Cloud computing in tax administrations (i)


A cloud computer as a service is not a new idea. In 1961 the scientist John McCarthy foresaw that “computing must, one day, be organized as a public service, such as the telephone system[1] .” Also, since the 1990s, the public has access to utilities based on the Internet, such as Yahoo!, Google, Gmail, Facebook, YouTube, etc. Salesforce brought the concept of providing services remotely to companies, followed by, which in 2002 launched the Amazon Web Services (AWS) platform. This platform offers external storage, computational resources and business functionalities.

Currently, cloud computing is rooted especially in private companies. “New” companies such as Netflix, Uber and Airbnb are already born without an IT operating department. Traditional companies also already use cloud computing to some extent, such as Shell, NASDAQ, Ticketmaster, and Unilever.

NIST[2] defines cloud computing as “a model that allows ubiquitous, convenient and on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released, with minimal administrative effort or interaction with the service provider.”

The technologies that enable cloud computing are: virtualization technologies (redundancy and fault tolerance); grid computing; broadband networks; data center technologies; Web technologies; Multitenant technologies (allows an application to be configured to support access by multiple user groups of different companies).

Organizational motivations

The adoption of cloud computing is based on some organizational motivations[3] :

Costs reduction

Ownership of the technological infrastructure can have a decisive impact on organizational budgets. Two costs stand out: the investment (computers, data centers, storage, network equipment, etc.) and its maintenance and operation. The main operational costs are:

  • Technical staff to maintain the operational infrastructure
  • Updates and corrections that introduce additional cycles of tests and developments
  • Accounts of electricity, telecommunications and capital expenditures for the implementation of refrigeration and energy systems
  • Security and access control measures required to reinforce the protection of the IT infrastructure
  • Administrative staff to control licensing and support contracts
  • Capacity planning

It refers to the process of determining and providing future demand for IT resources, products and services for the organization. A disagreement between the available IT resources and their demand can result in an inefficient (excess capacity) or inept system to meet the needs of users (capacity shortage). Both cases are problematic, in the first case due to the costs of investment and the maintenance of unused infrastructures; in the second, the overall performance of the institution is affected, in addition it is difficult to obtain additional computer skills in the short term, especially for the public area. The cloud concepts provide the operational flexibility required.

Institutional agility

Institutions need to adapt and evolve satisfactorily against internal and external changing factors. “Institutional agility” is the measure of an institution’s ability to respond to change.

Exemplifying, in the tax administrations, it is possible to identify the need to carry out in the short term a special program or non-repeatable campaign, which requires computer resources to be released (partially or totally) at the end of the activity. Institutional agility is required for the obtaining quickly these resources, since the unavailability or delay can affect the intended results, as well as freeing them and their associated costs at the end of the campaign.

Service delivery models

A “delivery model” represents the set of packaged services offered by a cloud computing provider. There are basically three models of delivery services[4] , according to Figure 1:

Figure 1: Cloud computing delivery models. Source: Microsoft Azure (adapt.)

  • IaaS (Infrastructure as a Service): is the provision of a computer infrastructure accessible and managed from Internet. The user increases or reduces according to his demand and pays for what he uses. The resources are basically a Data Center and its equipment, such as servers, storage, firewalls, etc. The responsibility of the provider is to manage the infrastructure offered and the user acquires, installs, configures and manages its own software (such as operating system, database, and applications).
  • PaaS (Platform as a Service): the PaaS service is a complete development and implementation environment, which supports the life cycle of an application and includes infrastructure (IaaS) and operating system, middleware, development tools, database, Business Intelligence (BI) and other agreed tools. The supplier acquires, maintains the licenses and manages the tools it supplies (depending on the agreed agreement).
  • SaaS (Software as a Service): allows users to obtain a complete solution, such as a payment role application, office tools or an ERP. All the underlying infrastructure – from computers to operating systems, application middleware and data – remain in the Data Center of the cloud service provider. Regulated by a service contract, the supplier guarantees the agreed quality, safety and availability.

The provision of cloud services is contracted with very well defined parameters, which characterize the services, prices, technical conditions, verification methods, fines, termination, etc. Some typical parameters of cloud service contracts are:

Figure 2: Some features of cloud service contracts Source: “Whatscloud”[5](adapt.)

Cloud service providers

The number of companies providing cloud services is increasing, with a myriad of service differentials. At an international level, we can mention Amazon (AWS), Microsoft (Azure), Google (Cloud Platform), IBM (Cloud), Verizon (Cloud), Oracle, etc. Some companies provide specialized clouds for clients, such as clouds dedicated to the public sector and the intelligence agency community[6] . Business software companies, such as Oracle and SAP, create versions of their products for operating in the cloud and also offer them in their own clouds (SaaS).

Choosing a cloud service provider is a strategic issue, especially for public agencies such as tax administrations, which also includes legal variables and local availability. Adopting cloud services initially in a limited way, for example as data warehouses, can be a good strategy to know and deepen the technologies involved.

Risks and challenges

Like any new technology that involves changes in work processes and management models, cloud computing brings risks and challenges that must be known and mitigated so that the benefits can be assumed by the institutions[7] . Some are general, to be treated by all institutions. Others are inherent to public institutions, due to their unique characteristics.

i) General

a) Additional security vulnerabilities

Placing government data in the cloud means that the data security will be shared with the provider of cloud services. It is important to discuss with the supplier all aspects related to security, aiming to implement measures to mitigate them, reflecting what was agreed in the contract. The confidentiality of the data is critical for the tax area and cryptography techniques must be applied. Recent publication in The Wall Street Journal points out that the biggest security problems in the cloud are due to incorrect configuration of software, usually due to the inability of the technicians involved[8] .

b) Operational control reduced

Obviously, operational governance in the cloud will be lower than that obtained in own data centers. As examples, a cloud service provider may not respect established service level agreements, threatening the quality of the contractor’s services; a long geographical distance between supplier and contractor can introduce latencies and band restrictions. These problems can be mitigated with formal contracts, service level agreements, monitoring and technical inspections. Everything contracted must be monitored for conformity validation.

c) Limited portability between cloud service providers

There are no formal standards for the use of cloud services, which can make it difficult to migrate from one service to another. In general, cloud service contractors adopt their own strategies so as not to depend on a single provider or to use multiple providers. The tax administration of the United Kingdom is an example.

d) Reaction to change

Reactions to change are those that represent cost, loss or threat, whether real or merely based on perceptions. In the case of cloud computing, the sense of loss of direct control over the IT environment and the reduction trend of the IT staff are the biggest threats.


[2]  National Institute of Standard and Technology, of the United States.

[3] this publication is used as a source of many concepts and ideas in this document. Its full reading is recommended to those who are interested in cloud computing technology.

[4]  Concepts adapted from



[7]  Information from the portal was used as a reference


2,268 total views, 3 views today

Disclaimer. Readers are informed that the views, thoughts, and opinions expressed in the text belong solely to the author, and not necessarily to the author's employer, organization, committee or other group the author might be associated with, nor to the Executive Secretariat of CIAT. The author is also responsible for the precision and accuracy of data and sources.

1 comment

  1. Liana Reply

    thanks for info

Leave a Reply

Your email address will not be published.

CIAT Subscriptions

Browse through the site without restrictions. Consult and download the contents.

Subscribe to our electronic newsletters:

  • Blog
  • Academic offer (Only in spanish)
  • Newsletter
  • Publications
  • News alert

Activate subscription

CIAT Members

Representatives, Correspondent and Authorized staff (TA)