[LINK] itNews: 'Govt cloud guides give mixed message'
Roger.Clarke at xamax.com.au
Fri Nov 18 08:31:02 AEDT 2011
[The article below suggests that, at long last, people have taken a
cold, hard look at cloud computing offerings, and found them to be
Govt cloud guides give mixed message
John Hilvert, Mark Vincent
Nov 17, 2011 4:50 PM (15 hours ago)
Promoting cloud by making service terms commercially unviable.
The Australian Government Information Office (AGIMO) has launched
three draft cloud guides that suggest any commitment to the cloud
will come under strict conditions and using few providers.
The guides cover privacy, legal requirements and financing a cloud
project, bringing together relevant laws, policies and checklists.
The tone of the documents reflect a very reserved acceptance that
cloud will become part of the Government's systems agenda.
The Privacy guide argues that cloud computing has the potential to
enhance privacy rather than reduce it - and that privacy outcomes
depend on how cloud is used.
However, debate on broader privacy risks seems to override the upbeat
flavour of using cloud-based applications.
"If privacy issues cannot be adequately addressed, it would not be
appropriate to transfer personal information, especially 'sensitive
information', into the public cloud," the guide states.
The guide also uses the words "adequately" and "appropriate" several
times, which could further hit hot buttons with risk-averse public
Short of storing or archiving material in the public domain, cloud is
shaping as a no-go zone for many agencies and their hopes of
innovating with new apps.
The 18-page Legal primer reiterates the cautions in the privacy guide
but combines these concerns with the significant security and
sovereignty guidelines addressed by the Defence Signals Directorate
(DSD), National Archives and access by the Auditor-General.
As well it argues for provisions in contracts that vendors and cloud
service providers are likely to deem uncommercial, such as:
* no exclusion for indirect and consequential losses (such as those
that flow from data loss and misuse);
* no limit to liability for breach of privacy, security or
* an indemnity from the provider in respect to data loss or misuse
as a result of the negligent, illegal or wilfully wrong act or
omission of the cloud provider or its personnel; and
* a separate liability cap for data loss or misuse that is
sufficiently high to cover potential liability arising from an
Agencies are also recommended to take into account service level
agreements, business continuity and exit clauses in service contracts.
Other aspects of the "Better Practice Guide" to negotiating contracts
seem contrary to public cloud fundamentals such as a suggestion that
"storage of data [take place] on specified hardware that is unique to
the agency" and "restricting the locations/countries in which agency
data may be held".
Some suggestions will be confronting for vendors, such as a right to
audit and access premises where agency data is held and requirements
for immediate notification of security intrusions or requests from
foreign government agencies for access to data.
The few cloud providers ready to sign-off on these additional
requirements will have to up their own insurance when considering
pitching for government cloud business.
Accounting for cloud
The Financial guide reflects the change in expenditure type from
capital to operational.
Where an agency brings forward a new expenditure proposal for
Government approval, the accompanying business case should identify
the extent of any capital investment for ICT or operating expenditure
required and be reflected in ICT investment advice provided to AGIMO
each year, the guide notes.
The excessively cautious tone of the guides could also be at odds
with separate moves being vigorously promoted by the Gillard
Government to free up trade in cloud computing under the Trans
Pacific Partnership Agreement.
Regional agreements assuring acceptable privacy protections for
Australians and their data will facilitate free trade, through more
ready access to regional public cloud solutions.
But privacy is one of the major regulatory barriers to deployment of
Insisting on uncapped liability for privacy, security and
confidentiality breaches and removing customary exclusions for
consequential losses could throw a wet blanket on the willingness of
cloud providers to do business with Australian Government agencies.
AGIMO has invited comments on the draft guides.
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University
More information about the Link