplier landscape.

A pre-requisite for realisation of the commercial objectives are a set of UK Government
technical & operational standards that can define the G-Cloud based on a (significant)
number of competing infrastructural service providers operating at any appropriate security
level.

However Government has a significant legacy of applications which exhibit many pre-cloud
symptoms, including low server utilisation and high operational costs. It must be understood
that the cloud computing and cloud sourcing paradigms do not always directly lead to
reduced costs - the real challenge will be to ensure that sufficient economy of scale and
standardisation is reached quickly enough to deliver a net saving.

3.2.4. Does G-Cloud depend on leading edge technology?

Does the G-Cloud depend on new and untried technologies which mean that the Public
Sector must take on significant technology risks in its implementation?

In fact the innovation of the G-Cloud model is in its approach to the governance and
management of ICT in the Public Sector rather than the deployment of new technology.

Cloud computing is based on significant amounts of existing technology. Specific aspects of
the G-Cloud may require new technologies but this will not be the norm for the majority of
the G-Cloud if a prudent approach to its design is implemented.

Instead for G-Cloud to be successful Public Sector leadership will need to encourage
existing ICT services to be re-used where possible avoiding bespoke solutions to common
challenges across the Public Sector.

The successful introduction and implementation of the G-Cloud is a leadership not a
technology challenge.

3.2.5. Key Risks

The programme must manage effectively a number of risks in order to deliver the G-Cloud
benefits. These risks cover a number of key areas including: Commercial, Information
Assurance, Technical Architecture, Organisation and Governance.

The full list of key risks to delivery of the programme are listed in Appendix 5. However a
number of key risks are highlighted in the following sections.

3.3.9.1 Commercial

A Commercial approach will be implemented which manages the following risks:

Current resource constrained environment prevents up front investment for G-Cloud
becoming available;



Pricing and contractual framework for the G-Cloud is attractive to Public Sector but
discourages suppliers from making services available on the G-Cloud;

Business case may double count savings with other Public Sector programmes;

Procurement regulations do not allow additional consumers after initial procurement
of the service; and

Take up of G-Cloud proceeds too slowly so benefits will not be significant enough to
attract Public Sector organisations in future.

3.3.9.2 Information Assurance

An Information Assurance approach will be implemented which manages the following risks:

Aggregation of data in G-Cloud raising IL levels beyond 4 and preventing use of G-
Cloud services by public bodies with lower IL infrastructure; and

Common infrastructure and shared nature of G-Cloud cannot be assured by
departmental SIRO model and so are not accredited.

In addition the challenges of situational awareness on the G-Cloud will require approaches
to be developed during the implementation of the G-Cloud.

More details of the Information Assurance principles and approach to risks are provided in
Section 5.3 and Appendix 6.

3.3.9.3 Technical Architecture

A Technical Architecture for the G-Cloud will be developed which manages the risk that
adoption of G-Cloud “locks” the Public Sector into a particular vendor‟s proprietary standards
as industry standards for Cloud technologies are not currently agreed

3.3.9.4 Organisation and Governance

An Organisation and Governance approach will be implemented which manages the
following risks:

G-Cloud is not taken up or deployed effectively across the Public Sector due to de-
centralised nature of ICT governance in the Public Sector; and

Senior stakeholders may not support the implementation of the G-Cloud.

3.3.9.5 Public Sector Network

The G-Cloud programme will have a number of dependencies on the Public Sector Network
programme. Programme managements will work together to ensure that these
dependencies are managed or mitigated in order that the G-Cloud is implemented as
planned.



3.3. Benefits

The new world of the G-Cloud offering utility computing from consolidated data centres and
encouraging re-use of ICT assets through the Government Applications Store will bring a
comprehensive set of benefits across the Public Sector ICT landscape.

3.3.1. Budgetary Pressures

The G-Cloud will deliver a fundamental contribution to the cost savings for OEP and will
facilitate and accelerate the OEP targets. This will be achieved by:

- Reduced hardware maintenance, server capital expenditure, and power
consumption through more efficient and better utilised infrastructure.
- Reduced up-front investment costs through standardisation and sharing of
assets.
- Reduced estate footprint through site sales/repurposing of accommodation.
G-Cloud
- Reduced capital investment in computer infrastructure through utility-based
rental of computing and processing time.
- Reduced server purchase costs through virtualisation of servers across
departments leading to higher utilisation rates
- Reduced data recovery costs through fewer dedicated DR facilities.
- Reduced bespoke application development through reuse of existing
components.
- Reduced application purchase prices through economies of scale.
- Reduced licensing costs through licensing consolidation and reuse.
- Reduced investment costs through SaaS pay for use model
- Volume discounts achieved by purchasers apply to all public sector bodies
already using the service

3.3.2. Green Agenda

The G-Cloud will lead to more efficient use of ICT by the Public Sector so lowering the
carbon emissions associated with delivering ICT services:

Consolidation of data centres will reduce footprint of building estate;



Virtualisation will drive higher server utilisation reducing server footprint; and
Re-use of ICT assets will lower development and project resources used to
implement new services and systems.
The G-Cloud will also facilitate smarter ways of working through integration of government
information and data sources, further reducing government‟s environmental impact and
carbon footprint.

3.3.3. Digital Britain

The G-Cloud will deliver greater agility and speed in the delivery of policy and services,
underpinned by the adoption of shared infrastructure at lower cost. The agility will result from
the ability to re-use existing assets and the new commercial model reducing procurement
timescales and costs.

The G-Cloud will through the Government Applications Store create a marketplace with a
low cost of entry to new and small ICT suppliers encouraging the development of new UK
ICT businesses and supporting the UK‟s position in the digital world.

3.3.4. ICT Procurement

The commercial model of the G-Cloud will be based on pre agreed frameworks. This will
remove the need for lengthy and costly procurements. This will reduce costs for both the
Public Sector and Suppliers. In addition the Public Sector will be able to deliver ICT services
faster in support of policy.

Procurement law will apply to the G-Cloud, and all normal rules will need to be followed. It
will be important to get this right at the outset. This is particularly the case given the arrival
of the regulations implementing the Remedies Directive on 20 December 2009. This puts an
increasing emphasis on the use of legally compliant procurement vehicles.

3.3.5. Current Initiatives

The G-Cloud will complement and support the implementation of existing Public Sector
programmes:

PSN: the G-Cloud will offer PSN a route to market through the Government
Applications Store. In addition the G-Cloud will use PSN services to connect users to
G-Cloud services.
Strategic Desktop: the G-Cloud will provide ICT services for the Strategic Desktop



3.3.6. Quality of Data Centres

Existing data centre space and infrastructure will be rationalised into a smaller set of secure
physical data centres – these will host both the G-Cloud and existing legacy applications
during the migration period. The outcome will be a significantly smaller footprint in highly
virtualised shared data centres which meet government standards for resilience, security
and sustainability at an overall lower cost. This will result not only in a reduction in the costs
of data centres but also in the risks of disruption to delivery of ICT services to the Public
Sector.

3.3.7. ICT Market

The market for Cloud services, IaaS, PaaS and SaaS is expanding; the G-Cloud and
Government Applications Store will offer the Public Sector the opportunity to access this
market. The expansion of this market will provide the Public Sector with new services and
greater competition will help to that these services will be cost efficient.



4. The New World of G-Cloud

The G-Cloud, Government Applications Store and consolidation of existing public sector
data centres are all components of the new model for delivery of public sector ICT services.
The G-Cloud will provide a variety of infrastructure and application services for the public
sector. The Government Applications Store will provide a “portal” to purchase G-Cloud
services. The consolidation of existing data centres will provide both a modern and fit for
purpose environment for the public sector ICT while at the same ensuring that excess data
centre capacity is reduced to meet government cost saving and carbon emission reduction
targets.

These services will be offered both from a UK government specific cloud (G-Cloud) and from
public clouds. Services from the public clouds will be used where the public cloud service
offers appropriate levels of security, service levels and performance for public sector use. It
is anticipated that the levels of security on the G-Cloud will support higher impact levels than
on the public clouds.

The vision is for G-Cloud services to be accessed via the Public Sector Network (PSN) from
the strategic government desktop although in the short term other existing public sector
networks and desktops may be used to access the G-Cloud.



4.1. G-Cloud

G-Cloud: “bringing utility convenience to public sector ICT – shared, flexible, agile,
transparent and efficient allocation of ICT when it’s needed, through sharing standardised
resources to reduce costs”

The G-Cloud is the delivery of Public Sector ICT by a shared secure “utility” style ICT
services infrastructure, underpinned by a new commercial model enabling public bodies to
have the option to pay only for the service at the time when they use it. This approach is now
developing rapidly and is known as “Cloud Computing”. It is enabled by common standards,
and by heavily automated secure business processes that enable substantial reductions in
costs.

“G-Cloud” is the Public Sector brand for the use of certified cloud computing.

There will be 3 main categories of G-Cloud branded services:-

Software as a Service (SaaS) which includes managed services, common, utility and
custom services, all of which can be configured for use by many Public Sector
bodies;
Platform as a Service (PaaS) will be will be used to provide a platform for creating
new business applications based on shared re-usable components. The platform
offered will be approved and overseen by the CTO Council;
Infrastructure as a Service (IaaS) will provide ICT infrastructure primarily computing
resource and data storage.

The G-Cloud will be a UK Public Sector implementation of “cloud computing” that will provide
both secure, private cloud services and access to certified public cloud services, for example
those provided by Amazon cloud services. These services will range from ICT infrastructure
services through to application and information services and to ICT professional services
such as service management.

The G-Cloud will offer dedicated „private‟ services for public sector organisations, and trusted
public cloud services. The range and sophistication of public cloud services is growing and
more of the Public Sector‟s ICT needs will be met from public clouds as today‟s constraints
are addressed over time. These constraints currently include:-

Information Assurance requirements e.g. data centres are outside the UK;
End to end performance of services from public clouds may not be guaranteed; and
Proprietary standards used by some public clouds create the risk of lock in.

