Australia’s public sector faces a wealth of challenges when it comes to digital innovation. Resource and talent shortages, coupled with a complex and fluid regulatory landscape, have meant that the adoption of cloud (as aligned with the Digital Transformation Agency’s Cloud Strategy) has historically moved more slowly than in the private sector.
That’s changing as agencies look to adopt more digital-first agendas. The NSW government is encouraging its agencies to adopt ‘public cloud-first’ strategies by 2023, while an audit of seven government agencies in South Australia reported that most planned to increase their use of cloud services within the next two years.
This acceleration is partially due to a pivot from strict government ‘control-based’ regulatory regimes towards an assessment of actual data risk, with controls applied based on those findings. This new approach is reflected in policies such as the Australian Cyber Security Centre’s (ACSC) Cloud Security Guidance, Information Security Manual and Essential Eight.
Implementing a risk-based approach to cloud security assessments gives agencies more flexibility in managing their workloads and data, and less need for the blanket security strategies that have traditionally protected everything in the same way by default.
This trend has accelerated during the COVID-19 pandemic, as agencies faced huge challenges in managing the rapid expansion of remote workforces. The pandemic required agencies to adopt cloud solutions such as Office 365 effectively overnight, with other digital demands like e-commerce and digital booking services becoming imperative.
It gave agencies an immediate business case that couldn’t be ignored: existing on-premises and remote access systems weren’t designed for the rapid increase in remote workers, and maintaining or expanding them was hampered by global supply shortages.
With many of these initial transformations complete, agencies have realised the value, scale and efficiencies that cloud services bring, and are now looking at other ways to digitally transform services and speed up their cloud adoption.
A few significant challenges remain. While the compliance landscape has shifted towards risk management, the sheer number of regulatory considerations is still staggering. In response, agencies and regulated industries often err on the side of caution, tending to over-assess or over-classify the data they wish to store, manage or handle within a cloud solution. This leads to a risk-averse approach that leans away from cloud innovation.
That attitude isn’t going to cut it in this new world, where citizens are demanding innovative digital services from government on par with what they get from the private sector. It’s important to change this thinking to spark further innovation within our public services and regulated industries. Here are two common myths that we see agencies acting on every day.
Myth 1: All data should be treated equally and hosted locally
Whilst the ACSC has done a great job of articulating a risk-based approach to assessing cloud services, many agencies (especially smaller ones) continue to struggle with the swathes of additional requirements outlined in various other pieces of legislation and policy.
This leads to an over-generalisation of data assessment and classification, with agencies applying strict controls to all data and insisting it is hosted onshore in a bid to maintain compliance and ‘data sovereignty’.
Agencies often needlessly host data* onshore, such as the operational metadata of cloud computing applications, despite no regulatory obligation to do so. Provided the agency’s own assessment confirms it, this kind of data contains no critical or citizen information and is required only for the provisioning and functioning of the service itself. Hosting it locally wastes resources and, in some cases, limits the functionality of applications that depend on interactions with the provider’s global service components across the internet to work efficiently. This in turn erodes the value, efficiencies and scale of cloud solutions.
As a first step, agencies must take advantage of publicly available tools to assess the protection requirements of their existing data and apply risk-based frameworks to govern its use. The Protective Security Policy Framework’s Business Impact Level assessment tools provide a toolkit for assessing your data, including which data should be marked ‘OFFICIAL’ or ‘OFFICIAL: Sensitive’ and which should be classified ‘PROTECTED’, ‘SECRET’ or ‘TOP SECRET’, with guidance on the controls appropriate to each level.
Once organisations begin to undertake business impact level assessments like these to better understand their data, where it’s located and what their risk appetite is, they can more effectively craft strategies that work within the confines of compliance regulation and manage risk, thus offering more room for innovation.
Myth 2: Public cloud is inherently unsafe
Despite presenting less of a risk to government and regulated industries than ever before, many agencies still inherently distrust public cloud services. This distrust is borne of a perception that the large public cloud service providers don’t apply appropriate security controls to “data” and host it offshore.
These cloud providers are now very mature, investing huge amounts in meeting security standards, undergoing Infosec Registered Assessors Program (IRAP) assessments in many cases, in addition to the plethora of other national and international certifications they hold. Where cloud-hosted services are still compromised, the cause usually sits on the customer’s side of the shared-responsibility line: weak boundary security (storage or administrative ports exposed to the internet) or misconfigured workloads, creating entry points for threat actors.
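To make the customer-side misconfigurations above concrete, here is an added example (not code from the article, and not any provider’s tooling) that checks two constructed inputs: a storage bucket policy written in the AWS IAM policy language, shown in its open form beside a restricted form, and a list of simplified security-group rules. All bucket names, account IDs, VPC endpoint IDs and IP ranges are made up for illustration.

```python
"""Constructed example: flag a world-readable bucket policy and network rules
that expose administrative ports to the whole internet. Inputs are made up."""
import json
from ipaddress import ip_network

ADMIN_PORTS = {22, 3389}  # SSH and RDP; extend to suit the environment

# Constructed bucket policy: the weak setting. An Allow to every principal
# with no Condition makes every object in the bucket readable from anywhere.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-agency-records/*",
    }],
})

# The corrected setting: same action, but limited to one named role and to
# requests arriving through a specific (hypothetical) VPC endpoint.
RESTRICTED_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcOnlyRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/records-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-agency-records/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})

# Constructed security-group rules (simplified shape): the boundary side.
SECURITY_GROUP_RULES = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]},      # public HTTPS: intended
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]},        # SSH from anywhere: bad
    {"protocol": "tcp", "from_port": 3389, "to_port": 3389, "cidrs": ["10.20.0.0/16"]},  # RDP from a corporate range only
    {"protocol": "-1", "from_port": 0, "to_port": 65535, "cidrs": ["::/0"]},            # all traffic from any IPv6 source: bad
]


def _principals(statement):
    """Flatten the Principal element ("*", or {"AWS": ...}) to a list of strings."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        out = []
        for value in principal.values():
            out.extend(value if isinstance(value, list) else [value])
        return out
    return []


def public_statements(policy_json):
    """Return the Sids of Allow statements that grant access to every principal
    with no Condition. A conditioned statement can still be too broad, so a
    real scanner would queue it for review rather than pass it silently."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    findings = []
    for index, statement in enumerate(statements):
        if statement.get("Effect") != "Allow":
            continue
        if "*" not in _principals(statement):
            continue
        if statement.get("Condition"):
            continue
        findings.append(statement.get("Sid", f"statement[{index}]"))
    return findings


def _is_world(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any source on the internet."""
    return ip_network(cidr, strict=False).prefixlen == 0


def open_admin_rules(rules):
    """Return indices of rules exposing an admin port (or all traffic) to the internet."""
    findings = []
    for index, rule in enumerate(rules):
        if not any(_is_world(cidr) for cidr in rule.get("cidrs", [])):
            continue
        if rule.get("protocol") == "-1":  # all protocols and ports
            findings.append(index)
            continue
        low, high = rule.get("from_port", 0), rule.get("to_port", 65535)
        if any(low <= port <= high for port in ADMIN_PORTS):
            findings.append(index)
    return findings


if __name__ == "__main__":
    print("public policy statements:", public_statements(PUBLIC_BUCKET_POLICY))
    print("restricted policy statements:", public_statements(RESTRICTED_BUCKET_POLICY))
    print("rules exposing admin ports:", open_admin_rules(SECURITY_GROUP_RULES))
```

Run against the constructed inputs, the open policy is reported and the restricted one is not, and the two rules that leave SSH or everything reachable from any address are flagged while the public HTTPS rule and the corporate-only RDP rule are left alone. The providers’ own tooling (access analysers, configuration rules) performs these checks at scale; the point of the example is that they are the customer’s responsibility regardless of how mature the platform is.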
That doesn’t mean public cloud risk doesn’t exist, but agencies shouldn’t avoid public cloud services by default, as they offer some of the industry’s best and most robust applications and services. Where risk is still a concern, government agencies should consider hosting these workloads in virtual private cloud environments, which allow agencies to continue using public cloud infrastructure while keeping the workload in a more tightly controlled and secure network environment.
In such environments the software runs on network segments that the agency isolates and administers, and the workloads can be pinned to Australian regions so that data is stored in Australian data centres to satisfy residency and compliance requirements. The underlying infrastructure is still the provider’s, so the agency’s configuration remains its own responsibility.
Building a new world of government services
The pandemic, along with a shift to more risk-based compliance, has influenced a significant acceleration in public-sector digital transformation, to the point where Australia leads the way in some respects. We’re one of the first countries to recognise – through amendments to the Security of Critical Infrastructure Act currently passing through parliament – cloud services as critical infrastructure, with a risk-based approach to identifying which of those need to be registered as critical assets.
These are important developments in a world where cloud-based digital transformation is becoming an essential part of delivering cutting-edge public services. Agencies must apply risk-based considerations and assess each workload with nuance; doing so will allow them to build services that drive real outcomes for citizens and realise efficiencies for government.
* The legislation adopts the definition of ‘data’ given in the Privacy Act 1988.