Cloud Italy Strategy: Cloud PA migration
Cloud Italy Strategy is a programmatic document created by the Department for Digital Transformation and the National Cybersecurity Agency (ACN) with the aim of responding to three main strategic challenges:
- Technological autonomy of the country
- Data control guarantee
- Increased digital operational resilience
Consistent with the objectives of the PNRR (National Recovery and Resilience Plan), this document traces the roadmap to accompany about 75% of PAs in the cloud migration of data and applications by 2026.
The funds disbursed under the National Recovery and Resilience Plan will support the first (massive) phase of cloud PA migration. Then the organizational machine, thus launched, will continue according to a strategic plan whose objective is the complete diffusion of cloud infrastructures in the Public Administration. Within the Cloud Italy Strategy, both the migration methods to the cloud and the management of cloud PA infrastructures are envisaged for this purpose.
Cloud first is the methodological approach aimed at guiding and facilitating, in a controlled and complete manner, cloud migration by the Public Administration, in line with the principles of protecting the privacy and security of IT data.
Cloud Italy Strategy: what is digital operational resilience?
If the first two strategic challenges of the Cloud Italy Strategy are easily understood, namely making Italy a technologically autonomous country and having control over data protection, the concept of digital operational resilience may not be as intuitive.
The Digital Operational Resilience Act (DORA) was born on the basis of a legislative proposal from the European Commission (24 September 2020) and was initially designed to mitigate the risks associated with cyber threats and technical failures within financial organizations. Since DORA aims to improve the ability to build, guarantee and test the technological operational integrity of an entire organization, ensuring that it continues to provide its services with continuity and quality even in the face of operational interruptions in ICT (Information and Communication Technologies), its application has crossed the borders of the financial sector.
The concept of digital operational resilience first of all requires a change of mentality: flexibility becomes central to adapt to changes, to react to unforeseen events and to constantly guarantee the quality of service, understood also, but not only, as productivity.
What is the Cloud PA Regulation?
To implement the Cloud Italy Strategy, AgID (Agency for Digital Italy) has drawn up a regulation that operationally governs the cloud PA infrastructures, setting out the characteristics and minimum requirements for cloud migration.
The Cloud PA Regulation (AgID Determination 628/2021) is the enabling element of the Cloud Italy Strategy. On its basis, on January 18, 2022, ACN and the Department for Digital Transformation (support structure of the Minister for technological innovation and digital transition) prepared three guidelines of the Cloud Italy Strategy:
- Classification of data and services
- Cloud Services Qualification
- National Strategic Pole (PSN)
These guidelines will show public bodies the way to make the appropriate choices towards cloud PA migration.
Cloud PA migration: classification of data and services
The first operational guideline of the Cloud Italy Strategy concerns the classification of data and services. The purpose of this activity is to classify the data on the basis of the damage that their possible compromise would cause to the country. We, therefore, have 3 levels of risk:
- Ordinary Risk: compromise of the data and services is not detrimental to the country’s system.
- Critical Risk: the threat to the data identified here could cause damage to relevant functions in the national system at a social and economic level.
- Strategic Risk: the data and services that belong to this class have an impact on the security of the country if compromised.
Cloud PA migration: qualification of cloud services
With the qualification of the Cloud PA services offer, we intend to simplify the acquisition of cloud services by public bodies and local administrations. The simplification in turn will make it possible to regulate the following aspects from a technical and administrative point of view:
- data control measures;
- security requirements for data management;
- application technical standards;
- organizational standards.
These requirements are met with the migration to what is called “cloud qualified PA”, which we will examine in more depth in the next chapters.
Cloud PA Migration: National Strategic Pole (PSN)
The National Strategic Pole will aim to equip the state and bureaucratic machinery with cloud technologies and infrastructures capable of matching the highest possible guarantees in terms of reliability, resilience, and autonomy.
This feature also gives the PSN a unique specificity compared to other providers: the responsibility of managing data classified as strategic at the national level.
How does the National Strategic Pole work?
