Cloud Computing in the Victorian Public Sector
AIIA response, July 2015
39 Torrens St Braddon ACT 2612 Australia
T 61 2 6281 9400 E info@aiia.com.au W www.aiia.com.au
Page 1 of 9 17 July 2015
Contents
1. Introduction ... 3
1.1 About AIIA ... 3
1.2 Submission Overview ... 3
2. Key considerations before cloud adoption ... 4
2.1 Any standards or guidelines on cloud computing should be consistent with existing national and international approaches ... 4
2.2 Government maintain a cloud service provider certification list to streamline risk assessment processes and reduce administrative burden and cost ... 4
2.3 Benefits of cloud computing should not be forgotten in the context of risk assessment ... 4
2.4 Risk assessment gaps that should be addressed ... 5
3. Key Considerations after Cloud Adoption ... 6
3.1 Standardisation ... 6
3.2 The Government develop clear incident handling guidelines ... 6
4. Attachment A: Compendium of major cloud computing resources ... 8
1. Introduction

1.1 About AIIA

The Australian Information Industry Association (AIIA) is the peak national body representing Australia's information technology and communications (ICT) industry. Since its establishment 35 years ago, the AIIA has pursued activities aimed at stimulating and growing the ICT industry, creating a favourable business environment for our members and contributing to the economic imperatives of our nation. Our goal is to create a world class information, communications and technology industry delivering productivity, innovation and leadership for Australia.

We represent over 400 member organisations nationally, including hardware, software, telecommunications, ICT service and professional services companies. Our membership includes global brands such as Apple, EMC, Google, HP, IBM, Intel, Microsoft, PWC, Deloitte, EY and Oracle; international companies including Telstra and Optus; national companies including Data#3, SMS Management and Technology, TechnologyOne and Oakton Limited; and a large number of ICT SMEs.

1.2 Submission Overview

The AIIA appreciates the opportunity to provide comments on this important issue. This submission addresses the government's discussion paper on Cloud Computing in the Victorian Public Sector in two parts.

The first part looks at key considerations before cloud adoption. AIIA recommends:
- Any additional standards or guidelines on cloud computing should be consistent with existing national and international approaches (see Attachment A);
- Government adopt a cloud service provider certification process to streamline risk assessment processes and reduce administrative burden and cost. AIIA highlights jurisdictions already adopting this practice; and
- Benefits of cloud computing should not be forgotten in the context of risk assessment.

The second part of this submission looks at key considerations after cloud adoption. AIIA recommends:
- The government develop clear incident handling guidelines. This should be done through appropriate industry consultation and engagement. AIIA identifies similar guidelines already in place.
- The government develop standard contract terms and conditions for cloud computing through appropriate consultation and engagement with industry.

While AIIA supports the need for guidelines to support procurement of cloud services, we strongly advocate that these do not create unnecessary barriers to the take-up of services that provide a secure and cost-efficient alternative to traditional ICT operational and support models.
2. Key considerations before cloud adoption

2.1 Any standards or guidelines on cloud computing should be consistent with existing national and international approaches

There are a number of standards and guidelines on cloud computing already available across Australia and internationally. Consistency and harmonisation must therefore be a priority for any additional standards or guidelines. This is particularly important given the global nature and reach of cloud computing. AIIA has identified several resources available nationally and internationally on cloud computing that the government may find useful. See Attachment A.

2.2 Government maintain a cloud service provider certification list to streamline risk assessment processes and reduce administrative burden and cost

Some jurisdictions have created specific certification programs to provide a standardised approach to secure storage of government information in the cloud. For example, at the Commonwealth level, the Australian Signals Directorate (ASD) is conducting certification activities that all government agencies can leverage, through the Information Security Registered Assessors Program (IRAP). This program gives government agencies a higher level of confidence when undertaking cloud service procurements and helps standardise government expectations of service providers.

In the US, the Federal Risk and Authorization Management Program (FedRAMP) provides a baseline to initiate, review, grant and revoke security authorisations for cloud services used by government agencies. Similarly, in the UK cloud services can receive Pan Government Accreditation status, confirming that they meet certain security requirements for the storage of government information. The UK has also established G-Cloud frameworks for government procurement of cloud services and CloudStore, an online marketplace to facilitate the procurement of cloud services by government agencies. A similar model could be adopted by the Victorian Government.
Although agencies will have different needs and therefore different risks, a certification program will ensure a baseline for protecting government information. Agencies with unique or additional risk mitigation requirements can deal with those issues separately. This will help streamline the risk assessment process and minimise administrative burden and cost for both government and the cloud service provider.

