How to write a cloud plan
Cabinet requires NZ government organisations to have a cloud plan — also called a cloud adoption strategy.
Create a separate or joint document
Your organisation’s cloud plan, or ‘cloud adoption strategy’, can stand on its own or be part of an overarching strategy for information and communications technology (ICT).
It must show how your organisation plans on using public cloud services.
What goes into a cloud plan
The New Zealand Information Security Manual (NZISM) explains how to put together a cloud adoption strategy.
Overview of cloud plans
At a glance, your organisation’s cloud plan should:
- focus on adopting public cloud services — in some cases, other types of cloud services might make sense
- take advantage of the opportunities of using public cloud services
- consider Māori interests in public cloud when it involves information from or about Māori
- meet the privacy and public records requirements in New Zealand
- manage the risks and the changes needed in the governance and management of your organisation’s information and communications technology (ICT)
- ideally, focus on approaches instead of specific solutions — for example, the zero trust approach moves your security controls from static, network-based perimeters to focus on users, assets and resources.
More information — overview of cloud plans
- Public cloud versus other types of cloud
- Benefits of using public cloud services
- Māori interests in public cloud
- Data Protection and Use Policy (DPUP)
- Digital information management
Focus on approaches instead of solutions
Rather than focusing on specific solutions, outline the approaches you want your people to use. This allows your organisation to:
- respond rapidly in a changing environment
- keep up with advances in technology
- support the mahi and mana of your people — they’re trying to use the tools that help them do their jobs well
- work together smoothly inside your organisation and with other organisations inside and outside of government.
Zero trust approach
Zero trust means no longer trusting connections or devices based on the network in which they are located. Instead, users and devices are identified and decisions are made to allow or deny access to a resource. This happens each time the user or device tries to access it.
A zero trust approach is the best way of securing access to public cloud services. It enables mobility and flexibility while also providing more security than traditional network-based approaches.
Fit security controls to zero trust principles
Zero trust moves defences from static, network-based perimeters to focus on:
- users — identified every time they try to access a resource
- assets — such as end-user devices, public cloud services and legacy infrastructure
- resources — such as data, public cloud services and legacy applications.
Other types of cloud services
Cabinet requires government organisations to consider public cloud services over other types of cloud services and traditional information technology systems.
In some cases, it might make sense for your organisation to use other types of cloud services — for example, hybrid or community cloud.
Get input from people in different roles
Do not write a cloud plan in isolation. Reach out to people in different roles in your organisation. This way, you can make a plan for using public cloud services that takes into account different experiences and skill sets.
Offer a choice of services to your people
In your cloud plan, make sure your approach allows for a wide range of public cloud services that your people can use to do their work. This should include:
- a catalogue of approved services
- a balance of choice and common ground that fits your organisation’s context
- ways to work together with organisations inside and outside of government.