DTA pushes Commonwealth to adopt more cloud

The Digital Transformation Agency is pushing for greater cloud adoption across the public service, giving agencies more power over certifications in its rewrite of the federal government's cloud strategy.

Newly-appointed assistant minister for digital transformation Michael Keenan unveiled the strategy [pdf] at the Indonesia-Australia Digital Forum in Jakarta today. It came alongside a new digital transformation and public sector modernisation committee of cabinet that will deal with digital service delivery issues.

The new strategy replaces the 2014 cloud computing policy, which brought about a “cloud first” mandate that demanded agencies “adopt cloud where it is fit for purpose, provides adequate protection of data and delivers value for money”.

“The strategy is designed to support agencies looking to adopt cloud services, and address the barriers and security concerns around moving to cloud,” Keenan said today.

“We don’t need to reinvent the wheel for every individual agency to access cloud-based services and a whole-of-government approach will save time and money.”

The DTA has spent the best part of a year reworking the policy to better understand the barriers to cloud adoption and help agencies make the best investment decisions.

And while the “cloud first” mandate remains, the DTA has tweaked the policy to better reflect how cloud has come to be the industry standard for delivering digital services, removing the need for “big upfront investments” and helping agencies better respond to changing demands.

“All agencies must use cloud services for new services or modernisation of services whenever the cloud services are fit for purpose, provide value for money and demonstrate appropriate risk management,” the strategy states.

In the event that there is “no suitable commercially provided cloud service”, agencies are required to design applications to be “cloud ready, maximising automation, portability and resilience”.

A further six principles have also been introduced to guide agency implementation of cloud services:

• Make risk-based decisions when applying cloud security, such as separating high and low value information into different environments.
• Consider public cloud over any other cloud deployment model, ensuring that the service has appropriate security for the information being handled.
• Use cloud services as much as possible for new capabilities or modernisation of existing services. Regardless “agencies must approach their own developments to be cloud enabled”.
• Configure services instead of customising them.
• Take full advantage of cloud automation practices to “manage demand and availability to meet user expectations of performance and reliability”.
• Ensure that real-time monitoring is used to monitor the health of cloud services.

Agency cloud strategies mandated

Using the DTA's document as a starting point, agencies will be required to develop their own cloud strategy to avoid a one-size-fits-all approach.

This will consist of a “value case, workforce plan, best-fit cloud model and service readiness assessment” that best meets their needs.

“The value opportunity, portfolios of application and systems, investment cycles and maturity of each agency is unique and cannot be covered under a whole-of-government cloud strategy,” the strategy states.

It also suggests that agencies look at their business models to see if “targeted change programs are required".

The DTA will establish a "community of practice" to assist agencies in establishing their strategies and preparing their IT environments for cloud services.

“It will include training and advice to agencies to build confidence and capability, and assist in addressing organisational barriers to a cloud operating model such as funding and governance,” the strategy states.

The DTA also plans to introduce a dashboard of cloud services in use across government to "provide enhanced transparency of cloud usage and compliance across government and support clearer guidance regarding the costs, service suitability and government status in a cloud environment".

It similarly intends to build a whole-of-government "cloud knowledge exchange" for agencies to collaborate and reuse common capabilities.

Reusable cloud assessments

The strategy identifies a number of barriers to the adoption of cloud services, including siloed approaches, applications and services that aren’t optimised for cloud, and skills shortages.

It also seeks to address issues confronting the Australian cloud provider market, while maintaining the government’s security and accountability posture.

One “significant barrier” to adoption is the Australian Signals Directorate’s certified cloud services list, which requires any cloud service with an unclassified DLM or protected workload to be certified.

The DTA found that ASD doesn't have the capability to undertake certification "against every cloud service and agency may wish to use”, and having a single accountability for cloud certification “creates bottlenecks and confusion”.

“Continuing with the current approach with existing resources will not achieve the government's objectives to accelerate the use of cloud,” the strategy states.

To address this the DTA will introduce a layered cloud certification model to provide greater opportunity for agency-led certifications, which will reuse "practices already in place for certification of ICT systems".

A common assessment framework will also be created for “agencies to assess, measure and compare the service’s ability to meet the government need and share this for reuse”.

“The framework will provide a clear and consistent approach to cloud assessments that articulates, to both agencies and cloud service providers, the measures used to determine usability in a government context,” the strategy states.

The DTA is also aiming to redevelop the existing cloud services panel after its infrequent refresh cycle was found to be an issue.

The agency is similarly looking at introducing common and shared platforms for agencies to collaborate and access information in a protected environment, as well as federated access management, and integrated service management.

Separately, agencies had expressed “confusion regarding accountability for assessments and a lack of transparency in the process”, while industry found the delays between the initial IRAP assessment and certification as well as the financial impact “frustrating”, the DTA said.

Funding models that don’t align with the cloud service model and push agencies to use CapEx to purchase cloud alongside cumbersome head agreements were also highlighted as issues.