

39 Torrens St Braddon ACT 2612 Australia | T +61 2 6281 9400 | E [email protected] | W www.aiia.com.au

Cloud Computing in the Victorian Public Sector

AIIA response


Contents

1. Introduction ...3

1.1 About AIIA ...3

1.2 Submission Overview ...3

2. Key considerations before cloud adoption ...4

2.1 Any standards or guidelines on cloud computing should be consistent with existing national and international approaches ...4

2.2 Government maintain a cloud service provider certification list to streamline risk assessment processes and reduce administrative burden and cost ...4

2.3 Benefits of cloud computing should not be forgotten in the context of risk assessment ...4

2.4 Risk assessment gaps that should be addressed...5

3. Key Considerations after Cloud Adoption ...6

3.1 Standardisation ...6

3.2 The Government develop clear incident handling guidelines ...6


1. Introduction

1.1 About AIIA

The Australian Information Industry Association (AIIA) is the peak national body representing Australia’s information and communications technology (ICT) industry. Since its establishment 35 years ago, the AIIA has pursued activities aimed at stimulating and growing the ICT industry, creating a favourable business environment for our members and contributing to the economic imperatives of our nation. Our goal is to “create a world class information, communications and technology industry delivering productivity, innovation and leadership for Australia”.

We represent over 400 member organisations nationally including hardware, software, telecommunications, ICT service and professional services companies. Our membership includes global brands such as Apple, EMC, Google, HP, IBM, Intel, Microsoft, PWC, Deloitte, EY and Oracle; international companies including Telstra and Optus; national companies including Data#3, SMS Management and Technology, TechnologyOne and Oakton Limited; and a large number of ICT SMEs.

1.2 Submission Overview

The AIIA appreciates the opportunity to provide comments on this important issue. This submission addresses the government’s discussion paper on Cloud Computing in the Victorian Public Sector in two parts.

The first part looks at key considerations before cloud adoption. AIIA recommends:

• Any additional standards or guidelines on cloud computing should be consistent with existing national and international approaches (see Attachment A);

• Government adopt a cloud service provider certification process to streamline risk assessment processes and reduce administrative burden and cost. AIIA highlights jurisdictions already adopting this practice; and

• Benefits of cloud computing should not be forgotten in the context of risk assessment.

The second part of this submission looks at key considerations after cloud adoption. AIIA recommends:

• The government develop clear incident handling guidelines. This should be done through appropriate industry consultation and engagement. AIIA identifies similar guidelines already in place; and

• The government develop standard contract terms and conditions for cloud computing through appropriate consultation and engagement with industry.

While AIIA supports the need for guidelines to support procurement of cloud services, we strongly advocate that these do not provide unnecessary barriers to the take up of these services which provide a secure and cost efficient alternative to traditional ICT operational and support models.


2. Key considerations before cloud adoption

2.1 Any standards or guidelines on cloud computing should be consistent with existing national and international approaches

There are a number of standards or guidelines on cloud computing already available across Australia and internationally. As such consistency and harmonisation must be a priority for any additional standards or guidelines. This is particularly important due to the global nature and reach of cloud computing.

AIIA has identified several resources available nationally and internationally on cloud computing that the government may find useful. See Attachment A.

2.2 Government maintain a cloud service provider certification list to streamline risk assessment processes and reduce administrative burden and cost

Some jurisdictions have created specific certification programs to provide a standardised approach to secure storage of government information in the cloud.

For example, at the Commonwealth level, the Australian Signals Directorate (ASD) conducts certification activities that all government agencies can leverage, through the Information Security Registered Assessors Program (IRAP). This program gives government agencies a higher level of confidence when undertaking cloud service procurements and helps standardise government expectations of service providers.

In the US, the Federal Risk and Authorization Management Program (FedRAMP) provides a baseline to initiate, review, grant and revoke security authorisations for cloud services used by government agencies. Similarly, in the UK cloud services can receive Pan Government Accreditation status to confirm they meet defined security requirements for the storage of government information. The UK has also established G-Cloud frameworks for government procurement of cloud services and CloudStore, an online marketplace to facilitate the procurement of cloud services by government agencies.

