At the Cloud and Computing Expo in 2010, Andrew Solomon, then the A/G Assistant Commissioner at the OIAC, gave a presentation about the opportunities and challenges that cloud technology would present for government agencies and for citizens. He addressed the need to strike the right balance between caution and advancement, stating:
‘Our office understands the need to balance the protection of personal information with other important goals such as innovation and business growth. With creativity and cooperation, it is always possible to achieve such aims in a privacy enhancing, rather than a privacy intrusive, way.’
Several years later, agencies are still trying to address that balance. In 2014, the Department of Finance released the third version of its report: Australian Government Cloud Computing Policy: Smarter ICT Investment. The report outlined the need to embrace the technology, adopting a cloud-first approach while simultaneously maintaining the safety and security of its citizens. It also outlined that cloud technology would allow government departments to reduce expenditure, increase productivity and develop better services. The report encouraged cloud technology investment, provided the technology could meet the following criteria:
- Fit for purpose
- Delivers value for money
- Provides adequate protection of data
What is ‘adequate protection of data’?
The last point is perhaps the reason that the government had been so cautious about wholeheartedly backing cloud in the previous incarnations of the framework. Given that government data is of a highly sensitive and personal nature, policy makers around the globe have been slower to adopt the cloud than their corporate counterparts – we’ve all seen the effects of a data breach. In 2016, Australia had its largest security breach when the Red Cross had the files of over half a million donors leaked. What was worse, they weren’t sure for how long the information had been out there. Over in the US, earlier in the same year, a hacker leaked over 600,000 social security numbers, which greatly increased the risk of identity theft for those compromised.
The Protective Policy Security Framework
Given the interconnectivity of cloud systems, the potential for havoc is amplified. To ensure that stringent security measures are met, the Attorney-General’s Department released the Protective Policy Security Framework. The purpose of the document is to ‘assist Australian Government entities to protect their people, information and assets, at home and overseas.’ In other words, companies looking to make the switch to cloud need to meet the criteria of the framework.
Australia’s Cyber Security Strategy best practice recommendations
Australia’s Cyber Security Strategy, released in 2016, also mentioned that the Australian Cyber Security Centre had ‘provided further guidance on cloud computing practices.’ This guidance provides an extensive list of guidelines for government staff, on an individual, departmental and transnational level. It urges users to think about the sensitivity, the purpose and the integrity of the data, and to employ careful best practices when establishing networks and using data in their day-to-day role. It also covers topics such as:
- Business drivers to cloud computing adoption
- Risk management
- Security considerations
- Maintaining business functionality
- Protection from unauthorised access by a third party
- Protection from unauthorised access by a rogue ex-employee
- Handling security incidents
These sections ultimately help senior stakeholders to determine whether the purported cloud solution can meet business goals with ‘an acceptable level of risk.’
The Digital Transformation Agency released cloud.gov.au, a way for ‘government to release, monitor and grow user-facing digital services.’ The platform is currently hosting The Digital Marketplace, The Government Service Performance Dashboard and The Media Release Service with a further ‘37 apps in production and 255 apps in development.’ Given how new this program is, it’s too early to assess whether the legislation and the frameworks have struck the right balance. However, if Australia wants to meet the goals outlined by the ambitious ICT strategy, then the careful adoption of cloud technology is a step in the right direction.