Cloud Strategy Italy is the document that explores the strategic aspects of migrating the data and digital services of Italian public administrations to the cloud.
The text clearly illustrates the criteria for classification and the composition of the high reliability infrastructure (National Strategic Pole) that will host strategic and critical services.
The Minister for Technology Innovation and Digital Transition, Vittorio Colao, the State Secretary for Security, Franco Gabrielli, the Director General of the National Cybersecurity Agency, Roberto Baldoni, and
The digitisation of the Public Administration is a priority objective of the National Recovery and Resilience Plan, both to provide citizens and businesses with public services of higher quality, efficiency and effectiveness and to create new development opportunities for the country's digital economy.
In this process of digital transformation, the Italian Cloud Strategy plays a central role and, in continuity with the initiatives envisaged in the national plan, introduces important new features in order to simplify the work of administrations.
Through the cloud-first approach, the strategy aims to guide and foster the secure, controlled and comprehensive adoption of cloud technologies by the public sector, in line with the principles of privacy protection and the recommendations of the European and national institutions.
In this way, digital infrastructures will be more reliable and secure, and the Public Administration will be able to respond in an organised manner to cyber attacks, ensuring continuity and quality in the use of data and services.
Cloud services qualification
The acquisition of Cloud services by Public Administrations takes place through purchase procedures whose lack of flexibility makes it difficult to keep pace with the market and, above all, to assess the actual technical and organisational risks associated with the adoption of a specific service.
With a view to facilitating and guiding the implementation of the Cloud-First policy for the PA, an ex-ante qualification service is to be offered for Cloud services that can be purchased by the PA.
This qualification, based on the experience gained by AgID, aims to simplify and regulate, both from the technical and administrative point of view, the adoption of Cloud services.
Based on the analysis of the technological and organisational solutions available on the market, the three aspects of analysis make it possible to identify a priori the qualification of cloud services according to four types of cloud.
The four clouds for Italy
Qualified public Cloud services (EU), compatible with relevant legislation (e.g. GDPR and NIS), which allow data to be located in the EU and comply with technical-organisational security requirements, typically based on granular encryption systems managed by the supplier
Public Cloud services with on-premises control of security mechanisms, called Cloud Public Crypt (IT), which significantly increase the level of control over data and services, introducing a higher level of autonomy from non-EU CSPs in operational management
Private and hybrid Cloud solutions allow data localization in Italy and greater isolation from the public regions of the main CSPs. Such guarantees of autonomy shall be obtained through operational management by a provider subject to public supervision and monitoring.
Private Cloud services, which will be qualified through technological scrutiny
Finally, there are the unqualified public cloud services (extra EU/EU). These services do not meet the technical-organisational and regulatory criteria identified above and are therefore excluded from the plan.
The areas of use of cloud services
Qualified Cloud services can be used, according to the classification of data, with clearly defined constraints.
The offers of Cloud Public Qualified and Public Encrypted can accommodate ordinary data and services.
The offers of Cloud Public Encrypted, Private/Hybrid …on license… and Private Qualified will accommodate critical data and services.
Private/Hybrid Cloud
This process of adopting Cloud services in the PA will culminate with the creation of an electronic market for qualified Cloud services.
This market will have to be the means by which administrations are guided, in accordance with the process of classifying data and services, in choosing the Cloud services most suitable for them and in purchasing them directly with simplified and pre-negotiated administrative tools.
The Italian Cloud Strategy intends to address three challenges: ensuring the country's technological autonomy, ensuring data control and increasing the resilience of digital services.
The strategy is developed in three directions that will guide the bodies in the choices to be made regarding the different solutions of migration to the cloud.
The three guidelines to be followed by the PA
Classify PA data and services to guide and support cloud migration.
Adjusting the wide range of cloud services available on the market makes it possible to mitigate systemic security and reliability risks. In this context, the classification of data and services introduced by the strategy catalogs them as strategic, critical or ordinary, on the basis of the damage that their impairment could cause to the country system.
Qualifying cloud services through a technological scrutiny process.
The qualification of cloud services is aimed at simplifying and regulating, from the technical and administrative point of view, the acquisition of cloud services by administrations. The aspects taken into account are: operational management of services, in particular technical-organisational application standards and data control measures; security requirements for data management and provision of services; and contractual conditions for the provision and reporting of the service.
Implementing the NSP dedicated to strategic services, under public control and guidance.
The National Strategic Pole aims to equip the Public Administration with cloud technologies and infrastructures that can benefit from the highest guarantees of reliability, resilience and independence. The Pole will be distributed geographically on national territory at properly identified sites, to ensure adequate levels of continuity and tolerance to faults. The control and the guidelines of the NSP will be public and independent from third parties. The operational management will be entrusted to a qualified supplier on the basis of technical-organizational requirements.
The National Strategic Pole
The NSP aims to equip the PA with Cloud technologies and infrastructures that can benefit from the highest guarantees of reliability, resilience and independence. To this end, the NSP is expected to be distributed geographically across the national territory at appropriately identified sites in order to ensure adequate levels of operational continuity and fault tolerance.
The operational management of the NSP will be entrusted to a qualified supplier on the basis of appropriate technical-organizational requirements. The provider will have to ensure data control in accordance with relevant legislation, as well as strengthen the PA's ability to negotiate appropriate contractual conditions with Cloud service providers.
The NSP will have to enable the PA to ensure, by design, compliance with security requirements, such as PSNC and NIS, and enable migration, at least initially with a lift-and-shift process, to types
According to the classification provided in the previous section, the NSP will offer Cloud Public Crypt (IT) services, i.e. it will make it possible to manage, for example, on-premises encryption tools integrated into public Cloud for PA, and
The three phases of the Italian Cloud Strategy
There are three steps planned by the Government to implement the new strategy.
The first phase is the publication of the call for tenders for the implementation of the National Strategic Pole, by the end of 2021 at the latest.
The second phase, to be completed by the end of 2022, concerns the award of the contract for the implementation of the NSP.
The third and final phase will see the migration of PAs to the NSP from 2022 onwards, an operation that, according to the plan, will have to end by 2025.