blog Your writer hasn’t quite had time to go into the in-depth critique of the New South Wales Government’s new cloud computing policy that he would have liked, due to a little time-consuming phenomenon which we like to call the goddamned Federal Election (thank God it’s over). However, Marten Hauville, a technical business consultant at local firm buildpartner, has examined the document in detail, and found it extremely lacking. He’s published an extensive blog post with his analysis. A few key paragraphs:
“There is absolutely minimal reference in the paper, to important cloud components such as Deployment Models and no mention whatsoever of Essential Characteristics. Where is the assessment and statement on Public, Private; or Hybrid: relating to underlying IT strategy, business drivers, technology strategy, risk appetite, legal and security requirements? Surely an IT Policy paper should be based on an overarching IT Strategy? Can I at least get some due diligence? It isn’t like data sovereignty in the cloud and data privacy are new, this concern has been around for a while.
Even key related government papers, such as Cloud Security documents from Defence Signals Directorate (DSD), Australian Federal Government Cloud Policy Guides and ACMA Chairman Chris Chapman mention that data security issues that are highly important in any cloud implementation. Why then, does the NSW Government paper overlook these and other basic essential NIST cloud defined components? Only references are to outdated (in perspective and approach) IT documents from within the NSW Government are referenced with in the Cloud Services and Policy Guidelines document. Shouldn’t a government policy document be referencing basic Cloud Security requirements as recommended by DSD, Federal Government and Industry Bodies?”
Look, to be honest, I found Hauville’s post on this issue to be a little rambling. He goes into many different areas, and I’m not sure that he’s made a cohesive argument here. However, I will say one thing: In his blog post, Hauville references most of Australia’s major publicly available resources on cloud computing, and correctly points out that the NSW Government’s new cloud computing policy does not. This, in and of itself, is enough for other observers to be questioning the policy’s details. This is definitely one policy which should be built on what has come before.
Does this invalidate the policy? No, it doesn’t. In my opinion, the NSW Government is aware of many of the issues Hauville raises in his blog post, and the policy does seem to draw on some of the resources Hauville mentions, even if it does so explicitly. However, the consultant has a point — this new cloud policy issued by the NSW Government isn’t precisely a ‘thought bubble’, but it’s not the detailed thought leadership position it could have been either. It could have been a lot more powerful, referenced and argued, than it is.