Agreements between users of cloud computing services are as variable as the businesses involved, which has led the government to the realisation that the ongoing adoption of cloud-based business solutions has brought with it a need for a whole-of-government approach to the issues that can surface.

The government’s Information Management Office (IMO) defines cloud computing as: An ICT sourcing and delivery model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

The IMO says that cloud computing, at the broadest level, can be viewed as the provision of computing as a service over “a network” (typically the internet).

Cloud computing services are usually grouped into the following categories:

software as a service – the provision of software over a network rather than the software being loaded directly onto a locally available computerplatform as a service – the provision of computing platforms that create the environment for other software to run (for example, operating systems) over a network rather than being loaded directly on to a locally available computerinfrastructure as a service – the provision of access to computer infrastructure (for example, data storage or processing capability) over a network that is used to compliment local platform resources.

The government has come to realise that cloud computing is becoming an increasingly attractive model for delivery of an ever expanding range of functionality (which used to be provided via both hardware and software). The attractiveness is primarily due to the potential cost savings.

The ATO is also on the front foot in moving practitioners over to the cloud, with its own systems gravitating more and more to rely on cloud-based functionality. As well, being online enhances flexibility — users can access files and data from a range of locations, such as at client premises.

The IMO says cloud computing can be deployed in a number of ways, including:

public cloud (where access to the cloud computing service is not restricted to a particular entity or community of entities and is generally available to the public)private cloud (where access is restricted to a single private entity – for example a single agency)community cloud (where access is available for a community of entities – for example, a range of government agencies in a government community cloud)hybrid cloud (where more than one of the above models operate in tandem to provide some level of interactivity between the clouds that is not available outside of the hybrid cloud).

The government also ranks a number of key legal issues as centrally important for businesses to have a thorough understanding of both their obligations but also the inherent risks that can arise.

Privacy As data can move outside the direct control of the primary party, sometimes even to servers outside of Australia, privacy can become a big issue. Different levels of indirect control of this data are possible depending on the type of cloud service selected and the legal protections put in place. Privacy principles can be found at the Office of the Australian Information Commissioner.

Security An obvious issue for any cloud computing solution is the security of data held “in the cloud”. For many users, the attendant risk is heightened by the fact that it is generally financial data being dealt with. The IMO refers users to the Defence Signals Directorate’s publication Cloud Computing Security Considerations for guidance on issues to consider.

Records management The National Archives of Australia has prepared a checklist of considerations in regard to records management in cloud computing (download it here). This includes checking that appropriate controls and protections are in place (for example through agreement with the cloud service provider) that match the value of the records and address the risks of cloud computing for a business’s records.

Data loss or misuse The IMO advises businesses to consider the possibility of data being permanently lost by a cloud computing services provider, and says this could come about through a number of circumstances, such as operator or technical error as well as damage through fire or other disasters. A similar outcome could eventuate through the risk of misuse of data by rogue employees of the provider, or through compromise from external parties.

While safeguards can be taken, such as ascertaining that the service provider ensures offsite data back-up, has proper hardware maintenance and technically credentialed staff, the IMO says it is important that a business has a plan in place to address data loss or its misuse.

#[ATO], [cloud computing], [els], [in the cloud], [PLS], [practice]