Institutional and Procurement Practice Note on Cloud Computing

Despite widespread awareness on the benefits of cloud computing, authorities in most of the World Bank's client countries have not explored the opportunity of adopting cloud computing solutions. Task teams are finding it difficult to provide relevant advice to the counterparts and address their concerns. Most authorities have identified risks of moving to cloud computing: Will their data be safe? Will they have sovereign control over access to data stored offshore? Will privacy be protected? These risks are real. Due to an inadequate assessment framework to identify and assess these risks, the typical response of most client governments is to develop a government's cloud (G-Cloud or GovCloud). This seems logical for more sensitive or mission critical data. However, this is not enough. Adopting a hybrid cloud model, which leverages the cloud services from the private sector to work in conjunction with the G-Cloud can offer immense opportunities to save costs, improve security, enhance performance, and strengthen resilience in a post COVID-19 world. However, client governments need guidance to change their policy response on cloud computing - from the risk-avoidance to the one of risk-management. This note provides guidance on institutional and procurement arrangements and risk mitigation methodology for acquiring and managing public cloud solutions using a whole-of-government approach