Govt policy requires two ministers for cloud storage sign-off

Federal Government CIOs hoping to store sensitive data in an offshore or onshore public cloud will have to obtain approval from two ministers before proceeding, under a new policy released by the Attorney General’s Department late last week.

Australia's Attorney General, Mark Dreyfus.

The policy [pdf] sets out in explicit terms exactly what hoops agencies need to jump through before taking advantage of cloud storage options.

Unclassified information that is publically available - such as website content and media releases, and unclassified information that doesn’t contain personal information about citizens - can be stored and processed in an onshore or offshore public cloud, provided an appropriate risk assessment has been completed and documented.

This differs little from the Australian Government cloud computing policy handed down by the Australian Government Information Management Office (AGIMO) in April 2011.

But for agencies looking to apply the same approach to sensitive or personal information, the bar is set considerably higher.

Agency CIOs will need to satisfy their own portfolio minister and the Attorney General that there are sufficient technological controls in place to protect that data, before proceeding.

For classified information, the policy rules out offshore or onshore public cloud options altogether, with the exception of international information sharing arrangements and the kinds of accredited systems that might be run in Australian embassies.

The paper represents the most clearly articulated policy on cloud computing in the Australian Government to date, with the Privacy Act providing the line of demarcation between what data can be stored in offshore public clouds.

The policy also plays an active role in IT governance for Attorney General Mark Dreyfus and his department.

This latest development means that Dreyfus, as both Attorney General and Special Minister for State (with oversight of AGIMO and its strategic ICT responsibilities), will have an effective veto on any risky public cloud deployments.

Previously agencies would have sought cloud computing guidance from the National Cloud Strategy, developed in unison by the Department of Broadband, Communications and the Digital Economy and AGIMO.

The effort required for a double-Ministerial approval would suggest that classified information and any data subject to the Privacy Act will likely remain in Australian data centres, at least until the policy is reviewed in 12-24 months time.