How to write a cloud plan
Cabinet requires NZ government organisations to have a cloud plan — also called a cloud adoption strategy.
Create a separate or joint document
Your organisation’s cloud plan, or ‘cloud adoption strategy’, can stand on its own or be part of an overarching strategy for information and communications technology (ICT).
It must show how your organisation plans on using public cloud services.
Cabinet minutes for public cloud services
What goes into a cloud plan
The New Zealand Information Security Manual (NZISM) explains how to put together a cloud adoption strategy.
Cloud adoption strategy — NZISM
Focus on approaches instead of solutions
Rather than focusing on specific solutions, outline the approaches you want your people to use. This allows your organisation to:
- respond rapidly in a changing environment
- keep up with advances in technology
- support the mahi and mana of your people — they’re trying to use the tools that help them do their jobs well
- work together smoothly inside your organisation and with other organisations inside and outside of government.
Zero trust approach
Zero trust means no longer trusting connections or devices based on the network in which they are located. Instead, users and devices are identified and decisions made to allow or deny access to a resource. This happens each time the user or device tries to access it.
A zero trust approach is the best way of securing access to public cloud services. It enables mobility and flexibility while also providing more security than traditional network-based approaches.
Fit security controls to zero trust principles
Zero trust moves defenses from static, network-based perimeters to focus on:
- users — identified every time they try to access a resource
- assets — such as end-user devices, public cloud services and legacy infrastructure
- resources — such as data, public cloud services and legacy applications.
Zero trust architecture — National Institute of Standards and Technology
Other types of cloud services
Cabinet requires government organisations to consider public cloud services over other types of cloud services and traditional information technology systems.
In some cases, it might make sense for your organisation to use other types of cloud services — for example, hybrid or community cloud.
Public cloud versus other types of cloud
Get input from people in different roles
Do not write a cloud plan in isolation. Reach out to people in different roles in your organisation. This way, you can make a plan for using public cloud services that takes into account different experiences and skill sets.
Offer a choice of services to your people
In your cloud plan, make sure your approach allows for a wide range of public cloud services that your people can use to do their work. This should include:
- a catalogue of approved services
- a balance of choice and common ground that fits your organisation’s context
- ways to work together with organisations inside and outside of government.
Offer a choice of public cloud services to your people
Utility links and page information
Last updated