Ovum's public sector research director has blamed poor planning for government agencies' conservative approach to cloud computing.
Steve Hodgkinson sought to inject “balance” into an increasingly caustic debate about cloud risks at a meeting with vendors and agency personnel in Canberra.
“There’s a lot of talk about cloud computing but little action, locally,” he said. While the momentum was growing, it remained “an innovative niche thing” for large enterprises.
Hodgkinson described cloud computing as an evolution of the shared services model that reached a larger scale of users.
Users were demanding “faster, better, cheaper, easier” ways of accessing their services, he said, noting that many already used cloud or cloud-like applications like Facebook.
But the cloud market was saddled with concerns about security and maturity due to varying levels of maturity, investment and scale of vendors, he said.
Hodgkinson argued that agency audit reports had documented many non-cloud systems that failed security tests, with weaknesses in multiple information system controls.
“Even though there is a perception that cloud computing is unsafe, we are already running environments that aren’t as safe as we’d like them to be anyway,” he said.
“When we get to this whole bogey of security, privacy, record keeping requirements etc, the experience of people that have long used these services is that those are not show-stoppers,” he said.
“The requirements can be met. They need to be worked through, and they require a lot of effort, but they can be met.”
He said many users were surprised that the security standards of some cloud vendors were higher than those they had in place internally.
“Security in a mature cloud service environment is high. Why would we be surprised that a mature services provider will make it as secure as they can?”
Hodgkinson said the traditional stumbling block of data jurisdiction, due to cloud providers' off-shore data centres, was also being addressed.
There were many examples of public cloud services where data was replicated onshore in order to comply with local record-keeping obligations, he said.
Hodgkinson urged any cloud adopters in the public sector to adopt a more thorough approach to information classification and management to assure compliance with privacy and public record-keeping legislation, and to have a clear plan for local back-ups and disaster recovery.
Agency chief information officers needed a 'plan B', he said, which needed to include “pre-nuptial” agreements to ensure that the cloud did operate like any other utility, with standards that prevented vendor lock-in.
“You must be able to get your data back,” he said.