Australia’s Digital Transformation Agency (DTA) has released the Secure
Cloud Strategy for the Australian Government. The strategy replaces the
Government Cloud Computing Policy that was released in 2014. The new
strategy focuses on helping government agencies use cloud more easily.
The Secure Cloud Strategy has been developed to guide Australian
Government agencies beyond current business restrictions and to help them move
towards a more agile method of service improvement. It focuses on preparing
agencies for the shift to cloud and supporting them through the
Barriers to cloud
Despite the numerous well-known benefits of cloud, such as whole-of-government
efficiencies, agility, interoperability across agencies, increased
availability, freeing up resources to focus on business delivery rather than
maintenance, and reducing unnecessary duplication of ICT investment, several barriers
remain to agencies realising their cloud aspirations. Research by DTA revealed that
there is no common understanding of cloud for government and that government’s
approach to cloud is siloed rather than collaborative. There is also a lack of
confidence regarding how to meet compliance obligations. Moreover, cloud
adoption may increase short-term costs, and the skills needed to harness the
cloud opportunity are not widespread.
Issues were also identified on the industry side. Industry
feedback revealed that Australian Government certification practices require
significant investment, in terms of time and dollars, and companies find a
significant gap between the initial investment and realised return. They also
said that the Cloud Services Panel fails to keep up with the rapid release of
cloud offerings. Moreover, ICT contract head agreements were found not to align
well with the features, flexibility or nuance of cloud. Another obstacle is Capital
Expenditure (CapEx)-focused funding models that do not align with the service
model of the cloud.
The new Strategy seeks to address the concerns mentioned
above. It aims to lay the foundations for sustainable change, seizing
opportunities to reduce duplication, enhance collaboration, improve
responsiveness and increase innovation across the Australian Public Service.
DTA recommends that in order to build capability, agencies
should begin their cloud journeys with low complexity services, and
progressively mature their approach. Low complexity services do not contain any
sensitive data, enabling rapid and straightforward transition to the cloud. Medium complexity services are expected to require some additional planning and migration effort for agencies but are often common services offered by the market (not bespoke). Legacy services are often high complexity and can be the most difficult and expensive to move to cloud. These are often bespoke and can hold significant volumes of sensitive data.
Under the Strategy, government agencies will develop their
own cloud strategies, as there is no one-size-fits-all approach to implementing
cloud. Agencies will use the Secure Cloud Strategy as a starting point to
produce their own value case, workforce plan, best-fit cloud model and service
Cloud implementation will be guided by seven Cloud
- Make risk-based decisions when applying cloud security, rather
than just checking off compliance
- Design services for the cloud (design all new or modernised
ICT services as cloud native or cloud enabled; where no suitable
commercially provided cloud service is appropriate, agencies must design
applications to be cloud-ready, maximising automation, portability and
- Use public cloud services as the default
- Use as much of the cloud as possible
- Avoid customisation and use cloud services as they come
- Take full advantage of cloud automation practices
- Monitor the health and usage of cloud services in real time
(visibility of cloud usage and cloud health can enable agencies to control
There are also plans to create a layered Cloud Certification
Model. The certification model will create greater opportunity for agency-led
certifications, rather than just ASD (Australian
Signals Directorate) certifications. It creates a layered certification
approach where agencies can certify using the practices already in place for
certification of ICT systems.
The Strategy also clarifies that the Privacy Act does not
prevent an Australian Privacy Principle (APP) entity from engaging a cloud
service provider to store or process personal information overseas. The APP
entity must comply with the APPs in sending personal information to the
overseas cloud service provider, just as they need to for any other overseas
Another initiative is aligning service procurement with the ICT
Procurement Review Recommendations. As cloud services move more rapidly
than services available through panels traditionally do, the recommendations in
the ICT Procurement Review align well with creating a better pathway for cloud
A cloud qualities baseline and assessment framework will be
introduced to clarify cloud requirements. The cloud qualities baseline
capability and assessment framework will enable reuse of assessments.
A Cloud Responsibility Model will be developed to clarify
responsibilities and accountabilities, as traditional head agreements cannot
cover all cloud services and their frequent variations. A shared capability for
understanding responsibilities, supported by contracts, will address unique
cloud risks, follow best practice and maintain provider accountability.
A cloud knowledge collaboration platform will be built. The
platform will enable secure sharing of cloud service assessments, technical
blueprints and other agency cloud expertise, to iterate on work already done
rather than duplicating it.
Cloud skills uplift programs will be designed. These will increase
government skills and competencies for cloud, aligned with the Australian Public
Service Commission Digital Skills Capability Program, and create the pathways to
leverage industry programs to enhance cloud-specific skills in the Australian
Common shared platforms and capabilities will be explored
including a federated identity for government to enable better collaboration in
the cloud and a platform for PROTECTED information management to reduce
enclaves in agencies. Cloud.gov.au will continue to be reiterated as an exemplar
platform. In addition, Service Management Integrations services could be
developed to enable agencies to manage multi-provider services.
These platforms will include the integration toolkits that
enable agencies to seamlessly transition between the cloud services.
All the initiatives mentioned above will be supported
through a DTA-led community of practice that will support agencies to plan and
transition their environments for cloud. It will include delivering training
and advice to agencies to build confidence in their ability to manage cloud
Access the DTA’s Secure Cloud Strategy here.