Australian Sports Commission CIO Steven Stolk has spoken out against the Federal Government's requirement for agency CIOs to get sign-off from two separate ministers before storing sensitive data in the cloud.
Stolk tweeted his personal opinions about the requirement last week:
“The new policy from AG to have any public cloud with personal info approved by Minister & AG is a real barrier to use public cloud.”
"...the process just seems too risk averse. Privacy risk outweighs security, which can be assessed at the agency level."
The policy [pdf] sets out in explicit terms exactly what hoops agencies need to jump through before taking advantage of cloud storage options.
While stressing his views were personal and not the views of his agency, Stolk said there was a “disconnect” between the approach of the Attorney-General’s department and that of the Australian Government Information Management Office.
“Back in Ann Steward’s [former GCIO] day, the mantra was go forth and prosper and beg forgiveness later. She said that many a time,” Stolk told iTnews.
“The true savings of the cloud is if you can get into the public cloud; otherwise the cost savings are marginal -- if they are there at all.
"The procedural requirement to use the public cloud means it’s just too hard,” he said.
AGCTO John Sheridan, who leads Finance’s Technology and Procurement Division, defended the policy in response to a question from iTnews at last week's Technology in Government Summit.
“I don’t find it confusing at all. And I don’t think the people who are responsible for administering it find it confusing,” Sheridan said.
He said the policy reflected a need to address specific government security concerns.
“One of them is sitting in the transit lounge in Moscow airport at the moment,” Sheridan added.
"An understanding that you need the right level of security – and this is how government wants to do it, is one that any right-thinking IT person is going to support.”
However Stolk claimed the bar had been set too high in practice.
“The case you would have to put up would be onerous, in my view. So who is going to try?" he told iTnews.
He cited a software-as-a-service application used by one of his business groups, called SmartSheet, for online collaboration.
It did not contain any Privacy Act related information, he said, but runs on Amazon’s US-based services, not its Australian-based services.
“Generally that means, I can’t do it,” he said.
“I’ve got to get Ministerial approval just to maintain a spreadsheet of information – there’s no personal information – but because it’s in America, the business group will have to consider the approval process outlined in the policy or pull the data down.”
He said the policy seems to have put privacy “above” security.
"That may well be justified – but in doing so, I think it is contradicting the agenda. It makes it impractical to go to the public cloud.”
The double-Ministerial approval policy is scheduled for review in 12-24 months’ time.