G-Cloud private cloud services will address these constraints, enabling earlier use of the
shared utility model across the public sector. Private G-Cloud services will typically be
provisioned by suppliers using an industry standard platform for example Microsoft Azure,
VMware, or Eucalyptus - an Open Source platform that implements Amazon AWS
standards.



The services offered by the G-Cloud will be defined in a Service Catalogue which any public
sector organisation can use to purchase ICT services. Each service will be described in the
Service Catalogue, its description will include details of the service, service levels offered,
service reports provided, if relevant the increments of capacity offered, time periods or
increments for which the service can be procured and the price of the service.

Services provided by the G-Cloud will be up to security level IL4 only.

In order to provide services in the G-Cloud a supplier will undergo a certification process for
both their organisation and each of their services. This certification process will ensure that
services meet the quality and information assurance requirements of the public sector and
will provide consuming public bodies with the confidence that G-Cloud services are suitable
for supporting provision of services to citizens. The information assurance certification will
represent a partial accreditation, a residual element of accreditation which cannot be carried
out centrally remaining with the consuming organisation.

A public sector body will govern the certification process, overseeing and managing the
approval of suppliers and their services.

4.1.1. Application and Information Services

The G-Cloud will provide a variety of application and information services to the public
sector. These services will vary from the purchase of software licenses to access to
government stores of information where this is appropriate from a statutory and information
assurance perspective. The focus will be on re-use of existing assets and use of commodity
services. Existing common application services where possible will be offered so that public
bodies do not need to develop or commission development of new application services.

Application & Information Services

- ERP - DVLA./IPS
- Flex Desktop Verification
- Gateway (Citizen - Authentication
and Business Services
Authentication) - Correspondence
- Payment of Handling
Grants - Secure Data
- Government Handling (GCHQ)
Banking - CIS (X)
- Government
Vetting

Procurement Strand and Crowd Sourcing



Applications available on the G-Cloud will vary from personal productivity tools through to
complex departmental specific applications which are tightly integrated with their data. The
services available for each class of application will vary.

A large proportion of these applications will already be in use elsewhere in the public sector,
so their provision to other public bodies via the G-Cloud will promote re-use of applications
across government allowing the cost reduction for the public sector through both larger
volume discounts and avoidance of new development costs.

Applications will generally be provided as Software as a Service (SaaS), where the body
using the application will pay using a pay for use model.

Applications will be available on at least two different infrastructure platforms so that public
sector bodies can transfer loads between infrastructure suppliers if required.

The different classes of application are described below:

4.1.1.1. Personal Information Management

These are personal productivity applications where data will be specific to the individual or
body. Examples are Email, Calendaring and Contacts.

4.1.1.2. Interaction
These are applications which support contact and interaction with others. Examples are Peer
to Peer communications and Social Networking applications.

4.1.1.3. Collaboration and Simple Applications
These are applications which either support collaborative working or provide support for
common tasks. Examples are workflow and records management.

4.1.1.4. Resource and Management
These are applications which support public sector staff in their daily duties. Examples are
travel booking and expense claiming applications.

4.1.1.5. Departmental Applications
These are applications with data specific to and useful to a department. Examples are
computer based training or small departmental databases.

4.1.1.6. Data Services
These are applications providing access to data. Examples are management reporting and
access to geographic data.

4.1.1.7. Line of Business (LOB)
These are applications which support the functioning of the public body; they will have data
which is specific to that public body. They will require tuning for a particular department.
Examples are a HR application or a CRM system.

4.1.1.8. Information Access
These are applications provided by a department to other public bodies which give access to
data held by the department. The data will generally be tightly coupled to an application. The



G-Cloud will provide this service as a gateway using CTO Council endorsed G-Cloud
services to connect the two public bodies.

This service will only be permitted where statute allows the data to be shared with the
requesting public body and information assurance requirements for the data are adequately
supported across the G-Cloud.

An example of this service is CISx from the DWP.

4.1.2. Infrastructure and Platform Services

The G-Cloud will provide a variety of ICT infrastructure and platform services to the public
sector. These services will be based on a layered architecture model, and are standardised
to widen their applicability to multiple public sector consumers.

Database

Operating System
IL Level Options
Service Level

Resilience

CPU Processor Power

Memory Capacity

Disk, SAN or offline storage

Environment (space, air conditioning & power only)

A public body will be able to purchase services at multiple layers. For example on one
occasion the body could purchase a server capacity service onto which the body loads its
own operating system and database. On another occasion the body may choose to
purchase a database service into which the supplier has packaged underlying operating
system and server capacity.

Data across the Public Sector continues to expand. A key infrastructure service offering will
be storage services for data, such as SAN services. This offering will enable public bodies
to access and store their data cost effectively in resilient, secure storage, with the ability to
expand or contract the capacity without major capital investment in their ICT infrastructure.

There is an opportunity for greater development of services for Data Management, Storage
and Security separately from services provided for applications processing. This Data
Capability can become a long-term asset in that applications can be chosen accordingly to
meet a given organisations current business priorities.

The G-Cloud will provide data services for storage and management of:
Operational data;



Management Information data for analysis and reporting; and

Archive data for storage.

Database services are becoming common in cloud computing, so in addition database
services will be offered as part of G-Cloud, providing structured storage of data. This service
will enable public bodies to access and use data to support new business services. The G-
Cloud will implement standards that will enable wider, but secure and legislatively permitted
shared access to data resources with other Public Sector bodies where there is a policy
decision to do so.

More detail on G-Cloud data services are provided in Section 4.1.3 Data in the G-Cloud.

In order to ensure that services in the G-Cloud are available from multiple suppliers the
services available will conform to open and industry standards for ICT components. The
capacity of services will be measured using industry standard units.

Services will be defined so that varying levels of resilience, service levels and support allow
consumers to purchase services to host business services of varying priority to the public
body involved. In addition this differentiation will allow the purchase of services with high
levels of resilience and superior service levels for production systems while more cost
effective services with lower service levels are available for development and test services.

Specific specifications of services for purposes such as Disaster Recovery will also be
available.

4.1.3. Data Services on the G-Cloud

Data is one of the key assets of the Public Sector. As it develops, the G-Cloud will become
the repository of a significant portion of Public Sector data. Data also persists beyond an
application, with migration between applications being required as the application stack
changes.

Cloud providers are addressing the new challenges and opportunities management of data
in a cloud environment offers:

Microsoft has implemented cloud-based data platforms which seek to provide a
database service which meets the needs of primarily network based application
access;

Cisco are offering SAN consolidation services and security approaches for multiple
organisation use of SANs;

Amazon offers database services including tools which are scalable to meet the
needs of cloud services; and

Other suppliers are developing data and database services for the cloud.



The continuing expansion of data is a key challenge for Public Sector ICT. The G-Cloud will
provide access to a cost effective, secure and resilient data storage capacity which can be
expanded or contracted rapidly in accordance with business needs of the Public Sector.

In addition the G-Cloud can provide database services which will allow access to structured
data which can be used to support new business services.

The Public Sector will draw on G-Cloud data services for storage and management of:

Operational data;

Management Information data for analysis and reporting; and

Archive data for storage.

The management of this data by the G-Cloud will encompass its complete lifecycle including:

creation or migration onto the G-Cloud;

monitoring of growth including provision of additional storage capacity as needed

protection through appropriate resilience and security;

migration to cost effective storage facilities as full operational use ceases; and

archival or secure destruction at end of life.

The G-Cloud will offer data services which enable wider, but secure and legislatively
permitted access to this resource across the Public Sector.

The development of data standards for the G-Cloud will support widening of access and
ease of data transfer at contract termination for public bodies.

Data is currently often tightly coupled with a business application within a public body‟s ICT
estate. However as data usually persists beyond the life of the application, transition from a
legacy application to a new or enhanced application can involve an expensive and time
consuming activity of data transfer including data structure changes to fit with the new
application‟s requirements. The definition of data standards for G-Cloud which recognise
data persistence has the potential to reduce the amount of effort to migrate data.

In addition the G-Cloud offers the potential to make existing data assets more widely
available across the Public Sector. Capitalising on this potential will require the G-Cloud to
define data standards and a data strategy. A Data Strategy will be developed in Phase 3 of
the programme.

The G-Cloud will offer data services which are compliant with the security and the legislative
constraints that data held in the Public Sector must operate under.

The Public Sector is already adopting standards to make Public Sector data more available
in line with the objectives of bodies such as the National Archives and with the launch of
data.gov.uk. G-Cloud data strategy and standards will be aligned with the existing public
sector work.



However data obtained by the Public Sector must only be used in the manner allowed and
specified by the associated legislation, the strategy for data and the operational controls of
the G-Cloud will ensure that data is not accessed or shared in violation of this principle. This
will require the storage of data in separated infrastructure storage areas. The G-Cloud will
data tools to permit the wider sharing of appropriate data in a controlled manner.

4.1.4. Professional ICT Services

A number of professional services will be provided to support the delivery of G-Cloud
components and to aggregate services from components available on the G-Cloud.

4.1.4.1. Service Management Services

Both suppliers and larger public bodies will offer service management services on the G-
Cloud. This service will manage the overall delivery of services from the G-Cloud so that an
integrated and consistent operational service is provided. These services will include the
service management of operational services such as change management, incident
management and service reporting. The service management will be based on a common
industry accepted framework such as ITIL. This will enable suppliers of service components
to use a standard method for interaction with the service integrator and public sector
consumers. These services will be of particular value to smaller public bodies with limited
ICT expertise available in their organisation.

4.1.4.2. System Integration Services

These services will provide public bodies with services which will integrate G-Cloud
components into coherent services which can be consumed by a public sector body.

4.1.5. Exclusions from G-Cloud Scope

The G-Cloud will provide a wide range of ICT and business services across all of the Public
Sector. These services will be made available over time in line with the G-Cloud roadmap.
The initial G-Cloud services will therefore be limited in range and coverage across Public
Sector compared to the end Vision for G-Cloud.

