NSW cloud policy inadequate, says consultant



blog Your writer hasn’t quite had time to go into the in-depth critique of the New South Wales Government’s new cloud computing policy that he would have liked, due to a little time-consuming phenomenon which we like to call the goddamned Federal Election (thank God it’s over). However, Marten Hauville, a technical business consultant at local firm buildpartner, has examined the document in detail, and found it extremely lacking. He’s published an extensive blog post with his analysis. A few key paragraphs:

“There is absolutely minimal reference in the paper, to important cloud components such as Deployment Models and no mention whatsoever of Essential Characteristics. Where is the assessment and statement on Public, Private; or Hybrid: relating to underlying IT strategy, business drivers, technology strategy, risk appetite, legal and security requirements? Surely an IT Policy paper should be based on an overarching IT Strategy? Can I at least get some due diligence? It isn’t like data sovereignty in the cloud and data privacy are new, this concern has been around for a while.

Even key related government papers, such as Cloud Security documents from Defence Signals Directorate (DSD), Australian Federal Government Cloud Policy Guides and ACMA Chairman Chris Chapman mention that data security issues that are highly important in any cloud implementation. Why then, does the NSW Government paper overlook these and other basic essential NIST cloud defined components? Only references are to outdated (in perspective and approach) IT documents from within the NSW Government are referenced with in the Cloud Services and Policy Guidelines document. Shouldn’t a government policy document be referencing basic Cloud Security requirements as recommended by DSD, Federal Government and Industry Bodies?”

Look, to be honest, I found Hauville’s post on this issue to be a little rambling. He goes into many different areas, and I’m not sure that he’s made a cohesive argument here. However, I will say one thing: In his blog post, Hauville references most of Australia’s major publicly available resources on cloud computing, and correctly points out that the NSW Government’s new cloud computing policy does not. This, in and of itself, is enough for other observers to be questioning the policy’s details. This is definitely one policy which should be built on what has come before.

Does this invalidate the policy? No, it doesn’t. In my opinion, the NSW Government is aware of many of the issues Hauville raises in his blog post, and the policy does seem to draw on some of the resources Hauville mentions, even if it does so explicitly. However, the consultant has a point — this new cloud policy issued by the NSW Government isn’t precisely a ‘thought bubble’, but it’s not the detailed thought leadership position it could have been either. It could have been a lot more powerful, referenced and argued, than it is.

Image credit: Dimitri Castrique, royalty free


  1. Here are my comments on Martin’s Blog:

    Hmmm … I don’t believe that the policy, or any policy really, needs to be a “everything you needed to know about this topic but were afraid to ask” kind of a guidebook.

    I’m a member of the NSW ICT Advisory Panel … so I didn’t write the policy but I did have some input into it.

    The aim of the policy in my understanding was to set some basic direction and guidance and then to put cloud services procurement firmly in the context of the generalized policy that applies to any ICT procurement. There is no need, for example, to revisit the NIST definitions … these are now well accepted and commonly known. You are right, however, that the policy could perhaps have included a ‘For Further Reference’ section at the back so that readers could be pointed in the direction of relevant bedtime reading. I believe, however, that the team is creating a repository of useful reference/guidance material which is available to practitioners to support experience sharing etc.

    Matters of data sovereignty, information privacy, record keeping etc. etc. are business requirements that apply to ANY ICT procurement … in-house ICT, in-house shared services, outsourced managed service, outsourced private cloud or public cloud service. There is no need to ‘call these out’ as being unique or specially applicable to cloud services (only). The policy simply seeks to put cloud services on a level playing field to other ways of sourcing ICT capabilities.

    Essentially it up to any executive responsible for any ICT procurement to ensure that the services procured are fit for business purposes and compliant with the relevant business and regulatory requirements and obligations.

    The problem is that the more explicit and detailed the policy is in terms of the mechanics and specifics of cloud services procurement, implementation, integration, operation and retirement/exit then the more it become used as a barrier to cloud services adoption by folks with vested interests. Making everything explicit implies that the risks and issues apply only to cloud services … not to other sourcing options. Also, a more detailed policy becomes unstable because the specifics are very fast moving – so you end up chasing your tail with updates every day. The better path is to keep the policy guidance at a high level and then promote experience sharing and transparency across the agencies to accelerate organizational learning and the sharing of good practices, lessons learned etc.

    Find things that work and discover things that don’t quickly and at low cost. Do more of the things that work and less of the things that don’t. Propagate proven solutions across agencies through peer interactions.

    Over-prescriptive policies don’t really help because they are usually not in-tune with front-line hands-on experiences, are too conservative/inflexible and often produce unintended perverse consequences.

Comments are closed.