Govt cloud guides give mixed message

The Australian Government Information Office (AGIMO) has launched three draft cloud guides that suggest any commitment to the cloud will come under strict conditions and using few providers.

Cloud hovers over Parliament House

The guides cover privacy, legal requirements and financing a cloud project, bringing together relevant laws, policies and checklists.

The tone of the documents reflect a very reserved acceptance that cloud will become part of the Government’s systems agenda.

The Privacy guide argues that cloud computing has the potential to enhance privacy rather than reduce it – and that privacy outcomes depend on how cloud is used.

However, debate on broader privacy risks seems to override the upbeat flavour of using cloud-based applications.

"If privacy issues cannot be adequately addressed, it would not be appropriate to transfer personal information, especially 'sensitive information', into the public cloud," the guide states.

The guide also uses the words "adequately" and "appropriate" several times, which could further hit hot buttons with risk-averse public sector agencies.

Short of storing or archiving material in the public domain, cloud is shaping as a no-go zone for many agencies and their hopes of innovating with new apps.

Uncommercial terms

The 18-page Legal primer reiterates the cautions in the privacy guide but combines these concerns with the significant security and sovereignty guidelines addressed by the Defence Signals Directorate (DSD), National Archives and access by the Auditor-General.

As well it argues for provisions in contracts that vendors and cloud service providers are likely to deem uncommercial, such as:

• no exclusion for indirect and consequential losses (such as those that flow from data loss and misuse);
• no limit to liability for breach of privacy, security or confidentiality obligations;
• an indemnity from the provider in respect to data loss or misuse as a result of the negligent, illegal or wilfully wrong act or omission of the cloud provider or its personnel; and
• a separate liability cap for data loss or misuse that is sufficiently high to cover potential liability arising from an occurence.

Agencies are also recommended to take into account service level agreements, business continuity and exit clauses in service contracts.

Other aspects of the “Better Practice Guide” to negotiating contracts seem contrary to public cloud fundamentals such as a suggestion that “storage of data [take place] on specified hardware that is unique to the agency” and “restricting the locations/countries in which agency data may be held”.

Some suggestions will be confronting for vendors, such as a right to audit and access premises where agency data is held and requirements for immediate notification of security intrusions or requests from foreign government agencies for access to data.

The few cloud providers ready to sign-off on these additional requirements will have to up their own insurance when considering pitching for government cloud business.

Accounting for cloud

The Financial guide reflects the change in expenditure type from capital to operational.

Where an agency brings forward a new expenditure proposal for Government approval, the accompanying business case should identify the extent of any capital investment for ICT or operating expenditure required and be reflected in ICT investment advice provided to AGIMO each year, the guide notes.

At odds?

The excessively cautious tone of the guides could also be at odds with separate moves being vigorously promoted by the Gillard Government to free up trade in cloud computing under the Trans Pacific Partnership Agreement.

Regional agreements assuring acceptable privacy protections for Australians and their data will facilitate free trade, through more ready access to regional public cloud solutions.

But privacy is one of the major regulatory barriers to deployment of public cloud.

Insisting on uncapped liability for privacy, security and confidentiality breaches and removing customary exclusions for consequential losses could throw a wet blanket on the willingness of cloud providers to do business with Australian Government agencies.

AGIMO has invited comments on the draft guides.