Platform as a Service Solutions Standard

CONTENTS

1. CONTEXT

1.1. Background

1.2. Purpose

1.3. Scope and application

1.4. Policy context

1.5. The ICT Services Catalogue

2. KEY PRINCIPLES

3. REQUIREMENTS

3.1. Platform as a Service

3.2. Service level and complexity

3.3. Requirements tables

3.3.1 Silver (standard) – Use Cases / Scenarios

3.3.2 Gold (complex) – Use Cases / Scenarios

3.4. Elements of this standard

3.4.1 Platform as a Service requirements

3.4.2 Service Management requirements

DOCUMENT CONTROL

APPENDIX A – ABBREVIATIONS AND DEFINITIONS

APPENDIX B – REFERENCES

APPENDIX C – STANDARDS

Developing technical standards

Management and implementation

  1. CONTEXT

1.1. Background

This is a technical standard developed through the NSW ICT Procurement and Technical Standards Working Group. The standard contains technical and functional requirements that agencies should consider when procuring ICT services for Platform as a Service solutions.

By defining the necessary and common elements across agencies, the standard provides an opportunity to leverage the buying power of Government as a whole, improve procurement efficiency and increase interoperability.

1.2. Purpose

The purpose of this standard is to assist NSW Government agencies to develop, procure and implement Platform as a Service solutions and tools, as well as take full advantage of their benefits. This standard also helps agencies procure in a strategic manner that reflects the NSW Government’s priorities as outlined in the NSW Government ICT Strategy.

This standard details the issues that need to be considered so each agency can identify the available options that best suit their business requirements, helping agencies achieve value for money through cost savings and improved flexibility of service offerings.

1.3. Scope and application

This standard applies to all NSW Government departments, statutory bodies and shared service providers. It does not apply to state owned corporations, but is recommended for their adoption.

For the purposes of this standard, Platform as a Service means (based on NIST SP800-145):

The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.

The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

This standard sets out service definitions as minimum requirements that vendors must meet to be able to offer their services through the NSW ICT Services Catalogue. Agencies should consider any specific operational or regulatory factors that impact their requirements, and specific requirements they have in addition to those detailed in this standard.

1.4. Policy context

The NSW Government ICT Strategy and Digital + 2016 Final Update set out the Government’s plan to: build capability across the NSW public sector to deliver better, more customer-focused services that are available anywhere, anytime; and to derive increased value from the Government’s annual investment in ICT.

Developing whole of NSW Government ICT technical standards is a key initiative of the NSW Government ICT Strategy, driven by the ICT Procurement and Technical Standards Working Group. These standards leverage principles defined in the NSW Government ICT Strategy and the NSW Government Cloud Policy, and they support the NSW ICT Services Catalogue.

The standards set out service definitions as minimum requirements that vendors must meet to be able to offer their services through the NSW Services Catalogue. This helps achieve consistency across service offerings, emphasising a move to as a service sourcing strategies in line with the NSW Government ICT Strategy, and it signals government procurement priorities to industry.

Solutions should also assist agencies in their alignment with the NSW Government Enterprise Architecture (NSW GEA), which encompasses all aspects of enterprise architecture activity at the business, information, application and technology infrastructure layers. The NSW GEA is about providing direction and practical guidance to accelerate the development of agency EA capability and enabling a common, intra and inter agency approach to the design of digital government.

This standard should be applied along with existing NSW Government policies and guidance, including the NSW Digital Information Security Policy. More information on the process for the development of standards that populate the ICT Services Catalogue is at Appendix C – Standards.

1.5. The ICT Services Catalogue

This catalogue provides suppliers with a showcase for their products and services, and an opportunity to outline how their offerings meet or exceed standard government requirements. The standards, together with supplier service offerings, help to reduce red tape and duplication of effort by allowing suppliers to submit service details only once against the standards. The offerings are then available to all potential buyers, simplifying procurement processes for government agencies.

Implementing this category management approach will embed common approaches, technologies and systems to maintain currency, improve interoperability and provide better value ICT investment across NSW Government.

  2. KEY PRINCIPLES

This standard is informed by the following principles:

  • End-to-end digital: PaaS solutions should enable end-to-end digital business processes and management.
  • Control technical diversity: PaaS solutions should help control technical diversity to minimise costs associated with maintaining expertise in and connectivity between multiple processing environments.
  • Data security: Meet any applicable requirements of the NSW Digital Information Security Policy and ISO 27001.
  • Technology currency: Solutions should be designed to maintain technology currency for key systems, and to maintain a pace that aligns with business context and risk profile.
  • Data quality: Data should possess characteristics indicating data quality, including in relation to: accessibility, the institutional environment, relevance, timeliness, accuracy, coherence and interpretability (see the NSW Government Standard for Data Quality Reporting for more details).
  • Facilitating as a service: PaaS solutions should facilitate the agency transition to as a service, and ensure agency alignment with broader NSW ICT Strategy.
  • Interoperability: PaaS solutions should meet applicable recognised open standards across the elements of compute, storage, network, and pre-production and testing.
  • Business continuity: PaaS solutions should meet business continuity requirements, particularly with transition in and out (see the NSW Digital Information Security Policy and ISO 27031-2011 for more guidance).

