06 February 2018


The new Commonwealth Secure Cloud Strategy from the Digital Transformation Agency (DTA) states
The case for cloud is no secret to industry or government. A move to cloud computing - away from on premise owned and operated infrastructure - can generate a faster pace of delivery, continuous improvement cycles and broad access to services. It can reduce the amount of maintenance effort required to ‘keep the lights on’ and refocus that effort into improving service delivery.
Cloud, however, is a new way of sourcing Information Communication and Technology (ICT) services and many agencies will have to change the way they operate to make the most of this new model. In the Australian Government, a number of factors can get in the way of agencies realising their cloud aspirations, from a shortage of knowledge and experience, decades old, stubborn operating models and a struggle to sell the case for cloud across the business.
The Secure Cloud Strategy has been developed to guide agencies past these obstacles and make sure everyone has the opportunity to make the most of what cloud has to offer. This is not a simplistic ‘lift and shift’ view of the transition. Instead, the strategy aims to lay the foundations for sustainable change, seizing opportunities to reduce duplication, enhance collaboration, improve responsiveness and increase innovation across the Australian Public Service.
Some agencies have already embraced the cloud model. A coordinated approach for further adoption will make sure government derives the maximum value from this shift. The strategy will ensure experience and expertise is not locked-up and create opportunities to reuse and share capabilities through increased collaboration.
The strategy is based around a number of key initiatives designed to prepare agencies for the shift to cloud and support them through the transition:
  • Agencies will develop their own cloud strategies. There is no one-size-fits-all approach to implementing cloud. Agencies will use the Secure Cloud Strategy as a starting point to produce their own value case, workforce plan, best-fit cloud model and service readiness assessment.
  • Cloud implementation will be guided by seven Cloud Principles: − make risk-based decisions when applying cloud security − design services for the cloud − use public cloud services as the default − use as much of the cloud as possible − avoid customisation and use cloud services as they come − take full advantage of cloud automation practices, − monitor the health and usage of cloud services in real time.  
  • A layered Cloud Certification Model will be created. The certification model creates greater opportunity for agency-led certifications, rather than just ASD certifications. It creates a layered certification approach where agencies can certify using the practices already in place for certification of ICT systems. 
  • Service procurement will be aligned with the ICT Procurement Review Recommendations. As cloud services move more rapidly than services available through panels traditionally do, the recommendations in the ICT Procurement Review align well with creating a better pathway for cloud procurement. 
  • cloud qualities baseline and assessment framework will be introduced to clarify cloud requirements. The cloud qualities baseline capability and assessment framework will enable reuse of assessments. 
  • A Cloud Responsibility Model will be developed to clarify responsibilities and accountabilities. Traditional head agreements cannot cover all cloud services and their frequent variations. A shared capability for understanding responsibilities, supported by contracts, will address unique cloud risks, follow best practice and maintain provider accountability. 
  • A cloud knowledge collaboration platform will be built. The platform will enable secure sharing of cloud service assessments, technical blueprints and other agency cloud expertise, to iterate on work already done rather than duplicating it. 
  • Cloud skills uplift programs will be designed. Increase government skills and competencies for cloud aligned with the Australian Public Service Commission Digital Skills Capability Program and create the pathways to leverage industry programs to enhance cloud-specific skills in the Australian Public Service. 
  • Common shared platforms and capabilities will be explored including: − Federated identity for government to enable better collaboration in the cloud. − A platform for PROTECTED information management to reduce enclaves in agencies, and continue to iterate cloud.gov.au as an exemplar platform. − Service Management Integrations services to enable agencies to manage multi provider services.
These platforms will include the integration toolkits that enable agencies to seamlessly transition between the cloud services. 
These initiatives will be supported through a Digital Transformation Agency-led community of practice that will support agencies to plan and transition their environments for cloud. It will include delivering training and advice to agencies to build confidence in their ability to manage cloud services. 
The Australian Government has an ambitious agenda to transform its digital service delivery. Cloud offers reusable digital platforms at a lower cost, and shifts service delivery to a faster, more reliable digital channel. Cloud services have the opportunity to make government more responsive, convenient, available and user-focused.
The Strategy comments -
Myth: Privacy reasons mean government data cannot reside offshore
“Generally, no. The Privacy Act does not prevent an Australian Privacy Principle (APP) entity from engaging a cloud service provider to store or process personal information overseas. The APP entity must comply with the APPs in sending personal information to the overseas cloud service provider, just as they need to for any other overseas outsourcing arrangement. In addition, the Office of the Australian Information Commissioner’s Guide to securing personal information: ‘Reasonable steps’ to protect personal information discusses security considerations that may be relevant under APP 11 when using cloud computing.” https://www.oaic.gov.au/agencies-and-organisations/agency-resources/privacy-agency-resource-4-sending-personalinformation-overseas 
Additionally, APP 8 provides the criteria for cross-border disclosure of personal information, which ensures the right practices for data residing off-shore are in place. Our Australian privacy frameworks establish the accountabilities to ensure the appropriate privacy and security controls are in place to maintain confidence in our personal information in the cloud.
'The Ethics of Cloud Computing' by Boudewijn de Bruin and Luciano Floridi in (2017) 23(1) Science and Engineering Ethics 21-39 comments
Cloud computing is rapidly gaining traction in business. It offers businesses online services on demand (such as Gmail, iCloud and Salesforce) and allows them to cut costs on hardware and IT support. This is the first paper in business ethics dealing with this new technology. It analyzes the informational duties of hosting companies that own and operate cloud computing datacenters (e.g., Amazon). It considers the cloud services providers leasing ‘space in the cloud’ from hosting companies (e.g, Dropbox, Salesforce). And it examines the business and private ‘clouders’ using these services. The first part of the paper argues that hosting companies, services providers and clouders have mutual informational (epistemic) obligations to provide and seek information about relevant issues such as consumer privacy, reliability of services, data mining and data ownership. The concept of interlucency is developed as an epistemic virtue governing ethically effective communication. The second part considers potential forms of government restrictions on or proscriptions against the development and use of cloud computing technology. Referring to the concept of technology neutrality, it argues that interference with hosting companies and cloud services providers is hardly ever necessary or justified. It is argued, too, however, that businesses using cloud services (banks, law firms, hospitals etc. storing client data in the cloud, e.g.) will have to follow rather more stringent regulations.