Australian IT industry divided over cloud policy overhaul

The Australian federal government's move to drop the requirement for agencies to get approval from two ministers before offshoring government data has been met with a mixed reception in the local marketplace, with fears over data sovereignty contrasted by suggestions the move is long overdue.

It was revealed recently that the Australian government was pushing ahead on a proposal to roll back the requirement for government agencies to get approval from two ministers before offshoring their data.

The requirement for government agencies to seek approval from their portfolio minister, along with the Attorney-General's Department, to offshore their data was introduced in a new cloud policy drawn up by the previous Labor government, and released in July 2013.

Now, as the government works to encourage its departments to move towards a cloud-first approach in the outsourcing of their IT services, the dual ministerial approval requirement could face the chopping block.

With many of the cloud service providers operating in Australia making use of datacentres overseas, however, some Australian-based stakeholders are warning that such a move could put government data at the mercy of foreign governments' laws and increase the dangers of data breach or loss.

Peter James, chairman and co-founder of Australian cloud computing provider Ninefold, is convinced that, although a cloud-first policy is "the future", dropping the dual ministerial approval requirement would ultimately impact the right of Australians to maintain control over their data.

"It is very encouraging to see the Federal Government look to the private sector to provide forward-thinking communications services like cloud computing," said James. "However the personal and private information governments receive through these new outsourced cloud arrangements has to be treated with the utmost safety and security.

"Furthermore, if there is a breach of privacy or the personal details of a citizen are compromised, then it is a fundamental right that the citizen can seek redress here in Australia rather than overseas courts," he said.

James said that while cloud computing is the way forward for government and industry in Australia, offshoring data should require a much higher level of sign-off approval than keeping data in Australia.

"That is why the existing 'onshore' arrangements for outsourcing government data are preferable to 'offshore' deals and in turn, that is why the existing ministerial sign-offs that apply when data is sent offshore are an important consumer safeguard," he said.

However, Mark Randall, chief customer officer of local cloud services provider Bulletproof, believes that far from putting Australian government data at risk, the new proposals are long overdue.

"I think in many ways it's kind of lagging events," he told ZDNet. "You look at where things are now and most of the global cloud providers actually have local datacentres in Australia anyway, which addresses the data sovereignty issue. All the ones that don't are certainly rumoured to be here fairly soon."

Although Bulletproof is based in Australia, it draws upon cloud infrastructure resources from Amazon Web Services — which has datacentres in Australia and other locations around the world — and VMware.

From Randall's perspective, dropping the dual ministerial approval would enable the local cloud services market to flourish.

"In terms of the change in the policy itself, I think it's a positive," he said. "Anything that helps the cloud industry grow is a good thing. I still think that we're at the very early stage of adoption and something that removes a slightly excessive amount of concern is going to be a good thing.

"Having said that, the proposal still has a stringent approval process in place, they still highlight that people looking to host offshore still need to consider the legal jurisdiction risks and still need to consider privacy laws and whether they are as robust as they are locally.

"The proposals aren't really changing those considerations, they're just moving the responsibility for approving those decisions, further down the government hierarchy," he said.

While cloud services provider Amazon Web Services possesses datacentres in Australia, affording it the ability to offer the Australian government the option of local data storage for their cloud services, many of the other big players in the local market do not have that luxury.

Google, which offers its cloud services platform in Australia, has datacentres in several countries around the world — many of them in North America — but not in Australia, potentially exposing Australian clients' data to the rule of US law.

In fact, even if a provider's datacentre is located in Australia, but the operating company is headquartered in the United States, the data may still be open to US government access.

In late July, a United States judge ruled that even if data was stored overseas, if the company storing it is US-based it could be up for grabs for seizure by the US government.

The ruling means that international users of cloud services providers such as Microsoft, Apple, Google, and Facbook — all companies headquartered in the US — are not immune from having their data handed over to the US government for law enforcement for intelligence purposes.

Microsoft was one of the US-headquartered companies operating in Australia to voice concerns late last year over the previous Labor government's cloud policy requirements, in its submission to the Department of Communications' review of deregulation initiatives in the communications sector.

"We understand that the Federal Government, quite rightly, has requirement for strong protective security policies and practices," said Microsoft in its submission. "We do, however, also feel that agencies should be able to leverage security guidance to make their own risk-based assessment on whether to utilise cloud services."

The company said that the requirements outlined in the previous government's offshore IT arrangements guideline document posed an "additional hurdle for agencies' consideration of cloud computing services".

These guidelines, released in June 2013, added the requirement for agencies to seek both the approval of their portfolio minister and the Attorney-General before entering into arrangements for the hosting offshore of any information that is privacy protected.

"This guidance has not only added a procedural barrier into the consideration of offshore hosted cloud services for non-security classified data; it has created confusion around the privacy requirements of agencies and putting the Federal Government's internal guidance on cloud at odds with the more constructive guidance of the Office of the Australian Information Commissioner," the company said.

The federal government's push to drop the dual ministerial approval process comes as it also moves to pass legislation that would force telecommunications companies in Australia to retain customer data for up to two years to allow government agencies to access metadata without a warrant as part of law enforcement investigations.