  3. REQUIREMENTS

3.1. Platform as a Service

When considering any aspect of Platform as a Service (as defined in this standard) an agency must consider the Service Management aspects of the service(s) on offer.

The following environments should be considered when assessing a Platform as a Service:

  1. Test and Development Environments
  2. Software as a Service Extension Environments
  3. Cloud Integration Environments
  4. Mobile Application Environments

These environments are defined as follows, and should include the following elements to meet the minimum requirements of this standard:

Test and Development Environments

These allow agencies to test/develop new services/solutions on a standard platform without the need to establish their own in-house environment. Solutions should be sufficiently scalable to ensure different agency needs can be met.

Any response to a market engagement should provide a complete list of Test and/or Development environments and/or services that a customer can take advantage of.

Software as a Service Extension Environments

Platforms that allow agencies to extend Software as a Service solutions and/or environments with agency specific customisations that have been deemed to be business critical in the delivery of services but which are not available natively within the Software as a Service solution provided. Any response to a market engagement should provide a complete list of Software as a Service Extension Environment(s) and/or services that a customer can take advantage of.

Cloud Integration Environments

Platforms that allow agencies to integrate on premise and/or legacy systems and solutions with cloud based services either for transition to full as a service offerings or to prolong the life of business critical on premise systems that cannot be migrated for technical or other valid business reasons. Any response to a market engagement should provide a complete list of Cloud Integration Environment(s) and/or services that a customer can take advantage of.

Mobile Application Environments

Provision of environments that permit agencies to deliver services to mobile devices either for internal consumption through MDM/MAM solutions or externally to citizens. Solutions that wish to respond to this environment should also review the NSW Government Mobile Device and Application framework. Any response to a market engagement should provide a complete list of Mobile Application services that a customer can take advantage of.

3.2. Service level and complexity

The following requirements use case tables are separated into two service levels – silver and gold, reflecting the complexity of the Platform as a Service solution required:

Silver: Standard Platform as a Service.

Gold: Advanced/Complex Platform as a Service.

3.3. Requirements tables

The following tables set out the recommended business and technical requirements for NSW Government. They provide a consistent approach for all NSW Government agencies regardless of their size.

Explanations for each element of the following use cases are provided at section 3.4.

3.3.1 Silver (standard) – Use Cases / Scenarios

‘Use cases’ for Platform as a Service that are anticipated in agencies are included in the table below. The corresponding requirement sections of this standard are ticked in the columns.

Use Case / Scenario
SILVER / Platform as Service Requirements / Service Management
Underlying infrastructure / Commissioning services / Testing services / Management tools for platform / Self-service administration / Full-service administration / Cloud compliant hosting facility / NSW Government Data Centre / Onshore/offshore management / Service level management / Multi-service broker provision
Test and Development Environments /  /  /  /  /  /  /  /  /  / 
Software as a Service Extension Environments /  /  /  /  /  /  /  /  /  / 
Cloud Integration Environments /  /  /  /  /  /  /  /  /  / 
Mobile Application Environments /  /  /  /  /  /  /  /  /  / 

3.3.2 Gold (complex) – Use Cases / Scenarios

‘Use cases’ for Platform as a Service that are anticipated in agencies are included in the table below. The corresponding requirement sections of this standard are ticked in the columns.

Use Case / Scenario
GOLD / Platform as Service Requirements / Service Management
Underlying infrastructure / Commissioning services / Testing services / Management tools for platform / Self-service administration / Full-service administration / Cloud compliant hosting facility / NSW Government Data Centre / Onshore/offshore management / Service level management / Multi-service broker provision
Test and Development Environments /  /  /  /  /  /  /  /  /  /  / 
Software as a Service Extension Environments /  /  /  /  /  /  /  /  /  /  / 
Cloud Integration Environments /  /  /  /  /  /  /  /  /  /  / 
Mobile Application Environments /  /  /  /  /  /  /  /  /  /  / 

3.4. Elements of this standard

3.4.1 Platform as a Service requirements

Underlying infrastructure

All Platform as a Service solutions must comply with the NSW Government Infrastructure as a Service Standard for solution infrastructure. Any response to a market engagement must demonstrate their service can deliver against compliance with the (IaaS) standard.

Commissioning services

Services that assist the customer in transitioning to the as a service environment. For the purposes of this standard, commissioning services will include design services – ensuring the service is designed to deliver the required outcomes; commissioning services – ensuring the service is commissioned in accordance with the design and customer requirements; transition services – ensuring services are transitioned to the service from their existing environment(s). Any response to a market engagement should provide a complete list of commissioning services that a customer can take advantage of.

Testing services

Provision of testing services that comply with international testing standards. These can be made up of testing systems, whether or not they require human intervention, and professional services to perform and/or manage testing of ICT environments. In responding to any market engagement, suppliers should be able to provide a full list, with appropriate rate cards, of all services they are able to offer within this element of this standard.

