[LINK] itNews: 'Govt cloud guides give mixed message'

Richard Chirgwin rchirgwin at ozemail.com.au
Fri Nov 18 08:55:24 AEDT 2011

I really can't understand why the following are considered "confronting":

- "Customer inspection of facilities." Most providers invite this for 
customers, sometimes under NDA, sometimes not.
- "Immediate notification of security breaches." Any significant 
customer should expect this.
- Notification of foreign governments' requests for access to data. 
Yeah, like that should happen without notification.
- Onshore storage: not at all challenging, given that there's a dozen or 
so local cloud providers' data centres already on the panel.


On 18/11/11 8:31 AM, Roger Clarke wrote:
> [The article below suggests that, at long last, people have taken a
> cold, hard look at cloud computing offerings, and found them to be
> wanting.]
> Govt cloud guides give mixed message
> John Hilvert, Mark Vincent
> Nov 17, 2011 4:50 PM (15 hours ago)
> http://www.itnews.com.au/News/279980,govt-cloud-guides-give-mixed-message.aspx
> Promoting cloud by making service terms commercially unviable.
> The Australian Government Information Office (AGIMO) has launched
> three draft cloud guides that suggest any commitment to the cloud
> will come under strict conditions and using few providers.
> http://agimo.govspace.gov.au/2011/11/14/cloud-computing-draft-better-practice-guides/
> The guides cover privacy, legal requirements and financing a cloud
> project, bringing together relevant laws, policies and checklists.
> The tone of the documents reflects a very reserved acceptance that
> cloud will become part of the Government's systems agenda.
> The Privacy guide argues that cloud computing has the potential to
> enhance privacy rather than reduce it - and that privacy outcomes
> depend on how cloud is used.
> http://agimo.govspace.gov.au/files/2011/11/Cloud-Privacy-Draft-Better-Practice-Guide-November-2011.pdf
> However, debate on broader privacy risks seems to override the upbeat
> flavour of using cloud-based applications.
> "If privacy issues cannot be adequately addressed, it would not be
> appropriate to transfer personal information, especially 'sensitive
> information', into the public cloud," the guide states.
> The guide also uses the words "adequately" and "appropriate" several
> times, which could further hit hot buttons with risk-averse public
> sector agencies.
> Short of storing or archiving material in the public domain, cloud is
> shaping as a no-go zone for many agencies and their hopes of
> innovating with new apps.
> Uncommercial terms
> The 18-page Legal primer reiterates the cautions in the privacy guide
> but combines these concerns with the significant security and
> sovereignty guidelines addressed by the Defence Signals Directorate
> (DSD), National Archives and access by the Auditor-General.
> http://agimo.govspace.gov.au/files/2011/11/Cloud-Legal-Draft-Better-Practice-Guide-November-2011.pdf
> As well it argues for provisions in contracts that vendors and cloud
> service providers are likely to deem uncommercial, such as:
> *   no exclusion for indirect and consequential losses (such as those
> that flow from data loss and misuse);
> *   no limit to liability for breach of privacy, security or
> confidentiality obligations;
> *   an indemnity from the provider in respect to data loss or misuse
> as a result of the negligent, illegal or wilfully wrong act or
> omission of the cloud provider or its personnel; and
> *   a separate liability cap for data loss or misuse that is
> sufficiently high to cover potential liability arising from an
> occurrence.
> Agencies are also recommended to take into account service level
> agreements, business continuity and exit clauses in service contracts.
> Other aspects of the "Better Practice Guide" to negotiating contracts
> seem contrary to public cloud fundamentals such as a suggestion that
> "storage of data [take place] on specified hardware that is unique to
> the agency" and "restricting the locations/countries in which agency
> data may be held".
> Some suggestions will be confronting for vendors, such as a right to
> audit and access premises where agency data is held and requirements
> for immediate notification of security intrusions or requests from
> foreign government agencies for access to data.
> The few cloud providers ready to sign-off on these additional
> requirements will have to up their own insurance when considering
> pitching for government cloud business.
> Accounting for cloud
> The Financial guide reflects the change in expenditure type from
> capital to operational.
> http://agimo.govspace.gov.au/files/2011/11/Cloud-Financial-Draft-Better-Practice-Guide-AGIMO-Blog.pdf
> Where an agency brings forward a new expenditure proposal for
> Government approval, the accompanying business case should identify
> the extent of any capital investment for ICT or operating expenditure
> required and be reflected in ICT investment advice provided to AGIMO
> each year, the guide notes.
> At odds?
> The excessively cautious tone of the guides could also be at odds
> with separate moves being vigorously promoted by the Gillard
> Government to free up trade in cloud computing under the Trans
> Pacific Partnership Agreement.
> Regional agreements assuring acceptable privacy protections for
> Australians and their data will facilitate free trade, through more
> ready access to regional public cloud solutions.
> But privacy is one of the major regulatory barriers to deployment of
> public cloud.
> Insisting on uncapped liability for privacy, security and
> confidentiality breaches and removing customary exclusions for
> consequential losses could throw a wet blanket on the willingness of
> cloud providers to do business with Australian Government agencies.
> AGIMO has invited comments on the draft guides.
