Cloud Decision Guide

Public Sector Buyers Guide for office productivity in the cloud

A Microsoft U.S. Public Sector Solutions Guide March 2011

This document is provided as-is. Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

2011 Microsoft Corporation. All rights reserved.

Contents
Using the cloud in the public sector ..................................................................................................................................................... 1 Step 1: Determine your on-premises vs. cloud balance ................................................................................................................ 2 Step 2: Choose your cloud ........................................................................................................................................................................ 4 Step 3: Assess your workloads................................................................................................................................................................. 6 Step 4: Compare the services ................................................................................................................................................................... 8 Step 5: Assess risk and security ............................................................................................................................................................... 9 Next steps ..................................................................................................................................................................................................... 11

List of tables
Table 1. Considerations when comparing on-premises vs. cloud computing ..................................................................... 2 Table 2. Benefits of cloud messaging and collaboration services ............................................................................................. 3 Table 3. Summary of Microsoft Online Services SLA ...................................................................................................................... 5

ii

Using the cloud in the public sector

Looking for innovative ways to do more with less, governments of all sizes are turning to cloud computing as a key way to save money.
For example, the United States Department of Agriculture (USDA), the States of California and iii iv Minnesota, and New York City have all recently chosen the Microsoft cloud computing platform because of the way it provides enhanced IT services, such Cloud applications in the public as email and other business productivity applications, in a sector standardized and predictable way. Compared to traditional systems deployed on-premises, cloud computing can offer A cloud computing infrastructure can significant cost reductions and better support for disaster deliver one application to many users, v recovery and mobility efforts, such as teleworking. regardless of their location, rather than the traditional model of one Cloud computing refers to sourcing information and application per desktop. Cloud communications technology services over the Internet on a activities are managed from central pay-as-you-go basis. In the last few years, the topics of locations in a one-to-many model, cloud computing and software as a service (SaaS) have including architecture, pricing, dominated the IT landscape. For citizens, SaaS partnering, and management applications in the cloudtranslates into a more characteristics. In addition, the cloud connected world where they can access their data and provider handles software updates for information at virtually any time from just about anywhere. you. These attributes make the cloud a For the public sector, SaaS provides compelling benefits, cost-effective option for government, from improved worker productivity to faster delivery of education, and health care groups. new services. In the public sector, the cloud is Microsoft has been in the forefront of the cloud revolution commonly used for: for more than a decade. Today, the companys cloud vi includes top global enterprises energy companies, Email and instant messaging. telecom firms, banks, and pharmaceutical giantsin Desktop productivity, such as addition to more than 500 state and local governments in document creation and sharing. vii the United States. The latest cloud service is Microsoft Public records tracking. Office 365, which includes Microsoft Exchange Online, Microsoft SharePoint Online, Microsoft Lync Online, and Collaboration and presence. Microsoft Office Professional Plus. Payment processing. With a long-standing commitment to the cloud, Microsoft Identity and relationship understands that public sector institutions face unique management. regulatory requirements. This guide is designed to help you adopt the cloud solution thats right for your needs. User services delivered through the Based on numerous conversations with our customers, the web, such as e-government projects guide features common buying criteria and answers to and school portals. frequently asked questions about cloud solutions. 1
i ii

Step 1: Determine your on-premises vs. cloud balance

The choice to move to the cloud is not an all-or-nothing proposition. As you weigh your options, you can start by comparing traditional computing on-premises to cloud computing. A key differentiator is control. In general, traditional, on-premises computing solutions give you complete control over your assets with all the overhead and expenses that the scenario implies. The cloud computing model asks you to relinquish some control and potentially share assets in exchange for greater scalability, rapid deployment, and reduced costs. Most organizations use a hybrid approach. Your solutions can span on-premises and cloud environments. That way, you can preserve your current IT assets while investing for future needs. Table 1 shows a few fundamental differences between the two models to help you begin the selection process.

