How to write a cloud plan

Cabinet requires NZ government organisations to have a cloud plan — also called a cloud adoption strategy.

Create a separate or joint document

Your organisation’s cloud plan, or ‘cloud adoption strategy’, can stand on its own or be part of an overarching strategy for information and communications technology (ICT).

It must show how your organisation plans on using public cloud services.

Cabinet minutes and papers for public cloud services

What goes into a cloud plan

The New Zealand Information Security Manual (NZISM) explains how to put together a cloud adoption strategy.

Cloud adoption strategy — NZISM

Overview of cloud plans

At a glance, your organisation’s cloud plan should:

  • focus on adopting public cloud services — in some cases, other types of cloud services might make sense
  • take advantage of the opportunities of using public cloud services
  • consider Māori interests in public cloud where information is from or about Māori
  • meet the privacy and public records requirements in New Zealand
  • manage the risks and the changes needed in the governance and management of your organisation’s information and communications technology (ICT)
  • ideally, focus on approaches instead of specific solutions — for example, the zero trust approach moves your security controls from static, network-based perimeters to focus on users, assets and resources.

More information — overview of cloud plans

Focus on approaches instead of solutions

Rather than focusing on specific solutions, outline the approaches you want your people to use. This allows your organisation to:

  • respond rapidly in a changing environment
  • keep up with advances in technology
  • support the mahi and mana of your people — they’re trying to use the tools that help them do their jobs well
  • work together smoothly inside your organisation and with other organisations inside and outside of government.

Zero trust approach

Zero trust means no longer trusting connections or devices based on the network in which they are located. Instead, users and devices are identified and decisions are made to allow or deny access to a resource. This happens each time the user or device tries to access it.

A zero trust approach is the best way of securing access to public cloud services. It enables mobility and flexibility while also providing more security than traditional network-based approaches.

Zero trust — NZISM

Fit security controls to zero trust principles

Zero trust moves defences from static, network-based perimeters to focus on:

  • users — identified every time they try to access a resource
  • assets — such as end-user devices, public cloud services and legacy infrastructure
  • resources — such as data, public cloud services and legacy applications.

Zero trust architecture — National Institute of Standards and Technology

Other types of cloud services

Cabinet requires government organisations to consider public cloud services over other types of cloud services and traditional information technology systems.

In some cases, it might make sense for your organisation to use other types of cloud services — for example, hybrid or community cloud.

Public cloud versus other types of cloud

Get input from people in different roles

Do not write a cloud plan in isolation. Reach out to people in different roles in your organisation. This way, you can make a plan for using public cloud services that takes into account different experiences and skill sets.

Offer a choice of services to your people

In your cloud plan, make sure your approach allows for a wide range of public cloud services that your people can use to do their work. This should include:

  • a catalogue of approved services
  • a balance of choice and common ground that fits your organisation’s context
  • ways to work together with organisations inside and outside of government.

Offer a choice of public cloud services to your people
