Govt cloud use to require Ministers’ approval

In one of the most bureaucratic moves we’ve seen in quite some time, the Federal Government has released a new cloud computing security and privacy directive which requires departments and agencies to explicitly acquire the approval of the Attorney-General and the relevant portfolio minister before government data containing private information can be stored in offshore facilities. Data which doesn’t include personal information — and thus isn’t subject to privacy regulations — won’t suffer the same conditions. The new policy itself is available online in PDF format, and we’ve also got a media release issued by the Attorney-General himself, Mark Dreyfus, jointly with Kate Lundy in the Senator’s new role as Minister Assisting for the Digital Economy. Dreyfus tells us:

“The policy will aid decision-makers in determining when to allow the use of offshoring or outsourcing on a case-by-case basis,” Mr Dreyfus said. “I have paid special attention to the security of personal information, which people expect will be treated with the highest care by all organisations, but by government in particular,” Mr Dreyfus said.

“Safeguards have been incorporated so that before personal information can be stored in the cloud, the approval of the Minister responsible for the information, and my own approval as Minister for privacy, must be given. This is to ensure that sufficient measures have been taken to mitigate potential risks to the security of that information.”

I hope to get the time later on to do some more analysis of this policy; I’m sure the devil is in the details. However, I will note that for now, I’m in two minds about this. Firstly, and I’m sure this is the aim of the policy, this document explicitly opens up cloud computing use for non-personal and non-sensitive data, meaning that Federal Government departments and agencies now have implicit approval to use the cloud, including offshore cloud, for data storage. I have no doubt that this implicit approval is the main reason this new document was drawn up; and I’m sure it will have the effect of encouraging departments and agencies to host data in the cloud. This is a very good thing.

However, it should also be obvious that creating a situation where two ministers need to explicitly agree in certain cases where personal data could be kept offshore creates a massive bottleneck situation, which will probably create a whole host of ancillary issues. After all, it’s easy on paper to divide these different types of data (non-private, private and security-classified) into separate categories, but I think the Government will find in practice that they can be somewhat intermingled. For example, if you’re operating a website from the cloud with a login capability (or even one that sets cookies to intelligently identify those using it), can that data be kept offshore or not? There are thousands of these kinds of use cases which IT staff will need to grapple with; and taking an issue all the way up to your Minister, not to mention then to the Attorney-General, is a high bar indeed.

A policy which stipulates that only one individual in the whole Federal Government can approve the use of IT assets in a certain manner is, by definition, asinine and irrational. Dreyfus doesn’t even have a personal background in technology. It seems ridiculous that he would be the only arbiter of which of the millions of datasets the Federal Government holds can be kept in the cloud, and which can’t. I’ll be interested to hear the thoughts of those who work in the public sector on this situation.

3 COMMENTS

  1. Good. We already get non-stop bombarded as a country by Indian spammers because of telcos outsourcing everything overseas, making our data an easy target. Last thing I want is Government data being grabbed by some asshole Indian spam kings.

  2. The word PRISM comes to mind. It’s the AG’s dept that know what all the other countries are capable of, so they have to be able to say “no you can’t put Aussies’ personal info over there, country X will steal it for SIGINT”.

  3. Hmmm … Cloud Services? Yes … but … yes … but … yes … but … no. The need to protect data entrusted to government agencies goes without question, but the unspoken premise behind this policy is that the status quo of in-house and dedicated outsourced ICT is safe, trustworthy, affordable and sustainable.

    How would it be if agencies were required to complete the full risk management assessment for their existing ICT arrangements – which would then require approval by TWO ministers in order to certify the agency to continue daily operations?

    Most Ministers would naturally be very wary to get trapped into this little minefield. Some agencies, of course, are fully ship-shape … but many are not due to under-investment, ageing assets, skills shortages, sub-scale operations etc. … and budget realities prevent necessary remedial investment. This would be a no-win scenario.

    The policy is well intended, but its effect is to increase the focus on Type I (false positive) procurement errors while increasing the risk of Type II (false negative) procurement errors – which perpetuate the inefficiencies and risks of the status quo. Sign-off from TWO ministers? Sounds like more hassle than it’s worth … safer just to carry on with customized development hosted in the existing ageing data center with un-patched infrastructure software and no tested backup or DR facilities. Better to stay under the radar and just cruise along mate! I know, let’s do it as a common application shared between 5 agencies and run it on a multi-agency shared service center … that’d be excellent … keep us all busy for years.

    I agree that any and all ICT sourcing decisions need to be subjected to a thorough risk assessment – cloud services are no different. It is dangerous to entrust data to unsafe environments and untrustworthy counter-parties under any sourcing approach. Full stop.

    The only way this policy will work is if the Organizational Context section of the risk assessment is fulsome enough to accurately articulate the risks inherent in the status quo and the alternative sourcing strategies. This can provide the ‘burning platform’ from which cloud services would seem to be a leap to relative safety rather than a leap into danger. This, however, will require CIOs and Agency Heads to open the kimono on the trustworthiness and sustainability of their existing ICT environment …
