The push for cloud computing in the Commonwealth public service is growing. The Department of Finance, having successfully trialed a panel contract for delivering cloud-based data centre services for contracts up to $80,000, is now completing a round of industry consultation before launching a new federal cloud procurement model, expected to come into force by October.
This comes on the back of the National Commission of Audit Report, which noted that public cloud computing could deliver savings of 20-30% when compared to buy-and-install computer infrastructure. The Commission recommended that government adopt a "cloud-first" approach at least for low-risk, generic IT systems.
The advantages of cloud computing are well known, with savings as well as scalability, allowing new e-government services to be rolled out quickly, economically and with lower risk.
While private sector use of cloud computing is already well advanced, Commonwealth and state governments have been slower to make the move. There are several government-specific reasons for this that will need to be addressed in any proposal to implement a cloud solution.
Is cloud suitable?
The first issue for any IT project contemplating using the cloud is whether cloud deployment is suitable. As not all government IT systems are low risk or generic, the cloud may not deliver the required service for many projects.
Government policy framework
Even when cloud can be considered, there is the Government regulatory framework to navigate before the cloud can be used.
Cloud providers that want to supply the Commonwealth Government need to demonstrate their ability to adhere to the Government's Protective Security Policy Framework and the Information Security Manual.
They also need to be across the Australian Signals Directorate's guidance on when cloud computing should be used.
Any cloud computing deployment needs to comply with the Attorney General's Australian Government Policy and Risk Management Guidelines for storage and processing of Australian Government information. As part of that policy, any "sensitive" and other personal information can only be stored in an offshore cloud with the express approval of the minister responsible for that data and the Attorney General (although this requirement is currently under review).
Data sovereignty issues are often cited as a key concern for many would-be cloud computing users, with many cloud provider contracts allowing the provider to move customer data as they see fit.
Further, concerns that provisions of the US Patriot Act might allow US authorities to access data held by US-owned clouds (even if the physical computer infrastructure is outside the US) have led many potential customers to look to more conventional deployments.
While cloud vendors argue that it's highly unlikely that would happen, there is still a risk that it could. And, with the recent NSA spying scandal and in a post-Snowden world, there is heightened sensitivity regarding data access by foreign powers.
Some vendors have attempted to overcome these concerns by hosting local cloud services.
Data stored in clouds (public or private) needs to be kept safe and must comply with the recent amendments to the Privacy Act 1988, which enhance the privacy obligations for agencies. In particular, the data storage arrangements must comply with:
- APP8—cross-border disclosure of personal information, and
- APP11.1—security of personal information.
A recent survey of cloud provider contracts revealed that many cannot provide security guarantees for their service.
Data breach notification is also an area that is currently being considered in the privacy space. Many cloud provider contracts do not require the provider to notify the customer if there is a data breach.
Contractual risk allocation
Most cloud providers use standard form service level agreements, and negotiating amendments can be difficult. Some key areas of contractual risk allocation that need to be reviewed by an agency looking to implement a cloud-based solution include:
- data security levels and liability for data loss
- service level guarantees, monitoring and remedies for failure to achieve them
- dispute resolution arrangements, including the jurisdiction
- the ability of the provider to unilaterally vary the terms of the contract, and
- transition out arrangements.
In the past, these issues often meant that the cloud was not considered. While they still present some challenges, they are no longer viewed by Commonwealth or state governments as barriers to cloud computing.
The states and territories have made significant headway with cloud computing. NSW, Victoria and Queensland are all pushing ahead to deploy cloud-based systems, and require cloud-based services to be considered in ICT procurement. For example:
- NSW recently required its agencies to evaluate cloud-based services as part of their ICT procurement plans and signed a contract with SAP to transition 15 agencies onto its locally hosted cloud system
- Victoria's recently refreshed ICT plan calls for public cloud-based services to be evaluated for the delivery of any new or updated computer systems, and
- Queensland adopted a "cloud first" approach to computing, meaning that any new State computer system needs to be deployed in a cloud, on a pay-as-you-go basis, unless there is a compelling reason to buy or build the systems.
The fundamental flexibility and economics of cloud computing mean it will continue to be an attractive option for suitable ICT projects. It will be interesting to see the Department of Finance's policy response in formulating its procurement model and examine how it navigates these regulatory, policy and risk issues. We will continue to keep agencies informed of any developments in this area.