Representatives from Australian Government agencies have been warned not to consider using public cloud services for any material other than information in the public domain.
Academic, author and former chief information officer Rob Livingstone told a Trend Micro Cloud Security Conference in Canberra today that he advocates "the death of the public cloud" for government users.
Although the public cloud offered compelling cost advantages, he argued a trusted private cloud should be the default position.
“A lot of cloud business happens in the US because of its size and economic imperatives,” he said.
“But they don’t suffer any of the international jurisdictional issues, given the fact that most public platforms providers are in the US. They don’t have to worry about where the data is because it is in the US, typically within the legal jurisdictions of the US.”
Livingstone referred to several immature approaches to privacy and security highlighted by a recent iTnews report to argue his case.
“Is the public cloud off the agenda? It probably should be for anything that’s important or where data security and privacy is a concern,” he said.
Even where a service is delivered from a data centre in Australia, he added that the vendor could be subject to unauthorised overseas incursions if it were owned by a multinational company or where there was a controlling interest.
Most US-based companies would be subject to the laws of their country, such as the Patriot Act in the US, which implies the data is potentially vulnerable to US inspection.
Less palatably, China or a central European country may have a controlling stake in one of the public cloud offerings, he said.
Livingstone considered a hybrid private G-Cloud arrangement a better option for agencies, but only when security and privacy processes are bedded down.
Even with an onshore G-Cloud, with its ownership and operation cleared, Livingstone raised concerns that this could lead to a “concentration of risk”. If a central core piece of G-Cloud infrastructure fails, it will affect many parties, he said.
“At the end of the day these are oversighted by human beings with admin rights,” he added.
Livingstone wondered whether there was a risk of diminishing returns from the larger consolidations, citing US research which found that large organisations (with turnover of at least US$1 billion) considered the build of a private cloud "too expensive".
“So it’s a bit of a myth that private cloud is always cheap,” he said. “Also, if you are an agency, state government or local government, someone is likely going to be managing it for you. Are you going to trust them to look after your data?”
Integrated approach required
Livingstone was also highly critical of current government approaches to IT policy.
He felt there was a disconnect between the Federal Government's data centre policy, its cloud computing policy and the policies of State and Territory Governments.
Livingstone said the Australian Government’s Data Centre Strategy for 2010-25 made "a lot of good references" but did not explicitly dive into cloud technologies.
At the same time, AGIMO’s Data Centre as a Service strategy did imply future cloud capabilities.
“The issue I have is that the two are intertwined,” Livingstone said.
“All cloud technologies are inextricably intertwined and fully integrated with everything to do with data centres. Why is there no umbrella integration between the two?”
He warned there was a risk of missed opportunities if the Federal Government persisted with this fragmented view.
He proposed that states and territories be included in any national cloud debates and called for a "national advisory capacity for all levels of Government".