Government rolls back dual ministerial offshore cloud approval

The Australian federal government has rolled back the dual ministerial approval process that had been required for agencies to move their cloud IT infrastructure offshore.

Government departments will no longer need to seek ministerial approval from their portfolio minister and the attorney-general to move their cloud-based IT services offshore, with the Australian federal government rolling back the requirement, which was introduced by the previous Labor administration.

According to the Information Security Management Guidelines: Risk management of outsourced ICT arrangements (including cloud) document (PDF), government departments need only seek the authorisation of their own agency head in order to offshore their cloud services.

"Agency heads or delegates are to consider the risk assessment before entering into an outsourced ICT arrangement," it said. "Agency heads are ultimately responsible for managing risk within their agency, and their understanding and acceptance of any risk manifested through outsourced ICT arrangements, including cloud."

The move comes after ZDNet revealed early last month that the government had distributed a draft policy to industry stakeholders outlining a new cloud policy that rolled back the requirement.

Now, the final policy document confirms the rollback, and outlines several other IT outsourcing processes and information security management guidelines.

The document said that the policy for security of information is promulgated through the Protective Security Policy Framework (PSPF) and the Information Security Manual (ISM), which together require agencies to adopt a risk management approach to cover all areas of protective security. This includes the procurement and management of IT services.

"Each agency is to document that they have calculated and accepted the associated security risks to Australian government information in accordance with the PSPF, ISM before entering into outsourcing ICT arrangements," the document said.

"Agencies can outsource their ICT arrangements; however, responsibility for the risk remains with the agency head," it said.

The policy also directs agencies to consider the nature of the legal powers to access or restrict access to data held in offshore datacentres, the complications arising from data being simultaneously subject to multiple legal jurisdictions, lack of transparency, and the difference in the business and legal cultures of other nations.

The document said that in the absence of international, Australian, or industry standards relating to cloud, there is a greater responsibility on agencies to undertake due diligence.

The local cloud services industry has been divided over the push to remove the dual ministerial approval process, with some Australian cloud providers warning that the move could impact Australians' data sovereignty.

Peter James, chairman and co-founder of Australian cloud computing provider Ninefold, said last month that although a cloud-first policy is "the future", dropping the dual ministerial approval requirement would ultimately impact the right of Australians to maintain control over their data.

Meanwhile, local cloud players that utilise offshore datacentres regard the move as a positive force, allowing the Australian cloud industry to flourish.

"In terms of the change in the policy itself, I think it's a positive," he told ZDNet in August. "Anything that helps the cloud industry grow is a good thing. I still think that we're at the very early stage of adoption and something that removes a slightly excessive amount of concern is going to be a good thing."