By necessity, governments are risk averse and slow to move to new trends. While technology can move quite quickly, some new trends are a flash in the pan and disappear as quickly as they appear. Others sound like they’ll be the Next Big Thing but fade to obscurity. So when the federal government puts time and effort into developing guidelines around a specific technology, we can be reasonably assured they are serious about it.
The adoption of cloud technologies is moving forward rapidly and offers significant opportunities for cost reduction, improved operational performance and higher reliability. But those benefits don’t come for free — which is why the Australian Government Information Management Office has released a series of documents that provide government departments with guidance about choosing, paying for and managing cloud services.
The federal government’s Better Practice Guide for Cloud Computing covers three major areas: legal issues, financial considerations and privacy concerns. The documents are short — just a few pages each — and provide advice that is technology agnostic and in plain English.
Perhaps the most complex part of migrating to a cloud solution is negotiating the maze of legal obligations covering everything from privacy to liability and indemnity. Not surprisingly, “Negotiating the Cloud — Legal Issues in Cloud Computing Agreements” is easily the longest of the three guideline documents.
In order for the government to enforce contract provisions with cloud service providers, consideration is given to allowing auditors to have access to systems in order to ensure that all security and reliability obligations are being met. The difficult matter of compensation for failure to meet obligations is also covered. Security issues are covered in detail including physical, logical and communications security. Again, the advice is presented in plain language so that it can be understood by non-technical personnel. The deletion and destruction of data are also covered — an area often forgotten by organisations looking at the entire data lifecycle.
The most complex and contentious issues in any contract are usually around limitations of liability and indemnity. Although cloud computing is a relatively new phenomenon, these legal precepts have been around for a long time and the government has mature advice.
Importantly, processes are suggested for the termination of cloud service agreements and how to resolve disputes.
Many cloud service providers sell their services on the basis of cost savings. However, the guidelines provide some very prudent advice. In particular, they ensure that procurement departments aren’t caught out by the many claims that cloud solutions are always cheaper than their on-premise counterparts.
Of greater complexity is the need to ensure that data is appropriately segregated, so that information pertinent to one government department is not made available to other departments inadvertently. There are several other documents that need to be considered with this guide, including information from the Defence Signals Directorate and the National Archives.
When considering the privacy issues, the government makes it clear through this guideline that regardless of the location of the cloud service, the important factor is compliance with Office of the Australian Information Commissioner privacy principles. For example, with regard to the storage of personal data, service providers must comply with IPP 4 — Storage and security of personal information.
The privacy guideline also deals with the contentious issue of transborder data flows, and looks at the impact of the USA Patriot Act — which gives the US Government access to information in specified circumstances irrespective of the geographical location, and without necessarily advising the agency. – Anthony Caruana
This story originally ran in the February-March 2012 issue of Government Technology Review.