A similar model could be adopted by the Victorian Government. Although agencies will have different needs and therefore risks, a certification program will ensure a baseline for protecting government information. Agencies with unique or additional risk mitigation requirements can deal with these issues separately. This will help streamline the risk assessment process and minimise administrative burden and cost for both government and the cloud service provider.

2.3 Benefits of cloud computing should not be forgotten in the context of risk assessment

A further important benefit is the potential reduction of IT costs. On the consumer side, cost reductions by using cloud computing result from the fact that traditional corporate IT infrastructure is in most instances underutilised due to over-provisioning. This is because it is necessary to provide capacity to handle data peaks, future expected loads and to prepare for cases of unanticipated growth in demand. On the provider side, cost reductions are achieved via an increased efficiency of the data centres run by cloud computing providers (e.g. through economies-of-scale). Due to their global scale and the possibility to aggregate the demand of multiple users of cloud computing, especially in public clouds, providers have much lower operating costs than companies that operate their own IT infrastructure.

Another important benefit is the shift of IT expenditure from capital expenditure to operating expenditure, which has an important impact on organisations’ investment capacity in the medium and long run. Users of cloud services do not have to build their own server infrastructure, nor do they have to commit large amounts of capital to IT infrastructure and software as in the past. Up-front investment in IT infrastructure is thus reduced significantly.

Leveraging their purchasing power, agencies can also drive common standards and achieve secure cloud service solutions at a lower cost. In addition, cloud services improve the responsiveness, flexibility and agility of agencies and in doing so enable more responsive service delivery.

2.4 Risk assessment gaps that should be addressed

AIIA supports the use of a risk assessment tool to determine the suitability of cloud technology. Overall AIIA considers that risk assessments should not take a pass/fail approach and that one size does not fit all. The primary question is the purpose and function of the cloud service being assessed.

For completeness additional areas of consideration should include:

• Physical security of data centres needs to be taken into account. Currently there is a lack of consistency in physical security practices;

• The paper appears to advocate a risk assessment per project. AIIA recommends a streamlined certification process or, at a minimum, a risk assessment per cloud service model type to reduce duplication;

• Privacy around financial records for credit card transactions. Although the discussion paper addresses privacy for record keeping generally, financial transactions can be subject to additional obligations and therefore specific guidance may be required;

• The government could also better leverage self-assurance, such as putting in place regular meetings to discuss issues. This would also help the parties better understand their respective needs and risks.


3. Key Considerations after Cloud Adoption

3.1 Standardisation

In our view there is an opportunity for the risk assessment process for cloud procurements to more explicitly leverage globally recognised ISO international standards. These include ISO 27001 for information security management, ISO 31000 for risk management and ISO 27018 for the handling of personally identifiable information in public clouds. The ISO 27000 family of standards has become the generally accepted standard for cloud services; it is aligned with industry and government practice and is typically what purchasers and end users require of cloud service providers. Taken together, these standards cover the governance, physical, information and personnel controls and management processes appropriate to cloud services.

Our members, along with the Australian government, have been active participants in the development of these standards through Standards Australia’s mirror committee to ISO/IEC JTC 1/SC 27. Adoption of the ISO 27000 family would help ensure that the processes and information management supporting these services conform to a consensus international baseline. It would streamline assurance and procurement processes and minimise the burden of local compliance requirements on international cloud service providers, while enabling domestic cloud service providers to offer their solutions more effectively to a global market.

We also support the use of a centralised cloud procurement model similar to the approaches adopted by the Commonwealth and NSW governments. A similar centralised approach has been adopted by the UK G-Cloud framework. The model incorporates:

• A centralised method of vendor qualification, incorporating assurance checks, ‘framework agreements’ and security accreditation as required;

• The ability of Government to set the terms of engagement, ensuring policy considerations are incorporated;

• Standardised solution category definitions, i.e. Infrastructure as a Service, Software as a Service etc., or alternative category methodologies capturing more specific components such as data centres, network management, server management, end-user computing etc.