However even in the final Vision the scope of G-Cloud and Government Applications Store
does not include:

Services which are not ICT services or business services not supported primarily by
ICT systems, for example
- Facilities management;
- Catering services;
- Stationary procurement;



Development of services which are already provided by other strategic Government
projects such as PSN or common desktop, although these services may be
purchased through the Government Applications Store;
IL5 IL5 and above are not provided in the G-Cloud, although such services may be
co-located in the data centres from which G-Cloud services are provided. However
only those elements of an application which are at IL 5 and above are excluded from
G-Cloud, lower security rated components of the application can be hosted within the
G-Cloud;
Legacy services of limited life or applicability which would not justify cost of migration
to G-Cloud;
Making G-Cloud services available to the private sector, eg commercial firms except
for the creation of composite services for resale to the Public Sector, for example
providing infrastructure services to a software house so that it can provide a
complete application service to a set of public bodies; and
Making G-Cloud services available to foreign governments.

There are no exclusions to the Data Centre Consolidation at this stage, However as detailed
design and planning continues it may be necessary to exclude overseas locations due to
reliance on network capacity and information assurance considerations.

4.2. Government Applications Store

Government Applications Store: “enabling faster, more cost-effective and more consistent
certified ICT enabled solutions to business challenges through reusing and sharing
applications and services”

The Government Applications Store is the Public Sector ICT marketplace to readily source,
share and promote Managed Services, Utility Services and Common Services. It will include
Infrastructure components and services aswell as application and business solutions. Only
where existing services cannot meet a public body‟s requirements will Custom Services to
create a new service be available.

The services available will include private G-Cloud services, certified public cloud and other
ICT Services (eg COTS); and other public sector ICT services such as PSN services.

Services available through the Government Applications Store will be certified to
demonstrate their compliance to Public Sector standards and requirements. The commercial
framework of the Government Application Store will allow purchasers to buy certified
services from an on-line catalogue under a cross public sector framework contract. The
scope, service levels, security accreditation and price of the services will be available for
review and comparison by potential purchasers. Services will be paid for on a per use or
subscription basis. The latest price achieved for the service will be shown to purchasers,
however if subsequently a lower price for this service is achieved by another organisation
then this will be made available to all subscribers of the service - from the point at which the
new lower price is achieved.



Home About Managed Utility Services Common Custom FAQs Contact us
Service Services Services

UK Govt Applications Store
What do you want to do?
Type in query Search

Please choose your required service below
Featured Apps

Featured Apps
Managed
Utility
Featured Apps Services
Services
Featured Apps

Common
Services Custom
Services

The Government Applications Store will provide a portal for public bodies purchasing
services from the G-Cloud. Open Source software and services will be available in the
Government Applications Store encouraging cost effective services to be provided in this
market.

While the Government Applications Store will have a centrally managed „master catalogue‟,
there will be the capability to configure views of the catalogue for specific communities, for
example to enable focus on services most relevant to a particular type of organisation, or to
„gray out‟ services which are not funded by the user‟s organisation. There will also be the
ability to support „Communities of Interest‟, encouraging public sector organisations and
individuals to innovate by creating/configuring and then sharing locally generated
applications. „Closed loop‟ feedback will provide visibility of what‟s working, enabling future
trial and purchasing decisions to be informed by others‟ experiences.

Certification of a service will include review and approval of its information assurance,
service management and commercial elements.

In order to avoid “lock in” to a particular infrastructure provider there will be a choice of at
least two infrastructure providers for each application. In principle purchasers will be able to
transfer their chosen application service to another infrastructure provider if required at some
future point, although this may involve some data migration activity.



Following selection of the application and infrastructure provider, the purchased service will
be provisioned through an automated process in the public body‟s infrastructure and data
context.

The Government Applications Store will continually be updated with new services. It will be
an open marketplace encouraging new suppliers to join the existing community of ICT
suppliers to the public sector. In order to support new suppliers joining a prototyping facility
will be available on the Government Applications Store. The prototyping facility will allow a
supplier to offer free for a period a new service without complete certification. If this service
is taken up by public bodies the supplier will be able to subsequently “upgrade” the service
to certified and chargeable. This will provide an agile way for new and smaller suppliers to
trial new services and join the Government Applications Store. Services that add new value
will be welcomed into the portfolio provided they meet the minimum assurance requirements
– the approach will be „light touch‟ and will emphasise validating service outcomes rather
than auditing the detailed implementation approach.

The Government Applications Store will also list requests for new services from public
bodies. Suppliers and other public bodies will be able to review these requests and decide
whether they wish to provide the suggested service. If new services are created in response
to the requests they will be required to undergo certification before being made available on
the Application Store.

The public sector body will be responsible for identifying in advance:

which services users in the body can purchase;

which users are allowed to purchase services; and

which disallowed services can be seen by users. So that if necessary a user
can raise a request/justification for a currently unapproved for purchase
service to be made available for purchase within their public body.

The Government Applications Store will be designed so that potential purchasers of services
are directed to existing managed services, then common and utility services only if these
sources do not yield a satisfactory option will the purchaser be able to commission a custom
solution, which must meet G-Cloud certification standards. This approach will encourage re-
use of existing services, thereby reducing cost for the public sector by preventing
unnecessary development of new applications and maximising volume discounts with
existing Suppliers.



4.3. Data Centre Consolidation

Data Centre Consolidation: “delivering public sector ICT services from the optimum
number of high performing, energy-efficient, cost-effective and standards-based data
centres”

Existing data centre space and infrastructure will be rationalised into a smaller set of secure
physical data centres – these will host both the G-Cloud and existing legacy applications
during the migration period. The outcome will be a significantly smaller footprint in highly
virtualised shared data centres which meet government standards for resilience, security
and sustainability at an overall lower cost.

Consolidation can commence through inviting suppliers that currently operate multiple data
centres for the public sector to consolidate to two each, with the savings achievable through
estate and virtualisation rebated to their public sector clients. As existing contracts expire,
replacement G-Cloud services can then be sourced from the Government Applications Store
where available;- where not contract renewal can be used to drive provision of additional G-
Cloud services as the preferred choice. During the transition period some unique residual
needs will need to be sourced via a conventional procurement exercise.

All services delivered from existing facilities will be analysed to identify those which may be
discontinued, combined, re-engineered or replaced in order to improve service delivery
efficiency and lower the risk exposure on delivery of public sector ICT services.

Consolidation will focus on removing data centres with significant issues:

Lack of resilience;

Security concerns;

Lack of capacity (space or power); and

Situated in areas of risk eg sited on a floodplain so at risk of flooding.

Consolidation will include implementing the Phase 1 recommendation that a set of
mandatory minimum standards for data centre security and resilience across government
are produced and that the consolidated data centres adhere to these standards.

Substandard data centres will be addressed either by improvement of the facility or transition
of its load to a more appropriate facility. Adoption of a transition approach will only be carried
out where transition costs do not outweigh benefits of the transition.

The data centre consolidation will provide a set of modern, resilient, secure data centres.
The data centres will be a mix of private and government owned but will be managed to
meet requirements across government and provide services to the G-Cloud. They will make
services available to government and application providers on a fair and flexible basis. This
approach which fosters competition will be underpinned by appropriate technical and
commercial arrangements.



A set of the data centres will remain outside the G-Cloud to provide specific non commodity
type services that the G-Cloud is not designed to provide. An example of these services
would be where a public body requires services at IL 5 or IL 6 security level.

It is intended that Data Centre Consolidation will be progressed through three parallel
projects which will;

Consolidate Public Sector owned Data Centres

Consolidate Private Sector owned or operated Data Centres

Procure new services from the market both for infrastructure and Data Centre
facility services

A standard benchmark (e.g. Rack as a Service) will be established to enable the comparison
of the cost and quality of facilities from the various sourcing routes.

4.4. Organisation and Governance in the world of G-Cloud

The G-Cloud involves substantial change from today‟s ICT delivery model; - public sector CIO
teams will shift from managing the whole ICT lifecycle, to the selection and integration of
relevant services. Retained ICT organisations will be able to increase focus on business
engagement and achieving value adding outcomes as less effort will be needed on
infrastructure management.

Technical standards for the G-Cloud will be controlled by the CTO Council through the cross
government Enterprise Architecture (xGEA). A regulator/authority will be responsible for:

Maintenance of standards applicable to services including security

Certification of suppliers and supplier services

The delivery of services on the G-Cloud will conform to a comprehensive service
management framework based on ITIL. This framework will cover the management of
processes such as:

Change Management

Incident Management

Service Reporting

Larger government departments may interact directly with suppliers on the G-Cloud,
however for many public sector bodies a Service Manager will provide a service
management service which ensures that the body has an integrated set of services from the
G-Cloud and that delivery of these services is managed.



Department C
Department B

Department A
Service Regulatory
Service Management or Authority
Management Body
responsible
for
Standards
Service Catalogue and
Certification

G- Cloud

Application Infrastructure Professional
Services Services Services

The options for organisation and governance in the G-Cloud are being developed by the G-
Cloud Phase 2 programme.



4.5. Roadmap

The implementation of the Data Centre Consolidation, G-Cloud and Government
Applications Store will cover a period of 5 or more years, but an objective of the roadmap will
be that the achievement of benefits will commence early. The approach to building the G-
Cloud will be to build blocks of ICT services to support Public Sector digital capabilities and
then roll these out through the G-Cloud across the Public Sector.

The identification of and prioritisation of services to be built will be based on the
requirements of Public Sector bodies and communities. For example if secure email facilities
is identified by a group of Local Authorities as a service they require urgently then this would
be an early service made available on the G-Cloud.

The roadmap for specific services and their sequencing on the G-Cloud will be a deliverable
of Phase 3 of the programme. However in the remainder of this section the approach to
developing this roadmap is described and a potential roadmap is outlined.

Where appropriate the approach taken to implementation will be to identify public bodies
with existing plans to procure or implement a service suitable for inclusion on the G-Cloud,
this public body will then lead on the procurement of the service for the G-Cloud ensuring
that the procured or developed service meets the security, technical and contractual
certification requirements of the G-Cloud. The new service will then be available to all public
bodies for sharing and re-use via the Government Applications Store. This approach will
minimise the need to fund central development and procurement of services, in addition it
will ensure that each new service already has a committed market providing confidence to
private sector suppliers that participation in the procurement is worthwhile and will result in
genuine new business.