Management tools for platform

The service will have appropriate management tools that allow either the service provider to manage the network service or allow the customer to manage their networks. Any response to a market engagement should provide details of the tools used (or available including any recommendations), whether the tools are available to the customer, and to what extent the customer is able to self-manage their networks. The management tools will also provide inputs for service reporting requirements.

3.4.2 Service Management requirements

Self-service administration

The ability to automatically provision and de-provision all agency resources within the system, together with other appropriate administration and management tasks that can be delegated from the service provider and that do not impinge on the solution being provided to other customers.

Full-service administration

All provisioning, de-provisioning, together with all other administration and management tasks required to operate the environment, are provided as part of the service offering. The only exception will be service management of the provider which remains the sole responsibility of the initiating agency.

Cloud compliant hosting facility

All relevant cloud services for the solution may be provisioned from a compliant hosting facility. Compliant hosting is defined as having the following attributes and/or capabilities:

  • The location of the hosting facility must be identified either by name and/or location (city and country) in any response.
  • The hosting location cannot be changed without first informing the agency concerned.
  • The service provider undertakes, maintains and provides access to SSAE 16 Service Organization Control (SOC) Type II reports (or equivalent) for the services and facilities in scope for the engagement.
  • The hosting facility must comply with minimum Tier 3, as defined by the Uptime Institute, ANSI TIA-942, or an equivalent industry standard.
  • The hosting facility must be certified against ISO 27001; compliance with the following international standards is desirable:
      • ISO 9001
      • ISO 27002
      • ISO 20000-1:2011
      • ISO 14001

Other desirable certifications may include, but are not limited to:

  • PCI-DSS v3.0 or later
  • Australian Signals Directorate
  • ASIO-T4
  • Uptime Institute
  • CSA

Also consider contractual obligations relating to the service provider allowing security assessments and treatment of outcomes as agreed with the client.

If the hosting facility changes to a location that is deemed unacceptable either to NSW Government or to the agency, and/or loses any of the attributes and/or capabilities identified above, the agency may need to consider termination of services.

NSW Government Data Centre

All relevant services for the solution may be provisioned from one or both NSW Government Data Centres (GovDC). Depending on the service offering and agency requirements, it may be possible to ‘burst’ some elements of services to other location(s) subject to agreement with the commissioning agency.

Burst data centres must be deemed ‘compliant’. If the ‘burst’ data centre facilities change to a location that is deemed unacceptable either to NSW Government or to the agency, the agency may need to re-examine the ‘burst’ service or the full service.

Onshore/offshore management

All solution providers must be able to articulate where their services will be provided from, including any remote support services. For example, with a ‘follow the sun’ support model, the locations of each of their support sites around the globe need to be identified. Any changes to these need to be communicated to the customer agency promptly and if this causes issues, the agency has the right to cancel the service with appropriate notification.

Service level management

Agencies will retain ultimate responsibility for service level management in any solutions engagement, which would ordinarily be covered by a SLA. Agencies, service-brokers and solution providers need to agree all SLA reporting and other related activities as part of any transition-in process.

Multi-service broker provision

Any solution provider must work within the confines of a multi-service provider environment where either the agency or nominated provider will perform broker service provision. This will be defined as one provider being made accountable for the provision of all associated services, whether these are provided by the provider itself, or other third-party providers.

DOCUMENT CONTROL

Document history

Status: Released

Version: 1.0

Approved by: Executive Director, Strategic Policy

Approved on: 18 December 2015

Issued by: ICT Services, Service & Digital Innovation Division, Department of Finance, Services & Innovation (DFSI)

Contact: ICT Services, Service & Digital Innovation Division, Department of Finance, Services & Innovation (DFSI)

Email:

Telephone: (02) 9372 7445

Review

This standard will be reviewed as required.

APPENDIX A – ABBREVIATIONS AND DEFINITIONS

AIIA: Australian Information Industry Association

ASD: Australian Security Directorate

ASIO: Australian Secret Intelligence Organisation

CSA: Canadian Standards Association

GovDC: Government Data Centre

ICT: Information & Communication Technology

ISO/TC: International Organization for Standardization / Technical Committee

IT: Information Technology

MAM: Mobile Application Management

MDM: Mobile Device Management

OS: Operating System

PCI-DSS: Payment Card Industry – Data Security Standard

PTS: Procurement & Technical Standards

RTCE: Real Time Collaborative Editing

SLA: Service Level Agreement

Term / Definition
Test and Development Environments / Environments that are used for non-production testing, development and/or user acceptance of systems in production. Requirements may vary from production-like environments down to basic configurations. These environments may not be required all of the time, most likely they will be required on demand for periods of time and could be shared among many customers.
Software as a Service Extension Environments / Environments that are used to extend Software as a Service solutions to provide customer specific customisations/extensions without affecting the standard SaaS solution.
Cloud Integration Environments / Environments that are used by legacy in-house solutions to access cloud based elements and/or solutions.
Mobile Application Environments / Environments that are used to support mobile applications or provide extension for non-mobile applications to support mobile devices.

APPENDIX B – REFERENCES