[LINK] itNews: 'Govt cloud guides give mixed message'

Roger Clarke Roger.Clarke at xamax.com.au
Fri Nov 18 08:31:02 AEDT 2011

[The article below suggests that, at long last, people have taken a 
cold, hard look at cloud computing offerings, and found them to be 

Govt cloud guides give mixed message
John Hilvert, Mark Vincent
Nov 17, 2011 4:50 PM (15 hours ago)

Promoting cloud by making service terms commercially unviable.

The Australian Government Information Office (AGIMO) has launched 
three draft cloud guides that suggest any commitment to the cloud 
will come under strict conditions and using few providers. 

The guides cover privacy, legal requirements and financing a cloud 
project, bringing together relevant laws, policies and checklists.

The tone of the documents reflect a very reserved acceptance that 
cloud will become part of the Government's systems agenda.

The Privacy guide argues that cloud computing has the potential to 
enhance privacy rather than reduce it - and that privacy outcomes 
depend on how cloud is used.

However, debate on broader privacy risks seems to override the upbeat 
flavour of using cloud-based applications.

"If privacy issues cannot be adequately addressed, it would not be 
appropriate to transfer personal information, especially 'sensitive 
information', into the public cloud," the guide states.

The guide also uses the words "adequately" and "appropriate" several 
times, which could further hit hot buttons with risk-averse public 
sector agencies.

Short of storing or archiving material in the public domain, cloud is 
shaping as a no-go zone for many agencies and their hopes of 
innovating with new apps.

Uncommercial terms

The 18-page Legal primer reiterates the cautions in the privacy guide 
but combines these concerns with the significant security and 
sovereignty guidelines addressed by the Defence Signals Directorate 
(DSD), National Archives and access by the Auditor-General.

As well it argues for provisions in contracts that vendors and cloud 
service providers are likely to deem uncommercial, such as:
*   no exclusion for indirect and consequential losses (such as those 
that flow from data loss and misuse);
*   no limit to liability for breach of privacy, security or 
confidentiality obligations;
*   an indemnity from the provider in respect to data loss or misuse 
as a result of the negligent, illegal or wilfully wrong act or 
omission of the cloud provider or its personnel; and
*   a separate liability cap for data loss or misuse that is 
sufficiently high to cover potential liability arising from an 

Agencies are also recommended to take into account service level 
agreements, business continuity and exit clauses in service contracts.

Other aspects of the "Better Practice Guide" to negotiating contracts 
seem contrary to public cloud fundamentals such as a suggestion that 
"storage of data [take place] on specified hardware that is unique to 
the agency" and "restricting the locations/countries in which agency 
data may be held".

Some suggestions will be confronting for vendors, such as a right to 
audit and access premises where agency data is held and requirements 
for immediate notification of security intrusions or requests from 
foreign government agencies for access to data.

The few cloud providers ready to sign-off on these additional 
requirements will have to up their own insurance when considering 
pitching for government cloud business.

Accounting for cloud

The Financial guide reflects the change in expenditure type from 
capital to operational.

Where an agency brings forward a new expenditure proposal for 
Government approval, the accompanying business case should identify 
the extent of any capital investment for ICT or operating expenditure 
required and be reflected in ICT investment advice provided to AGIMO 
each year, the guide notes.

At odds?

The excessively cautious tone of the guides could also be at odds 
with separate moves being vigorously promoted by the Gillard 
Government to free up trade in cloud computing under the Trans 
Pacific Partnership Agreement.

Regional agreements assuring acceptable privacy protections for 
Australians and their data will facilitate free trade, through more 
ready access to regional public cloud solutions.

But privacy is one of the major regulatory barriers to deployment of 
public cloud.

Insisting on uncapped liability for privacy, security and 
confidentiality breaches and removing customary exclusions for 
consequential losses could throw a wet blanket on the willingness of 
cloud providers to do business with Australian Government agencies.

AGIMO has invited comments on the draft guides.

Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University

More information about the Link mailing list