AGIMO has opted to retain direct control of policy around cloud computing, abandoning the idea of industry-led cloud certification.
In late December, the Australian Government Information Management Office (AGIMO) released a 24-page draft report (pdf) into how the Australian Government might certify cloud services for use by Australian Government agencies.
AGIMO offered five possible scenarios for how the Government might determine whether a cloud service fits the bill.
The Office is aiming for a standardised approach to certification, but ruled out a Government-managed accreditation scheme for cloud providers to avoid costs.
Conversely, AGIMO does not trust the industry to manage a self-certification scheme - even if third party regulation provided a baseline assurance - as it would “not provide sufficient assurance to meet Australian Government security requirements.”
AGIMO instead feels a sufficient compromise would be the extension of its Data Centre as a Service (DCaaS) Multi-User List in the medium term (March 2013) and to later adopt the Australian Government Commercial Service Provider Assurance Framework (AGCSPAF) [pdf] for the longer term from December 2013.
The short-term fix
The DCaaS trial remains subject to review and is confined to contracts worth less than $80,000 that run for less than 12 months.
The draft document did not elaborate on how DCaaS might be adapted from March 2013 to certify a wider range of cloud providers. Nor did it outline the additional cost implications - which had been cited as a reason to rule out two other options.
DCaaS had previously targeted the hosting requirements of smaller agencies, but to date has not addressed use of more divisive enterprise SaaS applications.
[See Australian Government CTO John Sheridan's recent speech on DCaaS for more detail.]
The long-term idea
The paper indicated that in the "long term" AGIMO will move cloud certification to AGCSPAF.
AGCSPAF [pdf] establishes four assurance levels for the provision of broadly-defined data management and authentication services by commercial providers.
For each level of assurance the framework specifies performance outcomes and standards to be achieved by cloud providers. As appropriate, and particularly for higher assurance services, the framework is also more specific about what requirements need to be met for the cloud service to conform.
The framework is run by the Secretaries' ICT Governance Board (SIGB), set up in 2009 as a response to the Gershon Report.
AGCSPAF observes that Australia's Defence Signals Directorate (DSD) has recommended against outsourcing IT services and functions outside of Australia, unless agencies are dealing with data that is all publicly available.
DSD strongly encourages agencies to choose either a locally-owned vendor or a foreign-owned vendor that is located in Australia and stores, processes and manages sensitive data only within Australia. Current government policy, as outlined in the Cloud Computing Strategy and supporting documents, is to not store sensitive or personal information in the public cloud.
Who runs Australia's cloud policy?
AGIMO's centralised approach runs counter to the more progressive approach to cloud policy outlined by the Department of Broadband, Communications and the Digital Economy (DBCDE) and the Australian Prime Minister, Julia Gillard.
Speaking at her Digital Economy Forum in October 2012, Gillard recommended:
“a genuine government-industry partnership, and for us to embark on a cloud computing strategy.”
Significantly, Gillard asked Communications Minister Stephen Conroy to take the lead on the issue.
A key finding from Senator Conroy’s Cloud-NBN forum [pdf] held in August 2012 was that cloud solutions could have the potential to improve, rather than imperil, data security, given the greater resources and expertise of major cloud vendors.
Another was that data should "not be treated as a homogeneous entity, but clearly differentiated between highly sensitive data which should not leave the organisation, less sensitive information which can be stored in Australian clouds and non-sensitive data which can be processed or stored overseas."
Conroy also endorsed the National Standing Committee on Cloud Computing (NSCCC) in bringing together government, consumer, industry and business community interests to explore these issues, and confirmed the Government’s commitment to participating in the creation of global cloud standards.
What are your thoughts on the Australian Government's cloud computing policy? Should cloud policy remain within Finance/AGIMO or be the domain of the DBCDE? Have your say below...