As government agencies increase cloud computing usage in South Australia, some are claiming they don’t have the resources or expertise to support the needs.
In a random review of seven government agencies, South Australia’s auditor general found most were not doing annual independent assessments of the technology, and some were failing to do risk assessments.
The review found most of the agencies planned to increase their use of cloud services in the next two years but four agencies claimed there were not enough internal resources and expertise to support current and future needs.
This is despite six of the agencies individually spending more than $1 million on cloud services annually, and some more than $8 million.
The resourcing issues included insufficient budget funding, difficulties attracting skilled ICT staff, retaining them or providing specialist training.
The report highlights risks of cloud computing — including the loss of confidentiality or data leakage, accidental exposure, reliability issues, and lack of transparency from cloud providers — as concerns public servants should be highly aware of when adopting a new service or change.
“Agencies need to consider these risks in their initial and ongoing cloud computing risk assessments,” the report says.
It found three of the seven agencies did not have a formal procedure for procuring and managing cloud computing services, and three agencies were not engaging their ICT team before procuring cloud computing services.
Three agencies said there were a small number of security incidents or disruptions to their cloud services in the past three-to-four years.
Across the seven agencies, there were 178 different cloud computing environments, and 16% of these stored data outside of Australia.
Most of the cloud models were publicly owned, and 30% were private and 8% were public-private models. The report notes most administration and management of cloud services were outsourced but security risks remained with the agency.
Auditor-general Andrew Richardson said the state’s approach to cloud computing could be strengthened through more collaboration and a centralised point of reporting to either the department of premier and cabinet or an inter-agency forum.
“The aim would be to help agencies while they move their services to the cloud by providing guidance, risk mitigation strategies, a more consistent approach to managing cloud computing and the integration of security governance,” Richardson said.
The report recommended all agencies should develop a cloud computing policy and description of their procurement and ongoing control requirements for cloud services.