2.3 Benefits of cloud computing should not be forgotten in the context of risk assessment

While it is important that the discussion paper provide detail on how to identify and assess risk when adopting cloud technology, it is equally important that the paper weigh the benefits against the risks, and there are many benefits. Due to its inherent characteristics, cloud computing brings important benefits to organisations. One benefit is the rapid elasticity of computing resources. Organisations can rapidly acquire or relinquish computing resources according to their needs. They do not have to perform costly and time-intensive upgrades of their own infrastructure, nor do they have to plan the provision of those resources in advance, because they have quasi-infinite access to computing resources in the cloud.
A further important benefit is the potential reduction of IT costs. On the consumer side, cost reductions from cloud computing result from the fact that traditional corporate IT infrastructure is in most instances underutilised due to over-provisioning: capacity must be provided to handle data peaks, future expected loads and unanticipated growth in demand. On the provider side, cost reductions are achieved through the increased efficiency of the data centres run by cloud computing providers (e.g. through economies of scale). Due to their global scale and their ability to aggregate the demand of multiple users, especially in public clouds, providers have much lower operating costs than companies that operate their own IT infrastructure.

Another important benefit is the shift of IT expenditure from capital expenditure to operating expenditure, which has an important impact on organisations' investment capacity in the medium and long run. Users of cloud services do not have to build up their own server infrastructure, nor do they have to invest large amounts of capital in IT infrastructure and software as in the past. Investment in IT infrastructure is thus reduced significantly. Leveraging their purchasing power, agencies can also drive common standards and achieve secure cloud service solutions at a lower cost. In addition, cloud services improve the responsiveness, flexibility and agility of agencies and in doing so enable more responsive service delivery.

2.4 Risk assessment gaps that should be addressed

AIIA supports the use of a risk assessment tool to determine the suitability of cloud technology. Overall, AIIA considers that risk assessments should not be a pass/fail exercise and that one size does not fit all. The primary question is the purpose and function of the cloud service.
For completeness, additional areas of consideration should include:
- Physical security of data centres needs to be taken into account. Currently there is a lack of consistency in physical security practices;
- The paper appears to advocate a risk assessment per project. AIIA recommends a streamlined certification process or, at a minimum, a risk assessment per cloud service model type to reduce duplication;
- Privacy around financial records for credit card transactions. Although the discussion paper addresses privacy for record keeping generally, financial transactions can be subject to additional obligations and therefore specific guidance may be required;
- The government could also better leverage self-assurance, such as putting in place regular meetings to discuss issues. This would also help the parties better understand their respective needs and risks.
3. Key Considerations after Cloud Adoption

3.1 Standardisation

In our view there is an opportunity for the risk assessment process for cloud procurements to more explicitly leverage globally recognised ISO international standards. These include ISO 27001 for information security management, ISO 31000 for risk management and ISO/IEC 27018 for the protection of personally identifiable information in public clouds. The ISO 27000 range of standards has become the generally accepted standard for cloud services; it is aligned with industry and government practice and is typically what purchasers and end users require of cloud service providers. Taken together, these standards cover the requisite governance, physical, information and personnel controls and management processes appropriate to cloud services. Our members, along with the Australian government, have been active participants in the development of these standards through Standards Australia's ISO committee JTC1/SC27.

Adoption of the ISO 27000 range of standards would help ensure that the processes and information management related to these services meet a consensus international baseline. It would streamline assurance and procurement processes and minimise the burden of local compliance requirements on international cloud service providers, while enabling domestic cloud service providers to offer their solutions to a global market more effectively.

We also support the use of a centralised cloud procurement model similar to the approaches adopted by the Commonwealth and NSW governments. A similar centralised approach has been adopted by the UK G-Cloud framework. The model incorporates:
- A centralised method of vendor qualification, incorporating assurance checks, framework agreements and security accreditation as required;
- The ability of Government to set the terms of engagement, ensuring policy considerations are incorporated;
- Standardised solution category definitions, i.e. Infrastructure as a Service, Software as a Service etc., or alternative category methodologies capturing more specific components such as data centres, network management, server management, end-user computing etc.

