Did you know that one in three public sector organisations have no plans for adopting cloud-based technology?
And although migration to the cloud is said to reduce on-site maintenance and IT support requirements, 36% of public sector firms surveyed in the 2016 Cloud Adoption survey stated that confusion and uncertainty was holing them back.
So we decided to open the discussion on some of the concerns that understandably come with government cloud migration. This post will look at how the public sector can balance innovation with privacy concerns.
The backdrop for balancing innovation and privacy
‘Our office understands the need to balance the protection of personal information with other important goals such as innovation and business growth. With creativity and cooperation, it is always possible to achieve such aims in a privacy enhancing, rather than a privacy intrusive, way.’
Back in 2014, Andrew Solomon the then A/G Assistant Commissioner at the OIAC gave a presentation on the opportunities and challenges of cloud technology. And it could be more pertinent years later.
Setting aside the reservations some government agencies have currently, in 2014, the Department of Finance released the third version of its report: Australian Government Cloud Computing Policy: Smarter ICT Investment. The report outlined the need to embrace the technology, adopting a cloud-first approach while simultaneously maintaining the safety and security of its citizens. It also outlined that cloud technology would allow government departments to reduce expenditure, increase productivity and develop better services. The report encouraged cloud technology investment, provided the technology could meet the following criteria:
- Fit for purpose
- Delivers value for money
- Provides adequate protection of data
Considering it is the uncertainty of migrating to the cloud that is stopping many government agencies from utilising the technology, it will be worth looking at why.
When has government not been ‘adequately protected?”
The adequate protection of data is perhaps the reason that the government has been so cautious in wholeheartedly backing cloud in the previous incarnations of the framework.
Given that government data is of a highly sensitive and personal nature, policy makers around the globe have been slower to adopt the cloud than their corporate counterparts – we’ve all seen the effects of a data breach. In 2016 Australia had its largest security breach when the Red Cross had the files of over half million donors files leaked, what was worse, they weren’t sure for how long the information was out there. Over in the US, earlier in the same year a hacker leaked over 600,000 social security numbers, which greatly increased the risk of identity theft for those compromised.
The Protective Policy Security Framework
Given the interconnectivity of cloud systems, the potential for havoc is amplified. To ensure that stringent security measures are met, the Attorney General’s department released the Protective Policy Security Framework. The purpose of the document is to ‘assist Australian Government entities to protect their people, information and assets, at home and overseas,’ in other words companies looking to make the switch to cloud need to meet the criteria of the framework.
Australia’s Cyber Security Strategy best practice recommendations
Australia’s Cyber Security Strategy, released in 2016 also mentioned that the Australian Cyber Security Centre had ‘provided further guidance on cloud computing practices.’ This guidance provides an extensive list of guidelines for government staff, on an individual, departmental and transnational level. It urges users to think about the sensitivity, the purpose and the integrity of the data and to employ careful best practices when establishing networks and using data in their day-to-day role. It also covers topics such as:
- Business drivers to cloud computing adoption
- Risk management
- Security considerations
- Maintaining business functionality
- Protection from unauthorised access by a third party
- Protection from unauthorised access by a rogue ex-employee
- Handling security incidents
These sections ultimately help senior stakeholders to determine whether the purported cloud solution can meet business goals with ‘an acceptable level of risk.’
The Digital Transformation Agency released cloud.gov.au, a way for ‘government to release, monitor and grow user-facing digital services.’ The platform is currently hosting The Digital Marketplace, The Government Service Performance Dashboard and The Media Release Service with a further ‘37 apps in production and 255 apps in development.’ Given how new this program is, it’s too early to assess whether the legislation and the frameworks have struck the right balance. However, if Australia wants to meet the goals outlined by the ambitious ICT strategy, then the careful adoption of cloud technology is a step in the right direction.
As Sean Grimes, Agilisys IT Services Director states: “changing any IT system has inherent challenges, and moving to the cloud is no different”. We hope this post assisted your agency in the migration to the cloud. Have you got any further concerns about cloud-based technology? Let us know in the comments below and we’ll cover it a future post.