Microsoft criticises AG Dept’s cloud rules



news Global technology giant Microsoft has asked the Federal Government to review a controversial policy enacted by the Attorney-General’s Department last year which which require departments and agencies to explicitly acquire the approval of the Attorney-General and the relevant portfolio minister before government data containing private information can be stored in offshore facilities.

In July last year, the Federal Government released a new cloud computing security and privacy directive (PDF) which requires departments and agencies to explicitly acquire the approval of the Attorney-General and their relevant portfolio minister before government data containing private information can be stored in offshore facilities. Data which doesn’t include personal information — and thus isn’t subject to privacy regulations — won’t suffer the same conditions.

Unlike existing cloud computing policies used in the Federal Government, the policy did not emanate from either the office of the whole of government chief information or technology officers, key parts of the Australian Government Information Management Office which helps set central government IT strategy and policy. Such policies have tended to favour removing impediments to cloud computing adoption, rather than adding barriers.

Instead, the new policy appeared to be a document created by the Attorney-General’s Department, as part of the Protective Security Framework which it administers to help ensure the physical and information security of the Federal Government as a whole.

The policy was immediately criticised on Twitter by Steven Stolk, the chief information officer of minor agency the Australian Sports Commission.

“The new policy from AG to have any public cloud with personal info approved by Minister & [Attorney-General] is a real barrier to use public cloud,” wrote Stolk on his Twitter account. “The flow chart shows all flow that has personal info going to the Minister!” And then, the CIO added: “The process just seems too risk averse. Privacy risk outways security, which can be assessed at the agency level.”

Although the Australian Sports Commission represents a relatively minor part of the Federal Government’s IT spend, Stolk himself is a veteran in government technology circles. The executive has served the ASC as CIO for four and a half years, and has also held senior technology positions at the Civil Aviation Safety Authority, as well as at IT services company KAZ (now part of Fujitsu).

In a submission in December (PDF) to the Department of Communications’ Public Consultation on Deregulation Initiatives in the Communications Sector, first reported by iTNews this week, Microsoft — a major cloud computing player as well as a major supplier of traditional software to the Federal Government — went out of its way to criticise the new rules.

“We understand that the Federal Government, quite rightly, has a requirement for strong protective security policies and practices, particularly in relationship to sensitive and classified information assets,” the letter from the company’s local managing director Pip Marlow stated. “We do, however, also feel that agencies should be able to leverage security guidance to make their own risk-based assessments on whether to utilise cloud services.”

Microsoft wrote that the Attorney-General’s cloud guidelines had “added an additional hurdle for agencies’ consideration of cloud computing services.”

“This guidance has not only added a procedural barrier into the consideration of offshore-hosted cloud services for non-security classified data; it has created confusion around the privacy requirements of agencies and putting the Federal Government’s internal guidance on cloud at odds with the more constructive guidance of the Office of the Australian Information Commissioner,” Microsoft wrote.

“While this is not regulation that falls within the Communications portfolio, we feel it is worth drawing the portfolio’s attention to, given the Minister’s express desire to have a “more aggressive take-up” of cloud within government agencies.

The situation comes as the adoption of cloud computing services appears to have largely stalled within the Federal Government, despite the fact that the previous Labor administration had attempted to take steps to remove impediments to the development of cloud projects within departments and agencies.

In comparison, Australia’s State Governments have moved ahead rapidly with the development of cloud computing services, with NSW, Victoria and Queensland all taking formal “cloud-first” stances on the deployment of the new paradigm of services. It is, however, apparent that the states are taking this stance because of the fact that their IT project and service delivery capabilities have fallen far behind where the Federal Government is. Most Federal departments and agencies are believed to have more modern IT systems than those found in the state governments. Cloud computing is offering the states the chance to leapfrog the need to upgrade many of their ailing IT platforms.

Prior to the Federal Election, the Coalition promised it would encourage Federal Government agencies to use cloud services, in an effort to operate their IT functions more efficiently. However, no concrete steps appear to have been taken to meet this aim since the September election.

I’m not surprised Microsoft has taken this stance, and I wouldn’t be surprised to hear that other cloud computing giants such as Google and agree. I wrote about the policy in July last year:

“I’m in two minds about this. Firstly, and I’m sure this is the aim of the policy, this document explicitly opens up cloud computing use for non-personal and non-sensitive data, meaning that Federal Government departments and agencies now have implicit approval to use the cloud, including offshore cloud, for data storage. I have no doubt that this implicit approval is the main reason this new document was drawn up; and I’m sure it will have the effect of encouraging departments and agencies to host data in the cloud. This is a very good thing.

