South Australia’s Auditor General says governance around state government cloud computing needs to be strengthened after finding some agencies are failing to do risk assessments or even talk to their ICT teams before procuring services.

The review looked at seven agencies maintaining 178 cloud computing capabilities, mainly around finance and operational activities, and including 118 services that held sensitive information.

“The state’s current cloud computing approach could be strengthened through increased collaboration between agencies and centralised reporting to either the Department of the Premier and Cabinet or some form of inter-agency forum,” auditor general Auditor general Andrew Richardson said.

“The aim would be to help agencies while they move their services to the cloud by providing guidance, risk mitigation strategies, a more consistent approach to managing cloud computing and the integration of security governance.”

Of the total number of cloud services identified, 131 held data within Australia. Data was held outside Australia in 29 and 18 used a combination of onshore and offshore storage.

Three of the agencies said they had experienced minor security incidents related to cloud service providers over the last three to four years.

Six of the agencies said they expected to increase their use of cloud computing within 24 months but four said they didn’t have the internal  resources to support the services.

Agencies rated data security as the most important consideration when evaluating a cloud solution, followed by cost and vendor reputation.

Gaps in governance

In November 2018, SA released the Whole of Government ICT Strategy 2018, which sets the strategic direction for government cloud computing services.

The audit found that six of the seven agencies reviewed said they had formal policies and procedures for incident management in line with the strategy and one had a draft policy that was yet to be formalised.

The review found that some agencies didn’t do risk assessments or involve their ICT in cloud projects.

Of the seven agencies we reviewed, three advised us that they did not sufficiently engage their ICT team in the evaluation and implementation of their cloud service proposals”

SA Auditor General

“Of the seven agencies we reviewed, three advised us that they did not sufficiently engage their ICT team in the evaluation and implementation of their cloud service proposals,” the report says.

Three didn’t have formally documented polices and procedures for procuring and managing cloud services and two didn’t regularly review or monitor user access.

Six didn’t annually review their provider’s independent assurance reports.

For the seven agencies reviewed, the total cloud services costs were around $30 million a year, with six agencies  currently spending more than $1 million annually on their cloud services.  

Risks and benefits

The report says cloud computing can offer flexibility, efficiency and strategic benefits including better collaboration.

But there are also risks. These include lack of transparency from providers, reliability issues, lack of portability and risks around data breaches. There’s also a risk that costs can blow out with regard to additional services and storage and connection upgrades.

While most cloud services are outsourced, risk remains with the agency.

Comment below to have your say on this story.

If you have a news story or tip-off, get in touch at editorial@governmentnews.com.au.  

Sign up to the Government News newsletter