With the release of the NSW Government’s Cloud Services Policy & Guidelines paper today, a number of issues are evident. Particularly around Data Sovereignty and a total lacking of any semblance of agency procurement or supplier guidance. I understand this is not intended to be an IT strategy document, however it is meant to be a policy paper and procurement guide for both agencies and suppliers. Hopefully the following perspective will explain why it fails on both counts.
Incidentally, it amazes me with the release of this paper, that the head of the Australian Information Industry Association (AIIA) was quoted welcoming the paper as an:
” ‘as a Service’ Module to support procurement of cloud services”.
First issue is that the NSW Government’s paper briefly mentions basic NIST definitions of Cloud Service Models: SaaS, PaaS and IaaS; however does not mention any specifics about how these could be leveraged or what data security and related legal aspects need to be considered around these. Potential for better data security improves as you move along the Cloud Deployment Model from SaaS to PaaS to IaaS.
There is absolutely minimal reference in the paper, to important cloud components such as Deployment Models and no mention whatsoever of Essential Characteristics. Where is the assessment and statement on Public, Private; or Hybrid: relating to underlying IT strategy, business drivers, technology strategy, risk appetite, legal and security requirements? Surely an IT Policy paper should be based on an overarching IT Strategy? Can I at least get some due diligence? It isn’t like data sovereignty in the cloud and data privacy are new, this concern has been around for a while.
Even key related government papers, such as Cloud Security documents from Defence Signals Directorate (DSD), Australian Federal Government Cloud Policy Guides and ACMA Chariman Chris Champan mention that data security issues that are highly important in any cloud implementation. Why then, does the NSW Government paper overlook these and other basic essential NIST cloud defined components? The only references are to outdated (in perspective and approach) IT documents originating from the NSW Government within the Cloud Services and Policy Guidelines document. Shouldn’t a government policy document be referencing basic Cloud Security requirements as recommended by DSD, Federal Government and Industry Bodies?
The second issue, is that there are many excellent resources available that have not been referenced or utilised, such as the recently released “Data Sovereignty and the Cloud” paper from University of NSW, that clearly outlines some major components that must be assessed in relation to Data Sovereignty and cloud. All of which are totally missing from the NSW Government’s paper. Data Sovereignty, security and privacy of data are serious IT issues that have major impact on the privacy and rights of citizens. A basic requirement is identified in the NSW University’s Data Sovereignty document as a “clearly articulated policy for cloud data location or jurisdiction”. Fail.
Third in the complaint list, is the “legalese” and obscurity of the NSW Government’s position. The paper is more focused on use of legal language than actually taking a clear position on cloud and the procurement model as such. As well as the lack of clarity, it is evident those involved in creating this document don’t quite “get it” with the big picture of cloud technology. I know first hand, from someone who was involved in the process and who actually knows quite a lot about cloud. The nature of that person’s comments were expressed as frustration at many decisions made without clear understanding and an often ill-informed perspective from government decision makers on cloud technology.
I’m sure there were many experts consulted, committees sat, solicitors paid and ministers stamped to get the document released. But I really don’t think those responsible for this paper get the “big picture”. This is confirmed in the preparation for this paper, the confusion between what is private cloud or not. For example in the reported following statements made earlier in the year by the Executive Director of Strategic Policy at DFS William Murphy:
“The cloud policy …ultimate cloud goal, which is to have agency ICT environments fully migrated to a private Government cloud by the end of 2015.”
Ironically the same article lists the five NSW Government cloud initiatives, which are nearly all multi-tenant, mostly shared PaaS or SaaS – certainly not private cloud:
- Messaging-as-a-service and desktop-as-a-service proof of concept trials to be run by ServiceFirst;
- Department-wide ERP consolidation into the cloud at the Department of Trade and Investment, Regional Infrastructure and Services;
- Email-as-a-Service implementation at NSW Fire and Rescue;
- Multi-tenanted email-as-a-service at NSW Businesslink; and
- Infrastructure-as-a-service at NSW WorkCover.
