Opinion: Time for government to put its foot on the cloud accelerator

The COVID-19 pandemic accelerated demand for cloud technologies as the private and public sectors rushed to update the delivery of urgent services and ensure continuity.

A Gartner report suggests cloud spending will exceed $10 billion in Australia this year. But the government’s cloud security guidelines need to go further in overcoming barriers and drive further uptake of cloud technologies. Advancing our digital economy is a central focus of the 2021-22 federal budget, so the government has a huge opportunity to demystify cloud services.

The Australian Cyber Security Centre and the Digital Transformation Agency released cloud security guidelines last year. Their purpose is to better inform organisations, cloud service providers (CSPs) and Information Security Registered Assessors Program assessors about carrying out comprehensive risk-based assessments of CSPs and services.

The federal government is also piloting cyber hubs to share cyber services and security expertise across Home Affairs, Defence and Services Australia. This is a real step forward and something we need to see more of, as a successful pilot would create a blueprint for wider adoption. It’s pleasing to see recent statements from the Australian Signals Directorate and Digital Transformation Agency suggesting an extension to non-corporate Commonwealth entities.

The guidelines and cyber hubs are an important step in improving engagement with cloud services, but there is still much to be done in educating its agencies and the broader community about the advantages of cloud technologies. There are several critical issues with the existing guidelines – assessment is expensive and slow, contractual controls for risk mitigation can be improved, as can overall agency understanding of and consequent adoption of Software as a Service (SaaS) cloud solutions.

Change is needed to overcome these issues, including a shift to continuous risk management underpinned by a whole-of-government risk management framework, the management of certifications across agencies, and encouraging government and community take-up of SaaS to improve cybersecurity defences.

Read more from Ramah Sakul in The Mandarin here

To explore this topic in more detail download the Cloud Control paper from the Cybersecurity Research Co-Operative Centre and SAP here.