DTA seeks to boost cloud adoption in Australian public sector through new strategy
Australia’s Digital Transformation Agency (DTA) has released a Secure Cloud Strategy for the Australian Government. The strategy replaces the Australian Government Cloud Computing Policy that was released in 2014. The new strategy focuses on helping government agencies use cloud more easily.
The Secure Cloud Strategy has been developed to guide Australian Government agencies beyond current business restrictions and to help them move towards a more agile method of service improvement. It focuses on preparing agencies for the shift to cloud and supporting them through the transition.
Barriers to cloud adoption
Cloud offers numerous well-known benefits: whole-of-government efficiencies, agility, interoperability across agencies, increased availability, freeing up resources to focus on business delivery rather than maintenance, and reducing unnecessary duplication of ICT investment. Despite these, several barriers remain to agencies realising their cloud aspirations. Research by DTA revealed that there is no common understanding of cloud for government and that government’s approach to cloud is siloed rather than collaborative. There is also a lack of confidence regarding how to meet compliance obligations. Moreover, cloud adoption may increase short-term costs, and the skills needed to harness the cloud opportunity are not widespread.
Issues were also identified on the industry side. Industry feedback revealed that Australian Government certification practices require significant investment, in terms of time and dollars, and companies find a significant gap between the initial investment and realised return. They also said that the Cloud Services Panel fails to keep up with the rapid release of cloud offerings. Moreover, ICT contract head agreements were found not to align well with the features, flexibility or nuance of cloud. Another obstacle is Capital Expenditure (CapEx)-focused funding models that do not align with the service model of the cloud.
Addressing the concerns
The new Strategy seeks to address the concerns mentioned above. It aims to lay the foundations for sustainable change, seizing opportunities to reduce duplication, enhance collaboration, improve responsiveness and increase innovation across the Australian Public Service.
DTA recommends that, in order to build capability, agencies should begin their cloud journeys with low complexity services and progressively mature their approach. Low complexity services do not contain any sensitive data, enabling rapid and straightforward transition to the cloud. Medium complexity services are expected to require some additional planning and migration effort for agencies but are often common services offered by the market (not bespoke). Legacy services are often high complexity and can be the most difficult and expensive to move to cloud. These are often bespoke and can hold significant volumes of sensitive data.
Under the Strategy, government agencies will develop their own cloud strategies, as there is no one-size-fits-all approach to implementing cloud. Agencies will use the Secure Cloud Strategy as a starting point to produce their own value case, workforce plan, best-fit cloud model and service readiness assessment.
Cloud implementation will be guided by seven Cloud Principles:
- Make risk-based decisions when applying cloud security, rather than just checking off compliance
- Design services for the cloud (design all new or modernised ICT services as cloud native or cloud enabled; where no suitable commercially provided cloud service is appropriate, agencies must design applications to be cloud-ready, maximising automation, portability and resilience)
- Use public cloud services as the default
- Use as much of the cloud as possible
- Avoid customisation and use cloud services as they come
- Take full advantage of cloud automation practices
- Monitor the health and usage of cloud services in real time (visibility of cloud usage and cloud health can enable agencies to control costs)
There are also plans to create a layered Cloud Certification Model. The certification model will create greater opportunity for agency-led certifications, rather than just ASD (Australian Signals Directorate) certifications. It creates a layered certification approach where agencies can certify using the practices already in place for certification of ICT systems.
The Strategy also clarifies that the Privacy Act does not prevent an Australian Privacy Principle (APP) entity from engaging a cloud service provider to store or process personal information overseas. The APP entity must comply with the APPs in sending personal information to the overseas cloud service provider, just as they need to for any other overseas outsourcing arrangement.
Another initiative is aligning service procurement with the ICT Procurement Review Recommendations. As cloud services move more rapidly than services available through panels traditionally do, the recommendations in the ICT Procurement Review align well with creating a better pathway for cloud procurement.
A cloud qualities baseline and assessment framework will be introduced to clarify cloud requirements. The cloud qualities baseline capability and assessment framework will enable reuse of assessments.
A Cloud Responsibility Model will be developed to clarify responsibilities and accountabilities, as traditional head agreements cannot cover all cloud services and their frequent variations. A shared capability for understanding responsibilities, supported by contracts, will address unique cloud risks, follow best practice and maintain provider accountability.
A cloud knowledge collaboration platform will be built. The platform will enable secure sharing of cloud service assessments, technical blueprints and other agency cloud expertise, to iterate on work already done rather than duplicating it.
Cloud skills uplift programs will be designed. These will increase government skills and competencies for cloud, aligned with the Australian Public Service Commission Digital Skills Capability Program, and create the pathways to leverage industry programs to enhance cloud-specific skills in the Australian Public Service.
Common shared platforms and capabilities will be explored, including a federated identity for government to enable better collaboration in the cloud and a platform for PROTECTED information management to reduce enclaves in agencies. Cloud.gov.au will continue to be reiterated as an exemplar platform. In addition, Service Management Integrations services could be developed to enable agencies to manage multi-provider services.
These platforms will include the integration toolkits that enable agencies to transition seamlessly between cloud services.
All the initiatives mentioned above will be supported through a DTA-led community of practice that will support agencies to plan and transition their environments for cloud. It will include delivering training and advice to agencies to build confidence in their ability to manage cloud services.
Access the DTA’s Secure Cloud Strategy here.