To clarify my view purely from an IaaS cloud perspective, Data Sovereignty relating to the Government’s paper and Private, Public or Hybrid cloud:
- Private – you know where your data is, providing you don’t outsource storage
- Public – you have no idea, even with selecting a so-called in-country Public Cloud, your data can get cached and stored outside of that country such as with CDN, you have little control of data sovereignty
- Hybrid – you can manage according to data sovereignty requirements and concerns, providing you manage data sensitivity through meta-tagging and maintain control of data storage
The NSW Government paper makes no reference whatsoever to any of the above situations or any explicit requirement for Data Sovereignty. There are some vague references to compliance with data legislation, but to “comply with regulations” in general means little in reality. The paper should be expressing clear and concise position and requirements relating to how data is managed in the cloud environment, as well as the specific responsibilities of the government and suppliers. In fact the self-reported requirements brief, taken from the NSW Government ICT Board meeting notes for the policy paper was for:
“The Policy and Guidelines provide a clear policy statement about NSW Government use of cloud solutions and taking advantage of the flexibility and agility that they provide,”
Clearly missed that goal then.
Specifically, the NSW Government paper makes vague allocations of responsible parties to:
- “Government Agencies”, and
Where then, is the guidance and responsibility realistically going to be held (assuming a standard government tender process)? With the supplier? Those with tender or bid experience know that the less specific the Tenderer is about the requirements, the more ability the potential Supplier has to dictate outcomes. Conversely according to the wording in the NSW Government paper, it is understood that the NSW Government has pushed all data sovereignty requirements, compliance, auditing and management down to each agency or supplier. Not centrally controlled or dictated from a central IT body. Cloud is a new way of using, procuring, providing and managing IT: from decision making, through to managing, auditing and purchasing. Old models and methods usually will not work (or be a huge waste of resources). This has not at all been considered, which should have been set prior to publishing a procurement policy paper.
The laws relating to technology and privacy are rapidly changing, conflicting legislation between nation-states and even circumvented at the bequest of government agencies across borders under the premise of “freedom”. It is nearly impossible for any supplier or individual agency to keep abreast of multiple and conflicting legislation across multiple countries. But this is effectively what the NSW Government paper is doing.
In a world of conflicting regulations across the globe, the new frontier of information and power relationships and degradation of traditional nation-state power: that which controls the information has the power. Add to the mix a sprinkling of NSA/PRISM/WikiLeaks espionage, Syrian and Chinese targeted hacker warfare (cyberwarfare), Big Data and you have a major issue. It is not just the data that governments collect, no matter what your perspective on that issue is. It is whether they are responsible and knowledgeable enough to maintain the security of that data and ensure it doesn’t fall into the hands of some other entity to misuse that information.
How is each agency or even each supplier as the NSW Government paper insinuates, to effectively provide appropriate resources to successfully deliver the specified data sovereignty requirements, compliance, auditing and management? Successful data management and compliance is a hefty highly skilled and labour-intensive role, let alone auditing and managing during and after-the-fact. How can anyone, including our government and legal system ensure compliance with Privacy Legislation regarding our data that is held and managed by our government institutions in this situation?
What the NSW Government really should be doing, is dictate that all sensitive data is to be contained within Australian borders. Therefore complying with Australian Privacy Legislation. I actually think that the EU got it right, when they enacted legislation that essentially ensures data sovereignty within the borders of each EU nation. The EU have taken an arguably more sensible and liberal-minded:
“…citizen-centric approach to data protection and privacy”
It is my opinion that if data is sensitive and needs to comply with particular privacy laws relating to that particular country, then that data must remain in that country from where the privacy laws originate. Of course the opposite is arguable, that these European in-country data sovereignty laws restrict the cloud market and are restrictive to business. This is the only way to ensure that level of control and auditing required to comply with that law. Of course the knock-on effect of this outcome would be that large global corporations are slightly disadvantaged and local niche cloud operators are slightly advantaged. Additionally commoditisation of cloud stifles innovation and competition. Supporting the local economy and innovation rather than large global corporations. There’s a novel idea!
Of course there is always the possibility to separate confidential private data that must comply with privacy regulations and other data that has no legal privacy requirement. That latter data can go wherever it likes. You can always just download this fantastic new app. Problem solved.