Risk management of the G-Cloud will also dictate the sequencing with which new services
are introduced. In the early stages – years 1 and 2 of the programme, private cloud, lower
criticality services with moderate service level and security requirements will be added.
Example services could include existing services such as Government Gateway or DCSF
collaborative working.

As confidence in the G-Cloud brand grows and the Government Applications Store becomes
a dynamic and vibrant market place, services which are critical to Public Sector delivery and
have higher service level and security requirements will be incorporated into the G-Cloud.
Public cloud services will also be enabled at this time. Early candidates for inclusion on the
G-Cloud will include the „Champion Assets‟ endorsed by the Government CIO Council‟s.

Subject to funding approval, the programme will be initiated in Spring 2010 to startup the
delivery of Data Centre consolidation, G-Cloud and Government Applications Store.
However, once the operational management and regulatory functions of the G-Cloud
become mature, the programme will transfer further development of the G-Cloud to these
bodies and itself be wound down.

The programme will be responsible for those aspects of the G-Cloud implementation will
require central control for example the procurement of the Government Applications Store.



The programme will manage the organisational and cultural activities required to transition
public bodies to use of the G-Cloud. The G-Cloud will require a cultural change in the ICT
departments of public bodies. In the G-Cloud identification of business needs and matching
re-usable assets rather than procurement and management of custom solutions will be
critical to cost effective delivery of ICT. An approach to equipping the ICT department with
the structure and skills to successfully move to this G-Cloud way of working will be provided
by the programme to participating public bodies.

While the definitive approach to implementation of the G-Cloud will be delivered in Phase 3,
a potential approach is outlined in the succeeding paragraphs:

A planned engagement programme across public bodies will identify the „early adopter‟
public bodies for creation and re-use of G-Cloud services. A small group of early adopters
across Central and Local Government in year 1 will pioneer use of the G-Cloud. The G-
Cloud will be extended to larger groups of public bodies in further years, with existing
adopters expanding the percentage of services they draw from the G-Cloud over time.

In order for the G-Cloud to deliver its benefits it must become a trusted brand. This will be
enabled by the risk managed approach to delivery of the G-Cloud but could also be
supported by the publicising of G-Cloud successes for example an annual G-Cloud Award
could be initiated.

Potential milestones in year 1 include:

Setup of management function for G-Cloud including regulator
Procurement of Government Applications Store
Initiate a consolidation programme for Public Sector owned Data Centres
Initiate a consolidation programme for Private Sector owned or operated Data
Centres
Procurement of new infrastructure and Data Centre facility services for ICT services
Implementation of some G-Cloud services by at least two central government
departments
Implementation of private G-Cloud services for a local authority

Key achievements in year 2- 3

Front line “innovation culture” established
First G-Cloud Awards ceremony held
Launch of public cloud services
Early adopters will now have 40% of relevant ICT services from G-Cloud
Consolidation and closure of more data centres across Public Sector and suppliers
G-Cloud becomes self funding
Early adopters have 70% of relevant ICT services from G-Cloud

During succeeding years, the G-Cloud could continue to expand by:

Completion of data centre consolidation
Adoption of G-Cloud across remaining public bodies
Public Sector retained ICT departments complete transition to new model



During this period the G-Cloud becomes a trusted and reliable brand for Public Sector ICT
services. Suppliers will use the G-Cloud as the primary route to market for providing ICT
services to Public Sector. Digital services of high criticality to citizens and Public Sector will
become established on the G-Cloud, re-use of digital assets will be the predominant model
in Public Sector ICT. The approach to delivery of ICT services in Public Sector will be based
on an established culture of sharing assets.

4.6. Transition

The approach to transition to the Vision of the G-Cloud must meet a number of
requirements:

Transition must take place in a manner which ensures that public sector services
are not disrupted;

Individual G-Cloud services are made available as soon as suitably available and
certified rather than when all planned services are ready so that the resulting
savings can begin quickly;

Public bodies moving to the G-Cloud must not incur unnecessary costs by
terminating existing contracts early; and

The public sector must have the skills and governance in place to purchase and
manage services provided by the G-Cloud.

These requirements mean that the transition to the Vision will take place in a phased
manner. Phasing of the transition will affect both the implementation of the G-Cloud itself
and its adoption by individual public bodies.

Services will be introduced to the G-Cloud by suppliers over time. The initial Service
Catalogue for the G-Cloud will reflect those services which are technologically feasible to
provide over the G-Cloud today, as suppliers and public sector understanding of the
potential of G-Cloud develops both parties will make new services available. In addition the
types of services available will evolve with technology, as new technologies appear the
potential services and their economic feasibility for provision through the G-Cloud will
change leading to new services continually being added to G-Cloud. This approach to
implementation of the G-Cloud will ensure that its initial use is not delayed while large
numbers of services are developed for deployment in a “big bang” launch.

An individual public body will adopt the G-Cloud in a phased manner also. This will allow the
public body to purchase services from the G-Cloud as existing ICT contracts for those types
of ICT services terminate. This means that the public body will not need to terminate
contracts early and incur termination charges unnecessarily.

Another advantage of this phased approach is that it avoids the risk of a “big bang”
implementation of G-Cloud at a public body where potentially all its services are at risk of
failure at go live. It also allows the public sector to develop the skills required for managing
G-Cloud services over time.



A detailed approach to Transition is being prepared as part of the G-Cloud Phase 2
programme.

5. Principles

The Vision has been developed based on a number of principles which cover Commercial,
Technical, Operational and Transition aspects of the G-Cloud. The principles govern the
extent, outcomes and structure of the Vision.

5.1. Commercial Principles

The commercial principles will support the creation of a commercial framework to support a
transition to cloud computing and cloud sourcing enabling sustained lower costs, improved
agility and better service.

Ease of Change: Creating a marketplace where purchasers can switch easily
between providers at the end of contracts and establish the principle of contract
migration and make provision for it by:

- limiting the term of contracts

- Minimise termination clauses

- Open standards for connecting

- Allow the market to determine the best approach to term contracts

- Transition (see later)

Comparable Pricing: Pricing should reflect total cost of service and be priced on
a utility model by a measurable unit (transaction, user, month, capacity). Pricing
should incorporate and make visible all additional service charges, or costs of
change. The ultimate aim is for no term contracts. Different business models may
exist for different parts of the stack (IaaS, PaaS, SaaS) and for different IL levels

Ease of Transaction: To minimise the transaction cost for purchase of service
through the cloud. Transacting should be standardised, simple, and low cost for
both parties by:

- Frameworks should be designed for categories of service to incorporate
simplified legal requirements

- Single standardised version of Ts & Cs would be optimal incorporating legal
concepts determined by the framework



Market Access: Ensure a competitive open market and that suppliers can deliver
and scale what is being sold. Limit the barriers to entry. Achieve this by:

- Establishing a code of conduct laying out expectations and responsibilities of
all participants

- Establishing a cloud certifier role

- Application Store and G-Cloud should be available to all entrants provided
that they meet certain criteria including:

 Technical validation

 Business probity

- Accreditation standards should be open, and published

- Technical access standards should be open and published

- Prototyping facility to allow suppliers to trial new services in an agile manner

Reusable Intellectual Property: To create a commercial model which supports
reuse of IP by incentivising suppliers to sell services which share or reuse
retained government IP in the cloud and creating an environment where the
cloud is the most profitable and accessible marketplace to build a rich
marketplace of useable services

Governance and Dispute: To protect customer and provider with comfort that
the service represents their interests fairly. Ensure that all players adhere to the
rules and principles of the cloud. Establish a place of arbitration/recourse for
disputes within the system. Ensure that the Crown doesn‟t abuse its position to
place onerous demands on entrants, and to trust the market to find an acceptable
balance of risk and value. This can be achieved by:

- Establishing an independent body to act as ultimate arbiter, and to uphold
spirit of principles

- The arbiter should be an independent body representing suppliers and the
government



Framework for Contracting: To minimise supplier effort to access G-Cloud with
a simple government procurement framework by:

- Developing a single method for contracting with the public sector for an
agreed basket of services

- A standard set of terms and conditions which apply across all customers

- Treating the crown as a single customer

- Transferability of reusable assets under this agreement between agencies

- 'Accessibility of shared services across public sector customers'

Management Information Transparency: For the market to work effectively
suppliers will need to share pricing and supply data openly. We will incorporate a
Service Information principle into contracts and access framework to open
access to pricing and volume transaction data

Compliance: To ensure that once a viable marketplace exists, government
departments use it. Ensure that there is no duplication of sales costs for
suppliers. Incentivise compliance/ penalise non-compliance. Achieve this by:

- Creating a framework (voluntary or mandated) which encourages all
departments to adopt frameworks and pricing levels

- Link adoption and savings to recognisable OEP savings

- Ensuring that a penalty process exists to penalise non-standard choices

Transitioning and Transforming: To encourage incumbent providers to
transition service prior to the termination of contracts. Taking into account the
need for large scale transformation of legacy to allow consumption of G-Cloud.
Allow suppliers to transition business models to cloud principles within a given
time frame. Ways of achieving this are:

- Encouraging and allowing different commercial principles to hold for transition
proposals, ie: contract renewals, longer contracts

- Suspending commercial principles for suppliers in some markets whilst critical
mass is built up

- Suspending commercial principles to allow incumbents to transition in return
for extended contract length

- Short term contract extensions to enable the transition of aggregated
common demand

- Paying a transitional premium during the transition period to non-continuing
data-centre vendors.



5.2. Technical Principles

These principles focus on governing the Vision in its technical aspects such as capacity,
technical standards and security constraints.

