Murky world of Privacy and Data Sovereignty

With the release of the NSW Government’s Cloud Services Policy & Guidelines paper today, a number of issues are evident, particularly around Data Sovereignty and a total lack of any semblance of agency procurement or supplier guidance. I understand this is not intended to be an IT strategy document; however, it is meant to be a policy paper and procurement guide for both agencies and suppliers. Hopefully the following perspective will explain why it fails on both counts.

Incidentally, it amazes me that, with the release of this paper, the head of the Australian Information Industry Association (AIIA) was quoted welcoming the paper as an:

“ ‘as a Service’ Module to support procurement of cloud services”.

This sad 19-page government policy paper is described as an ‘as a Service’ Module? Does it plug directly into the Amazon and OpenStack APIs? Do I get a large serve of DevOps with that, to go?

Bill Lumbergh: Yeah, if you could just go ahead and put that in the cloud

The first issue is that the NSW Government’s paper briefly mentions the basic NIST definitions of the Cloud Service Models (SaaS, PaaS and IaaS), but it does not mention any specifics about how these could be leveraged, or what data security and related legal aspects need to be considered around each of them. The potential for better data security improves as you move along the Cloud Service Models from SaaS to PaaS to IaaS.

Approach

There is absolutely minimal reference in the paper to important cloud components such as Deployment Models, and no mention whatsoever of Essential Characteristics. Where is the assessment and statement on Public, Private or Hybrid cloud, relating to the underlying IT strategy, business drivers, technology strategy, risk appetite, and legal and security requirements? Surely an IT Policy paper should be based on an overarching IT Strategy? Can I at least get some due diligence? It isn’t as if data sovereignty in the cloud and data privacy are new; this concern has been around for a while.

Even key related government papers, such as the Cloud Security documents from the Defence Signals Directorate (DSD), the Australian Federal Government Cloud Policy Guides and ACMA Chairman Chris Chapman, note that data security issues are highly important in any cloud implementation. Why then does the NSW Government paper overlook these and other basic, essential NIST-defined cloud components? The only references within the Cloud Services and Policy Guidelines document are to outdated (in perspective and approach) IT documents originating from the NSW Government itself. Shouldn’t a government policy document be referencing the basic Cloud Security requirements recommended by DSD, the Federal Government and industry bodies?

Research

The second issue is that there are many excellent resources available that have not been referenced or utilised, such as the recently released “Data Sovereignty and the Cloud” paper from the University of NSW, which clearly outlines some major components that must be assessed in relation to Data Sovereignty and cloud. All of these are totally missing from the NSW Government’s paper. Data Sovereignty and the security and privacy of data are serious IT issues that have a major impact on the privacy and rights of citizens. A basic requirement identified in the University of NSW’s Data Sovereignty document is a “clearly articulated policy for cloud data location or jurisdiction”. Fail.

“Security Camera Install Corner Of Building” by num_skyman from FreeDigitalPhotos.net

Third in the complaint list is the “legalese” and obscurity of the NSW Government’s position. The paper is more focused on the use of legal language than on actually taking a clear position on cloud and the procurement model as such. As well as the lack of clarity, it is evident that those involved in creating this document don’t quite “get it” when it comes to the big picture of cloud technology. I know this first hand from someone who was involved in the process and who actually knows quite a lot about cloud. That person’s comments expressed frustration at many decisions being made without clear understanding, and at an often ill-informed perspective on cloud technology among government decision makers.

Intent

I’m sure there were many experts consulted, committees sat, solicitors paid and ministers stamped to get the document released. But I really don’t think those responsible for this paper get the “big picture”. This is confirmed by the confusion, during the preparation of this paper, over what is and is not private cloud. For example, take the following reported statement made earlier in the year by the Executive Director of Strategic Policy at DFS, William Murphy:

“The cloud policy …ultimate cloud goal, which is to have agency ICT environments fully migrated to a private Government cloud by the end of 2015.”

Ironically, the same article lists the five NSW Government cloud initiatives, which are nearly all multi-tenant, mostly shared PaaS or SaaS, and certainly not private cloud:

  1. Messaging-as-a-service and desktop-as-a-service proof of concept trials to be run by ServiceFirst;
  2. Department-wide ERP consolidation into the cloud at the Department of Trade and Investment, Regional Infrastructure and Services;
  3. Email-as-a-Service implementation at NSW Fire and Rescue;
  4. Multi-tenanted email-as-a-service at NSW Businesslink; and
  5. Infrastructure-as-a-service at NSW WorkCover.

To clarify my view, purely from an IaaS cloud perspective, on Data Sovereignty as it relates to the Government’s paper and to Private, Public or Hybrid cloud:

  • Private – you know where your data is, providing you don’t outsource storage
  • Public – you have no idea; even when selecting a so-called in-country Public Cloud, your data can be cached and stored outside that country (for example by a CDN), so you have little control over data sovereignty
  • Hybrid – you can manage according to data sovereignty requirements and concerns, providing you manage data sensitivity through meta-tagging and maintain control of data storage
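As an added illustration of the three positions above (this is example code, not part of the original post), here is a small placement check: a sensitive record governed by one country’s privacy law may only be placed on a target whose primary store and every possible replica or CDN location sit in that jurisdiction, which is exactly what a hybrid model relying on sensitivity tags has to enforce. Target names, jurisdictions and records below are constructed sample data.

```python
"""Data-placement check driven by sensitivity tags and storage jurisdiction.
All targets, jurisdictions and records are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class StorageTarget:
    name: str
    deployment: str                       # "private", "public" or "hybrid"
    jurisdiction: str                     # country whose law governs the primary store
    replica_jurisdictions: tuple = ()     # CDN edges / replicas that may hold copies


@dataclass(frozen=True)
class Record:
    record_id: str
    sensitivity: str      # "sensitive" (subject to privacy law) or "public"
    governing_law: str    # country code of the privacy law that applies


def placement_violations(record, target):
    """Return the reasons a record may NOT be placed on a target (empty = allowed).
    Sensitive records must stay inside the jurisdiction of their privacy law,
    counting every location where a copy could be cached or replicated."""
    reasons = []
    if record.sensitivity != "sensitive":
        return reasons    # no legal residency requirement: anywhere is acceptable
    if target.jurisdiction != record.governing_law:
        reasons.append(f"primary store in {target.jurisdiction}, "
                       f"law requires {record.governing_law}")
    offshore = sorted({j for j in target.replica_jurisdictions
                       if j != record.governing_law})
    if offshore:
        reasons.append(f"copies may be held in {', '.join(offshore)}")
    return reasons


def choose_target(record, targets):
    """Hybrid placement: the first target (in preference order) with no
    violations, or None when nothing compliant is available."""
    for target in targets:
        if not placement_violations(record, target):
            return target.name
    return None


# Constructed sample environment: an in-country public cloud fronted by a
# global CDN (preferred for cost), an agency-controlled data centre, and an
# offshore region with no CDN at all.
PUBLIC_CDN = StorageTarget("public-cdn", "public", "AU", ("US", "SG"))
AGENCY_DC = StorageTarget("agency-dc", "private", "AU")
OFFSHORE = StorageTarget("eu-region", "public", "DE")
TARGETS = (PUBLIC_CDN, AGENCY_DC)

SENSITIVE_RECORD = Record("citizen-0001", "sensitive", "AU")   # constructed
PUBLIC_RECORD = Record("press-release-7", "public", "AU")       # constructed

if __name__ == "__main__":
    for rec in (SENSITIVE_RECORD, PUBLIC_RECORD):
        print(rec.record_id, "->", choose_target(rec, TARGETS))
```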

The NSW Government paper makes no reference whatsoever to any of the above situations, or to any explicit requirement for Data Sovereignty. There are some vague references to compliance with data legislation, but to “comply with regulations” in general means little in reality. The paper should express a clear and concise position and requirements relating to how data is managed in the cloud environment, as well as the specific responsibilities of the government and suppliers. In fact, the self-reported requirements brief for the policy paper, taken from the NSW Government ICT Board meeting notes, was that:

“The Policy and Guidelines provide a clear policy statement about NSW Government use of cloud solutions and taking advantage of the flexibility and agility that they provide,”

Clearly missed that goal then.

Responsibility

Specifically, the NSW Government paper makes vague allocations of responsible parties to:

  1. “Government Agencies”, and
  2. Supplier

Where then is the guidance, and where is responsibility realistically going to be held (assuming a standard government tender process)? With the supplier? Those with tender or bid experience know that the less specific the Tenderer is about the requirements, the more ability the potential Supplier has to dictate outcomes. Conversely, according to the wording in the NSW Government paper, it is understood that the NSW Government has pushed all data sovereignty requirements, compliance, auditing and management down to each agency or supplier, rather than having them centrally controlled or dictated by a central IT body. Cloud is a new way of using, procuring, providing and managing IT: from decision making, through to managing, auditing and purchasing. Old models and methods usually will not work (or will be a huge waste of resources). This has not been considered at all, and it should have been settled prior to publishing a procurement policy paper.

The laws relating to technology and privacy are changing rapidly; legislation conflicts between nation-states, and is even circumvented across borders at the behest of government agencies under the premise of “freedom”. It is nearly impossible for any supplier or individual agency to keep abreast of multiple and conflicting pieces of legislation across multiple countries. But this is effectively what the NSW Government paper is asking of them.

In a world of conflicting regulations across the globe, with the new frontier of information and power relationships and the degradation of traditional nation-state power, whoever controls the information has the power. Add to the mix a sprinkling of NSA/PRISM/WikiLeaks espionage, Syrian and Chinese targeted hacker warfare (cyberwarfare) and Big Data, and you have a major issue. It is not just about the data that governments collect, whatever your perspective on that issue. It is whether they are responsible and knowledgeable enough to maintain the security of that data and ensure it doesn’t fall into the hands of some other entity that will misuse it.

Resourcing

“Capitol Building” by Damian Brandon from FreeDigitalPhotos.net

How is each agency, or even each supplier, as the NSW Government paper implies, to effectively provide appropriate resources to successfully deliver the specified data sovereignty requirements, compliance, auditing and management? Successful data management and compliance is a hefty, highly skilled and labour-intensive role, let alone auditing and managing during and after the fact. How can anyone, including our government and legal system, ensure compliance with Privacy Legislation regarding our data that is held and managed by our government institutions in this situation?

What the NSW Government really should be doing is dictating that all sensitive data is to be contained within Australian borders, thereby complying with Australian Privacy Legislation. I actually think that the EU got it right when they enacted legislation that essentially ensures data sovereignty within the borders of each EU nation. The EU have taken an arguably more sensible and liberal-minded:

“…citizen-centric approach to data protection and privacy”

It is my opinion that if data is sensitive and needs to comply with the particular privacy laws of a particular country, then that data must remain in the country from which those privacy laws originate. This is the only way to ensure the level of control and auditing required to comply with that law. Of course the opposite is arguable: that these European in-country data sovereignty laws restrict the cloud market and are restrictive to business. Of course the knock-on effect of this outcome would be that large global corporations are slightly disadvantaged and local niche cloud operators are slightly advantaged. Additionally, commoditisation of cloud stifles innovation and competition, so this would support the local economy and innovation rather than large global corporations. There’s a novel idea!

Of course there is always the possibility of separating confidential private data that must comply with privacy regulations from other data that has no legal privacy requirement. The latter data can go wherever it likes. You can always just download this fantastic new app. Problem solved.

Disclaimer: I am not a solicitor and the opinions expressed here are my own. I am an independent IT professional and have written, worked with and negotiated on many large IT&T contracts. Comments, debate and fruitful discussion are welcome.

Focus on enabling successful business technology outcomes. I believe that Open wins over Closed and that a diverse eco-system is essential for interoperability to avoid vendor lock-in. This approach is essential for any enterprise considering hybrid cloud. Principal Solutions Architect ANZ at Nuage Networks

3 comments on “Murky world of Privacy and Data Sovereignty”
  1. […] at local firm buildpartner, has examined the document in detail, and found it extremely lacking. He’s published an extensive blog post with his analysis. A few key […]

  2. Hey Martin,

    Hmmm … I don’t believe that the policy, or any policy really, needs to be an “everything you needed to know about this topic but were afraid to ask” kind of a guidebook.

    I’m a member of the NSW ICT Advisory Panel … so I didn’t write the policy but I did have some input into it.

    The aim of the policy in my understanding was to set some basic direction and guidance and then to put cloud services procurement firmly in the context of the generalized policy that applies to any ICT procurement. There is no need, for example, to revisit the NIST definitions … these are now well accepted and commonly known. You are right, however, that the policy could perhaps have included a ‘For Further Reference’ section at the back so that readers could be pointed in the direction of relevant bedtime reading. I believe, however, that the team is creating a repository of useful reference/guidance material which is available to practitioners to support experience sharing etc.

    Matters of data sovereignty, information privacy, record keeping etc. etc. are business requirements that apply to ANY ICT procurement … in-house ICT, in-house shared services, outsourced managed service, outsourced private cloud or public cloud service. There is no need to ‘call these out’ as being unique or specially applicable to cloud services (only). The policy simply seeks to put cloud services on a level playing field to other ways of sourcing ICT capabilities.

    Essentially it is up to any executive responsible for any ICT procurement to ensure that the services procured are fit for business purposes and compliant with the relevant business and regulatory requirements and obligations.

    The problem is that the more explicit and detailed the policy is in terms of the mechanics and specifics of cloud services procurement, implementation, integration, operation and retirement/exit, the more it becomes used as a barrier to cloud services adoption by folks with vested interests. Making everything explicit implies that the risks and issues apply only to cloud services … not to other sourcing options. Also, a more detailed policy becomes unstable because the specifics are very fast moving – so you end up chasing your tail with updates every day. The better path is to keep the policy guidance at a high level and then promote experience sharing and transparency across the agencies to accelerate organizational learning and the sharing of good practices, lessons learned etc.

    Find things that work and discover things that don’t quickly and at low cost. Do more of the things that work and less of the things that don’t. Propagate proven solutions across agencies through peer interactions.

    Over-prescriptive policies don’t really help because they are usually not in-tune with front-line hands-on experiences, are too conservative/inflexible and often produce unintended perverse consequences.

    • Hi Steve,

      Thank you, I appreciate your perspective and that you took the time to comment. Whilst I understand that it is far easier to criticise than create, I made these comments in my blog as I observed some key misconceptions about cloud which I believe resulted in a number of major issues with the communicated aims and resulting policy paper. Certainly I was seeking to create some degree of friction in order to generate discussion. I wholeheartedly agree with you on a number of points and disagree on others, which I hope to clarify. I absolutely agree with you that the policy paper should not be “everything..”, but do stand by the fact that major components and outcomes were overlooked.

      Firstly, the communicated outcome of the paper has not been met. This was communicated by the NSW Government ICT Board as being to provide clear guidance to the NSW state government departments on cloud solutions and how to “take advantage of the flexibility and agility that they provide”. There is no clear guidance on the “how” to achieve successful cloud outcomes. Additionally, the specific outcome of the policy paper was stated as being to enable a “private Government cloud” by the Executive Director of Strategic Policy at DFS. There is no mention of a government private cloud at all in the policy paper; in fact four of the five NSW Government cloud initiatives are not really private cloud at all. This is the reason why I express concern at the lack of clarity on core cloud components.

      The policy paper actually in essence states that departments can use cloud but must comply with regulations. This is way too vague and not sufficient, there needs to be more guidance on procurement for both departments and suppliers. It is sufficiently faulty to base a policy paper on an unstated strategy or following an agenda that is a misnomer. Whether private enterprise or government; best practice dictates that to create a policy for a component of IT, the overall IT strategy must be stated and form the basis of the policy. Nowhere is this stated.

      I was not making the point that NIST definitions needed to be re-iterated, rather that the policy paper should define clearly the guidance as per the NIST definitions of Cloud Service & Deployment Models and the parameters of “Cloud Deployment Model” (public, private and hybrid) and the Service Models of clouds (IaaS, PaaS, SaaS). Why? Each of these Service and Deployment models has particular compliance and risk ramifications that are not within the capability of each department to understand, resource, maintain and manage. It is this point that I tried to highlight in the first several paragraphs.

      The section titled “Approach” and the associated links reference the detail and explain how each of these NIST components has a drastically different impact on Data Management, Risk Protection and Compliance. For example, it would be extremely difficult to maintain Privacy Act and associated data compliance on a SaaS platform, which not only cannot guarantee “data sovereignty, information privacy, record keeping etc” but is also inherently insecure as a shared application layer multi-tenant cloud with no data separation. How could an individual government department possibly establish this compliance on their own without the guidance from a cloud policy paper that clarifies this? A number of the referenced articles and papers support this perspective.

      Of course there is a balance, that one does not inhibit sufficient efficiency of cloud adoption. I am not saying the paper should dictate or restrict, rather advise and clarify a very complicated topic. This is in order to enable each department to make a wise decision, rather than one that will inhibit with future cost in resources and management and likely failure to comply. NSW Government IT ought to be following a philosophy of measure twice and cut once, particularly when it comes to tax-payer funds and privacy compliance. Using government limited tax funds, with a combination of limited cloud expertise and private citizen data as testing ground is unwise in my opinion.

      I believe on the scale from “not prescriptive” to “over prescriptive”, the paper has erred towards the former as not prescriptive.

      Kind Regards,
      Marten Hauville