Table 1. Considerations when comparing on-premises vs. cloud computing Onpremises Heterogeneous infrastructure Capital expense Own Self-managed Cycle in years On-site Built for peak demand Homogeneous infrastructure Operating expense Lease or rent Third-party managed Cycle in months Off-site Changes based on demand Hybrid Cloud

Decision point: What is your priority? If your goal is to shift more of your IT cost center from a capital expense to an operational expense, the pay-as-you-go SaaS model is a good choice. However, if your organization requires direct control over physical assets and operational personnel, a solution onpremises may work better for you.

Microsoft offers solutions that let you enjoy the benefits of the cloudlower IT costs, enhanced collaboration, and ease of accesswith the applications you already know and trust. Table 2 takes a closer look at how the cloud can benefit public sector organizations.

Table 2. Benefits of cloud messaging and collaboration services Considerations Infrastructure Cloud benefits
Replaces heterogeneous IT platforms and legacy infrastructures, which often operate as data silos, with a unified platform. Supports geographically distributed teams and mobile workers with a single infrastructure in the cloud.

Business model

Helps simplify budgeting, because the clouds all-inclusive pricing models eliminate the need to estimate hardware, licensing, service, and support fees separately. Can replace capital expenditures with a more predictable monthly service fee.

Availability

Provides network-based access to applicationsemail, documents, contacts, calendars, and morefrom virtually anywhere on almost any device. Supports predictability and flexibility for all or part of your organization with pay-as-you-go pricing options.

Management

Offloads operational maintenance of the services, thus reducing your administrative overhead. Includes business-class features, such as IT-level phone support, a service level agreement (SLA) of 99.9-percent uptime,viii geographic redundancy, and disaster recovery.

Technology updates Scale

Deploys updates seamlessly so you dont need to manage software deployment processes. Accommodates peaks and valleys in demand automaticallyand you pay only for what you use. Reduces capital and operational expenses associated with equipping and managing data centers to serve peak capacity periods.

Step 2: Choose your cloud

Just as the public sector encompasses many different organizations and missions, the cloud is not a single entity. Messaging and collaboration needs vary, and so do cloud models. Microsoft hosts business productivity tools in three ways: In a public cloud. When software and services are hosted in a data center shared by many subscribers and operated by a commercial entity, it is called a public cloud. For example, the City of Plano, Texas, uses Microsoft Business Productivity Online Suite (BPOS) to provide employees with online access to email messages, calendar and task items, and shared documents. Microsoft Online Services hosts several government solutions in this way, and the latest is Office 365, the next generation of BPOS communication and collaboration products and services. In a dedicated cloud. This solution hosts applications and services within a separate, secured hardware infrastructure dedicated to a single customer. Microsoft Office 365 Dedicated with ITAR
ix

and BPOS for Federal work this way and are designed to meet the enhanced security needs of the
U.S. government, including state and local governments, government contractors, and other entities that require this level of security. For example, the USDA has chosen to provide email, document sharing, and other collaboration tools in this manner.
x

In a private cloud. This solution hosts applications and services within your own or a partners data center that you manage, giving you a high degree of operations control, enhanced security, and data sovereignty. The U.S. Defense Information Systems Agency (DISA) delivers Microsoft Office applications from a private cloud. The U.S. Army is a tenant. Cloud models from Microsoft
xi

In the cloud, you put your trust in the providers ability to deliver the level of service you require. Table 3 summarizes the SLA you can expect from Microsoft Online Services. Table 3. Summary of Microsoft Online Services SLA Service type Security Microsoft dedicated and public cloud data centers Data centers continuously strive to meet or exceed U.S. federal government and international security body standards. Secure Internet protocols include HTTPS and HTTP over SSL to access your services. Data centers and services are managed by rigorously screened and highly trained staff. Reliability and availability Provisioning Customer support Disaster recovery You can adjust your deployment model dynamically as your needs shift and grow. Support is available 7 days a week, 24 hours a day. Data centers are outfitted to operate during power outages and after natural disasters. Redundant network architecture is capable of disaster recovery. Microsoft replicates data from its primary data centers to secondary data centers for redundancy, without storing any data off-site. 99.9-percent uptime Service Level Agreement.

