AGIMO reveals cautious cloud guides
The Australian Government Information Management Office (AGIMO) has released its better practice guides for cloud computing, which warns agencies about the financial, legal and security issues for cloud. Analysts and industry leaders, however, have warned that barriers to cloud computing identified in the reports are holding Australia back.
The guides, released yesterday by AGIMO on its blog, start by extolling the benefits of cloud computing for government agencies, but advises that a shift brings with it new challenges and pitfalls.
AGIMO warned that agencies will need to negotiate contracts with cloud providers differently than traditional tenders, with a view to making them shorter, more transparent and hypersensitive when it comes to the security of information and the privacy of citizens.
Financial considerations AGIMO put forward include the need for constant usage monitoring in the form of daily reporting to avoid bill shock and analyse potential "hidden costs" that a vendor may spring on an agency by charging extra for the use of multi-tenanted infrastructure. AGIMO also warned about contract lock-in.
"[Agencies must ensure] the contract with the cloud vendor does not 'lock' the agency into a relationship with the vendor beyond the duration of the contract," AGIMO wrote.
AGIMO also highlighted privacy and security concerns when storing data in the cloud, and made particular note that agencies should decide whether or not to store personal information in the cloud on a case-by-case basis. It also stressed that all agencies and vendors ought to comply with the Information Privacy Principles (IPPs) set forth by the Office of the Australian Information Commissioner (OAIC).
"Cloud computing does not necessarily have to be privacy invasive, but moving data into the cloud means that the data will move outside of the direct control of the agency and may, in some instances, be processed and stored outside of Australia. Different levels of indirect control of this data are possible depending on the type of cloud service selected and the legal protections put in place by the agency.
"Agencies need to be aware of their privacy and data security obligations when transferring personal information into any cloud environment. If privacy issues cannot be adequately addressed, the OAIC advises that it will not be appropriate to transfer 'personal information' into a public cloud," AGIMO wrote. It further stated that the OAIC requires all agencies looking to move to the cloud complete a privacy impact assessment prior to the signing of a contract to ensure these issues are addressed.
In addition, AGIMO placed an explicit ban on vendors using government data stored in their clouds in data mining exercises.
"Agencies should ensure that the provider is contractually prohibited from using the data for any of the provider's own purposes — such as advertising or other commercial services — as this is likely to be inconsistent with the IPPs and the intentions of the agency in entering the agreement," AGIMO wrote in its legal best practice report.
Agencies should ensure that provider staff and sub-contractors sign confidentiality agreements to ensure that personal data viewed in conjunction with general operations is not disclosed to any third parties. Concerns over data storage and cross-border replication should also be addressed in new contracts with vendors.
"Agencies should consider whether the engagement of a cloud service provider that may store or process personal information offshore can allow agencies to retain the degree of control necessary for the sharing of personal information to constitute a use, rather than a disclosure.
"In most cases, the information can still be sufficiently within the control of the agency for the sharing to constitute a use even if it is hosted outside of Australia, provided that effective contractual protections are put in place by the agency, such as ensuring the agency has the right under the contract and in practice to access or recover the information at all times," AGIMO wrote in its privacy guide.
Australia to go cloud first?
Despite the warnings and cautionary advice put out by AGIMO, Ovum's research director for Asia Pacific IT, Steve Hodgkinson, believes that the risks around public cloud adoption, particularly at the enterprise and government levels, are still being overstated, and that Australia is in a position to implement its own "cloud first" policy, similar to that of the United States Government.
Hodgkinson told ZDNet Australia today that "we have a bizarre situation where the novel, new risks of public cloud services are being overstated by regulatory and advisory bodies."
"That's fine to some degree," he added, "because it's good to be cautious, but it's bad in a context of the fact that the very real, near and present risks of the current ICT approach in government is a bigger issue that is being swept under the carpet."
Hodgkinson said that cloud is no less secure than traditional on-premise computing typically implemented by government agencies, and added that a detailed look into audit reports will tell the true tale.
"When you look at auditor-general reviews [for example] about the current quality issues of IT within agencies, the much bigger risk to be worried about is the existing risks for security, backup, disaster recovery, aging assets, staff turnover and the lack of skills, and how all those things are getting worse in the context of budget cuts," he said.
The Ovum analyst added that if Australia steps back from its current cloud position to look at this big picture, it would have the ability to implement a cloud-first policy.
"I think that the US Government's cloud-first approach is so much more admirable to go about this. It puts innovation and transformation on the front foot. We still have a stance in state and federal government in Australia where the general perception is more one of 'cloud is risky' and 'you should be careful' rather than it's something that should definitely be encouraged."
He added that a cloud-first policy would particularly benefit mid-tier agencies currently struggling with funding for their own IT services.
It isn't just Australia that's struggling with cloud, either. Suzanne Campbell, CEO of the Australian Information Industry Association, said yesterday that firm barriers to the appropriate adoption of cloud computing are still firmly in place all around the globe.
Campbell told industry leaders including Communications Minister, Senator Stephen Conroy, and ex-CIO of the US Government, Vivek Kundra, that the barriers to using cloud computing in industry and government are still firmly in place and that Australia needs to get past them before the economy suffers from a long-term disadvantage.
"There are compelling reasons to act now. Cloud technologies allow [small to medium enterprises] to innovate, access new innovations and position them to compete globally by greatly reducing barriers across the marketplace. Consumer interest is quickly increasing and the influence of mobility interfaces is greatly expanding ... and the NBN [National Broadband Network] provides the foundation enabling capacity for the adoption, development and delivery of cloud services.
"Cloud computing is a disruptive technology with rapidly growing demand — Australia will quite simply be left behind if we do not address these issues," Campbell said in her address.
The issues Campbell referred to include lingering industry concerns over privacy, sovereignty and security of data stored in a public cloud environment. Concerns also exist within the industry about storing data in offshore-based clouds and the implications of foreign security legislation like the US Patriot Act. According to Campbell, these concerns aren't exclusive to Australia.
"Issues such as cybersecurity and safety, privacy and jurisdiction run deep. The notion that we can secure a single, universally agreed approach within the Australian industry — let alone between international governments — is not one we will reach today, but we will certainly be starting that journey.
"Indeed, Nokia Siemens recently noted that a 'country by country approach is not sufficient to address the challenges ahead. There is a need to achieve a global understanding of the risks, have a global coordination strategy' and adopt risk management at the global level."
Given that the concerns around cloud are global, Australia needs to be thinking globally when it comes to the new model, she said.
"[We need to make] sure that the decisions we make in Australia are not made in isolation, are not made without reference to best practice across the world and are not made in ignorance of global lessons already learned and the benefits realised.
"And I think that in our industry, perhaps more so than any other industry at this point in time, we know that these outcomes cannot be delivered in isolation. Good technology solutions cannot simply be tacked onto any given project in the hope that it will then become successful," she said, adding that more needs to be done so that IT decision makers are given a seat on boards and panels.
"The IT industry needs to sit in the boardroom as business plans are created, and with government as policy is developed. In a hugely competitive global economy, anything less is to risk a stasis, from which we may never recover."
The Australian Information Industry Association (AIIA) is no stranger to making its voice known to government about what it regards as poor cloud decisions. After AGIMO last year revealed its own draft guide for agencies looking to adopt cloud computing, the AIIA slammed the draft, calling it overly cautious on behalf of the government.