Attorney General firmly spells out government cloud security policy


By Julian Bajkowski

Federal Attorney-General, Mark Dreyfus QC has drawn a firm line in the sand over how government buyers can adopt cloud computing solutions by stipulating a comprehensive set of security and risk assessments agencies must now adhere to before buying externally hosted computing and data storage capacity.

The Attorney General late Friday released the government’s official internal cloud computing policy, which leans substantially towards using domestic deployments to rein in known risks associated with data sovereignty and privacy protections.

The key upshot of the new government cloud computing policy is that it is now firmly bound within the Protective Security Policy Framework (PSPF) that was issued by the Attorney General’s Department (AGD) almost a year ago.

(AGD National Security Resilience Division First Assistant Secretary Mike Rothery has published a concise, plain-English rundown of the PSPF.)

The strong, specific and definitive position of the AG’s Department on how various kinds of government data may or may not be used in the cloud is likely to present new challenges to some applications vendors which have been pushing agencies to move to subscription licensing models that often rely on overseas-hosted instances.

Under the new cloud policy, government buyers could potentially require sign-off from two government ministers to ensure accountability and assessment of risks, depending on the kind of information proposed to be sent to the cloud.

The PSPF was the biggest overhaul to date of government security classifications and information security management standards, and heralded a conscious move to a “risk-based” approach to security, replacing the increasingly complex, onerous and compliance-driven Protective Security Manual, which was in essence a pre-internet (let alone pre-cloud) document.

Importantly, the classification overhaul removed a key demarcation between national security and non-national security classified information and replaced it with a single, more streamlined system that takes account of the fact that the bulk of sensitive government information often relates to the private sector and to sensitive personal information covered by the Privacy Act.

The PSPF overhaul was largely driven by the fact that agencies are increasingly expected to deliver services online and also stipulates the need to factor in “Business Level Impacts” when assessing the potential for negative consequences in the case of breaches or so-called data spills.

Those impacts now also include reputational damage, the risk of litigation and the potential loss of trust from customers and partners.

“The policy will aid decision-makers in determining when to allow the use of offshoring or outsourcing on a case-by-case basis,” Mr Dreyfus said.

While the new policy is being sold as bolstering the National Cloud Computing Strategy released in May this year, the realpolitik of the document is that it compels agencies to perform a more stringent set of risk-based checks.

It also strongly re-asserts the role of the Attorney General’s Department as the lead agency with which custody of government security policies, including information security, ultimately rests.

While technology services vendors have been pushing hard for agencies to enter into cloud-style deals to generate new sales and cost savings, it is understood that some offerings marketed as fit for government use have sometimes prompted more questions than answers from those checking the fine print on data sovereignty.

The strengthened security position is likely to benefit leading local and global cloud companies like Telstra and Amazon Web Services that have played a longer cycle strategic game by investing in onshore hosting facilities rather than selling on price and speed alone.

Telstra remains well-placed to pick-up more government cloud-computing work because it can potentially offer customers, especially smaller to mid-size agencies, a full suite of bundled applications, voice, video, carriage, compute and storage services.

Aside from its existing backhaul and hosting infrastructure, Telstra’s huge portfolio of property assets in the form of exchanges – which could be liberated of copper PSTN infrastructure under the National Broadband Network – gives it a geographic footprint that is hard to rival.

The AG’s cloud computing policy is also a sign that the government is starting to regard cloud installations as a maturing offering that buyers can now realistically take advantage of in an informed and considered way, rather than relying on less concrete guidance.

But it has been a long time coming. Cloud was considered one of the glaring omissions in the first sweep of the Gershon review, which imposed a now-lifted moratorium on new data centre deals at a time when the government was fast running out of capacity.

Those pushing the cloud cause as a means to enable more efficient government are similarly singing the AG’s vision as one that they are wholly in tune with.

“This Government is an enthusiastic supporter of new technology such as cloud computing, especially where it not only facilitates government business but helps us get the best value for the taxpayer dollar,” Senator Kate Lundy, Minister Assisting for Innovation and Industry and Minister Assisting for the Digital Economy, said.

“Cloud technology offers not just agility, flexibility and scalability, but also cost savings. In fact, cloud computing is fundamentally changing the way we think about communications technology.”

Senator Lundy said that combined with the rollout of the National Broadband Network, cloud computing held “the potential to revolutionise how we consume and use digital technology.”

A joint statement from Mr Dreyfus and Senator Lundy said that the government now holds much unclassified data which – subject to a risk assessment – can be stored in a public cloud.

Under the latest arrangement:

  • information that doesn’t require privacy protection can be stored and processed in outsourced and offshore arrangements after an agency-level risk assessment
  • privacy-protected information can only be stored and processed in outsourced and offshore arrangements with suitable approvals in place. The relevant portfolio Minister, and the Minister responsible for privacy and the security of Government information, currently the Attorney-General, will also need to agree to the arrangements.
  • security classified information cannot be stored offshore unless it is in special locations (such as Australian Embassies) or under specific agreements.
