Commonwealth agencies are now encouraged to make their own cloud computing plans, according to seven principles set out in the federal government’s new secure cloud strategy, which has been published on the Digital Transformation Agency website.
The Australian Signals Directorate has lost its monopoly on certification of cloud providers and a “layered certification model” has been adopted, according to the new document:
“The certification model creates greater opportunity for agency-led certifications, rather than just ASD certifications. It creates a layered certification approach where agencies can certify using the practices already in place for certification of ICT systems.”
The opening lines suggest “a shortage of knowledge and experience, decades old, stubborn operating models and a struggle to sell the case for cloud across the business” have held back Australian Public Service entities from adopting cloud computing services to date. The seven principles are:
- Make risk-based decisions when applying cloud security.
- Design services for the cloud.
- Use public cloud services as the default.
- Use as much of the cloud as possible.
- Avoid customisation and use cloud services as they come.
- Take full advantage of cloud automation practices.
- Monitor the health and usage of cloud services in real time.
Replacing the 2014 cloud computing policy, the DTA’s secure cloud strategy says the shift will help the public service “reduce duplication, enhance collaboration, improve responsiveness and increase innovation” and make its online services more “convenient, available and user-focused” for citizens.
And it states that procurement of cloud services will be made easier and quicker, to take advantage of rapid developments in the market, in line with the ICT procurement taskforce’s recommendations.
The DTA will also lead a new community of practice to provide support and training, according to the new policy outline. Other key points include:
A cloud qualities baseline and assessment framework will be introduced to clarify cloud requirements. The cloud qualities baseline capability and assessment framework will enable reuse of assessments.
A Cloud Responsibility Model will be developed to clarify responsibilities and accountabilities. Traditional head agreements cannot cover all cloud services and their frequent variations. A shared capability for understanding responsibilities, supported by contracts, will address unique cloud risks, follow best practice and maintain provider accountability.
A cloud knowledge collaboration platform will be built. The platform will enable secure sharing of cloud service assessments, technical blueprints and other agency cloud expertise, to iterate on work already done rather than duplicating it.
Cloud skills uplift programs will be designed. Increase government skills and competencies for cloud aligned with the Australian Public Service Commission’s Digital Skills Capability Program, and create the pathways to leverage industry programs to enhance cloud-specific skills in the Australian Public Service.
Common shared platforms and capabilities will be explored including:
- Federated identity for government to enable better collaboration in the cloud.
- Platform for PROTECTED information management to reduce enclaves in agencies, and continue to iterate cloud.gov.au as an exemplar platform.
- Service Management Integrations services to enable agencies to manage multi-provider services.
These platforms will include the integration toolkits that enable agencies to seamlessly transition between the cloud services.
Human Services and Digital Transformation Minister Michael Keenan also announced the government had inked a new whole-of-government deal with Concur, which provides travel, invoicing and expense management software as a service.
This, according to the minister, “will enable easier and cheaper adoption of cloud services” for the APS:
“This strategic arrangement will simplify our ICT procurement and allow the Government to get the best return on investment for ICT products and services. The Government’s ICT procurement reforms are expected to achieve savings of up to $54 million over the next four years.”
Geoscience Australia cut 80% of the maintenance costs of its Sentinel bushfire hotspot mapping service by moving it to the cloud in 2016 and had no outages in the last bushfire season, according to the minister.
According to the new document, both industry and public servants told the DTA that they were being slowed down by the current security arrangements, with ASD having provided a list of certified cloud services since 2014:
“Under this list, any cloud service with an UNCLASSIFIED:DLM or PROTECTED workload must be certified by ASD, or seek exemption. This single accountability for certification in a vast and diverse cloud marketplace creates bottlenecks and confusion.
“During Discovery research it was highlighted by both government agencies and industry that, despite best efforts from ASD to meet this demand, the existing process is a significant barrier to the adoption of cloud services.
“Additionally, agencies highlighted confusion regarding accountability for assessments and a lack of transparency in the process.
“Industry consistently expressed frustration with significant time delays experienced between an initial IRAP assessment and the cloud service being available for use by agencies, and the associated financial impact.”