Resilience: A variety of levels of resilience will be available for the services
available through the G-Cloud. Consumers of G-Cloud services will be able to
choose the level of resilience for the service procured. Where appropriate for
example if a service is used to support a non production service such as testing a
consumer can procure a service without any resilience;
Security: The services provided by the G-Cloud will conform to Government
standard security. Multiple levels of security (IL 0 – 4) will be supported within the
G-Cloud and a consumer can choose the appropriate level of security for the type
of service being supported;

Standards: G-Cloud services will be based on open and/or industry standards as
much as is possible. This will enable multiple suppliers to provide services via the
G-Cloud;
Scalability: The G-Cloud will provide scalable services. These services will be
“elastically” scalable, i.e. the capacity of a service can be increased and
decreased;
Services: G-Cloud and Application Store will support a variety of sourcing
models including provision of ICT infrastructure, ICT professional services (eg
Service Management), provision of software, Software as a Service (SaaS) and
gateways to public sector applications amongst others; and

Certification: Services offered by suppliers must be certified by an appropriate
entity before they can be made available on the G-Cloud and Application Store
so that consumers can be confident that services are of appropriate quality and
use proven technologies.

Data: Consuming bodies will own their data and at the termination of a service or
application can request the return of the data. Standards will need to be adopted
to enable applications created by one organisation to be re-used by other
organisations within their data context.
Presentation standards: Consideration will be given to the need for
presentation standards to readily enable coherent aggregation of services from
multiple public sector organisations.



5.3. Information Assurance Principles

A summary of the Information Assurance strategy is provided in Appendix 6. This section
summarises the key principles of the Information Assurance approach.

Information Assurance Policy: There will need to be a fundamental change
from the current IA policy and practice when information risk management moves
from the current model of risk management by each organisation for their own
services and information to truly shared risks to services and information cutting
across multiple organisational boundaries.
Information Assurance Risks: IA risks will be managed by segregating the
services and information based on their Threat, Impact and Compliance profiles.
The current lack of technology assured to an acceptable level has meant that the
roadmap for the IA strategy will begin with physical segregation of domains
covering these groupings of services. The objective is to rationalise these
physical segregations as assured technology becomes available to manage the
risks. This includes continued work to investigate the assurance that can be
gained from public cloud services and what types of service might be suitable for
some types of public sector information.
SIRO Responsibility: The G-Cloud will bring about a fundamental change to
ownership and responsibility for IT services delivered to the public sector.
Organisational SIROs will remain responsible for the risk ownership of their
information wherever is stored or processed. Similarly organisational SROs will
remain responsible for managing the information risk for specific programmes or
projects to ensure they meet the objectives agreed with their SIRO and board.

Federated Information Assurance Accreditation: In order to realise potential
efficiencies in the application of IA processes in the G-Cloud environment, SIROs
and SROs will need to rely on risk management decisions made by their peers or
3rd parties. Without this change there will severe duplication of effort and
inconsistency in assurance results. This is a major change to the current model
of information risk ownership, but without removing the accountability or the
organisational SIROs or SROs.
G-Cloud SIRO: The creation of a G-Cloud SIRO that is responsible for the
Confidentiality, Integrity and Availability of the utility services and supporting
infrastructure of the G-Cloud. Similarly there is a requirement for a G-Cloud SRO
who will have overall responsibility for delivery of security for the operation of the
G-Cloud. The G-Cloud SIRO will also need to provide oversight (and co-
ordination) with respect to the public cloud elements of the hybrid G-Cloud
Aggregation: Aggregation by association in effect raises the protective marking
of the combined pieces of information (both the threat and business impact will
rise). There needs to be a procedural process backed up by technology to ensure
that information is afforded appropriate protection.
Policies: HMG IA Standards, Policies and practices will need to be amended to
adequately model the risks reflected by the G-Cloud environment.



Compliance: There will need to be a set of assured services and components
that build to a point that allows the risk owners and risk managers of consuming
organisations to make a minimum amount of evaluation before reaching a
decision on the use any particular service available from the applications store.



5.4. Operating Principles

These principles focus on governing the Vision in its operational aspects such as service
management, change management and service reporting.

Services: The scope and detail of services will be clearly defined in a Service
Catalogue;
Service Management: The delivery of services will be managed using a
framework based on accepted industry standards such as ITIL. This will include
processes for incident management, change management and service reporting;

Service Integrator: A service integration offering will be provided by Suppliers so
that public bodies will have access to support in integrating G-Cloud services to
create a comprehensive ICT service for their organisations;

Governance: The roles and responsibilities of supplier, service integrator and
consumer of services will be clearly defined;

Service Levels: The range and detail of Service Levels available for service will
be defined in the Service Catalogue;
Change Management: The procedure for change to services including notice
period will be clearly defined;

Capacity: Service capacity can be varied for defined periods of time. The
minimum period and increments over which/by which a service capacity can be
varied will vary by service, but will be defined in the Service Catalogue; and
Monitoring: Service Levels will be monitored by the supplier or service integrator
and reported to consumers of services. Reporting intervals will be defined as part
of the service description in the Service Catalogue.



5.5. Transition Principles

The transition from the existing ICT estate to the new model of the G-Cloud will be governed
by a series of principles which protect against disruption to public services and the incurring
of unnecessary costs by the public sector.

Phasing: G-Cloud services will be designed so that individual public sector
organisations can adopt G-Cloud services in an incremental manner if required
so that a “big bang” approach to adoption of G-Cloud services is not mandatory;

Implementation of Services: The G-Cloud will be capable of evolving the type
and capacity of services provided so that services are made available based on
proven technologies at any point in time;
Current Contracts: Existing public sector ICT contracts will not be terminated
early to facilitate an adoption of G-Cloud services unless appropriate transition
can be managed in a cost effective way;
Planning: Replacement of traditional ICT services with G-Cloud ICT services by
a public body will be accompanied by the development and implementation of a
comprehensive transition plan for that public body covering both the
technological, service management, organisational and governance aspects of
the adoption of the G-Cloud so that transition to the G-Cloud does not impact
delivery of services to citizens; and
Risk Management: Transition will be delivered in a „risk managed‟ way.



6. Scenarios

In order to refine the Vision described in this document a series of scenarios were reviewed
and walked through by the Cabinet Office Datacentre Consolidation, G-Cloud and
Application Store Phase 2 programme leadership team on 22 nd October 2009.

The results of these reviews are documented in the appendix 3.



7. Conclusion

The Vision will provide a significant number of tactical and strategic benefits to UK
Government and its provision of services.

The Vision is a platform upon which the next steps for implementation of data centre
consolidation, G-Cloud and Government Applications Store can be based.

The Vision will be used as a platform for the development of a specification of the services
on the G-Cloud and a Transition Strategy for consolidation of data centres and
implementation of G-Cloud and Government Applications Store.

These specifications and the strategy will be used to inform a business case to government
for implementation of the Vision.



8. Appendices

A1. Appendix 1 - Glossary of terms

Term Definition

Application Store Synonym for Government Applications Store.

Cloud Computing Gartner Definition: a style of computing where massively scalable
ICT-enabled capabilities are delivered 'as a service' to external
customers using Internet technologies.

The provision of computing platform/storage services has been the
initial focus for many Cloud Computing providers but any ICT
resource e.g. applications, data, and middleware can be delivered in
this style.

COTS Common Off The Shelf software packages.

ESB (Enterprise An ESB is an integration layer or mechanism linking different
Service Bus) components and services in the ICT architecture of an organisation

G-Cloud The G-Cloud is the delivery of Public Sector ICT by a shared secure
“utility” style ICT services infrastructure, underpinned by a new
commercial model enabling public bodies to have the option to pay
only for the service at the time when they use it. This approach is now
developing rapidly and is known as “Cloud Computing”. It is enabled
by common standards, and by heavily automated secure business
processes that enable substantial reductions in costs.

“G-Cloud” is the Public Sector brand for the use of secure cloud
computing.

Government The Government Applications Store is the Public Sector ICT
Applications Store marketplace to readily source, share and promote complete “out of
the box” applications, business solutions and services. Infrastructure
components and services can also be procured from the G-Cloud to
create a new service in response to a specific business requirement.
It is used by public sector bodies to purchase services which will then
be automatically provisioned on the G-Cloud.

IaaS Infrastructure as a Service

Impact Level (IL) A UK Government standard for assessing the impact of possible
compromises to the Confidentiality, Integrity or Availability of
information in the public sector

Infrastructure ICT hardware components including servers and SANs



ITIL ITIL (ICT Infrastructure Library) is a service management framework.
It is widely used in the ICT industry to manage the delivery of
services.

List X Status "List X" refers to the Security Clearance of a facility such as a data
centre. The term refers to contractors or subcontractors to the public
sector which have been formally placed on List X because they are
undertaking work marked CONFIDENTIAL or above at their facility or
data centre. List X is not available on request; it has to be
"sponsored" by a Contracting Authority (CA) in UK Government

PaaS Platform as a Service

PSN PSN (Public Sector Network) is a UK Government programme to
provide a common network for purchase across all of the public sector

SaaS (Software as A model of software deployment whereby a vendor licenses an
a Service) application to customers for use as a service on demand. In general
the service operates on a „pay as you go‟ model

Service Catalogue A list of all the services available in the G-Cloud at a particular time.
For each service it will include Price, Service Levels, Resilience,
Capacity, IL level, Reporting and Duration options



A2. Appendix 2 Stakeholder list

Name Organisation

Andy Nelson MoJ – CIO

John Suffolk Cabinet Office – SRO

Bill McCluggage Cabinet Office – Deputy Government CIO

Martin Bellamy Cabinet Office – Programme Director

John Fotheringham Deloitte

Annette Vernon Home Office – CIO

Tim Wright DCSF – CIO

Phil Pavitt HMRC – CIO

Nick Hopkinson GCHQ – CIO

Dean James DWP – CICT COO

John Taylor MOD – CIO

Roy Marshall Communities – CIO

Christine Connelly Health – CIO

Julian David Intellect

Derek Kay Deloitte – Cloud Computing SME

Toby Spanier Deloitte - Business Planning Workstrand Lead

Joe Penman HP - Business Planning Workstrand Co-Lead

Nicky Stewart OGC - Commercial Strategy Workstrand Lead

Barry Matthews Alsbridge - Commercial Strategy Workstrand
Co-Lead

Stuart Aston Microsoft - Information Assurance Workstrand
Co-Lead

Wendy Wright Deloitte - PMO Workstrand Lead

Alex Rees IBM - PMO Workstrand Co-Lead

Dilip Parmar CLG - Quick Wins Workstrand Lead

Andy Bates Cable and Wireless – Quick Wins Workstrand



Co-Lead

Mike Truran DWP - Service Management Workstrand Lead

David Greenway Capgemini - Service Management Workstrand
Co-Lead

Eileen Logie DWP - Service Management Workstrand Deputy
Lead

Gerry Gallagher Deloitte - Service Specification and Business
Transition Planning Workstrand Lead

Andy MacLeod Cisco - Service Specification and Business
Transition Planning Workstrand Co-Lead

Miles Gray Connecting for Health – Technical Architecture
Workstrand Lead

Kate Craig-Wood Memset - Technical Architecture Workstrand
Co-Lead



A3. Appendix 3 – Details of Scenarios

In order to refine the Vision described in this document a series of scenarios were reviewed
and walked through by the Cabinet Office Datacentre Consolidation, G-Cloud and
Application Store Phase 2 programme leadership team on 22 nd October 2009.

