Head in the Cloud: A new Secure Cloud Strategy
A new vision and guidance to support the uptake of cloud-based services across the Australian government.
What you need to know
The Secure Cloud Strategy was released last week. It replaces the former Australian Government Cloud Computing Policy.
The Secure Cloud Strategy aims to support agencies to consolidate and accelerate their transition to cloud-based services.
It identifies existing security and procurement frameworks as key opportunities for reform and proposes initiatives to drive change in these areas.
What you need to do
To support the transition to cloud-based services, you can:
- Read the Secure Cloud Strategy
- Look out for DTA guidance material and training opportunities
- Engage with the Cloud Knowledge Exchange
- Look out for changes to the Cloud Services Panel
- Assist your agency to develop a Cloud Strategy
Introduction
Last week, the Digital Transformation Agency (DTA) released a new vision for cloud-based service utilisation across the Australian government. The Secure Cloud Strategy identifies the "building blocks" that will support agencies to harvest the benefits of cloud-based services while continuing to meet their security and assurance needs. The Strategy replaces the Australian Government Cloud Computing Policy released in 2014.
The Strategy acknowledges that current security and procurement frameworks are not conducive to the widespread adoption of cloud-based services by agencies. It points to long-term panel arrangements, inflexible product catalogues, information security policies, the IRAP assessment and ASD certification processes as key barriers.
The Strategy proposes initiatives to overcome these barriers and drive change. The reforms address three key areas: knowledge, risk and shared capability.
The case for cloud
The Strategy puts forward a "case for cloud" centred upon three key benefits: agility, operational effectiveness and visibility.
The Strategy suggests that cloud-based services provide agencies with the agility and flexibility they need to respond to changing demands. It contrasts cloud services, which can scale up and down rapidly on demand, with traditional technology solutions, which require "big upfront investments" before they can scale at all.
Cloud-based services support operational effectiveness and visibility by enabling the automation of processes, self-service and real-time monitoring. They also benefit from regular and remote upgrades and fixes, reducing the costs of maintenance and support.
Knowledge
The Strategy identifies a need for a common understanding of the offerings, capabilities and benefits of cloud-based services. The Strategy defines seven principles to encourage a consistent, "best practice" approach to cloud implementation across agencies. The principles challenge prevailing thinking and practice around IT service design and delivery. The principles are:
- Make risk based decisions when applying cloud security
- Design services for the cloud
- Use public cloud services as the default
- Use as much of the cloud as possible
- Avoid customisation and use services "as they come"
- Take full advantage of cloud automation practices
- Monitor the health and usage of services in real time.
The Strategy compels agencies to articulate a vision and strategy for cloud adoption. It suggests that a "one-size-fits-all approach" will not fulfil agencies' individual needs and that agencies need to develop a plan to demonstrate how they will transition to, and derive benefit from, cloud-based services. The DTA will provide toolkits and advice to help agencies develop their "Cloud Strategy".
Risk
The Strategy recognises that agencies' approach to cloud-based services is largely driven by security and procurement frameworks.
The Australian government has a risk-based information management framework underpinned by the Protective Security Policy Framework (PSPF) and the Information Security Manual (ISM). The PSPF and ISM outline risks and threats to government data and services and propose mandatory and optional treatments to reduce risk. Technology services (including cloud-based services) currently undergo assessments to identify risk and test compliance against the PSPF and ISM. Assessments are undertaken by assessors certified by the Australian Signals Directorate (ASD) under the Information Security Registered Assessors Program (IRAP) and passed through a certification authority. The ASD is the certification authority for cloud-based services. Currently, any cloud-based products that handle UNCLASSIFIED:DLM or PROTECTED information must be certified by ASD. The Strategy identifies that this single source certification "creates bottlenecks and confusion" and that the security assessment and certification process is a significant barrier to the accelerated use of cloud.
The Strategy proposes that the ASD certification model could be extended to enable agency-based assessments. It suggests that this could be achieved through a "layered certification model" which would involve IRAP assessment and agency certification in the first instance, and ASD certification when specific risks exist or further advice is required. The Strategy also promotes the sharing of these assessments through a Common Assessment Framework to avoid duplication and facilitate iterative assessments and security improvements, while at the same time reducing the certification burden on the ASD.
The Strategy notes the rapid iteration and release cycle of cloud-based services and suggests that the current Cloud Services Panel is not equipped to refresh at the same rate. It recommends the redevelopment of the Cloud Services Panel to create a commodity procurement pathway (such as a catalogue-based e-procurement approach) to enable agencies to access a wider range of cloud-based services.
Shared capability
The Strategy encourages agencies to share knowledge, capability and expertise. The DTA has committed to developing a Cloud Knowledge Exchange to connect agencies and provide access to resources and information to support cloud adoption.
The Strategy identifies that the public sector workforce needs the skills to "build, modernise, implement, manage, procure and govern cloud services". It suggests that there is currently a skill shortage in these areas and proposes the establishment of a new job capability within the DTA's Building Digital Capability program. It also points to industry as an important source of education and capacity building for the transition to cloud-based services.
FAQ: Can agencies transfer and store personal information offshore?
The short answer is yes. The Australian Privacy Principles (APPs) do not prevent the transfer or storage of personal information outside of Australia. However, APP 8 provides that agencies must take reasonable steps to ensure that the overseas recipient does not breach an APP. This may include conducting due diligence investigations prior to entering into an arrangement with an offshore provider and contractually compelling the contractor to comply with the APPs, including the security requirements at APP 11. Agencies should be mindful that some information will be subject to data protection provisions in other legislation which place limits on an agency's ability to transfer or store that information offshore.
Authors: Amanda Ludlow, Partner; Tess Hemming, Senior Associate; Cale Woods, Lawyer