Australian government's offshore cloud policy revealed

The Australian government has quietly asked industry to comment on a proposal that would drop the need for agencies to get approval from two ministers to offshore government data.
Written by Josh Taylor, Contributor

The Australian government is pushing ahead with plans to drop the controversial policy for agencies to get approval from their portfolio minister and the attorney-general before moving government data offshore, according to a draft policy document distributed to the industry.

In July 2013, in the dying days of the former Labor government, a new cloud policy was introduced to encourage cloud adoption within government, but one critical factor of the policy meant that agencies could only begin to move government data to offshore clouds if approval was obtained from both the relevant portfolio minister and the attorney-general.

The approach has been criticised by Microsoft Australia, among others, which stated that it created additional hurdles for agencies moving to the cloud, but the policy had been supported by local cloud operators and by privacy advocates concerned about the offshoring of data to the United States in the wake of the Edward Snowden revelations about the National Security Agency's access to datacentres owned by US companies or located in the US.

The policy appears to be on the way out, however, and ZDNet can reveal that the Australian government has already begun consulting with industry on dropping this controversial policy. According to a draft document obtained by ZDNet, the approval will lie solely with an agency head or delegate, who will approve a risk assessment before outsourcing any IT, including cloud.

The document, titled "Information Security Management Guidelines: Risk management of outsourced ICT arrangements (including Cloud)", is designed to guide agencies in assessing the risk of offshoring IT services and unclassified Australian government information.

According to the paper, agencies should consider the legal powers to access or restrict access to data, the complications arising from data being simultaneously subject to multiple legal jurisdictions, the lack of transparency and ability to directly monitor operations overseas, and the difference in business and legal cultures in nations other than Australia.

For moving the cloud offshore, the paper says agencies need to understand the different cloud models, and assess the risks for each vendor the agency intends to use.

[Figure: The assessment process. Screenshot by Josh Taylor/ZDNet]

In the paper, the government asks agencies to consider the potential threats and the potential outcomes should data be compromised in a cloud hosted overseas, including what an unintended disclosure might look like and what the impact of a loss of confidence would be.

The government said that potential threats include data breaches, loss, account hijacking, insecure APIs, DDoS attacks, malicious insiders, shared technology vulnerabilities, and abuse of cloud services.

But the paper notes that risks can be potentially mitigated through contractual arrangements with vendors that specify security requirements, although that may not be enough.

"In some cases, it may be impractical or impossible for the agency to verify if the service provider is adhering to the contract. This can be addressed through the use of third party audits, including certifications."

The Australian Information Industry Association's response (PDF) to the policy this week indicates it welcomes the removal of the dual ministerial approval process.

"AIIA agrees that the decision-making responsibility should rest with the agency head rather than the minister in these circumstances," AIIA CEO Suzanne Campbell said.

The AIIA also advocated that the government explore a centralised cloud procurement model similar to the NSW and Victorian governments that would allow vendors to be verified and approved by a central authority and allow the government to set the terms of engagement with cloud vendors.

"The advantage of a centralised approach is that it provides a transparent, standardised framework that can be used by all agencies," Campbell said.

"AIIA believes this level of guidance and support will build the confidence of agencies to take up cloud services and provide government with an appropriate level of control and additional risk mitigation."

The policy is likely to form part of the Australian government's revised cloud computing policy due for release in the next few weeks, Communications Minister Malcolm Turnbull revealed yesterday.