There are six scenarios each based on a different stakeholder within ICT services for the
Public Sector. Each scenario investigates the ways in which the G-Cloud will affect how this
stakeholder deals with a challenge to delivering ICT services.

The sections below describe the scenario and the results of the team‟s investigations of the
scenario and its challenges in the new world of the G-Cloud.

A3.1. Central Government Department ICT Service Director

A3.1.1. Role:
ICT Service Director in Central Government department
Current ICT services range from PC support to running of bespoke applications on a
mainframe

A3.1.2. Challenge:
10 year outsource deal for department‟s ICT services coming to an end in 12 months

A3.1.3. Outcome:
How will the G-Cloud help?
- Providing efficient procurement process
- Reduced time in definition of requirements
- Provide choice and competition
- Time savings (procurement)
- Agreed framework for SLA
- Enable budget planning
- Provide risk reduction
What features would G-Cloud need to have?
- G-cloud would need to have the following features: transparency in its
processes, security, provide scalability and resilience.
- The G-cloud would also need to contain agility
- In order to view the different services on offer, the G-cloud would require a
shop window
- Provide environment where we don‟t need to pay for what we don‟t need or
use
Will G-Cloud be able to provide all requirements?
- Short term, yes, but only in terms of core products
- In terms of more specific products in 2012 it will not be in a mature state
How will the role and skills in the ICT group of the Department change with the
use of G-Cloud?



- Different type of commercial awareness and knowledge
- Increased visibility across govt departments
- Different approach to service management
What assumptions have you made?
- We are in 2012
- 3 key challenges = green agenda, digital Britain, reducing overall cost



A3.2. Local Government Director of Housing

A3.2.1. Role:
Director of Housing in Local Government

A3.2.2. Challenge:
New government legislation requires local authority to monitor new aspects of private
rental property in the borough
Responsibility will be given to the borough in 6 months time
Existing ICT systems are at full capacity and do offer appropriate functionality

A3.2.3. Outcome A:
- Provide scale
- Enable us to buy more of the same thing
- We don‟t need to go through a competitive procurement process
- Provide resilience
- Easy to terminate
- Similar to Scenario 1, for example G-cloud would need to have transparency
in it‟s processes, Security, provide scalability, resilience, and agility
- In order to view the different services on offer, the G-cloud would require a
shop window
- Provide agreed commercial principles
- Yes
How will the role and skills in the ICT group of the Department change with the use
of G-Cloud?
- There would be little change in skills
- There is a service that already exists and provides the appropriate
functionality
- Current capacity is provided by the G-cloud
- Business change has already taken place, therefore there will be little change
in terms of skills



A3.2.4. Outcome B:
- Provide a brokerage service
- Aggregated demand
- Application sharing/re-use of applications
- Yes
How will the role and skills in the ICT group of the Department change with the use
of G-Cloud?
- The role would require someone who is more focussed on strategy
- There would be a certain amount of headcount reduction
- The remaining staff would be required to perform a different type of support
and maintenance
- Less bespoke applications and a reduction in the number of legacy systems
would mean more standardised skill sets with less specialist knowledge
required
- Existing ICT systems DO NOT provide the appropriate functionality
- All required applications have already been purchased by the Crown



A3.3. Private Sector Application Provider

A3.3.1. Role
Small private sector software group
Just completed successful software implementation at a Police force
Functionality of software developed would be relevant to other Police forces

A3.3.2. Challenge:
Software group has limited marketing and sales resources

A3.3.3. Outcome:
How will the Application Store help?
- The application store would provide a low cost shop window
- A rating system would enable users to rate services/applications and add
comments
- Provide a window on certified solutions
- Reduced cost of sale/procurement, which would also mean a reduced price
point
- A small application provider could use a larger shared infrastructure to build
applications leading to a reduction in barriers to entry
What features would the Application Store need to have?
- Star ratings
- Associated services/infrastructure services
- Want to have categories of solution i.e. „other customers have bought this‟
How will the processes and skills of the Software firm change to use Application
Store?
- Going to have to change to online marketing
- How you get paid for your sales/for your application will affect your cash flow
- Have to align your process around standardised service management
- Certification services
- Change your support services/provide maintenance packages
- Move resources from design to implementation
- Lower cost of sale
- Central certification i.e. Once a product is certified it doesn‟t require re-
certification to be sold on or over time
- Don‟t have to compete every time i.e. Not a bidding system for use of
services/applications
- The department could also want to integrate it and sell
- Standard desktop environment
- Standard application development environment



A3.4. Central Government Department ICT Service Director

A3.4.1. Role:
ICT Service Director in Central Government department
G-Cloud provides infrastructure for application supporting Department‟s main function

A3.4.2. Challenge:
Changes in economic environment mean that capacity requirements will increase in
next 3 months significantly beyond projections when G-Cloud services were contracted

A3.4.3. Outcome:
- Elastic scalability
- By buying standard solutions, it is easier for the supplier community to roll out
the things that you want
- Season ticket concept:: cost will vary with the length of time, the longer you
have it the cheaper it will be
- Balanced demand across Government e.g. as the demand for the DWP goes
down, the demand for the HMRC will go up and vice versa
- Give advice on the extra things you might need to make the applications
work
- Standard building blocks
- Speed of procurement
- Flexible offerings
- Ability to aggregate demand
- No , does not include networks
- Application store included access to PSN services
- Minimum period of the rental terms becomes a differentiator
- Standardised units across the G-cloud
- Defined time period for which prices are fixed
- Minimum time period for which a price will be held firm



A3.5. Local Government CIO

A3.5.1. Role:
CIO in Local Government
G-Cloud infrastructure services provided to Social Services department

A3.5.2. Challenge:
Performance of G-Cloud services has recently deteriorated
Social Services director very concerned as social workers effectiveness being impacted

A3.5.3. Outcome:
How can CIO resolve issue with G-Cloud?
- There is a shift in the commercial model that results in the CIO being able to
easily switch providers (low switch costs) for continuous poor performance
What features would G-Cloud need to have both in technical and governance
terms to enable resolution of the issue?
- A back room/account management team pulling things together
- Point of vertical escalation
- Point of negotiation of requirements
- Application service rating
What roles and skills would the CIO need in his team to resolve the issue?
- Business understanding of local Government to offer re-use/other services
- CIO role will have to change to incorporate capacity management and
forecasting
- Replace ICT procurement with a G-cloud ICT person within the local
Government office
- Lead to in-house expertise
- A change in the retained ICT capability
- That there is a single point of contact for all cloud services
- Frontline has some business knowledge
- There is some knowledge of the service provider



A3.6. Private Sector ICT Provider

A3.6.1. Role:
Supplier of infrastructure and application services to Central Government department

A3.6.2. Challenge:
Supplier‟s 10 year outsource contract for the department‟s ICT services coming to an
end in 12 months
Current ICT services range from PC support to running of bespoke applications on a
mainframe

A3.6.3. Outcome:
- G-Cloud will provide opportunities to increase market share in public sector
- Offers broader international scope for repeat business
- Reduced bid costs because the organisation has cloud accreditation
- Brokering service so that application providers can offer applications across
the cloud
- Published open standards for interoperability
- G-cloud will not provide all requirements as there may be legacy/heritage
systems that may remain outside the cloud
- The supplier was going to be accredited and move into the cloud



A4. Appendix 4 Drivers for Change

In section 2.1 above, an overview of the factors affecting Public Sector ICT is provided. In
this appendix the drivers for change in Public Sector ICT are listed.

A4.1. Strategic Drivers for Change

CSR010 VFM Programme: OEP annual ICT saving targets of £3.2Bn achievable in
three years including £1.6Bn from the ICT Collaborative Procurement Strategy.
‒ G-Cloud will deliver a fundamental contribution to the OEP and will facilitate
and accelerate the OEP targets.

Climate change: Greening Government ICT white paper (July 2008) energy efficiency
and ICT equipment disposal recommendations. Government is Britain‟s largest
purchaser of ICT.
‒ G-Cloud will facilitate smarter ways of working through ubiquitous and secure
access to data, further reducing government‟s environmental impact and
carbon footprint.

Digital Britain: strategic vision for ensuring that the UK is at the leading edge of the
global digital economy. This requires a step change in the efficiency of the delivery of
purchases and ICT procurement.
‒ G-Cloud will deliver greater agility and speed in the delivery of policy and
services, underpinned the adoption of shared infrastructure at lower cost.

A4.2. Financial Drivers for Change

Cash releasing benefits have been estimated as significantly in excess of £900m over 5
years, with savings of £300m per annum thereafter.

These will be achieved by:

‒ Reduced hardware maintenance, server capital expenditure, and power
consumption through more efficient and better utilised infrastructure.

