Sovereignty key to hosting strategy
Policy shift: The new hosting strategy is more nuanced about how cloud services should be applied in government
The Whole-of-Government Hosting Strategy released last week is a much more substantial document than its slim 17 pages suggest.
Indeed, it seems to flag some significant shifts in thinking about the digital transformation agenda.
In several respects, the Hosting Strategy charts a path quite different from the UK vision of the early 2000s, which heavily inspired former Prime Minister Malcolm Turnbull.
The UK’s Government Digital Service pushed a narrow definition of ‘cloud’ within government, and regarded with suspicion measures to mandate security standards, claiming they were used as an excuse by agencies to avoid change.
While the UK has quietly walked back from this position on security recently, there is no doubt the GDS rhetoric was highly influential in Australia at the birth of our Digital Transformation Office and, now, Agency.
The Hosting Strategy, however, presents a more nuanced picture of the future architecture of Federal Government ICT, and one that looks more consistent with the hybrid IT model that has emerged in the corporate sector.
As the hype cycle about public cloud has flattened out in recent years, the private sector has become much clearer about what works, what doesn’t work and what is a sensible and cost-effective model of organising ICT assets.
In short, it is a combination of public and private cloud, hosted assets and even some retained legacy in-house IT infrastructure.
The Hosting Strategy implies a similar picture for the Federal Government. It quotes Gartner research predicting government spending growth of 17 percent a year to 2021 on public cloud, but sees this outstripped by private cloud spending growing at twice the pace.
At one level, this is simply a recognition of reality.
But it also speaks to a growing sophistication in government about how to practically piece together the old and the new in ways that meet the specific needs of government.
Chief among those needs is security. The strategy explicitly elevates the importance of building public trust in how the government handles citizens’ data, and the high standards the community expects governments to apply.
The strategy notes that even data deemed “Unclassified” for security purposes “may become sensitive due to changed community expectations or as a result of data aggregation”. That is, depending on where it sits and who can see it.
This thinking underpins the proposed new system of classifying data centres.
Those proposed classifications emphasise the importance of protecting sovereignty over Australians’ data by placing conditions on ownership and control and/or requiring compensation payments if the Government chooses to move data when control changes.
This is another area where there has been a quiet revolution.
Only a few years ago, the idea that there was a case for maintaining data onshore and under the control of Australians was dismissed by many as terribly old-fashioned.
Governments and businesses around the world have been stung by unforeseen consequences of taking too relaxed an attitude to the issue.
- There has been the rising concern, led by Australian and US governments, about networking and data storage infrastructure sourced from countries that do not share our democratic values.
- There has been the acquisition of control of data centres storing sensitive Australian government data by Chinese investors.
- There have been nasty shocks suffered by government and business exposing the unappreciated risks of opaque supply chains, such as the global Operation Cloudhopper attacks, which targeted managed service providers to access the data of their customers.
- Europe moved to protect the data of individuals through the General Data Protection Regulation, and in some circumstances, extended the rights of European residents to data held outside the EU.
- And there has been the backlash against the MyHealth record, which saw millions of Australians demonstrate a lack of trust and confidence in the ability of the Government to keep their personal information safe.
There have even been comments from Microsoft that its customers are not comfortable sending their data to Australia because of provisions of the Assistance and Access Act that allow law enforcement agencies to access data in the course of investigations.
These comments confirm an increasing awareness of, and sensitivity to, the reach of national laws, even among those who in the recent past dismissed these concerns.
Understandably, the hosting strategy did not get much attention ahead of the budget and expected firing of the election campaign starting gun. It is to be hoped discussion resurfaces when the election season is over.
Aidan Tudehope is the Managing Director of Macquarie Government