However, it should also be obvious that creating a situation where two ministers need to explicitly agree in certain cases where personal data could be kept offshore creates a massive bottleneck situation, which will probably create a whole host of ancillary issues. After all, it’s easy on paper to divide these different types of data (non-private, private and security-classified) into separate categories, but I think the Government will find in practice that they can be somewhat intermingled. For example, if you’re operating a website from the cloud with a login capability (or even one that sets cookies to intelligently identify those using it), can that data be kept offshore or not? There are thousands of these kinds of use cases which IT staff will need to grapple with; and taking an issue all the way up to your Minister, not to mention then to the Attorney-General, is a high bar indeed.

A policy which stipulates that only one individual in the whole Federal Government can approve the use of IT assets in a certain manner is, by definition, asinine and irrational. [Then-Attorney-General Mark Dreyfus] doesn’t even have a personal background in technology. It seems ridiculous that he would be the only arbiter of which of the millions of datasets the Federal Government holds can be kept in the cloud, and which can’t.”

There is little doubt that this policy will eventually be repealed, or that at the very least Federal Government CIOs will work out how to work around it. The march of cloud computing technologies in the Federal public sector will not be stopped wholesale by the Attorney-General’s Department. The business case for the use of such technologies is simply too strong, in many cases.

Image credit: Microsoft


  1. two words microsoft : Patriot Act

    actually a few more words microsoft: Stored Communications Act

    A little known U.S. Act that classifies all data older than 180 days as abandoned, which means it can be accessed at any time, without warrant or just-cause. (how old are your older untouched gmail and hotmail messages)

  2. “The business case for the use of such technologies is simply too strong, in many cases.”

    Not everything is about the business case Renai. We’re talking about peoples private information.

    This policy is too restrictive, it creates a huge bottleneck in process, but just because it’s cheaper to store my information “in the cloud”(I hate that term) doesn’t mean it’s a good idea. There are real concerns as mentioned by Nobby, around data sovereignty that need to be seriously addressed.

  3. Change the policy to local hosted cloud services only and everyone will be happy. It will create investment in local server farms. It will create employment, It might help in getting a better NBN.

  4. When did data sovereignty stop being an issue?

    That ministerial approval is required is simply a signal to all involved that only the most compelling reasons will be countenanced. It won’t create a bottleneck because hardly any cases will get that far.

    • Quite right – no Minister is going to sign off that they are responsible for a privacy breach in the cloud (it’d be like strapping on a political grenade around your neck and never being sure when the pin will be pulled).

  5. Ummm… l o g i c . . . Ah!

    microsoft AND offshore AND cloud = NOT security

    google AND offshore AND cloud = NOT security

    (microsoft OR google) AND offshore AND cloud = NOT security

    m y h e a d h u r t s . . . Ah!

    NOT(microsoft OR google OR offshore) NOR cloud = security


  6. Given that it is utterly impossible to prevent a hosting provider or some other agency with host level access from accessing your data, I think there is no situation in which anything vaguely private should be stored on the cloud overseas. Encryption doesnt work in this case as a simple memory dump will reveal all your keys.

    By all means put data on hosted servers in your own country, preferably with conditions where company management goes to jail in case of leaks related to the hosting. Otherwise, surely the govt is big enough to run its own datacentre that provides vms to all fed and maybe state govts.

    The cloud is inherently unsecureable as someone else has the physical equipment. If you care about actual privacy, you simply cannot use it.

  7. Renai – go and find out if Microsoft is lobbying the US government against the Patriot Act. It would be hypocritical of them if they were not.

  8. This is about more than IT decision-making.

    The Australian market is big enough to get some in-country cloud solutions for IaaS. In fact I think that Azure and AWS will be here soon or already are here.

    Frank hit on a key point. The real push here by the Feds is to influence the industry to build IaaS and cloud solutions here in Australia. There are local vendors that deliver this now, and more global vendors are adding their solutions to the mix.

    The “cloud” is impacted by international regulatory issues as many of you have noted. I think its smart for Australia to put up some roadblocks regarding their private data going offshore. National private data is turning into an export commodity in the modern world – there is every reason to protect it and push industry to create local cloud deployments in-country!

Comments are closed.