The advantage of a centralised approach is that it provides a transparent, standardised framework that can be used by all agencies. AIIA believes this level of guidance and support will build the confidence of agencies to take up cloud services and provide Government with an appropriate level of control and additional risk mitigation.

Through appropriate consultation and engagement with industry, standardised terms and conditions would provide a general position and proposed remedies on common legal issues arising out of cloud computing agreements. AIIA is willing and able to assist the government in this process. AIIA has worked closely with several State Governments to develop appropriate procurement guidelines and standardised contractual arrangements for ‘as a service’ / cloud services.

3.2 The Government develop clear incident handling guidelines

The Queensland government has already adopted something similar with its Information Security Incident Management Guideline, although this is not cloud specific.

Similarly, the Commonwealth ASD, in its Cloud Computing Security guidance, recommends implementing and annually testing an incident response plan covering data spills, electronic discovery, and how to obtain and analyse evidence, e.g. time-synchronised logs, hard disk images, memory snapshots and metadata. It references Securosis’ Cloud Forensics 101, which outlines how to track what occurred.

AIIA would be happy to provide industry perspective input into an incident handling consultation process.


4. Attachment A: Compendium of major cloud computing resources

Australian Commonwealth Government

The National Cloud Computing Strategy

Developed in partnership between government, industry and consumer groups, the Strategy outlines a vision for cloud computing in Australia and provides a range of useful guidelines in support of the implementation and use of cloud computing services.

Australian Government Data Centre Strategy 2010-2025

Aims to improve and optimise government use of data centre facilities over a fifteen year period through the aggregation and standardisation of entities’ data centre requirements via the Data Centre Facilities Panel. The strategy identifies a number of trigger points, such as asset refresh cycles, end of outsourcing contracts, end of life for a data centre, or expansion of data centre capacity, that place mandatory obligations on entities to use the Data Centre Facilities Panel. Entities considering infrastructure cloud services such as Infrastructure and Platform as a Service (IaaS and PaaS) are advised to contact the Data Centres team at [email protected]

Protective Security Policy Framework

The Protective Security Policy Framework provides a whole-of-government approach for the way the Australian Government protects its people, information and physical assets. The policy is the Government’s principal document outlining entities’ mandatory obligations for the protection of information, including the management of security risks associated with electronic data transmission, aggregation and storage.

Information Security Manual

The Information Security Manual is a part of the Protective Security Policy Framework providing a principles and risk-based approach to the security of government information and communications technology systems. The manual articulates mitigating strategies and processes for entities to reduce the security risks to the Government’s information assets.

ICT Customisation and Bespoke Development Policy

The ICT Customisation and Bespoke Development Policy aims to reduce the percentage of customised and bespoke ICT solutions across government. The policy places a mandatory obligation on entities to consider existing government or commercial off-the-shelf ICT solutions, such as cloud services.


Other Australian States and Territories

NSW

NSW Government Cloud Services Policy and Guidelines

Provides guidance to agencies about key considerations to be aware of when evaluating cloud services.

General authority for transferring records out of NSW for storage with or maintenance by service providers based outside of the State

This general authority gives approval for the transfer of records outside of NSW for storage with or maintenance by service providers based outside the State.

However, this permission is given on the condition that an appropriate risk

assessment has been made and the records are managed in accordance with all the requirements applicable to State records under the State Records Act 1998.

Queensland ICT-as-a-service policy

Provides that Departments adopt an ICT-as-a-service strategy and source ICT services, in particular commoditised services, from industry providers in a contestable market where this is feasible and represents value for money.

Cloud Computing Implementation Model

An addendum to the ICT Strategy, the model states that the preferred option is to use a cloud-based solution for all future information and communication technology (ICT) investments.
