Australia mandates* cloud use by government agencies

*Unless cloud is insecure, expensive or can't do the job


Australia's Department of Finance has updated its Cloud Policy to say “... agencies now must adopt cloud”.

Those italics are the Department's, and it also has some qualifications for the edict, namely that cloud should only be adopted “where it is fit for purpose, provides adequate protection of data and delivers value for money.”

The Policy [PDF] refers to guidelines for assessing security and value for money, but is silent on just what “fit for purpose” represents.

More explicit is the suggestion that organisations consider cloud when upgrading or replacing systems, with the policy offering the following guidelines on when to adopt the cloud:

  • Use ICT refresh points as a trigger for evaluating cloud services;
  • Adopt public cloud services for testing and development needs and for hosting public facing websites;
  • Evaluate private, community, public or hybrid cloud services for operational systems as defined by information requirements;
  • Consider opportunities to develop/adopt cross entity or portfolio cloud services and/or build on initiatives established by other entities.

Microsoft has welcomed the Policy. But cloud business coalition OzHub has urged the government to set targets for cloud adoption and expressed concern that the Attorney-General's Department's Information Security Management Guidelines may not exactly encourage agencies to adopt cloud.

The A-G's guidelines offer the following questions as aids to assessing the risk presented by cloud:

  • How could the confidentiality, integrity and availability of Australian Government information be affected?
  • What is the aggregated value of the information holdings to the agency?
  • What would an unintended disclosure look like? What would an event or incident look like?
  • What would be the impact of loss of confidence in the integrity of your information? For example, the integrity of the Hansard record.
  • How could an unintended disclosure of Australian Government information occur in an outsourced or offshore arrangement? What are the sources of risk? What threats are there?

The guide [PDF] also suggests, among many warnings, that “Cloud services can facilitate malicious agendas through the exploitation of Cloud infrastructure.”

That fragment alone appears to have the potential to invoke the security caveat in the Finance Department's Policy for many agencies, under many circumstances. ®



