Have we changed the way we certify cloud services?

No. Anyone who provides technology services to government is subject to stringent assessment and certification and we’ve worked with the Australian Signals Directorate to make sure that doesn’t change.

What the secure cloud strategy does do is confirm existing practices including:

• the need to keep the government’s lead agency for information security informed so they can help when we need them
• giving government agencies the option of arranging their own assessments using the same accredited professionals and requirements followed by the Australian Signals Directorate.

By making these options clearer, we’re making it easier for government organisations to use cloud technology.

We’re starting work on the certification model which will cement how this works in future and will design the right solution in the same agile way we delivered the strategy.

We also recommend reading the latest explanation of the cloud certification process from the Australian Signals Directorate.

Is cloud treated differently to any other service provider?

No. Government already outsources lots of its technology to service providers to manage. Cloud is no different. We are still asking someone to manage technology services on our behalf.

When we outsource, we make sure we know who our supplier is, what access they have to our data and check what they do to protect our information. We apply those same principles to cloud.

How we use the contract between us and a provider to achieve those things might depend on what we’re buying but the responsibilities don’t change.

The responsibilities model we’re developing will help government organisations fine tune who is doing what and use more modern contracts to manage it.

Is using offshore services really okay?

We know people worry about storing information offshore.

The strategy has not changed how we determine if information can be stored or managed outside of Australia. This will always be a decision made by individual government organisations based on a clear understanding of the risks. But we have confirmed storing information or supporting cloud in locations outside of Australia is an option.

Some government information doesn’t include private or sensitive data. For example, using an offshore cloud service for public consultation or event management, where consent is clearly obtained, is allowed under existing rules.

Before making these decisions, the most important thing is knowing the information we want the cloud to manage and having a clear understanding of how it’s done.

Shouldn’t there be one solution for everyone?

When we first started developing the strategy, we realised something important. Each agency is in a different place. Our views of cloud depend on our individual technology environments and how ready each of our organisations are to embrace different services.

Instead of coming up with a one-size-fits-all cloud solution, we’ve asked government agencies to publish their own strategies. This will give us all a chance to share what we’re able to do and ensure we get solutions that fit individual circumstances.

Federal government employees working on cloud should join our monthly showcase where organisations share what they’re doing and learning with colleagues.

If you have any questions or want to join our community, drop us a line at secure.cloud@digital.gov.au