The Defence Signals Directorate has released a document containing "thought provoking" questions for government organisations wanting to adopt cloud.
The document, discovered by ITnews, lists issues that it believes senior managers and technical staff need to discuss at length before making their way down the cloud path, giving a long list of concerns in overview, then diving into those concerns in depth.
It begins by telling agencies to ponder availability and business functionality questions such as: whether the vendor has a thorough and quick disaster recovery plan; what the network connectivity is like; whether the service level agreement (SLA) specifies appropriate levels of uptime, and whether scheduled outages are included in those figures; whether the agency will be compensated for unacceptable levels of uptime; whether the vendor can really scale; and whether the vendor supports data portability.
It moves on to questions about the protection of data from third parties: how sensitive the data to be put into the cloud is; what the agency's legislative obligations are under the Privacy Act or other laws; which countries the data will be stored in and transited through; whether encryption will be used; whether storage devices will be thoroughly wiped at end of life; whether the agency will perform its own monitoring; whether the agency still legally owns the data once it is transferred to the vendor's cloud; whether the agency can audit the vendor and its security measures; what sort of authentication is needed to access services; and what physical security will be used at sites.
It also considers the danger to data from other customers and from the vendor's own employees: is there adequate segregation between customers' data? How thoroughly is data removed before a storage device is reused for another customer? Does the customer encrypt the data, or does the vendor? What vetting is carried out for vendor employees? How does the vendor audit its employees? Is there adequate protection against human error? And what about the subcontractors?
In the case of a security incident, DSD thinks that agencies need to consider: whether the vendor responds swiftly to requests, with a maximum response time specified in the SLA; whether the vendor has an incident response plan; whether its employees are trained in security; whether the vendor will notify agencies of incidents; in the case of a breach, how much support the vendor will provide with investigations; whether the vendor will provide access to logs; and what the vendor will do if sensitive data makes its way into the cloud.
The DSD recommended that agencies' IT services should remain hosted in Australia, unless the data is publicly available, saying that agencies should choose a locally owned vendor or a foreign-owned vendor located in Australia that stores data in Australia. It also cautioned that foreign-owned vendors might have to provide access to data to the government of their homeland.
Those wanting to look at the comprehensive list of cloud questions should read the document, available on the DSD's site.