Australia needs a cloud computing regulator


This article is by Sam Higgins, research director at Longhaus, a leading Asia-Pacific ICT industry analyst firm covering Australia and near shore markets. This article first appeared in the firm’s Longview journal (PDF) and is published here with its permission.

analysis In June 2010 Microsoft held an industry analyst event in Sydney. In attendance was Greg Stone, chief technology officer for Microsoft in Australia and New Zealand.

Amongst other things Longhaus discussed with Stone were issues relating to standards, data sovereignty and regulation of the global cloud computing market. One particular element of that discussion was market supervision and in particular what happens when cloud providers fail; and who is responsible for mitigating this risk? It was a topic that also received attention from Laura Smith of in August.

Compared with other utility or critical industries, it is reasonable to say that information technology is only lightly regulated. If you step beyond technology manufacturing, of which there is little in Australia, and telecommunication service providers being monitored by the Australian Media and Communication Authority (ACMA), this is especially so.

Instead, most ICT companies — including the new breed of cloud computing providers — are left under the broad watch of the Australian Securities and Investment Commission (ASIC) and the Australian Competition and Consumer Commission (ACCC). A simple search of the current policies of ASIC, ACCC and ACMA reveals that beyond email scams and spam, none of these organisation is paying sufficient attention to the new industrial phenomenon that cloud computing represents.

Indeed, even the reported government policy thinking to date appears limited to how to exploit cloud computing for the sake of internal efficiency or security, rather than about what the reality of paying an offshore firm not required to be registered for Goods and Service Tax (GST) means for Australia’ s taxation revenue. If one was to assume for a moment that cloud computing, in all its “as-a-service” forms, will become the dominant model for provision of ICT, then like any core element of economic prosperity, be it water, power, health, travel or of course money, this increasingly attractive market requires oversight.

The truth is cloud computing as a dominant model for ICT services is not an assumption. It is fast becoming a reality, with 62 percent of large Australian organisations from Longhaus’ 2010 ICT Adoption and Priorities Study indicating cloud computing would be a priority to manage cost of ICT in the next financial year. It is therefore critical that policy makers and buyers start asking at least two simple questions: What standards or policies are in place to ensure that cloud providers manage their assets appropriately to protect businesses from the risk of a collapse? And what recourse is there for a business that is locked into a long-term contract with a cloud provider?

The answers today to both questions are: “None”. The current system relies almost exclusively on the “power of the market”. This is a power we clearly saw abused by individuals and institutions alike on Wall Street that contributed, if not caused, the most recent global financial crisis.

Like the financial, water and power systems, ICT has specialised considerations that require expert knowledge and insight in order to be effectively managed in the long term. It makes sense that ICT services of the global reach and wide-scale adoption that cloud computing currently presents should also be subject to scrutiny by third-party organisations that have the requisite skills and capability to provide proper oversight. It is not acceptable to simply leave the complexities of cloud computing and their associated need for large scale capital refreshes and long range marginal costing models to ASIC or the ACCC.

Take the Australian Prudential Regulation Authority (APRA) as an example. Funded primarily by industry but created within a regulatory framework that arises from the “four pillars” policy, its mission reads as follows: To establish and enforce prudential standards and practices designed to ensure that, under all reasonable circumstances, financial promises made by institutions we supervise are met within a stable, efficient and competitive financial system.

It is through this mission, enabled by the collection of essential statistics regarding the viability of every financial institution operating within Australia, that was a key mechanism in preventing Australia’ s banking system from over-leveraging and accepting excessively high toxic debt. Arguably Australia’s regulatory mechanism worked to prevent excessive impacts of the Wall Street disease from infecting its own financial system.

The same is true of all the other core elements of economic prosperity mentioned above. Each of which has specialised regulatory frameworks that include the following features:

  • Industry associations to represent key players and their economic interests to government and the regulator;
  • Formalised user or consumer groups to advocate on behalf of buyers to government and the regulator;
  • A “reserve” or element of government participation or ownership, such as the Reserve Bank in financial markets, or the Universal Service Obligation legislation in telecommunications;
  • An independent industrial ombudsman to monitor complaints and handle mediation of disputes which in turn provides a crucial lead indicator of potential trouble;
  • A formally regulated industry monitor or watchdog to consider matters such as anti-competitive behaviour, foreign investment levels and transactions, price monitoring, standards compliance and to gather key statistics and report on the viability of the “system” overall; and
  • Minimum industrial standards for interoperability, fairness, other reasonable buyer protections and service obligations.

It is time that the Australian ICT Industry created an appropriate regulatory model for cloud computing and once again showed the world its ability to create resilient and innovative environments for effective business — just as was done when the G8 turned to the APRA model as the basis for global financial regulation.

The alternative is that inevitably when the Enron, WorldCom, Lehman Brothers, Pyramid Building Society, HIH or OneTel-like collapses finally hit the global or local cloud computing market, it is with little doubt that questions will be raised about why our political and industrial masters left such critical services unregulated and under-supervised for so long.

Image credit: Jason Morrison, royalty free


  1. I don’t even know where to begin…

    Bringing “government regulation” in drives out competition and innovation. You’re talking about regulating a nascent industry that hasn’t even gotten off the ground yet.

    This type of silly “regulate the internet” stuff is beyond comprehension. If you’re a cloud storage provider here in Australia and you have to comply with some stupid APRA-type watchdog and their rules established by consultants from the “Fat 4” who know nothing of practical IT then your company will never be competitive. It costs money to comply with standards, so you’ll immediately drive startups out of the industry. Do you see many new innovative insurance companies or banks popping up?

    Secondly, how can you regulate your little corner of the internet when a company like will simply never have to comply? You’re jut putting your own start-ups at a disadvantage – the counter-argument that it will ensure “quality” is a non-sequitor, just because its regulated doesn’t make it entirely risk free.

    This non-sensical “call to arms” for Australia to “show the world” how it can create a well run, blah blah blah is laughable. Australia is a cloud computing backwater – it is leading in nothing. There isn’t really a single leading edge cloud services provider in this country that I’m aware of. To then suggest that if we make a moribund industry adopt some draconian regulatory regime (as though the lack of regulation has been what’s been holding back entrepreneurship and innovation) is mind boggling.

    Australia is behind because there are no incentives to innovate or invest in this kind of technology. If the government offered data centre providers the ability to fast-track depreciation of assets,early write-offs of old plant or sizable tax incentives to build green data centers, then we’d have the faciities to host this type of stuff. As it stands, we have a government that is trying to build an anti-competitive fibre network using large amounts of debt funding and then slow it down by content filtering it. A heavily regulated cloud computing industry with a government watchdog would give us the trifecta of stupidity, so who knows, it might happen after all.

    • Agree.

      Even when tightly regulated and controlled, companies will still fail, and customers will still be faced with the same issues. You can have all the contractual and regulatory frameworks you like in place, but if the company goes belly up, they mean nothing.

      Though it is a component, cloud computing isn’t about data storage. It is about processor time.

      Want to run up a test server for a couple of weeks, without the expense of a real server? Pay a cloud provider a couple of hundred bucks to run it in their server farm. No “data” per se need be involved.

      If you are going to use the cloud purely for data storage you can do that, but then you are creating more potential issues for yourself. Any ICT professional with an ounce of intelligence will never consider that storing data in one location is “safe”.

      In a cloud model, you might run from one providers storage, and have a secondary backup with another provider, plus their backups, and your own backups. You spread the risk.

      Like in any business process, you make an assessment based around risk mitigation and business continuity.

      The cloud is only as risky as how much risk you choose to move into the cloud.

Comments are closed.