A new government strategy advocates that Commonwealth departments and agencies employ public cloud services whenever possible and, in general, use as much cloud as they can.
The strategy’s launch was announced today by Michael Keenan, the human services minister and minister assisting the prime minister for digital transformation.
The new Secure Cloud Strategy was developed by the Digital Transformation Agency (DTA).
It acts as a successor to a 2014 cloud strategy document. The 2014 strategy advocated agencies adopt public cloud for test and dev and Web hosting and evaluate “private, community, public or hybrid cloud services for operational systems”.
The new strategy, by contrast, is much more gung-ho on the use of public cloud: “The public cloud market offers a broad range of services and providers that enable agencies to keep their technologies and business processes up to date. Public cloud can provide fast and competitive options for agencies.”
Agencies “should consider public cloud first and in preference to any other cloud deployment model” although they need to ensure that any service “has the appropriate security implementation for the information being handled.”
Using public cloud services as the default and using as much cloud as possible are two of the seven cloud principles outlined in the strategy, alongside making risk-based decisions when applying cloud security, designing services for the cloud, using cloud services as they come and avoiding unnecessary customisation, taking advantage of opportunities for automation, and real-time monitoring of the health and usage of cloud services.
“In the Australian Government, a number of factors can get in the way of agencies realising their cloud aspirations, from a shortage of knowledge and experience, decades old, stubborn operating models and a struggle to sell the case for cloud across the business,” the document states.
“The Secure Cloud Strategy has been developed to guide agencies past these obstacles and make sure everyone has the opportunity to make the most of what cloud has to offer.”
One concrete initiative outlined in the strategy is the creation of a layered cloud certification model. Generally, ICT services used by an agency will be subject to an IRAP assessment and then passed through a certification authority. In most cases, that certification authority is within the owning agency, the document states. For cloud services, the Australian Signals Directorate is the certification authority.
The ASD maintains the Certified Cloud Services List (CCSL), which currently includes offerings from 12 different providers.
The cloud services on the list have been the subject of an IRAP assessment for use with either UNCLASSIFIED:DLM (unclassified but sensitive information) or PROTECTED information.
“Appropriate risk management of cloud solutions is critical to the Australian Government,” the cloud strategy states.
“However, ASD do not have the capacity to undertake certification against every cloud service an agency may wish to use. Continuing with the current approach with existing resources will not achieve the government’s objectives to accelerate the use of cloud.”
The document states that extending the ASD certification model “to enable agency assessments to also become baselines for re-use will increase the capacity of government to undertake assessments”.
Other initiatives include building a cloud knowledge collaboration platform for government, developing a Cloud Responsibility Model, introducing programs to increase cloud skills within the public service, and developing a number of common shared platforms, including a platform for PROTECTED information management.
“The Australian Government has an ambitious agenda to transform its digital service delivery,” the document states.
“Cloud offers reusable digital platforms at a lower cost, and shifts service delivery to a faster, more reliable digital channel. Cloud services have the opportunity to make government more responsive, convenient, available and user-focused.”