While it may be drawing too long a bow to suggest the return of Kevin Rudd as PM influenced the length of the title, The Australian Government Policy and risk management guidelines for the processing and storage of Australian Government information in outsourced or offshore ICT arrangements1 does get points for having a title that accurately articulates the contents of the policy.
This policy, released on 8 July 2013, prescribes the manner in which Government agencies can take advantage of cloud offerings, and for those not put off by the title, it contains a number of useful considerations for any organisation considering cloud deployment.
In particular, the policy recognises that there is a sliding scale of risk which is impacted by legislative requirements and influenced by broader community expectations (such as citizens expecting that government agencies will treat certain information with appropriate care).
The policy introduces a risk-based framework through which the risks of any outsourced cloud arrangement can be considered against the expected value of cloud offerings. Organisations which have undertaken any form of outsourcing, whether through use of cloud environments or otherwise, will be familiar with the need to balance known impacts and risk against expected gain.
The policy also recognises that:
- certain public information should not be subject to significant fetters (e.g. information available from public websites hosted by agencies);
- non-public information or information which is subject to privacy protections requires a greater level of protection; and
- there are categories of information for which cloud offerings are inappropriate (e.g. security classified information);
Different considerations apply depending on the type of cloud arrangement. In general terms, any offshore cloud or domestic public cloud will be treated with a heightened level of sensitivity compared to a domestic private, internal or community cloud, which is a logical differentiation given the different levels of control which underlie the alternative models.
A suggested risk assessment framework is also outlined which is based on existing AS/NZS ISO 31000:2009 and HB 167:2006. Critical to this framework is the implicit view that not all risks are equal. Tolerance levels and mitigation options can exist and which have the impact of reducing either the likelihood and/or the consequences of a particular risk.
In terms of potential risks to consider, the policy outlines a number (though stresses that these are not exhaustive):
- compromise of the integrity of the information which impacts on business functioning
- unavailability of the information which impacts on business functioning
- unauthorised access by a third party
- unauthorised access by the service provider’s other customers
- unauthorised access by rogue service provider employees
- inadequate resilience and security measures applied to the associated physical infrastructure, supply chain and ICT networks
Many organisations which are subject to regulatory oversight would be familiar with a number of the above risks. For example, those financial institutions regulated by the Australian Prudential Regulation Authority will see some commonality with the risk issues identified in Prudential Standard CPS 2312.
Added to the above are the following specific offshore aspects:
- the nature of legal powers to access or restrict data
- the lack of transparency (and reduced ability to directly monitor operations)
- the prevailing culture of some countries?complications arising from data being simultaneously subject to multiple legal jurisdictions
While appreciating that there are a number of additional overlays relevant to Government agencies, in many respects the policy reflects good business practice in terms of implementing an integrated risk management approach when considering any form of cloud opportunity. In particular, the importance of recognising that:
- the impact of risk is affected by the nature and characteristics of the cloud delivery model being considered (including the geographic location from which it will be deployed); and
- appropriate consideration of risk likelihood, consequence, tolerance, and potential mitigation can ultimately result in a decision which allows the expected value of cloud arrangements to be realised.
To strain the title of this note, and to take Joni Mitchell entirely out of context3, in short it is important to look at clouds from “both sides”.