Decision point: Where are the hosting facilities? If a cloud service provider uses a data center located outside the United States, you need to know which law applies to your institution's datathe law where you are located or the law where your data is located. Export control laws may also apply to your data. If your data must be stored within the United States, Microsoft has primary and backup data centers in the United States to help ensure reliability and failover for government customers.

Step 3: Assess your workloads

Another way to evaluate cloud computing versus traditional computing models is to assess your workloads. Using the public cloud for pay-as-you-go services like email can reduce your total cost of ownership by lowering the need for infrastructure, maintenance, and management. However, privacy or compliance concerns may require you to keep sensitive data, such as human resources (HR) data, financial databases, or proprietary business intelligence (BI), on-premises, whether in a traditional data center or a private cloud. In addition, hybrid implementations can be a good option. That is, your solution can span onpremises and cloud resources. For example, you can move email or your communication and collaboration stack to the cloud while keeping financial applications and other sensitive workloads on-premises. You should also consider how much customization you require. For standard business productivity workloads, public cloud solutions like Office 365 offer the tools you need. For custom-tailored solutions, you can develop applications on-premises or using cloud services. For example, the City of Miami created the Miami 311 application to record, track, and report on non-emergency incidents. Developed using the Windows Azure platform of cloud application tools, Miami 311 is also hosted by Microsoft, which gives the city greater scalability than they could achieve in their own data center. Our top three workloads in the cloud for the public sector
xii

Email and collaboration

Websites and public domain data

Public records and correspondence management

Decision point: Customization in the cloud A public cloud solution should allow you to modify the workflows of applications and services to suit your business processes. Dedicated and private clouds typically offer a greater degree of customization and integration of services than do public clouds.

How workloads are hosted in cloud architectures

From private, self-hosted clouds to dedicated clouds to public clouds, cloud data centers rely on multi-tenant architecture to deliver services efficiently and affordably. Multi-tenant means that individual applicationsthe tenantsshare data center resources in the cloud. Public clouds use higher degrees of multi-tenancy, which enable you to deploy services rapidly and provide immense scalability for your users. Thats why youll find common productivity workloads, such as email, messaging, and collaboration, in public clouds. By comparision, dedicated and private cloud data centers give you the greatest flexibility in customization and addon services for your workloads.
Microsoft core cloud principles In delivering cloud services to the public and private sector, Microsoft follows these core principles: You are the owner of your data. Microsoft tells you where your data is. Microsoft will never use the data housed in its cloud for data-mining purposes, nor does Microsoft monetize your data via advertising. Microsoft Online Services uses multiple layers of industryrecognized security controls and multiple technologies as part of its strategy for defense in depth and breadth.

Decision point: Application performance If you run bandwidth-intensive applications that require lower latency and packet loss than your Internet provider can deliver, you probably dont want to use the cloud for that workload. A high-performance infrastructure on-premises may be preferred and could be integrated in a hybrid cloud model for the agency.

Step 4: Compare the services

Before moving users and services to the cloud, you need to know whether your key requirements will be met. Are there potential roadblocks to be aware of? Public sector organizations need to pay attention to regulatory compliance, in particular. Another consideration is the feature set you receive in the cloud. If your organization currently uses custom features or add-on services, you need to know whether equivalent features are available from your hosted service. Decision point: Is your organizations current IT structure centralized? Even if your IT platform is not based on Microsoft technology, the journey to a Microsoft cloud data center goes more smoothly when your existing IT resources are already centralized. Youll encounter fewer policy and organizational hurdles.

Regulatory requirements
Office 365 services are built to meet both government and commercial regulatory requirements and have additional security features, such as two-factor authentication. Each agency has unique needs, though, so please contact us to discuss your specific agency requirements and accreditations. Decision point: Will legal requirements be met? Microsoft data centers help preserve the chain of custody for 20 different document formats, including XML Paper Specification (XPS), Portable Document Format (PDF) 1.5, PDF/A, and Open Document Format (ODF) v1.1. When moving these types of documents between Microsoft on-premises and cloud services, documents retain the format and fidelity needed to comply with the requirements of the Federal Records Act, the E Government Act of 2002, Freedom of Information Act (FOIA), and the implementing regulations issued by the National Archives and Records Administration (NARA).

