Global technology giant Microsoft has asked the Federal Government to review a controversial policy enacted by the Attorney-General’s Department last year which requires departments and agencies to explicitly acquire the approval of the Attorney-General and the relevant portfolio minister before government data containing private information can be stored in offshore facilities.
In July last year, the Federal Government released a new cloud computing security and privacy directive (PDF) which requires departments and agencies to explicitly acquire the approval of the Attorney-General and their relevant portfolio minister before government data containing private information can be stored in offshore facilities. Data which doesn’t include personal information — and thus isn’t subject to privacy regulations — won’t suffer the same conditions.
Unlike existing cloud computing policies used in the Federal Government, the policy did not emanate from the offices of the whole-of-government chief information officer or chief technology officer, key parts of the Australian Government Information Management Office which helps set central government IT strategy and policy. Such policies have tended to favour removing impediments to cloud computing adoption, rather than adding barriers.
Instead, the new policy appeared to be a document created by the Attorney-General’s Department, as part of the Protective Security Framework which it administers to help ensure the physical and information security of the Federal Government as a whole.
The policy was immediately criticised on Twitter by Steven Stolk, the chief information officer of minor agency the Australian Sports Commission.
“The new policy from AG to have any public cloud with personal info approved by Minister & [Attorney-General] is a real barrier to use public cloud,” wrote Stolk on his Twitter account. “The flow chart shows all flow that has personal info going to the Minister!” And then, the CIO added: “The process just seems too risk averse. Privacy risk outweighs security, which can be assessed at the agency level.”
Although the Australian Sports Commission represents a relatively minor part of the Federal Government’s IT spend, Stolk himself is a veteran in government technology circles. The executive has served the ASC as CIO for four and a half years, and has also held senior technology positions at the Civil Aviation Safety Authority, as well as at IT services company KAZ (now part of Fujitsu).
In a submission in December (PDF) to the Department of Communications’ Public Consultation on Deregulation Initiatives in the Communications Sector, first reported by iTNews this week, Microsoft — a major cloud computing player as well as a major supplier of traditional software to the Federal Government — went out of its way to criticise the new rules.
“We understand that the Federal Government, quite rightly, has a requirement for strong protective security policies and practices, particularly in relationship to sensitive and classified information assets,” the letter from the company’s local managing director Pip Marlow stated. “We do, however, also feel that agencies should be able to leverage security guidance to make their own risk-based assessments on whether to utilise cloud services.”
Microsoft wrote that the Attorney-General’s cloud guidelines had “added an additional hurdle for agencies’ consideration of cloud computing services.”
“This guidance has not only added a procedural barrier into the consideration of offshore-hosted cloud services for non-security classified data; it has created confusion around the privacy requirements of agencies and put the Federal Government’s internal guidance on cloud at odds with the more constructive guidance of the Office of the Australian Information Commissioner,” Microsoft wrote.
“While this is not regulation that falls within the Communications portfolio, we feel it is worth drawing the portfolio’s attention to, given the Minister’s express desire to have a ‘more aggressive take-up’ of cloud within government agencies.”
The situation comes as the adoption of cloud computing services appears to have largely stalled within the Federal Government, despite the fact that the previous Labor administration had attempted to take steps to remove impediments to the development of cloud projects within departments and agencies.
In comparison, Australia’s State Governments have moved ahead rapidly with the development of cloud computing services, with NSW, Victoria and Queensland all taking formal “cloud-first” stances on the deployment of the new paradigm of services. It is, however, apparent that the states are taking this stance because their IT project and service delivery capabilities have fallen far behind where the Federal Government is. Most Federal departments and agencies are believed to have more modern IT systems than those found in the state governments. Cloud computing is offering the states the chance to leapfrog the need to upgrade many of their ailing IT platforms.
Prior to the Federal Election, the Coalition promised it would encourage Federal Government agencies to use cloud services, in an effort to operate their IT functions more efficiently. However, no concrete steps appear to have been taken to meet this aim since the September election.
I’m not surprised Microsoft has taken this stance, and I wouldn’t be surprised to hear that other cloud computing giants such as Google and Salesforce.com agree. I wrote about the policy in July last year:
“I’m in two minds about this. Firstly, and I’m sure this is the aim of the policy, this document explicitly opens up cloud computing use for non-personal and non-sensitive data, meaning that Federal Government departments and agencies now have implicit approval to use the cloud, including offshore cloud, for data storage. I have no doubt that this implicit approval is the main reason this new document was drawn up; and I’m sure it will have the effect of encouraging departments and agencies to host data in the cloud. This is a very good thing.
However, it should also be obvious that creating a situation where two ministers need to explicitly agree in certain cases where personal data could be kept offshore creates a massive bottleneck situation, which will probably create a whole host of ancillary issues. After all, it’s easy on paper to divide these different types of data (non-private, private and security-classified) into separate categories, but I think the Government will find in practice that they can be somewhat intermingled. For example, if you’re operating a website from the cloud with a login capability (or even one that sets cookies to intelligently identify those using it), can that data be kept offshore or not? There are thousands of these kinds of use cases which IT staff will need to grapple with; and taking an issue all the way up to your Minister, not to mention then to the Attorney-General, is a high bar indeed.
A policy which stipulates that only one individual in the whole Federal Government can approve the use of IT assets in a certain manner is, by definition, asinine and irrational. [Then-Attorney-General Mark Dreyfus] doesn’t even have a personal background in technology. It seems ridiculous that he would be the only arbiter of which of the millions of datasets the Federal Government holds can be kept in the cloud, and which can’t.”
There is little doubt that this policy will eventually be repealed, or that at the very least Federal Government CIOs will work out how to work around it. The march of cloud computing technologies in the Federal public sector will not be stopped wholesale by the Attorney-General’s Department. The business case for the use of such technologies is simply too strong, in many cases.
Image credit: Microsoft