Mr Mark Dreyfus, the Australian government Attorney-General, has unveiled new guidelines requiring agencies to protect data in the cloud – especially for offshore and outsourcing arrangements.
A recently-released Protective Security Framework mandates comprehensive guidelines for agencies sourcing externally-hosted computing and data storage services.
Attorney-General, Mark Dreyfus, and Minister Assisting for the Digital Economy, Senator Kate Lundy, have jointly released this policy involving government’s use of cloud computing.
Managing off-shore arrangements
This policy ensures that agencies take full advantage of the opportunities enabled by cloud computing and the National Broadband Network. But they also need to maintain the privacy, security, integrity and availability of personal information.
Mr Dreyfus says a clearly-defined roadmap helps decision-makers assess when to allow the use of offshoring or outsourcing on a “case-by-case basis.”
Under new arrangements, information that does not require privacy protection can be stored and processed in outsourced and offshore arrangements. But this is only after an agency-level “risk assessment” is done.
Gaining ministerial approvals
Suitable approvals are needed for privacy-protected information. This can only be stored and processed in outsourced and offshore arrangements with pre-approvals.
These pre-approvals are given by a relevant portfolio minister and by the minister overseeing privacy and security of government information, in this case Mr Dreyfus.
Security classified information cannot be stored offshore unless it is in special locations (such as Australian Embassies) or under specific agreements.
Government holds considerable unclassified data which, subject to a risk assessment, can be stored in a public cloud. But this information requires privacy protection and stronger safeguards.
Protecting personal information
“I have paid special attention to the security of personal information, which people expect will be treated with the highest care by all organisations, but by government in particular,” adds Mr Dreyfus.
“Safeguards have been incorporated so that before personal information can be stored in the cloud, the approval of the minister responsible for the information, and my own approval as minister for privacy, must be given.”
Government is trusted to hold a great deal of information on citizens and business. Citizens expect their information is protected. “As much of our work is on-line, and technology is constantly evolving, we must regularly ensure we are continuing to meet our obligations in protecting the information given to us.”
Assessing security risks
A new cloud security policy helps agencies better assess privacy and security risks. “They can decide when cloud arrangements are suitable for their business needs.”
Safeguards ensure the government takes advantage of cloud computing to reduce storage costs and improve efficiency. But external storage and processing of data can only reside in securely-protected domains.
Current security guidelines build on the Australian government’s National Cloud Computing Strategy. This strategy was released in May 2013 by former minister for communications, Senator Stephen Conroy.
Government is an enthusiastic supporter of new technology such as cloud computing, notes Senator Kate Lundy.
“Cloud technology offers not just agility, flexibility and scalability, but also cost savings. In fact, cloud computing is fundamentally changing the way we think about communications technology.”
Senator Lundy adds that combined with rolling out a National Broadband Network, cloud computing has the potential to “revolutionise how we consume and use digital technology.”