Commission of Audit recommends ‘cloud-first’ policy



news The new Coalition Government’s Commission of Audit (CoA) has strongly recommended the Federal Government adopt a “cloud-first” IT infrastructure procurement policy, in a move which would clear up Canberra’s often-confused approach to the issue and see it follow other jurisdictions such as Queensland, New South Wales and Victoria.

Section 10.7 of the CoA’s report (available in full online) highlights the fact that there is currently a global trend for organisations to move away from owning and operating ICT assets to more flexible and cost-effective cloud computing models.

“Public cloud computing offers the greatest savings by amortising costs over millions of users globally,” the report states. “It can produce significant savings in the total cost of ownership, estimated at estimated 20 to 30 per cent of infrastructure costs. Private cloud facilities are more expensive but offer benefits such as increased security.”

“The emergence of cloud-based technology offers the potential for better efficiency and service standards across government. Savings are available across all three typical cloud service offerings: software, platform and infrastructure.”

However, the report noted, the Federal Government had been “slow” to adopt cloud computing, preferring to rely instead on bespoke, legacy systems. Concerns about the security and privacy of placing public data in the cloud as well as “general risk aversion” had impeded progress in this aea in the Federal Government, the report stated.

To rectify this situation, and in accordance with the approach being adopted outside of government, for example in the banking sector, the Commission recommended that a ‘cloud first’ policy, particularly for low risk, generic ICT services should be clearly articulated and enforced by the Government. “Over three to five years, this could progressively reduce ICT costs as cloud computing becomes the default option,” the report stated.

In order to make it easier for departments to source cloud services with confidence, the CoA proposes the Department of Finance establish a whole of government cloud computing provider panel to confirm the viability, capability and costs of large-scale cloud computing providers. Agencies could then obtain quotes for such services as the need arises.

Competition should be maintained in the market for cloud providers by adding new vendors and services as they become viable. This would also allow government to establish standards for such services. The range of offerings in such a panel would allow agencies to procure public or private cloud computing services, with appropriate levels of security.

On the face of it, the audit’s recommendations would appear to bring the Federal Government’s IT procurement policy in line with similar policies recently enacted in other jurisdictions such as Queensland, NSW and Victoria, which are using cloud computing solutions to deal with systemic and ongoing IT service and project delivery crises.

In addition, a new cloud computing policy has the potential to remove some roadblocks to cloud adoption in the Federal Government.

In July last year, the Federal Government released a new cloud computing security and privacy directive (PDF) which requires departments and agencies to explicitly acquire the approval of the Attorney-General and their relevant portfolio minister before government data containing private information can be stored in offshore facilities. Data which doesn’t include personal information — and thus isn’t subject to privacy regulations — won’t suffer the same conditions.

Unlike existing cloud computing policies used in the Federal Government, the policy did not emanate from either the office of the whole of government chief information or technology officers, key parts of the Australian Government Information Management Office which helps set central government IT strategy and policy. Such policies have tended to favour removing impediments to cloud computing adoption, rather than adding barriers.

Instead, the new policy appeared to be a document created by the Attorney-General’s Department, as part of the Protective Security Framework which it administers to help ensure the physical and information security of the Federal Government as a whole.

The policy was immediately criticised on Twitter by Steven Stolk, the chief information officer of minor agency the Australian Sports Commission. And key IT supplier Microsoft has also written to the Federal Government that the Attorney-General’s cloud guidelines had “added an additional hurdle for agencies’ consideration of cloud computing services.”

However, it is not immediately clear what steps the CoA would recommend any cloud computing policy implement to go past existing structures inside the Federal Government for dealing with cloud computing.

The Department of Finance and its AGIMO unit have already published centralised cloud computing procurement guidelines, and a cloud computing supplier panel of the type recommended by the CoA already exists. In addition, success Federal Governments have already declared ‘cloud-first’ policies, which have appeared to have little impact on Federal Government procurement outcomes.

Cloud computing lobby group OzHub, which counts Macquarie Telecom, VMware, Infoplex, Alcatel-Lucent and F5 Networks on its member list, immediately welcomed the CoA’s recommendation.