‒ Reduced up-front investment costs through standardisation and sharing of
assets.

‒ Reduced estate footprint through site sales/repurposing of accommodation.
G-Cloud
‒ Reduced capital investment in computer infrastructure through utility-based
rental of computing and processing time.



‒ Reduced server purchase costs through virtualisation of servers across
departments leading to higher utilisation rates

‒ Reduced data recovery costs through fewer dedicated DR facilities.

‒ Reduced bespoke application development through reuse of existing
components.

‒ Reduced application purchase prices through economies of scale.

‒ Reduced licensing costs through licensing consolidation and reuse.

‒ Reduced investment costs through SaaS pay for use model

A4.3. Non Financial Drivers for Change

Significant intangible and qualitative benefits are enabled by the Programme:

‒ Increased resilience and reduced risk through improved and modernised
facilities.

‒ Enhanced business agility through faster virtual server provisioning.

‒ Improved sustainability through more energy efficient estate.

G-Cloud
‒ Improved dynamic scalability through accessing additional resources for peak
demand.

‒ Enhanced ability to transition ICT staff to more value-adding activities through
reducing the need for maintenance and patching.

‒ Reduced project timescales through reuse of building components.

‒ Enhanced business agility through easier and less lengthy procurements due
to framework contracts

‒ Improved licence compliance through centralised monitoring and
management.

‒ Enhanced purchasing decision making through better pricing transparency
and comparability.

‒ Increased Information Assurance through being built-in to certified solutions.



A4.4. Technological Drivers for Change

Cloud computing has come of age driven by real advances in:
‒ architecture

‒ security

‒ web platforms

‒ elastically scalable processing

‒ utility computing, on-demand services, grid computing and software as a
service.

‒ Virtualisation providing ability to:

‒ Drive higher server utilisation rates

Use of commodity server resources
‒ Standardised components leading to easier recovery in event of failure

‒ Service Oriented Architecture providing

‒ Enhanced integration mechanisms between applications

‒ Ability to re-use application components

Process automation providing
‒ Standard support mechanisms

‒ Enhanced agility

‒ Improved visibility of service performance


A5. Appendix 5 Programme Risks
PROGRAMME R ISKS

(AS AGREED AT THE PROGRAMME BOARD ON 10TH DECEMBER)

# Category Owner Risk Description Likelihood Impact Mitigation Approach

There is a risk that pricing and commercial terms for
G-Cloud, Data Ensure that terms adequately reward
G-Cloud and data centre migration may be
6 Centre MT High High commercial risk commensurate with
insufficient to encourage industry investment and
Consolidation value for money and cost savings
participation

Failure to secure senior and early departmental Effective senior stakeholder management
8 All MB commitment to G-Cloud may prohibit service uptake High High to ensure understanding and buy-in
and infrastructure sharing Programme to engage regularly with CIOs

Delivery of the G-Cloud benefits will require strong Tech Architecture workstrand lead to
central coordination across Dept and LA boundaries - review and ensure open standards are
this is how the private sector successes to date have appropriately reflected
been achieved. This requires a radically new ICT
10 G-Cloud GG High High Peer review process to validate
governance and organisational approach for the
appropriate use of open standards.
Public Sector. If this change is not appropriately
implemented, achievement of G-Cloud benefits will Obtain early senior stakeholder support
be significantly impaired and/or delayed. for proposed governance models

UNCLASSIFIED


DS to engage CESG and other critical
Failure to agree an appropriate IA model will prevent
stakeholders to facilitate understanding
departments from using shared infrastructure and
12 G-Cloud DS High High of impact and changes required by G-
suppliers from easily providing services over the G-
Cloud and to gain commitment to
Cloud.
proposed IA model


Regularly assess support/commitment
There is a risk that the programme may not receive from Government (both Business and
1 All MB cross Government support and commitment required Medium High Technology perspective)
to deliver key elements of the G-Cloud strategy Demonstrate/communicated benefits of G-
Cloud

Secure at least one major government
There is a risk that the team will not get sufficient department to be fully involved in the data
data or engagement from departments, and will collection process.
2 All TS Medium High
therefore not be able to produce a robust business
case Engage with a cross selection of
departments to gather data



Commercial team to identify procurement
Procurement rules may prohibit the establishment of model(s) for the G-Cloud and test these
13 Apps Store NS Medium High
pan government purchasing, re-use and sharing. early with EU and UK procurement
specialists to validate their proposals.

Quick Wins workstrand is aware of this and
There is a risk that security accreditation constraints is working closely with the Information
14 Quick Wins DS Medium High
may prohibit quick wins from going live. Assurance workstrand to ensure that any
quick wins developed are able to go live.

There is a risk that failure to create common security 1. DS to progress with Technical
Data Centre
18 DS standard for data centre evaluation may inhibit the Medium Medium Architecture and DC teams and;
Consolidation 2. Assess viability of selecting/ using
Data Centre consolidation
current standards


There is a risk that any one data centre (if there are Ensure that data centre consolidation
Data Centre
19 DS 12) may not be secure enough to cater for the total Medium Medium approach defines sufficient data centres
Consolidation
data held and appropriate data separation strategies



There is a risk that incoming regulation may make
PUE (Power usage effectiveness) higher than 2.0
17 All MB illegal and this may mean that we have to change our Medium Low Ongoing monitoring of emerging regulation
target DC / transition approach (move more rapidly
than planned)

There is a risk that senior stakeholders’ expectations
regarding the projected savings for DC consolidation,
Progress validation of savings ASAP and
G-Cloud and Apps Store (as documented in the ICT
3 All TS Low High ensure stakeholders are provided with
strategy) cannot be met as the detailed analysis to
upper and lower savings projections
validate the high level extrapolation of industry
benchmarking has not yet been completed.

Arrange more cross strand meetings to
There is a risk that different interpretations for App
lock-down a single definition for service
Store and G-Cloud governance and commercial
11 All EL Low High management. Model service management
framework across the programme will inhibit the
architecture and challenge cross strand
creation of the Service management framework.
interpretations in work strand.




There is a risk that as a result of stating our preferred
Technical Architecture and peer reviewers
approach, one industry model/ method becomes
15 All MG Low High to ensure standards are open/ fair to allow
dominant / de facto and others are incompatible /
multiple industry models
sidelined.

Identify potential double counts. Evaluate
the extent to which this programme will de
risk their delivery or provide the means to
There is a risk that the business case may double achieve them. Do not set a separate target
count savings with PSN programme and other existing on top of OEP etc. for programme benefits -
4 All TS Low Medium
programmes, thus weakening our or their business i.e. the programme enables benefits to be
cases. realised across current governmental
targets. Need urgent clarity on the scope
boundaries of PSN and G-Cloud to avoid
this scenario

There is a risk that insufficient engagement with the Implement an appropriate engagement plan
th for CIO engagement prior to the CIO
CIO community prior to 5 February will result in a
5 All MB Low Medium council. Request support from the
subsequent lack of buy-in to the business case and Programme Board in engaging with CIO
Vision.
stakeholders




Failure to secure early, senior industry engagement
Implement appropriate industry
(CXO-level) may constrain G-Cloud service provision
7 All MB Low Medium engagement plan using Intellect and other
decisions and prioritisation of investment in FY
appropriate industry bodies
2010/11

Ensure that development of transition plans
There is a risk that suppliers may develop Cloud includes appropriate governance to
20 All MB approaches for Public Sector based on the status quo Low Medium introduce non status quo approaches such
and thereby limit the cost efficiencies of G-Cloud. as introduction of new suppliers and
technologies

The Vision and transition approach should
be developed such that we do not have a
G-Cloud, There is a risk that if the PSN or Desktop are not
21 MB Low Medium dependency on the availability of
Apps Store available on time it will cause unnecessary delay
Desktop/PSN and that our infrastructure is
agnostic of network or desktop service

Failure to incorporate into contract terms the ability to
Commercial to progress, optional
use a purchased application across multiple
22 Apps Store NS TBD High Make “the Crown” the entity in contracts
government entities will result in applications not
rather than individual departments
being shared/re-used across government



There is a risk that commercial and carbon gains are
16 All MB made by departments on their own and the G-Cloud TBD Medium MB to provide mitigation w/c 17th January
does not deliver large enough incremental savings

POTENTIAL PROGRAMME RISKS

(SUBMITTED BY HMT FOR CONSIDERATION FOR INCLUSION INTO RISK REGISTER)


Government Governance of the
Programme

Input is being actively sought from CIOs in both local and central
Delivery of the G-Cloud benefits will require
government sectors, in order to build a high level of buy-in to the
23 All TBC strong central coordination across Dept and TBD [high]
programme’s direction of travel, deliverables, and governance
LA boundaries - this is how the good private
model.
sector successes to date have been
achieved. This requires a radically new
governance and organisational approach.



Alternative funding routes will be explored, including funding from
within the public sector CIO Community, and also upfront funding
from suppliers that is then repaid through service charges (HMT
Funding/ upfront investment would be content with this provided this does not add to the
national debt and still produces significant savings post high interest
24 All TBC In the current resource constrained TBD [high] rates levied). HMT can consider providing new funding for the
environment, upfront investment funding central project team, but first want the project to explore whether
will be particularly difficult to secure. the CIO Community would fund these costs from existing budgets,
on the basis that the investment will help deliver savings later on.
Early adopters could provide seed funding, further reducing the
barriers to entry (and affordability constraints) for later adopters.


Develop a business case which delivers significant benefits for a
Achieving critical mass quickly
reasonable level of funding within 2-3 years. Enable the early
adopters to share in the benefits of increased downstream scale,
If the programme does not achieve a certain critical
25 All TBC TBD [high] as more organisations make use of the programme. The
mass within the first 2-3 years, benefits will not be
Programme Director will engage the SRO and the Chair of the
significant enough to attract public sector
Programme Board to develop a broader socialisation and
organisations in the future.
engagement approach post the CIO Council meeting.