Feature requirements
Are you using features, add-ons, or services in on-premises deployments that you want to ensure are also available in your cloud-hosted software? Make sure you verify whether the custom forms or addon services that you use today are also available from the cloud service. Public and dedicated clouds can differ in the type of features they offer, even when the services are based on similar software. Decision point: Will one size fit all in your organization? You may need to meet the unique requirements of individual user groups, such as kiosk workers who do not typically work at a desk or information workers who do. Microsoft Online Services allow your agency to choose an appropriate mix of services without requiring you to over-provision to meet specific agency needs. 8

Step 5: Assess risk and security

Probably no cloud computing topic gets more attention than security. Whether you are protecting assets onpremises or in the cloud, you need to assess the technologies and methods used for user authentication, data transfer encryption, data storage, server security, and the security of data center facilities. Furthermore,no discussion of security is complete without an assessment of your institutions risk tolerance. Microsoft Online Services, including BPOS, uses multiple layers of security controls and multiple technologies as part of its strategy for defense in depth and breadth. Currently Microsoft has controls, contractual verbiage, and features in place to help your organization comply with a wide variety of industry standards and certifications. These include but are not limited to: International Organization for Standardization (ISO) 27001. Statement on Auditing Standards (SAS) 70 Type I (BPOS-S) or Type II (BPOSD and Global Foundation Services). Health Insurance Portability and Accountability Act (HIPAA). Family Educational Rights and Privacy Act (FERPA). Title 21 CFR Part 11 of the Code of Federal Regulations. Federal Information Security Management Act of 2002 (FISMA) Authorization to Operate (ATO) for Microsoft Cloud Infrastructure. The ATO covers the Microsoft cloud infrastructure that provides a trustworthy foundation for the companys cloud services.
xiii

Business Productivity Online Services-Federal has also received FISMA certification and accreditation resulting in an official ATO, which includes Exchange Online, SharePoint Online, and Office Communications Online.
xiv

Data protection and risk management best practices

Computing in the cloud can raise legitimate questions about security and data protection. Many public sector IT managers have come to recognize that Microsoft data centers help protect data at a standard higher than they could achieve on their own. In using private, dedicated, or public clouds for your messaging and collaboration needs, however, you can further extend your own security controls and processes: Manage risk through a comprehensive program that encompasses security, privacy, service continuity, and compliance management. Use multiple layers of physical and logical security controls and multiple technologies. Align risk management controls and practices with recognized standards, such as ISO 27001 and SAS 70, and periodically validate your controls and practices through third-party certification.

Data privacy in the cloud

Decision point: Is data encryption enough? Some regulatory or security issues may prevent you from hosting even encrypted data in a public cloud. A private cloud may offer an alternative if you still want to take advantage of cloud benefits.

When you entrust your data to someone elses data center, your need to know how that data is collected, used, and stored. In a Microsoft data center, your data is handled at an operational level and processed as part of the services you use. For example, a user might send an email using the Exchange Online service or post a document to a shared workspace using SharePoint Online. The Microsoft service does not know what is in the email or document but uses security protocols that help protect your contents during transfer and storage. Your data is treated by Microsoft under the terms of its privacy and security policies. Data privacy extends beyond data center technology to include partnerships and collaboration among users and providers. Thats why Microsoft policies and processes are designed to ensure that we: Engineer privacy into our products during the product life cycle. Implement privacy-based technology throughout our internal processes. Execute our global privacy practices properly throughout the company. Provide leadership for the industry. Microsoft will not contact a customers users, nor will we use any personal information collected for providing the services, for marketing or advertising purposes, except with the explicit consent of the customer.
xv

Decision point: Does your cloud provide privacy? Make sure a cloud service includes data encryption, effective data anonymization, and mobile location privacy in their service. In federal agencies, your contract with a service provider should include provisions for complying with the Privacy Act of 1974.

10

Next steps
Todays expectation for messaging and collaboration virtually anywhere and on any almost every device is being met in the cloud. To find out how your organization can benefit while meeting your operational and regulatory requirements, call your Microsoft sales representative or channel partner and ask for more information.