The National Strategic Pole (PSN), in accordance with the provisions of Article 35 of Legislative Decree 76/2020, is an infrastructure intended for all public administrations. Here are the 4 pillars of this infrastructure:
- Where is the new National Strategic Pole? The PSN will be located on the national territory in such a way as to guarantee, as required by the Cloud Italy Strategy, high reliability of services understood as operational continuity and tolerance to IT failures. The sites will be appropriately identified and disclosed.
- Who does the National Strategic Pole respond to? The implementation of the PSN is carried out and managed by the Department for Digital Transformation.
- What is the goal of the National Strategic Pole? The PSN is responsible for hosting the data and services classified as critical and/or strategic by all central administrations (about 200), ASLs (Local Health Authorities), and larger local administrations (i.e. Regions, metropolitan cities, and municipalities with more than 250 thousand inhabitants).
- Who is the National Strategic Pole managed by? The infrastructure will be entrusted for management to an economic operator selected through the activation of a public-private partnership on the initiative of a proposer.
National Strategic Pole Call 28 January 2022
The first step for the implementation of the PSN was taken on January 28, 2022, with the publication of the National Strategic Pole announcement. The implementation model is that of a public-private partnership and the procedure was taken over by “Difesa Servizi S.p.A.”, an in-house company of the Ministry of Defense, with the functions of “central purchasing body”.
What does the Call for the National Strategic Pole foresee?
The PSN Call provides for an investment of 723 million euros. The winner of the European tender, launched with the collaboration of ANAC (National Anti-Corruption Authority) for supervisory purposes, will have these funds for the provision of public cloud and private cloud services. The provision of services will be in compliance with the principle of transparency, to allow control by the authorities in charge of strategic data and services.
The winner of the call for the National Strategic Pole, which expires on 16 March 2022 at 4 pm, will be responsible for creating and managing infrastructure for Cloud PA services, located on the national territory and suitable for hosting public data/services, ensuring safety, reliability, and continuity in the provision of the service. This operator, selected by means of a tender, will have to set up a company subject to the golden power discipline.
Technical Glossary: The golden power (governed by Legislative Decree no. 21/2012) is the instrument that grants the Government special powers to set specific conditions, if not veto, on the purchase of companies considered strategic in sectors such as defense, energy, transport, and telecommunications.
Public Cloud PA and Private Cloud PA: what are they?
The winner of the Call for the PSN will be responsible for the construction of a Public Cloud and Private Cloud infrastructure.
- The Public Cloud is a cloud deployment model of a software or application whose processing and management resources are owned by a provider. These resources are shared among multiple tenants/users over the Internet.
- In the Private Cloud, cloud deployment takes place in a cloud computing architecture in which services are hosted in a private environment and use proprietary resources without sharing with third parties.
The PA Qualified Cloud Model
The Cloud Italy Strategy as outlined by AgID provides for a qualification process for public and private entities that intend to provide cloud services to the PA. This process is necessary for the Public Administration to adopt homogeneous Cloud computing services and infrastructures in line with standards. The standards are established by the AgID circulars number 2 and number 3 of 2018 and are related to safety, efficiency, and reliability.
The PA Qualified Cloud Model defined by AgID within the Cloud Italy Strategy is composed of:
- Qualified Services: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
- Qualified Infrastructures: for example PSN or Qualified Public Cloud
Remember that when referring to Cloud Computing, a pyramid of diversified services is always included:
- SaaS: is an application software distribution model, aimed at end-users, in which the software producer develops, operates (including through third parties), and manages a web application that it makes available via the Internet.
- IaaS: distributes hardware, software, network, and data resources to those who need to manage and configure the Cloud infrastructure system, as is the typical case of system administrators.
- PaaS: the service, in this case, aimed at developers, is the platform itself which can, in turn, be composed of different services, programs, or libraries.
Cloud Qualified PA: what qualifications are required?
From 1 April 2019, the Public Administration is obliged to acquire SaaS, PaaS, and IaaS services that are qualified by AgID and included in the Catalog of Cloud services for qualified PAs. The reference regulatory documents for understanding what qualified cloud means for the Public Administration are AgID Circular no. 2/2018 and AgID Circular no. 3/2018.