Vietnam Issues Guidelines On Cloud Computing For E-Government Deployment

Updated: May 24

On April 3, 2020, Vietnam’s Ministry of Information and Communication (MIC) issued Official Letter No. 1145/BTTTT-CATTT to provide guidelines on a set of technical criteria and specifications for cloud computing solutions for e-government deployment (the “Guidelines”).

State agencies and organizations will rely on these Guidelines to assess and select solutions or lease cloud computing services for the development of e-government. Private-sector entities are also encouraged to refer to these Guidelines when setting up and deploying their own cloud computing platform solutions.

The set of technical criteria and specifications include two groups of criteria: Group 1 – technical criteria and specifications, and Group 2 – criteria for information security.

Group 1 includes criteria, specifications, and features related to: (1) virtual machines, (2) storage devices, (3) networks and software-defined networking, (4) physical machines, (5) administration and operation, and (6) integration and other relevant requirements.

Group 2 includes requirements related to: (1) basic requirements on information security features and (2) requirements for setting up security configurations for cloud computing infrastructure.

These two groups are specified in detail in the Guidelines and its annexes. Annex 1 related to Group 1 sets out the minimum technical criteria and specifications for cloud computing infrastructure, and sets out a table to describe features, criteria, and specifications for each specific feature. If a feature has only one criterion or technical specification, a cloud computing solution is evaluated as “passing” when the solution provides that feature and “not passing” if the solution does not provide that feature. If a feature has many different criteria and specifications, that feature is evaluated as “passing” when all criteria and technical specifications are met or “not passing” when at least one of the criteria or technical specifications is not achieved. Similarly, Annex 2 related to Group 2 sets out the minimum technical criteria and specifications for information security of cloud computing infrastructure.

The Guidelines also provide the concept of cloud computing (definition and basic characteristics of cloud computing), the classification of methods for deploying cloud computing (public cloud, private cloud, hybrid cloud, and multi-cloud) and the classification of cloud computing service provision models: IaaS (Infrastructure as a Service) – suitable for private cloud deployment; PaaS (Platform as a Service) – suitable for public cloud deployment; and SaaS (Software as a Service) suitable for public cloud.

Furthermore, the Guidelines provide two options for deploying a cloud computing platform: self-deployment, administration, and operation; or leasing professional cloud computing services from other companies.

With regard to the option of self-deployment, administration, and operation, state agencies and organizations are required to have an experienced, capable team to build, administrate, operate, maintain, and ensure information security of the platform. Therefore, they are recommended to implement the second option of leasing professional cloud computing services.

However, for certain information systems with specific requirements and which require system administrators to self-manage and operate, state agencies and organizations need to consider hiring professional enterprises to build cloud computing infrastructure. After the system is built, the professional enterprises will hand it over, transfer technology, and provide training and guidance on system administration and operation.

With the option of leasing professional cloud computing services, the MIC recommends that state agencies and organizations prioritize the selection of cloud computing service providers which meet technical criteria and specifications and are on the list announced by the MIC. Selected cloud computing service providers must comply with relevant laws and regulations on network information security, comply with stipulated technical standards, and fulfill technical criteria and specifications stipulated in these Guidelines.

For further information, please contact:

Thomas J. Treutler, Partner, Tilleke & Gibbins

Register here for your monthly Asia legal updates