Cloud Service Providers and Public Administration. How to obtain AgID certification

The digital transformation of the Italian Public Administration (PA) is a very current issue.
Over the last few years, Italian institutions have regulated this area through a large number of interventions, such as the “Piano Triennale per l’Informatica nella Pubblica Amministrazione 2019 – 2021” (2019-2021 three-year IT plan for the Public Administration) from the Agenzia per l’Italia Digitale (Agency for Digital Italy). This document establishes one of the core principles of the Italian public administration’s digital transformation strategy, in other words “cloud first”: from 1 April 2019, public administration bodies which intend to define new projects must favor the adoption of cloud solutions over any other technology.

The possibility to remotely make use of software and hardware resources offered by a cloud provider involves numerous advantages in terms of system reliability, the quality of service provided, and cost savings – with the possibility of pay-per-use billing.

The adoption of cloud services represents the key to the digital transformation, allowing for a revolution in the supply of the Public Administration’s services.

Over the next few years, we can reasonably expect that non-cloud service providers will see ever-greater reductions in their PA market share, while Cloud Service Providers (CSPs) will be able to benefit from an interesting business opportunity – as long as they are able to guarantee compliance with the security standards defined by AGID and obtain the qualification required to perform such activities within the PA.

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. [Definition from the National Institute of Standards and Technology (NIST)]

The “Piano Triennale per l’Informatica nella Pubblica Amministrazione 2019–2021” (2019-2021 three-year IT plan for the Public Administration) states that public administration bodies which wish to create a new project or develop a new service must favor the adoption of cloud computing over any other technology.

It has also been established that, from 1 April 2019, all providers of cloud services to the PA must be an approved infrastructure and services provider, that is a supplier able to guarantee the security requirements requested by AGID.

From this point on, therefore, PA bodies can only purchase IaaS, PaaS, and SaaS services approved by the Agency and published on the Cloud Marketplace.

For Cloud Service Providers with contracts in force as of 1 April 2019, this approval is not required – but if they do not hold it, it will not be possible for further cloud service supply contracts to be signed with the PA.

The approval criteria for cloud infrastructure and services which can be supplied to PA bodies are laid down by two AgID memoranda:

• Memorandum no. 2/2018 establishes the criteria for approval of Iaas and Paas cloud services
• Memorandum no. 3/2018 establishes the criteria for approval of Saas cloud services.

The AgID memoranda establish two types of requirements which must be met for approval: organizational requirements and specific requirements.

1. Organizational Requirements

These are a series of “high-level” and experience-based organizational requirements.

For example, the CSP must prove that:

• They are able to handle “critical situations” (es. disaster recovery), to carry out tests on data integrity and recovery, where necessary.
• The services offered are covered by an appropriate quality management system.
• They have 24/7 customer support available.
• They have formalized and adopted specific change management, configuration management, and incident management processes and procedures.
• They are fully transparent in their contractual relationships.

2. Specific Requirements

The specific requirements relate to the following topics:

• Security, privacy and data protection requirements   
  The CSP must hold certification to ISO/IEC 27001 (information security management system) extended with the controls of ISO/IEC 27017 (controls for cloud services) and ISO/IEC 27018 (guidelines for the protection of personal data in the cloud).
  The certification must have been issued by accredited certification body. 
• Performance and scalability requirements      
  The CSP is required to declare the quality offered and the reliability of the service throughout its lifecycle.     
• Interoperability and portability requirements   
  The approved services must allow for interoperability with other services of the same type, through the use of open standards and appropriate Application Programming Interfaces (APIs).          
  The Cloud Service Provider must ensure the PA is able to migrate its applications to another provider in a secure manner, guaranteeing it the possibility to extract and remove its data at any time.
• Legislative conformity requirements    
  The Cloud Service Provider must provide the PA with the information and tools required to allow it to comply with Italian and European legislation within the scope of the use of the approved services and infrastructure. Particular importance is given to data protection regulations.   

In order to be able to have its services approved and to enter into contracts with the PA, a Cloud Service Provider must therefore carry out a series of activities which require a high level of specialization (management systems, technological solutions, and legal and compliance expertise).

Lutech’s Advisory Team accompanies Cloud Service Providers along the qualification path, allowing them to optimize their efforts and channel the expertise required to receive AgID approval in a short timeframe.
Lutech’s professionals boast many years of experience in the various fields required to obtain this certification. They are people who belong to multi-disciplinary teams, with the background necessary to guarantee the best support possible to Cloud Service Providers who wish to obtain AgID qualification as CSP for the PA.  

Some of the activities required to obtain AgID qualification are:

• Management of quality processes (ISO 9001)
• Security management extended to all environments involving the infrastructure of cloud services (ISO/IEC 27001 certification extended to ISO/IEC 27017 and ISO/IEC 27018 controls)
• Configuration and change management
• Incident management and recovery of infrastructure following critical events
• Management of regulatory compliance aspects

The time required to obtain the approval is closely linked to obtaining the certifications listed above and the implementation of the service subject to the approval.

As an example, for the purposes of checking the conformity of the environments put in place by the CSP for the supply of the services to the PA, Lutech’s Advisory staff carried out the following activities:

1. Assessment & Gap Analysis

This is the phase in which all information relating to the organization, the processes and the technological infrastructure of the CSP is gathered.  

A thorough check of the levels of maturity with respect to the requirements for AgID approval is made.

2. Remediation Plan

This is the phase in which the actions which allow the CSP to reach the levels of conformity required for approval are defined, taking into account the situation observed during the assessment and the specific organization requirements.

Analysis, assessment of the current maturity status and provision of remediation plans are performed using a proprietary tool developed by Lutech.

This tool allows a comparison to be made between the current conformity status, known as AS-IS, with the desired one which meets AgID requirements, identified as TO-BE.

The results relating to the 13 organizational requirements and 13 specific requirements are provided on the basis of the presence, absence or partial presence of the AgID requirements provided for and gathered during the assessment activities.

3. Design & Build

This phase involves detailed planning and implementation of all the organizational and procedural solutions required by the remediation plan which will allow AgID certification to be obtained.

4. Qualification & Optimization

In the final phase, the CSP is provided with support in obtaining approval, which will be issued following specific audits and checks on the requirements laid out in the memoranda. Continuing support and optimization services can also be provided for the IT, governance and compliance processes in line with the requirements of the contracting PA body.