Work is already underway across government to secure political
support for the programme as part of the wider ICT Strategy.
Angela Smith has issued the ICT Strategy to ministers and their
departments, who have all formally accepted it. (Confirmation of
support from HMT still in progress.) The programme is positioned
as an enabler of government policy, including OEP, Digital Britain,
Political Sponsorship
Smarter Government, Building Britain’s Future and the Green ICT
26 All TBC TBD [high] Strategy – hence it centres on improving efficiency and delivering
This IT-enabled programme may not be viewed as
relevant business change capability, through buying IT differently
appealing to Ministers.
and therefore should appeal to a delivery focused politicians.
Government policy is to enable decentralisation, and efficient IT
decentralisation can only be undertaken successfully (and cost
effectively) with the strong central co-ordination for standard IT
assets, infrastructure and processes that will be delivered by the
programme.
Transition Plan
Work is still in progress on the governance and organisational
model, and the transition plan. Discussions are underway with
Though the vision and end destination of the
27 All TBC TBD [high] programme board members, and departments and LAs – the
programme are clear, the journey is not currently
proposed way forwards will be reviewed at the next programme-
developed enough to provide stakeholders with
HMT meeting in late January.
sufficient confidence of the programme’s success.

APPENDIX



Abbreviation Name

MB Martin Bellamy (Programme Director)

TS Toby Spanier (Business Planning Lead)

NS Nicky Stewart (Commercial Strategy Lead)

MG Miles Gray (Technical Architecture Lead)

GG Gerry Gallagher (Service Specification / Transition Planning Lead)

EL Eileen Logie (Service Management Deputy Lead)

HMT HM Treasury



A6. Appendix 6 Information Assurance

Information Assurance (IA) Workstream Report Summary

1. This workstream report, referred to as the Information Assurance Strategy (IA Strategy)
for ease of reference, sets out the vision and initial proposals for an IA Strategy covering
the vision of the of the Public Sector IT Strategy for Data Centres, Government
Applications Store and a Government Secure Cloud (G-Cloud) environment. It should
be read alongside the G-Cloud Vision and the Commercial, Service Management and
Technical Architecture workstream reports. Where necessary parts of these documents
have been reproduced in the IA Strategy for the ease of the reader. Annex A gives a
brief account of the working method of the IA Workstream in devising the IA Strategy.

Vision and Scope

2. The vision of the G-Cloud programme is set out in Reference A covering the creation of
a single „hybrid‟ cloud1 for the G-Cloud environment providing multiple services across a
range of assurance requirements. In order for the IA strategy to set out the IA areas that
will need to be covered, this strategy has created an IA Scope. The IA Strategy also sets
out an initial proposal for a roadmap identifying the steps that will need to take place to
identify if this vision is achievable.

3. The IA Strategy identifies the IA benefits of cross public sector IA governance, assured
utility computing components, service re-use and application rationalisation.

4. CONCLUSION: There will need to be a fundamental change from the current IA policy
and practice when information risk management moves from the current model of risk
management by each organisation for their own services and information to truly shared
risks to services and information cutting across multiple organisational boundaries.

5. CONCLUSION: IA risks will be managed by segregating the services and information
based on their Threat, Impact and Compliance profiles. The current lack of technology
assured to an acceptable level has meant that the roadmap for the IA strategy will begin
with physical segregation of domains covering these groupings of services. The
objective is to rationalise these physical segregations as assured technology becomes
available to manage the risks. This includes continued work to investigate the
assurance that can be gained from public cloud services and what types of service might
be suitable for some types of public sector information.

1
The definition of “Cloud” is in accordance with those as defined by the NIST.

UNCLASSIFIED


Governance and Roles

6. CONCLUSION: The G-Cloud will bring about a fundamental change to ownership and
responsibility for IT services delivered to the public sector. Organisational SIROs will
remain responsible for the risk ownership of their information wherever is stored or
processed. Similarly organisational SROs will remain responsible for managing the
information risk for specific programmes or projects to ensure they meet the objectives
agreed with their SIRO and board.

7. CONCLUSION: In order to realise potential efficiencies in the application of IA processes
in the G-Cloud environment, SIROs and SROs will need to rely on risk management
decisions made by their peers or 3 rd parties. Without this change there will severe
duplication of effort and inconsistency in assurance results. This is a major change to
the current model of information risk ownership, but without removing the accountability
or the organisational SIROs or SROs.

8. RECOMMENDATION: The creation of a G-Cloud SIRO that is responsible for the
Confidentiality, Integrity and Availability of the utility services and supporting
infrastructure of the G-Cloud. Similarly there is a requirement for a G-Cloud SRO who
will have overall responsibility for delivery of security for the operation of the G-Cloud.
The G-Cloud SIRO will also need to provide oversight (and co-ordination) with respect to
the public cloud elements of the hybrid G-Cloud

9. RECOMMENDATION: The IA regime will look to CIO/CTO Council groups for strategic
direction, as well as the agreement that services, architectures and information flows (i.e.
information exchange standards) are consistent with the CTO Council‟s Service
Orientated Architecture, especially when looking at the re-use of applications and
components when building new services. CTO/CIO council groups will act as counsel for
the G-Cloud IA governance structures.

10. RECOMMENDATION: Phase 3 of the programme to work via the Cabinet Office (IS&A),
who work in close collaboration with CESG, to engage with the SIRO community to test
the proposals in this strategy. In particular the roles and responsibilities related to G-
Cloud SIRO, G-Cloud SRO and organisational SIRO.

Asset Valuation and Aggregation

11. CONCLUSION: Asset valuation, involving aggregation (both accumulation and
association) is a key challenge going forward for the IA strategy. Engagement with the
Pan Government Accreditors, CESG, CPNI, IADG and a selection of SIROs will be
required to reach an agreed approach to this issue. The expectation is that aggregation
by accumulation will cause an increase in the Impact Levels for Confidentiality, Integrity
and Availability, in many cases by at least one level.

12. CONCLUSION: Aggregation by association in effect raises the protective marking of the
combined pieces of information (both the threat and business impact will rise). There



needs to be a procedural process backed up by technology to ensure that information is
afforded appropriate protection.

13. CONCLUSION: There is a need to articulate the architectural principles that will allow the
de-aggregation of information. E.g. mechanisms to ensure that normal users cannot
view or retrieve an entire dataset. These mechanisms need to be evaluated
appropriately so that they can be used as risk treatments. This work should begin at the
start of Phase 3.

14. CONCLUSION: The availability of a given service is inherently limited by the underlying
services, e.g. the network and the data centre. There is parity in terms of the levels of
availability between each of the services provided in the data centre and the network,
e.g. any data centre should be able to support a service that requires support up to IL4.

15. CONCLUSION: The aggregated level of impact for the loss of a number of services or
data centres may well reach as high as IL6. In some cases the aggregated impact of the
compromise to the confidentiality, integrity of a single utility computing service used by a
large proportion of the public sector may also reach as high as Impact Level 6.

Risk Assessment, Risk Management and Service Assurance
Methodologies

16. CONCLUSION: Current HMG IA Standards, Policies and practices will need to be
amended to adequately model the risks reflected by the G-Cloud environment.

17. RECOMMENDATION: The creation of new product and service assurance
methodologies covering shared services and shared data/information operating in a
cloud environment. This is necessary to enable efficient, reusable assessment of
applications and services to facilitate the delivery, composition and risk management of
services. The governance of the G-Cloud environment must include oversight of all
protective monitoring, forensics, incident management and compliance activities.

18. RECOMMENDATION: Phase 3 should begin with a comprehensive Threat and Risk
Assessment covering the issues of asset valuation and aggregation.

Assured Technologies

19. RECOMMENDATION: Phase 3 should begin with urgent research work in to the
assurance available in current technologies to assist in creating the initial G-Cloud
environment. E.g. Resource sharing technology such as virtualisation, Gateway
Services, Identity Management (including authentication and authorisation) and
Encryption.



20. CONCLUSION: Without assured virtualisation technology and an effective federated and
brokered Identity, Authentication and Authorisation model for the Public Sector, many of
the IA and business benefits will not be realised. Where resource sharing technology
with strong containment is desirable, it is likely that tools to manage deployment will also
be required.

Compliance

21. CONCLUSION: A common issue with cloud computing concerns the demonstration of
legal and statutory obligations. This subject will be taken forward with Treasury
Solicitors (TSoL) and the Information Commissioners Office (ICO), as well as the SIRO
community in the next phase of the Datacentre and G-Cloud programme. One of the
single biggest risks to the successful creation of a community cloud for the public sector
will be an inability to demonstrate legal and statutory compliance.

22. CONCLUSION: The areas of responsibility for Codes of Connections and authorisation
for applications and services are still to be resolved. The expectation is that the G-Cloud
SIRO will be responsible for the authorisation of utility services. The responsibility for
authorising agility services, including those hosted on utility services, may well rest with
the organisational SIRO. We will need a method of understanding whether any
consumer is attempting to breach the use of the IA conditions related to the use of a
service.

23. CONCLUSION: There will need to be a set of assured services and components that
build to a point that allows the risk owners and risk managers of consuming
organisations to make a minimum amount of evaluation before reaching a decision on
the use any particular service available from the applications store.

Roadmap

24. RECOMMENDATION: The proposal for an IA roadmap is in section 5. The G-Cloud
Commercial Strategy gives an indicative timeline. In Phase 3 of the programme, the IA
roadmap and roadmaps from other strands will need to be aligned and a common
timeline agreed.

25. To achieve the vision of a single physical community cloud there is a requirement to
create assured multiple logical instances of a resource on a single physical platform.
There is also a requirement for tools to manage deployment of logical instances of those
resources.



There has only been enough time and detailed information gathering during Phase 2 of this
programme to create a set of IA proposals and suggested principles to the many IA
questions and challenges posed by the use of Public and Private Clouds. The IA
Workstream recommends that paper based scenarios and pilots (including quick wins) are
used to test the proposals made in the paper and create more detailed policies and
procedures.


g-cloud vision

More Related Content

What's hot

Similar to g-cloud vision

Recently uploaded

g-cloud vision