The take-up of public cloud by Australian government agencies remains slow, with major security concerns still prevalent.
Despite specific directives surrounding the use of public cloud in the policy and risk management guidelines for the use of outsourced or offshore cloud arrangements released in July 2013, security issues have yet to be fully resolved, according to First Assistant Secretary, National Security Resilience Policy Division at the Attorney-General's Department, Mike Rothery.
"At this stage, the advice from the Australian Signals Directorate is that public cloud environments cannot be satisfactorily secure for classified information," Rothery told the audience at the GovInnovate conference in Canberra on 27 November 2013.
"Some of the things that are different about public cloud is the ability to know what's happening in the back office, and that's…about knowing who [the users] are and where they are.
"The other issues are about legal complexity, and some of that legal complexity comes from sovereignty issues and by that we mean which country's laws apply."
The policy's two-pass approval requirements to store personal or private information in outsourced or offshore facilities may be a reason for its slow take-up. Agencies must seek authorisation from both their portfolio minister and the Attorney-General to store such information in the cloud under the Policy created by the previous Labor Government.
"I think Ministers have written themselves in…because they see that the consequences of a large data spill of citizen data are way beyond the CIO and perhaps beyond the CEO, and come to the very issue of trust between government and the citizen, and therefore Ministers wanted to be involved in the decision making," said Rothery.
Despite its release in July, only one application for agency use of a public cloud has so far been made under the new arrangements and it is currently up with Ministers, said Rothery.
"We are therefore too early in testing that policy…to be able to tell you how it will work and how elegant it will be.
"We will have to work on that with Australian government agencies to see how we streamline and optimise [the risk management policy]."
Despite the additional requirements now imposed on Federal Government agencies, "the policy is not a prohibition", according to Rothery.
"The reason we put this document out is to clarify to agencies how they can demonstrate that they're managing the risk."
"[We are trying to] make sure we get those security questions asked early, so we're not trying to fix the problem once the data has left the building."
The complexity of the cloud policy came under criticism in the Coalition Government’s ICT Policy which was released in August 2013, prior to the election. This Policy is currently being translated into a “refreshed Government ICT or E-government Strategy”, expected to be released in 2014, according to a recent Secretaries’ ICT Governance Board meeting communique.
"While departments and agencies have a notional obligation to consider cloud services where these are relevant to a need, the process required to demonstrate a business case and obtain approval, coupled with onerous legal and security hurdles, have led many observers to interpret the existing rules as a decision to largely avoid the cloud," states the new Government's ICT Policy.
The Coalition is currently conducting a wide-ranging audit of all areas of the Government, which may also recommend changes to existing ICT policies. The outcome of the audit is expected to be released in draft form in January 2014, with a final report due in March 2014.