It’s no wonder that government agencies struggle with Cloud services. On one hand we have the promise of Cloud services and the benefits they can bring; on the other hand we have security agencies who seem, on the face of it, to be anti-Cloud, issuing instructions that run counter to central agency guidelines. What’s a CIO to do?
There is no doubt that Cloud carries risk; the question is how much risk and who is responsible for accepting that exposure. The New Zealand Government has a Cloud First Policy, something that is missed by several of its central agencies who have responsibility to assure the use of technology across Government. The reason for that is simple. Cloud can unlock a tonne of benefits and is most likely, when carefully chosen, to provide far more security than existing ICT being managed internally by an agency.
Bubble bubble toil and trouble… Let’s put this into English.
In New Zealand, the Minister in charge of the Government CIO function, some time ago, agreed and released a policy (Cabinet approved) that said: any time you are upgrading or buying a new ICT service in Government, Cloud comes first. Then the DIA set about a Cloud Programme of work that pushed the use of Cloud (safely) within Government. The DIA, in the last few months, released one of the best documents in this area: pure, unadulterated guidance, which had been missing for years.
That document provides guidance for all New Zealand Government Agencies in the adoption of Cloud services, and in my opinion, is the only rule when it comes to Cloud usage. Broadly, it works like this: the Government does not care a whit where agencies get Cloud services from, as long as they follow this guidance. The guidance is a list of 170-ish questions that can be asked of a Cloud provider, the agency, and anyone else involved, in order to derive a risk view of an individual Cloud service. Further, it says that the Chief Executive of an agency must sign off, and take responsibility, for that risk.
By itself, it kills off millions of dollars (est. $60m plus) in potential consultation costs by laying a baseline that agencies must meet. Agencies do not need to engage consultants of any form; they simply follow the guidance to figure out whether a Cloud service is good, or not.
The problem is that we have guidance, instruction, and direction from other central agencies that are at odds with it. These are the DIA themselves (I’ll get to it), the Government Communications Security Bureau (GCSB), the National Cyber Security Centre (NCSC), and the Privacy Commissioner.
So let’s break it down:
- DIA still have mandates in place for certain Common Capabilities. For example, the “IaaS” service. Part of DIA says, you must use that service. This is confusing for CIOs, because the IaaS is not IaaS in the true sense; it’s Utility Computing, which, while valuable, is not Cloud Computing. The other key question is, does that service meet the guidelines?
- The NCSC has basically said, don’t use Cloud.
- The Privacy Commissioner issued guidelines some months back that confuse the situation further (same link as above).
- The GCSB’s issuing of the NZISM in recent days is almost incompatible with Cloud services.
All of this creates a massive swirl of discussion inside agencies, whereby security teams and business owners have to try to find their way through a mish-mash of contradictory guidance.
Now, I am going to call out the NZISM as an example. Cloud practitioners will look at this and realise that what they are mandating basically forbids the use of any Cloud service. The number of controls, processes, classifications, and sheer amount of red tape means that pretty much no Cloud service will meet the requirements. Link here. Primarily, it talks about the fact that contracts with Cloud providers must contain certain provisions. True Cloud providers DON’T have contracts. Most Cloud services are like your local supermarket. You choose to go there, buy stuff, pay for it, and take it home. Cloud is the same. There are no contracts; it’s a supermarket.
Here’s my personal opinion.
GCSB and other security agencies are against the idea of Cloud. The GCSB’s idea of a secure system (necessarily) is something that never talks to the Internet.
Here’s the thing. Any use of Cloud carries risk, but that risk must be matched against agencies’ current ability to ensure security. For example, Amazon has some of the deepest, strictest, most in-depth security systems seen in history. So when an agency looks at those controls, they must also look at their own controls. Put simply, Cloud is less risk, generally.
It must also be matched against the fact that Cloud, like it or not, is the future delivery system for ICT. There is no escaping this. There is only managing it.
Therefore, the confusion that various agencies bring, DIA, GCSB, NCSC, the Privacy Commissioner, and others, does nothing more than create a swirl that slows progress.
Aside from one. The DIA mandate on Cloud Assurance. One of the best documents I have seen. It puts the power of decision back in the hands of the Chief Executive along with the Chief Information Officer.
We need more of that out of our Government Chief Information Officer. Less “you may not” and “you must”, and more “you are all adults, it’s your decision, here’s a framework to help you, talk to us (DIA), so that we can maximise the benefit of new technology.”