Australian government's offshore cloud policy revealed

Australian government's offshore cloud policy revealed

Summary: The Australian government has quietly asked industry to comment on a proposal that would drop the need for agencies to get approval from two ministers to offshore government data.


The Australian government is pushing ahead with plans to drop the controversial policy for agencies to get approval from their portfolio minister and the attorney-general before moving government data offshore, according to a draft policy document distributed to the industry.

In July 2013 in the dying days of the former Labor government, a new cloud policy was introduced to encourage cloud adoption within government, but one critical factor of the policy means that agencies could only begin to move government data to offshore clouds if approval is obtained by both the relevant portfolio minister and the attorney-general.

The approach has been criticised by Microsoft Australia, among others, for stating that it created additional hurdles for agencies moving to the cloud, but the policy had been supported by local cloud operators, and privacy advocates concerned about the off-shoring of data to the United States in the wake of the Edward Snowden revelations about the National Security Agency's access to datacentres owned by US companies, or located in the US.

The policy appears to be on the way out, however, and ZDNet can reveal that the Australia government has already begun consulting with industry dropping this controversial policy. According to draft document obtained by ZDNet, the approval will lie solely with an agency head or delegate to approve a risk assessment before outsourcing any IT, including cloud.

(Image: Screenshot by Josh Taylor/ZDNet)

The document, titled "Information Security Management Guidelines: Risk management of outsourced ICT arrangements (including Cloud)", is designed to guide agencies in assessing the risk of offshoring IT services and unclassified Australian government information.

According to the paper, agencies should consider the legal powers to access or restrict access to data, the complications arising from data being simultaneously subject to multiple legal jurisdictions, the lack of transparency and ability to directly monitor operations overseas, and the difference in business and legal cultures in nations other than Australia.

For moving the cloud offshore, the paper says agencies need to understand the different cloud models, and assess the risks for each vendor the agency intends to use.

The assessment process
(Image: Screenshot by Josh Taylor/ZDNet)

The government asks agencies in the paper to consider the potential threats, and potential outcomes should data be compromised in a cloud hosted overseas including what an unintended disclosure might look like, and what the impact of a loss of confidence would be.

The government said that potential threats include data breaches, loss, account hijacking, insecure APIs, DDoS attacks, malicious insiders, shared technology vulnerabilities, and abuse of cloud services.

But the paper notes that risks can be potentially mitigated through contractual arrangements with vendors that specify security requirements, although that may not be enough.

"In some cases, it may be impractical or impossible for the agency to verify if the service provider is adhering to the contract. This can be addressed through the use of third party audits, including certifications."

The Australian Information Industry Association's response (PDF) to the policy this week indicates it welcomes the removal of the dual ministerial approval process.

"AIIA agrees that the decision-making responsibility should rest with the agency head rather than the minister in these circumstances," AIIA CEO Suzanne Campbell said.

The AIIA also advocated that the government explore a centralised cloud procurement model similar to the NSW and Victorian governments that would allow vendors to be verified and approved by a central authority and allow the government to set the terms of engagement with cloud vendors.

"The advantage of a centralised approach is that it provides a transparent, standardised framework that can be used by all agencies," Campbell said.

"AIIA believes this level of guidance and support will build the confidence of agencies to take up cloud services and provide government with an appropriate level of control and additional risk mitigation."

The policy is likely to form part of the Australian government's revised cloud computing policy due for release in the next few weeks, Communications Minister Malcolm Turnbull revealed yesterday.

Topics: Cloud, Government, Government AU, Australia


Armed with a degree in Computer Science and a Masters in Journalism, Josh keeps a close eye on the telecommunications industry, the National Broadband Network, and all the goings on in government IT.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • An irresponsible decision from the responsible minister

    Is this just about removal of unnecessary red tape, or is AG George Brandis trying to isolate himself and the relevant minister from blame when off-shored data is lost or compromised?
  • Ask the Irish

    Ask the Irish if they thing storing data in a foreign owned cloud was a good idea (no fault of MS either).
  • I don't think this will change much.

    You might get a few cowboys taking it on public cloud offerings, ones that don't do thier risk assessments very often. But the Irish decision mentioned above will give everyone pause.

    Security is one problem, but funding is the other.

    Cloud is opex, and gov it relies on capex. All the project dollars are capex, not opex. Also, they get all the opex dollars to run a system from depreciation.

    The necessary oversight will be costly, so the potential savings (if any) are not going to be that large. Value for money test in government isn't about what is cheaper, it is about 'bang for buck'. Agencies are going to end up needing more staff to manage a cloud based solution than an internally hosted one - especially if they have to run internally hosted solution concurrently with cloud based ones.
  • What's so difficult about having an Australian cloud?

    I don't see the need to offshore our own data anyway. Haven't we got perfectly good Australian cloud service providers that the government should be employing, most of which I'd expect offer a fully onshore variant of the service? Its an accident waiting to happen and this is in my opinion just a lazy attitude to information security. If the existing ministers don't understand information security properly I suggest we rethink who is suitable for a ministerial role. Most companies worth their salt have a CIO (Information), even a CISO (Information Security) and they are becoming increasingly high profile. Maybe the political parties need to ensure they select candidates that are more competant in 21st century skills rather than going after the specialist spin doctors who can kiss 20 babies per second and can turn a straightforward yes/no question into a 15 minute diatribe about how to opposition are cretins.