Time for government to put its foot on the cloud accelerator
The COVID-19 pandemic accelerated demand for cloud technologies as the private and public sectors rushed to update the delivery of urgent services and ensure continuity.
A Gartner report suggests cloud spending will exceed $10 billion in Australia this year. But the government’s cloud security guidelines need to go further in overcoming barriers and drive further uptake of cloud technologies. Advancing our digital economy is a central focus of the 2021-22 federal budget, so the government has a huge opportunity to demystify cloud services.
The Australian Cyber Security Centre and the Digital Transformation Agency released cloud security guidelines last year. Their purpose is to better inform organisations, cloud service providers (CSPs) and Information Security Registered Assessors Program assessors about carrying out comprehensive risk-based assessments of CSPs and services.
The federal government is also piloting cyber hubs to share cyber services and security expertise across Home Affairs, Defence and Services Australia. This is a real step forward and something we need to see more of, as a successful pilot would create a blueprint for wider adoption. It’s pleasing to see recent statements from the Australian Signals Directorate and Digital Transformation Agency suggesting an extension to non-corporate Commonwealth entities.
The guidelines and cyber hubs are an important step in improving engagement with cloud services, but there is still much to be done in educating its agencies and the broader community about the advantages of cloud technologies. There are several critical issues with the existing guidelines – assessment is expensive and slow, contractual controls for risk mitigation can be improved, as can overall agency understanding of and consequent adoption of Software as a Service (SaaS) cloud solutions.
Change is needed to overcome these issues, including a shift to continuous risk management underpinned by a whole-of-government risk management framework, the management of certifications across agencies, and encouraging government and community take-up of SaaS to improve cybersecurity defences.
Time to take action
There’s an opportunity for government to seize the moment and lead by example to make the most of digital transformation. The past 18 months have accelerated changes and the cost of failing to encourage this move to digitisation further and the cloud would be huge – not just for government but the whole economy.
Costs and lack of technical expertise have been familiar barriers to entry for small organisations. Policies need to encourage small and medium businesses and smaller agencies to use the cloud and share resources. Here are a few ways policymakers can improve the situation:
1. Take advantage of SaaS solutions
SaaS cloud services are where a vendor provides a customer with the software application and also manages both the cloud infrastructure and platform. From a customer perspective, all they need to do is use the application. They don’t need to manage or maintain the software or the underlying cloud infrastructure.
This improves security by removing the need to update software manually. And perhaps more importantly, it allows government to focus on the core business of policy and citizen service delivery rather than managing software.
IT certifications are needed every time a new government agency uses it, but it needn’t be this way. The latest SaaS solutions allow for the security of each element to be assessed and certified against security requirements. This allows high-level certifications to be reused across departments and agencies. This change would accelerate the uptake of the cloud and keep government security agencies and risk regulators better informed, which is good news for CSPs and government agencies.
2. Discuss cyber risk upfront
SaaS creates opportunities to improve cybersecurity across the economy. But the obligations for protecting information remain the same whether this is outsourced or handled in-house. So keep this in mind before a CSP contract is signed.
CSPs can relieve the burden of maintenance, but an agreement outlining accountability and mitigations to security risks is essential. Without this, an organisation is reliant on promises that can be hard to verify and enforce. Getting this step right provides all parties with greater clarity on accountabilities.
3. Set the right example
Government has an opportunity to increase confidence in cloud services by introducing protected environments. It’s time to move away from traditional ownership models and outsource to trusted parties. In-house expertise in this area remains important, but – with the right agreement in place – the service provider will manage many of the issues. This means government staff can focus on policy outcomes and customer service instead of fixing technology problems.
The trend towards SaaS delivered securely means that organisations will focus less on how the solution is delivered. It’s much like electricity or other utilities where the service is consumed without worrying about who generated the electricity or how it is connected to the building.
What is critical are the business outcomes that can be delivered, and these common platforms and business tools allow government to be run as an enterprise rather than a federated group of agencies with their own technology solutions.
Aside from cost efficiencies, when we begin to share platforms and data through SaaS, new opportunities are created from scale and connectivity benefits. This includes the availability of technologies like artificial intelligence that can be scaled quickly to all agencies regardless of size. Once we connect agencies and business applications, new analytics can be applied to create business insights.
Perhaps most critically, SaaS allows for the rapid deployment and implementation of business’ secure applications at scale. It ensures the benefits of a better-connected government are available to Australians sooner.
Long-term adoption of SaaS is inevitable, so this is a question of how quickly we can accelerate that change and bring forward the benefits. Let’s push ahead with the move to the cloud, so Australia can start reaping the benefits immediately.
The struggle to maintain Australia’s cybersecurity
- How well is Australia prepared for cyber threats in 2022 and beyond?
- Cat and mouse: why ransomware is an evolving organisational threat
- How we’re losing the arms race against deepfake technology
- Beware state-based actors looking to kick down digital doors
- Cybercrime’s shifting sands: which industries are most vulnerable?
- Digital tools allowing extremism to flourish around the world
- What skills do we need on the cybersecurity front line?
- Clear and present dangers: understanding and preparing for cyber threats
- Time for government to put its foot on the cloud accelerator
- Two common tech myths holding back public sector innovation