On the pathway to digital transformation, Australian government agencies continue to grapple with migration to cloud services due to data sovereignty concerns and dependence on ASD Certification. As a result, the actual implementation of secure digital transformation has yet to fully materialise.
This article looks at the issues that require close consideration from internal stakeholder viewpoints. Internal stakeholders are currently focusing on what the execution of cloud technology means for their department and by introducing sovereignty and security requirements a stalemate ensues; here’s why.
According to the 2018 CIO Agenda: Government Insights report, 30% of government agencies find cloud services and data centres are crucial to digital transformation, while 93% of Australians don’t want their data to be stored overseas. Therefore, the legal jurisdiction of the country in which data is stored in becomes crucial. This is a dilemma which key decision makers, CIO’s, and legal experts have to work together to rectify.
The Decision Makers: What’s the Right Fit
In Australia, there are a handful of Australian cloud providers that hold ASD certification at the ‘Protected’ level. There are however over 180 different service suppliers that offer cloud technology.
Leaders within government Agencies must decide what provider offers the best outcome whilst also having a comprehensive understanding of what the relevant Government standards are. Particular vendors and partners will be better suited for certain outcomes. For example, large international cloud providers offer big data tools and global support whereas smaller Australian providers can design cloud infrastructure solution that ensure Australian data remains sovereign.
Decision-makers are also faced with understanding vendor lock-in clauses. Often vendors include lock-in clauses in their contracts, making it expensive and inflexible for Agencies to change service providers. This can easily be avoided if both the technical, support and commercial clauses of the contract are examined closely during the negotiation phase to ensure that Agencies have the option to switch vendors. This is critical as some vendor’s clouds don’t support structures of others while some charge fees to transfer data over to new formats.
Lawyers: Contracts and International Law
Data control is obviously a hot topic in the wake of the Facebook and Cambridge Analytica data breach. When it comes to selecting cloud providers, the answers to the questions of who controls the data, where is it stored, and who has access to it are essential. Similar to the decision makers, it is important lawyers engaged by Government understand all the clauses in contracts, how these interrelate and affect future data sovereignty.
Misunderstanding of data control or data sovereignty by not truly knowing where it is stored can easily put at risk national security or citizen’s personal data by potentially exposing to foreign governments. The permissiveness of public cloud enables wide-ranging access from around the globe.
The handful of ASD Certified Australian providers that possess the ‘Protected’ level are the only organisations that can guarantee data is secured and sovereign to Australia. It is vital that legal teams ensure Australia retains full control of sensitive data, and that providers and suppliers are limited in what they can do with data once it has been stored. Contract controls on sovereignty that can be measured need to be in place to ensure that they can be enforced.
CIO’s: The Shrinking Support Team
As more Australian data is hosted on the cloud, it is important that Government enforce a certain level of due diligence to ensure citizens’ information is secure from cybercriminals and hackers. CIO’s are tasked with the role of keeping technology functioning as designed, and a big aspect of this is security management. One fear CIO’s have is as more information moves to the cloud, there will be a commensurate decrease in support staff.
As more services are provided on cloud platforms and data stored by cloud providers, there will be weaker demand for internal support people, and conversely a higher demand for experts in development and security. It is important that CIO’s and the key decision makers in the Government openly communicate about the benefits of cloud technology and the concerns about switching to cloud systems.
This will help identify future skill shortages and provide a common understanding of the importance of training resources now to meet these requirements.
The Issue Government is Facing
If Australia is to successfully adapt to a cloud-first technology strategy it is important that Government leaders, lawyers and CIO’s work cooperatively to advance the Government’s technology capability.
Only then will government Agencies have the confidence to embrace cloud technology without fearing systems outages and loss of sensitive data. The decision makers must do their part to align with Government direction. Legal teams must provide the due diligence to ensure that contracts protect the governments and public interests and support decision makers during negotiations.
CIO’s have to adapt their teams as technology demands change to support the efforts of the decision makers and legal teams. Understanding the importance of these teams working together is important to the future of the Australian government’s digital transformation journey.
Article by Ash Smith, MNTR director - Cyber Security Practice