Download original attachment
(PDF file)

This is an HTML version of an attachment to the Freedom of Information request 'DTA blog posts (no longer published)'.


Digital Transformation Agency
What are you looking for today?
Search
This document can be found at Home  >  Answering your cloud questions
Answering your cloud questions
4 April 2018
Tags:  Cloud (/taxonomy/term/20)
Digital sourcing and ICT procurement (/taxonomy/term/25)
Since we published the secure cloud strategy for the Australian Government, you’ve come to
us with questions. Here we answer your top 4.

Have we changed the way we certify cloud services?
No. Anyone who provides technology services to government is subject to
stringent assessment and certification (https://www.asd.gov.au/infosec/irap/) and we’ve
worked with the Australian Signals Directorate to make sure that doesn’t change.
What the secure cloud strategy (/our-projects/secure-cloud-strategy) does do is confirm
existing practices including:
the need to keep the government’s lead agency for information security informed so
they can help when we need them
giving government agencies the option of arranging their own assessments using the
same accredited professionals and requirements followed by the Australian Signals
Directorate.
By making these options clearer, we’re making it easier for government organisations to use
cloud technology.
We’re starting work on the certification model which will cement how this works in future and
will design the right solution in the same agile way we delivered the strategy (/blogs/can-agile-
work-policy).
We also recommend reading the latest explanation of the cloud certification process
(https://www.asd.gov.au/publications/irap/IRAP_Anatomy_of_a_Cloud_Certification.pdf) from
the Australian Signals Directorate.
Is cloud treated differently to any other service provider?
No. Government already outsources lots of its technology to service providers to manage.
Cloud is no different. We are still asking someone to manage technology services on our
behalf.
When we outsource, we make sure we know who our supplier is, what access they have to our
data and check what they do to protect our information. We apply those same principles to
cloud.
How we use the contract between us and a provider to achieve those things might depend on
what we’re buying but the responsibilities don’t change.
The responsibilities model we’re developing will help government organisations fine tune who
is doing what and use more modern contracts to manage it.
Is using offshore services really okay?
We know people worry about storing information offshore.
The strategy has not changed how we determine if information can be stored or managed
outside of Australia. This will always be a decision made by individual government
organisations based on a clear understanding of the risks. But we have confirmed storing
information or supporting cloud in locations outside of Australia is an option.
Some government information doesn’t include private or sensitive data. For example, using an
offshore cloud service for public consultation or event management, where consent is clearly
obtained, is allowed under existing rules.
Before making these decisions, the most important thing is knowing the information we want
the cloud to manage and having a clear understanding of how it’s done.
Shouldn’t there be one solution for everyone?
When we first started developing the strategy, we realised something important. Each agency
is in a different place. Our views of cloud depend on our individual technology environments
and how ready each of our organisations are to embrace different services.
Instead of coming up with a one-size-fits-all cloud solution, we’ve asked government agencies
to publish their own strategies. This will give us all a chance to share what we’re able to do and
ensure we get solutions that fit individual circumstances.
Federal government employees working on cloud should join our monthly showcase where
organisations share what they’re doing and learning with colleagues.
If you have any questions or want to join our community, drop us a line
at xxxxxx.xxxxx@xxxxxxx.xxx.xx (mailto:xxxxxx.xxxxx@xxxxxxx.xxx.xx)
For media enquiries email us at xxxxx@xxx.xxx.xx (mailto:xxxxx@xxx.xxx.xx)
For other enquiries email us at xxxx@xxx.xxx.xx (mailto:xxxx@xxx.xxx.xx)
© Commonwealth of Australia. With the exception of the Commonwealth Coat of Arms and
where otherwise noted, this work is licensed under the CC BY 4.0 license.