“A cloud-first policy is the right way to go and the Australian Government should take immediate steps to implement these recommendations,” said Matt Healy, Chair of OzHub. “Australia is already ranked as one of the world’s most cloud-ready economies and the government is poised to realise the efficiency benefits of a cloud-first policy.”

“The Australian industry is ready, and has invested deeply in data centres that provide the cloud computing infrastructure. Further, the rollout of the NBN and 4G networks as well as increased use by federal and state governments will only further develop cloud computing to the point where it’s business as usual.”

Of course, I strongly agree that the Federal Government should be pushing heavily into using cloud computing platforms, and I think most progressive thinkers (and even many conservative voices) in the IT sector would agree. Over the long term, cloud computing platforms will increasingly become bog normal, due to their inherent advantages over the traditional way of doing things.

However, I don’t think the CoA has really provided any detail here about how such a strategy should be pursued. The Federal Government already has policies and panels in this area. And yet, because of the lack of high-level ministerial interest to drive it, adoption of cloud computing has been tepid compared with other jurisdictions. A stronger approach is needed if change is to be witnessed here. That’s not an opinion — that’s just what the evidence to date clearly shows.


  1. I dont have a problem with cloud services, but who has jurisdiction? If you use Amazon, as an example, the US Government claims the data under their laws, as you are buying services connected to the USA. Ditto for every other cloud service I can think of.

    As an example, look at the Megaupload situation. Non resident, never set foot in the US, with his company never having a presence in the US, but because the servers holding the companies data is in the US, they claim jurisdiction.

    Thats my worry in a nutshell. Most of these cloud companies have ties to the US, who want the data for themselves. What happens if the servers are seized by the US in some raid? Cloud services have many benefits, but there are also negatives as well that havent been worked through yet. Is it really a good idea to have sensitive Government data in that environment yet?

    Personally I think Governemt services being cloud first are still a few years away. There are too many questions that havent been answered.

    • To be fair, the CoA did mention, from the extracts that Renai has provided, did mention, at least in passing, that in order to mitigate these issues you would use a “Private Cloud.”

      In other words the government could arrange a scheme where they use an off the shelf cloud product and fill out two or three data centers throughout the country with equipment. This equipment would then allow them to leverage the advantages of IaaS while also being assured of where the data is stored. This scheme would naturally be available to all government organisations, maybe both state and federal, to utilise, potentially as a GBE.

      If the Australian government wasn’t interested in such a policy, it wouldn’t be too hard to fulfil this niche from a private company (high standards of data security, Australia only data centers, etc) for a private company and resell this to the government.

      I realise that when someone says “Cloud” you immediately think of AWS or Azure, but any provider who provides IaaS can be leveraged by the government, it doesn’t have to be the big players.

      • Fair enough, but they basically do that already. The main data servers for Govt information arent stored in places like the ATO, or Centrelink head offices, its stored elsewhere and staff access the information offsite. Basically, cloud services.

        My problem is the risk of losing control of the information. I used the Megaupload example for good reason – it highlights a lot of the risks cloud services of any kind raise. Who’s responsible for the information stored, who has rights to access it, and who can stop them. We’ve all read the story around MU, and what the US has done to him can potentially happen to a lot of other cloud services. They just need a justification for it, and they’ve shown they are willing to use very loose connections.

        One thing I will question is the size of the company needed. Do people understand how much information the Government holds? To provide cloud services means accessing a lot of that, and THATS not a small ask. I’d be willing to bet that the number of companies that could provide a satisfactory tender for the services would be under 10 companies. Most of which would be multinationals.

  2. I don’t see how it can work in Ozz. With (public) IT infrastructure that is bandwidth constrained (#MTM) and not even inplace for most of the population to have access too.

    Watch the QLD experience. I suspect the QLD Government is headed for yet another IT disaster, “in the Cloud”. No state wide connectivity and restricted bandwidth.

    I have not even mentioned security and ownership (law) rights. Responsibility also comes to mind.

    Try setting up a multi gigabyte off site backup using something like Crashplan. Weeks later you might have it fully populated. Very small is fine but “enterprise”! Not unless you have your own high performance links and local data centre/s. (A NBN for the Government and nothing for the people!)

    Pie in the sky (a financial disaster) unless their is infrastructure.

Comments are closed.