The advantage of a centralised approach is that it provides a transparent, standardised framework that can be used by all agencies. AIIA believes this level of guidance and support will build the confidence of agencies to take up cloud services and provide Government with an appropriate level of control and additional risk mitigation.

Through appropriate consultation and engagement with industry, standardised terms and conditions would provide a general position and proposed remedies on common legal issues arising out of cloud computing agreements. AIIA is willing and able to assist the government in this process. AIIA has worked closely with several State Governments to develop appropriate procurement guidelines and standardised contractual arrangements for as-a-service / cloud services.

3.2 The Government develop clear incident handling guidelines

As incidents are a high-profile concern for both government and the cloud service provider, it is vital to have clear guidelines on what needs to happen should an incident occur. These should be developed through appropriate industry consultation and engagement. To this end, "incident" needs to be defined and monitoring tools need to be in place to enable tracking of what occurred. Importantly, any guideline must define roles and responsibilities, not just of the cloud service provider but also of the department.
The Queensland government has already adopted something similar with its Information Security Incident Management Guideline, although this is not cloud specific. Similarly, the Commonwealth ASD, in its cloud computing security guides, recommends implementing and annually testing an incident response plan covering data spills, electronic discovery, and how to obtain and analyse evidence, e.g. time-synchronised logs, hard disk images, memory snapshots and metadata. It references Securosis' Cloud Forensics 101 [1], which outlines how to track what occurred. AIIA would be happy to provide industry perspective input into an incident handling consultation process.

[1] https://securosis.com/blog/cloud-forensics-101
4. Attachment A: Compendium of major cloud computing resources

Australian Commonwealth Government

The National Cloud Computing Strategy
Developed in partnership between government, industry and consumer groups, the Strategy outlines a vision for cloud computing in Australia and provides a range of useful guidelines in support of the implementation and use of cloud computing services.

Australian Government Data Centre Strategy 2010-2025
Aims to improve and optimise government use of data centre facilities over a fifteen-year period through the aggregation and standardisation of entities' data centre requirements via the Data Centre Facilities Panel. The strategy identifies a number of trigger points, such as asset refresh cycles, end of outsourcing contracts, end of life for a data centre, or expansion of data centre capacity, that place mandatory obligations on entities to use the Data Centre Facilities Panel. Entities considering infrastructure cloud services such as Infrastructure and Platform as a Service (IaaS and PaaS) are advised to contact the Data Centres team at datacentres@finance.gov.au.

Protective Security Policy Framework
The Protective Security Policy Framework provides a whole-of-government approach to the way the Australian Government protects its people, information and physical assets. The policy is the Government's principal document outlining entities' mandatory obligations for the protection of information, including the management of security risks associated with electronic data transmission, aggregation and storage.

Information Security Manual
The Information Security Manual is part of the Protective Security Policy Framework, providing a principles- and risk-based approach to the security of government information and communications technology systems. The manual articulates mitigating strategies and processes for entities to reduce the security risks to the Government's information assets.

ICT Customisation and Bespoke Development Policy
The ICT Customisation and Bespoke Development Policy aims to reduce the percentage of customised and bespoke ICT solutions across government. The policy places a mandatory obligation on entities to consider existing government or commercial off-the-shelf ICT solutions, such as cloud services.

Standards
The Australian Government is contributing to the development of international cloud standards via its work with Standards Australia on the Joint Technical Committee 1 SC27 and SC38 programs of work.

Other Australian States and Territories

NSW

NSW Government Cloud Services Policy and Guidelines
Provides guidance to agencies about key considerations to be aware of when evaluating cloud services.

General authority for transferring records out of NSW for storage with or maintenance by service providers based outside of the State
This general authority gives approval for the transfer of records outside of NSW for storage with or maintenance by service providers based outside the State. However, this permission is given on the condition that an appropriate risk assessment has been made and the records are managed in accordance with all the requirements applicable to State records under the State Records Act 1998.

Queensland

ICT-as-a-service policy
Provides that Departments adopt an ICT-as-a-service strategy and source ICT services, in particular commoditised services, from industry providers in a contestable market where this is feasible and represents value for money.

Cloud Computing Implementation Model
An addendum to the ICT Strategy, the model states that the preferred option is to use a cloud-based solution for all future information and communication technology (ICT) investments.