Our organization, like most large public bodies, is locked into formal bureaucratic procedures and, by general standards, is highly risk-averse. In addition, like other organizations of the United Nations System, it has a unique attribute which makes moving to the cloud a much greater leap than for most other organizations: UN System organizations enjoy a special status.
In the aftermath of World War II, countries negotiating the Charter for the future United Nations agreed the organization should be in a position to function without interference from any single Member State. For this reason, a regime of privileges and immunities was developed. It is this special legal regime that ensures UN organizations are immune from the jurisdiction of national courts, that their premises cannot be entered by national enforcement agencies without their consent, and that their archives, including their data, cannot be accessed without their agreement.
In a similar vein, UN organizations are not of any single nationality; they are not registered under national laws. They are creatures of international law that belong to, and are governed by, all their Member States and they generally obtain their legal personality from the international treaties that establish them. In the case of the Food and Agriculture Organization (FAO), the organization acts for, and is governed by, a membership that consists of 194 Member Nations and the European Union (as a Member Organization), all of which have accepted the FAO Constitution, the establishing treaty.
Until a year or so ago, every single IT system in FAO was run in-house and everyone seemed content to leave it that way. The IT Division was the first to see the obvious benefits that cloud-based services could bring, especially for a highly decentralized organization (present in more than 100 countries) where building and maintaining a Wide Area Network and localized services such as email was expensive. The cost angle alone was reason enough to explore cloud options.
To move forward we had to analyze everything from efficiency promises to technical capabilities, costs and internal controls to confirm that the gains outweighed the potential risks, and taking into account our special status.
While FAO does not have the financial risks that commercial organizations need to consider, the reputational risk of exposing potentially sensitive or confidential data relating to our member countries is a major concern. In addition, we were aware that FAO's reputation as an impartial intergovernmental forum for addressing issues of global concern must be upheld.
We were also very conscious of our duty, like that of any other organization, to protect the personal data provided to us by our personnel and others. So, to promote moving to the cloud, we took three broad steps to tackle the legal, technical and procedural issues:
* First, the IT team learned to listen carefully to, and work closely with, the Legal team in FAO. Jokes about lawyers abound and it is easy for IT to perceive the Legal team as yet another bureaucratic obstacle to be bulldozed out of the way. But we recognized that Legal has genuine concerns that need to be understood and addressed.
The Legal view is indeed risk-averse, after all, one of the primary roles of the lawyers is to ensure "bad things" don't happen to the organization and, if they do, to minimize their impact. If you view it as a soccer team, IT can be seen as a striker trying to get goals while Legal is the goalkeeper making sure nobody scores against you. Good teams need a good striker and a good goalkeeper.
* Second, we needed to provide some certainty that, from an IT perspective, cloud-based systems were at least as secure as internal ones. What was interesting was the belief among business users that internal systems are secure systems.
Instead, the reality is that an IT team such as ours has little chance of competing with the highly industrialized IT processes of the big cloud players. The bottom line is our systems, from a purely technical perspective, would be more secure in the cloud than hosted internally. It's a philosophical question as to whether they are more secure overall since some may argue that cloud providers are also more likely to be attacked than an individual organization.
* Third, the IT and Legal teams jointly put in place a documented process with well-defined responsibilities for approving cloud services. This consists of what we call an Information Security Risk Assessment which is fundamentally a document template containing three sections.
- The first part, compiled by the business unit wanting to use a cloud solution documents the services affected and the FAO data that would be held or processed by those services.
- The second part, compiled by the IT Division, contains an assessment of the information security risks associated with the provider and their services.
- The third part, compiled by the Legal team, contains an assessment of the risks of exposure and the impact of such exposure, and an evaluation of relevant laws in the country where data would be stored or processed and the extent to which its privileges and immunities are likely to be upheld in the country. As well as identifying risks, expected mitigating actions are also documented, and the assessment is signed off by all three business units. In cases where highly sensitive data could potentially be held, the recommendations are transmitted to the senior management of the organization.
We now have several systems running as cloud services and this is slowly beginning to become a "normal" way of doing business, even if contract negotiations or modifications are still complex due to the need to match international legal principles with the national laws under which service providers operate.
The Legal team has had to develop approaches to address the concerns of service providers about their obligations to comply with national laws without undermining the special status of the organization. Experience has shown that some flexibility and open-mindedness is needed from us, as well as from providers, and that negotiations are to some extent simplified when the service providers are located in countries that have recognized the special nature of UN organizations in their national laws.
It's worth noting that the IT Division's role is subtly changing as a result of the wider use of cloud services, as it moves away from building systems to becoming a broker for buying IT services. The IT Division is now well-placed to execute this new role, having learned the legal context for the organization surrounding cloud services.
The IT and Legal units are now seen as the subject-matter experts within the organization, and together are bringing forward tangible benefits. Cloud services help the scattered personnel of this global organization stay connected. In addition, some of the more innovative cloud services are providing FAO with new tools, such as the ability to easily access and process data on top of massive cloud-based geospatial data sets, to meet the challenges that it was established to address, and, by so doing, are strengthening FAO's capacity to provide technical support to its primary clients: the member countries.
Paul Whimpenny, Senior Officer for Digital Strategy, and Donata Rugarabamu, Deputy Legal Counsel, at the Food and Agriculture Organization of the United Nations (FAO).
The views expressed here are those of the authors and do not necessarily reflect the views of the Food and Agriculture Organization of the United Nations (FAO).