The Australian government recently released its Government Information Security Management Guidelines, which no longer require government agencies to obtain the approval of two ministers before entering into offshore cloud contracts. Instead, the document sets out steps for evaluation and risk management that agencies are to follow themselves.
In July 2013, the Australian government released guidelines that introduced the two-minister approval process. It was intended as a safeguard to stop agencies moving to the cloud without regard for security and privacy issues. Under that policy, both the agency's minister and the Attorney-General had to approve cloud contracts involving personal information.
“Where there are risks to personal information, the potential impacts are broader than just financial considerations and include loss of public confidence and trust in Government,” the guidelines state. “Where these risks are calculable and manageable, relevant Ministers are to accept those risks before an agency head can enter into such an arrangement. Agency heads wanting personal information (as defined in the Privacy Act 1988) to be stored and processed in outsourced onshore public cloud or offshore arrangements, are to seek Ministerial approval (both the relevant agency’s Minister and the Attorney-General as the Minister responsible for privacy and protective security).”
Martin Welsby, founder of the Australia-based company Ooki, tells the WHIR in an email that “the two minister sign-off was to ensure that data requiring a level of security would not be unnecessarily exposed to threat, be it human, technological or legal.”
“The likelihood of any agency minister, as an individual, signing off use of overseas Cloud services, against the judgement of the Australian Signals Directorate Information Security Manual and the Attorney-General's Protective Security Policy Framework is zero,” Welsby said.
The revised process instead places the decision with agency heads, who must assess and accept the risk themselves before outsourcing ICT, rather than seeking ministerial sign-off.
“Agency heads are ultimately responsible for managing risk within their agency, and their understanding and acceptance of any risk manifested through outsourced ICT arrangements, including Cloud,” the updated guidelines state.
“While OrionVM is an Australian company and proud of the Australian origin of our technology – we have a global plan to disseminate our business and service clients throughout the world,” Daniel Pfeiffer, VP Marketing and Partnerships, Australian wholesale IaaS provider OrionVM told the WHIR in an email. “This measure incentivizes that expansion and helps the industry grow as a whole. Anything that fuels the positive growth of the cloud industry is a step in the right direction. We are still in the early days of adoption and a change in policy that removes barriers is a good thing. Ultimately it’s positive news for us as an Australian company and this latest development is simply an extension of what’s currently happening in the marketplace. People are edgy about having their data offshore and they want to force things to stay onshore, so it’s natural to see mixed reactions to the news. We’ve seen similar sentiment in Europe.”
The cloud-first initiative in Australia has prompted many government agencies to move to cloud services in order to save money. The Australian Commission of Audit introduced a mandatory “cloud first” policy, citing savings to the government of 20 to 30 percent. The policy applies to all low-risk information and communications technology (ICT) services. Government spending was identified as a growth area for the cloud industry in an Australian Communications and Media Authority report in March.
“I think the change will help governments move data to the ‘appropriate clouds’ and create further demand which is good for the industry. Departments should have a set of guidelines that classify data types and departments should be able to operate within that without extra Ministerial approval,” Craig Deveson, CEO of Australia’s Cloud Manager Inc. told the WHIR in an email. “With increased competition locally there is less need to move data offshore because the cost differences between locally hosted and offshore continues to come down.”
ZDNet reported that the Australian IT industry appears divided over the new policy because of data sovereignty and citizen privacy concerns. Data held by an offshore provider is subject to the laws of the provider's jurisdiction, so a breach of, or a legal demand for, Australian citizens' data held with large US-based providers such as Amazon and Microsoft would be handled under US law rather than Australian law.
A US judge recently ruled that data housed in Ireland by US-based Microsoft was not beyond the reach of US warrants. The same issue could arise with Australian data housed offshore: the data becomes subject to the laws of the country where the provider is headquartered, not only the country where it is physically stored.
Welsby thinks some of the comments in the ZDNet article miss the point of the new policy. He has worked with government for the last six years, specifically on large-scale managed and cloud services. Welsby says AGIMO (the Australian Government Information Management Office) and the Department of Finance have already been using cloud for public-domain data and use offshore hosts such as AWS for their sites.
“Consider that the Data Centre as a Service Multi Use List (DCaaS MUL) in the last two years has secured $1.5M of cloud services from a federal IT budget of over $8B, and the significant majority of that has been for services holding an Unclassified or lower security rating; the two minister approval process is the least of any Australian provider's concerns,” Welsby says. “I have spoken to fed agency CIOs and Chief Architects who continue to state that they are not allowed to use cloud services, regardless of where they are located. I have spoken to Chief Architects who did not know the DCaaS MUL, a fed government initiative, existed. This is almost two years after the MUL was launched.”
Resellers such as Bulletproof favor the lighter restrictions, since they use AWS and other offshore providers to keep costs down. Welsby points out that the time involved in the government decision process (typically longer than for non-government customers, even without the old restrictions) can erode profits, which is why smaller service providers and resellers do not typically focus on government. Many of the providers at the recent HostingCon Australian Symposium in Sydney instead focus on SMBs.
In contrast, the ZDNet article quoted Peter James, chairman and co-founder of Australian cloud computing provider Ninefold, who argued against the new policy, saying that offshoring data should require a much higher level of sign-off than keeping data in Australia.
“That is why the existing ‘onshore’ arrangements for outsourcing government data are preferable to ‘offshore’ deals and in turn, that is why the existing ministerial sign-offs that apply when data is sent offshore are an important consumer safeguard,” James told ZDNet.
Although the merits and downsides of the policy are up for debate, only time will tell whether making government data easier to move offshore is a positive step or just another government faux pas.