Can AGIMO guide government into the cloud?
By necessity, governments are risk averse and slow to move to new trends. While technology can move quite quickly, some new trends are a flash in the pan and disappear as quickly as they appear. Others sound like they’ll be the Next Big Thing but fade to obscurity. So when the federal government puts time and effort into developing guidelines around a specific technology, we can be reasonably assured they are serious about it.
The adoption of cloud technologies is moving forward rapidly and offers significant opportunities for cost reduction, improved operational performance and higher reliability. But those benefits don’t come for free — which is why the Australian Government Information Management Office has released a series of documents that provide government departments with guidance about choosing, paying for and managing cloud services.
Cirrus clouds CC 3.0 BY-SA by Fir0002
The federal government’s Better Practice Guide for Cloud Computing covers three major areas: legal issues, financial considerations and privacy concerns. The documents are short — just a few pages each — and provide advice that is technology agnostic and in plain English.
Legal advice
Perhaps the most complex part of migrating to a cloud solution is negotiating the maze of legal obligations covering everything from privacy to liability and indemnity. Not surprisingly, “Negotiating the Cloud — Legal Issues in Cloud Computing Agreements” is easily the longest of the three guideline documents.
This guide serves as a fitting introduction to the government’s advice as it defines cloud services as either providing software, platforms or infrastructure as services. Given that the majority of government staff aren’t technologists, this is very useful and the definitions are written in plain, jargon-free language. The guide looks at a number of very complex topics including protection of information, liability, performance management, ending the arrangement and dispute resolution.
As the government holds a large volume of confidential, personal data for all of us, the issues of information protection are given attention first. Although governments are extremely risk averse, the document is pragmatic in its approach: for example, in dealing with issues of data location, it advises that the government’s privacy obligations for Commonwealth contracts from the Office of the Australian Information Commissioner are used.
In order for the government to enforce contract provisions with cloud service providers, consideration is given to allowing auditors to have access to systems in order to ensure that all security and reliability obligations are being met. The difficult matter of compensation for failure to meet obligations is also covered. Security issues are covered in detail including physical, logical and communications security. Again, the advice is presented in plain language so that it can be understood by non-technical personnel. The deletion and destruction of data are also covered — an area often forgotten by organisations looking at the entire data lifecycle.
The most complex and contentious issues in any contract are usually around limitations of liability and indemnity. Although cloud computing is a relatively new phenomenon, these legal precepts have been around for a long time and the government has mature advice.
Importantly, processes are suggested for the termination of cloud service agreements and how to resolve disputes.
Financial considerations
Many cloud service providers sell their services on the basis of cost savings. However, the guidelines provide some very prudent advice. In particular, they ensure that procurement departments aren’t caught out by the many claims that cloud solutions are always cheaper than their on-premise counterparts.
A key recommendation of the financial guideline is that capital expenditure is likely to be transferred to operational spending. There is also advice on how to make longer-term financial plans so that the departmental budget isn’t unexpectedly impacted in the future.
Keeping your privates protected
Almost every critic of cloud services bases part of their argument on privacy issues. Interestingly, the “Privacy and Cloud Computing for Australian Government Agencies” document opens with the assertion that cloud computing “has the potential to enhance privacy safeguards” used to protect personal information held by Government agencies. This goes against common wisdom but reflects the range of perspectives on cloud solutions.
Of greater complexity is the need to ensure that data is appropriately segregated, so that information pertinent to one government department is not made available to other departments inadvertently.
There are several other documents that need to be considered with this guide, including information from the Defence Signals Directorate and the National Archives.
When considering the privacy issues, the government makes it clear through this guideline that regardless of the location of the cloud service, the important factor is compliance with Office of the Australian Information Commissioner privacy principles. For example, with regards to the storage of personal data, service providers must comply with IPP 4 — Storage and security of personal information.
The privacy guideline also deals with the contentious issue of transborder data flows, and looks at the impact of the USA Patriot Act — which gives the US Government access to information in specified circumstances irrespective of the geographical location, and without necessarily advising the agency. – Anthony Caruana
This story originally ran in the February-March 2012 issue of Government Technology Review.