Date:
25 June 2018
Author:
Salsa Digital

About the Strategy

In February 2018, the Secure Cloud Strategy replaced the Australian Government Cloud Computing Policy. This followed the December 2016 shift in ‘ownership’ of cloud for government from the Department of Finance to the Digital Transformation Agency (DTA).

The DTA says: “The new strategy focuses on helping government agencies use cloud more easily.”

The Secure Cloud Strategy

The Secure Cloud Strategy opens (in the executive summary) by addressing the why, citing faster delivery, continuous improvement cycles and less time spent on maintenance as key reasons government should adopt the cloud. The Strategy also recognises the roadblocks, including a lack of internal knowledge and skills, a lack of agency-wide buy-in, and old operating models. It sets out to provide a support model for wider adoption of the cloud.

The second section of the Strategy document addresses the why in more detail — why cloud is a good model for government agencies and something the public sector needs to embrace. This section covers key benefits including:

  • Agility — ability to scale up and down quickly and easily, and access to the latest technological advances.

  • Operational effectiveness — allowing resources to shift focus from maintenance to improved service delivery.

  • Visibility — delivering real-time monitoring and a more visible environment.

The Strategy then moves on to specific opportunities for the Australian public sector, illustrated in a visual on page 7. The barriers (within government and industry) are then discussed in a little more detail before the document moves on to the overall strategy.

The strategy

The strategy section kicks off with the importance of security — assuring citizens and agencies that the government cloud is “secure, accurate and reliable”. The DTA does not see the strategy, or cloud itself, as a single whole-of-government platform, but rather as a foundation for how government can adopt cloud across multiple services. Before moving on to the actual principles, the strategy notes the need for a community that can guide best practice.

The principles

The strategy presents seven principles that should be followed. The principles are:

  1. Make risk-based decisions when applying cloud security — decisions should be based on a risk assessment that applies the relevant security policy, rather than on a compliance ‘checklist’.

  2. Design services for the cloud — because of the many benefits, agencies must use cloud services for new services wherever possible, and must design applications as cloud native or cloud-enabled, in line with the definitions used by the National Institute of Standards and Technology (NIST).

  3. Use public cloud services as the default — agencies should use public cloud services where possible, ensuring the service meets the necessary security requirements.

  4. Use as much of the cloud as possible — agencies should use the cloud as much as possible or develop cloud-enabled services.

  5. Avoid customisation and use services ‘as they come’ — services should be configured rather than custom-built, to preserve agility.

  6. Take full advantage of cloud automation practices — agencies should make the most of cloud automation to minimise the effort required to “provision, configure, backup, restore, patch, update and deploy services.”

  7. Monitor the health and usage of services in real time — agencies should: use cloud metrics to support their needs; control costs through scaling on demand; and monitor the health of cloud services.

The DTA document stresses that these principles should be followed, but that because each agency is unique, each agency will have its own needs. This leads to the Secure Cloud Strategy’s first initiative.

The initiatives

Initiative 1: Agencies must develop their own cloud strategy — the DTA is supporting agencies in the development of their individual cloud strategies through the community of practice.

The document then moves on to frameworks and practices, looking first at the cloud-certification model. The Strategy highlights the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM) as two key documents and discusses the complexity of security considerations for the cloud.

The Australian Signals Directorate (ASD) is the certification authority for cloud and maintains the Certified Cloud Services List (CCSL) — we recently blogged about questions around the accreditation process. The DTA Strategy notes that the ASD doesn’t have the resources to evaluate every cloud service government agencies may wish to use, and recommends that agencies commission independent assessments under the Information Security Registered Assessors Program (IRAP).

This leads to Initiative 2: Implement a layered certification model — using the IRAP process to assess services and sharing those assessments through a common framework, so that agencies can reuse each other’s work and reduce the burden on the ASD.

Next, the Secure Cloud Strategy addresses the current Cloud Services Panel, highlighting problems with the existing arrangement. To address these issues, the document sets out Initiative 3: Redevelop the Cloud Services Panel in line with the procurement recommendations, creating a new procurement pathway that better supports cloud commodity purchases. The aim is to streamline the process so government agencies can access innovative cloud solutions quickly and easily.

Initiative 4 is to Create a dashboard to show service status for adoption, compliance status, and services panel status and pricing. This initiative is intended to improve transparency around government adoption of cloud services.

The DTA Strategy also includes a new Cloud Common Assessment Framework to increase collaboration and to better understand the compliance issues around cloud services beyond general ‘security’ compliance. Page 23 of the Strategy includes a flow chart showing how the Framework feeds into the Cloud Services Panel.

Initiative 5 is to Create and publish cloud service qualities baseline and assessment capability. This initiative is to assess new and existing cloud services and make the assessments available across government.

From here the document moves on to responsibilities, stressing the need for clear delegation of responsibilities between the agency and the provider, especially around risk mitigation and the “accountability for management, security and integrity”. The document emphasises the need to tie those responsibilities to more flexible contracts. This is covered by Initiative 6: Build a cloud responsibility model supported by a cloud contracts capability.

Initiative 7, Establish a whole-of-government cloud knowledge exchange, is about knowledge sharing and collaboration across agencies. It involves building a platform where government agencies can share information.

To address in-house skills, the Strategy recommends building public sector skills around cloud services. This is covered by Initiative 8: Expand the Building Digital Capability program to include cloud skills. This initiative also recommends looking at industry training to boost skills.

The document then looks at cloud.gov.au, stressing that while it’s a fully supported environment for agencies to use, it’s “not a single cloud platform for all government cloud use.” In fact, the Strategy specifically states that there should not be one single cloud platform for government.

Finally, the Strategy document looks at platforms that will be investigated because they can help cloud adoption and collaboration. These include:

  • Federated access management — managing user access in a central location.

  • PROTECTED collaboration — taking up the opportunity to collaborate and access information in a PROTECTED environment through a common, shared platform.

  • Integrated Service Management — building best practices for monitoring services across multiple cloud providers through the development of toolkits, reporting and integration capabilities.

A bit more info on cloud.gov.au

Cloud.gov.au is covered only briefly in the Secure Cloud Strategy, so we thought it would be useful to add some context here. Cloud.gov.au is built on the open source Cloud Foundry platform and gives government agencies a secure place to run web apps, with a faster and safer way to change or update those apps. Changes are delivered through a fully automated, continuous delivery pipeline. You can find out more in the cloud.gov.au documentation.

Salsa Digital’s take

The cloud is a fantastic tool, and something we've been committed to for some time now. In fact, it was a key part of our journey to GovCMS. The cloud delivers big benefits, and it’s great to see government and the DTA paving the way for greater adoption across the Australian public sector.