Microsoft in the cloud Microsoft has been running some of the largest, most reliable cloud services in the world for almost 15 years. With more than 40 million paying customers, our online services help public and private sector organizations alike to improve efficiency and cut costs by migrating part or all of their messaging and collaboration solutions to the cloud. On your journey to the cloud, look to Microsoft for options that fit your specific requirements. We can deliver your cloud services from the public cloud, a private cloud, or a self-hosted cloud infrastructure. In addition, we offer a robust hybrid model that combines both on-premises and cloud service-based computing.

For more information

See Cloud computing for government at www.microsoft.com/govcloud. Visit the Microsoft Office 365 website at www.microsoft.com/office365. See the Online Security webpage, including the white paper Securing Microsofts Cloud Infrastructure, at www.globalfoundationservices.com/security/. Get security guidance for government at www.microsoft.com/govsecurity. Set up a pilot program to test Microsoft Online Services in your organization at www.microsoft.com/online. See the Business Productivity Online Suite for government webpage. Download the data sheet (Portable Document Format file, 336 KB): Business productivity with Microsoft Online Services for government agencies.

Learn more at
http://www.microsoft.com/govcloud

11

Endnotes
i

USDA moves 120,000 users to Microsofts cloud. Microsoft press release. December 8, 2010. http://www.microsoft.com/presspass/features/2010/dec10/12-08usda.mspx ii Microsoft signs cloud deals with California, New York City. CIO. October 20, 2010. http://www.cio.com/article/627563/Microsoft_Signs_Cloud_Deals_with_California_New_York_City iii State of Minnesota signs historic cloud computing agreement with Microsoft. PR Newswire. September 27, 2010. http://www.prnewswire.com/news-releases/state-of-minnesota-signs-historic-cloud-computing-agreement-with-microsoft103865608.html iv Microsoft signs cloud deals with California, New York City. CIO. October 20, 2010. http://www.cio.com/article/627563/Microsoft_Signs_Cloud_Deals_with_California_New_York_City v The economics of the cloud tor the U.S. public sector. Microsoft white paper. November 2010. http://download.microsoft.com/download/E/9/4/E94877E4-012E-42ED-A0432A3A00E09F70/USPublicSectorCloudEconomics.pdf vi Microsoft helps customers, partners harness Cloud Power. Microsoft. November 1, 2010. http://www.microsoft.com/presspass/features/2010/nov10/11-01CloudPower.mspx vii Microsoft unveils new government cloud offerings at eighth annual Public Sector CIO Summit. Microsoft. February 24, 2010. http://www.microsoft.com/presspass/press/2010/feb10/02-24ciosummitpr.mspx viii Financially-backed 99.9% uptime stated in Office 365 Pricing and Fact Sheet. Microsoft. 2011. http://office365.microsoft.com/uploadedFiles/Office365FactSheet_en.docx ix Fast-growing city moves to online services to reduce costs, boost productivity.Microsoft case study. July 13, 2010. http://www.microsoft.com/casestudies/Microsoft-Exchange-Server-2003/City-of-Plano-Texas/Fast-Growing-City-Moves-toOnline-Services-to-Reduce-Costs-Boost-Productivity/4000007938 x USDA moves 120,000 users to Microsofts cloud. Microsoft press release. December 8, 2010. http://www.microsoft.com/presspass/features/2010/dec10/12-08usda.mspx xi Army to move e-mail accounts to DISA cloud. Federal Times.com. January 7, 2011. http://www.federaltimes.com/article/20110107/IT03/101070301 xii City government improves service offerings, cuts costs with cloud services solution. Microsoft case study. February 24, 2010. http://www.microsoft.com/casestudies/case_study_detail.aspx?casestudyid=4000006568 xiii http://blogs.technet.com/b/gfs/archive/2010/12/01/microsoft-s-cloud-infrastructure-receives-fisma-approval.aspx xiv http://blogs.technet.com/b/msonline/archive/2011/04/20/bpos-federal-amp-fisma.aspx BPOS Federal and FISMA xv Microsoft privacy in the cloud. Microsoft Trustworthy Computing website. http://www.microsoft.com/privacy/cloudcomputing.aspx

12