Paul Ducklin| Nakedsecurity
The Australian government has officially published its National Cloud Computing Strategy, and it makes interesting reading. It’s good to see the public service entering the risks-versus-rewards argument over cloud computing. Make no mistake, the Aussie government is a giant fan of cloud computing, and makes no bones about the fact.
As the Strategy document explains:
The term 'cloud' refers to the fact that a user of a service no longer needs to buy, build, install and operate expensive computer hardware. Users simply access computing resources as a utility service via a ubiquitously available wired or wireless network — from 'the cloud'.
The document argues that small businesses will ignore the benefits of the cloud at their peril:
New digital technologies such as cloud services are the critical internal drivers for efficiency and innovation in small businesses. A failure to adopt new technologies will leave small business at a severe disadvantage against competitors both domestic and abroad.
But this brave new world isn’t all plain sailing, not least because your data (and your customers’ data) ends up out there in the cloud, too.
This presents potentially serious challenges in all three parts of computer security’s ‘holy trinity’:
- Availability. How do I get my data back if we part company?
- Integrity. How do I know you’ll look after it carefully?
- Confidentiality. Who else gets a chance to peek at my data?
The good news is that these issues aren’t being overlooked.
Indeed, Sophos is part of the NSCCC, or the Australian National Standing Committee on Cloud Computing, to give its full title, and both security and privacy have been core concerns in the development of the Strategy.
Here at Naked Security, we particularly like the following aspects that have emerged in the document:
• The commitment by the public service to provide small businesses with tools and online resources to learn more about the risks as well as the benefits of cloud services.
• The commitment to keep privacy on the agenda by publishing guidance for the cloud services industry about the Australian regulatory reforms due to commence in 2014.
• The concern that a poorly-supervised cloud industry might lead to small businesses getting locked in to one provider, or unable to negotiate variations in terms and conditions, for example over privacy.
• The commitment to develop a Cloud Consumer Protocol to keep cloud providers on their toes in how they communicate with their customers.
Bigger businesses, cloud providers and other public servants will also find the Strategy document useful for the timely reminder it presents of cloud providers’ obligations under existing laws.
You might not have realised, but the laws you need to consider are wide-ranging, including at least the Privacy Act 1988, the Competition and Consumer Act 2010, the Freedom of Information Act 1982 and the Archives Act 1983.
The details may vary in your jurisdiction, but in most of the developed world, similar legal strictures are likely to apply. So even if you aren’t in Australia, this document is worth reading.
So, well done to the Australian public service for embracing and promoting the benefits of cloud computing, but not without keeping its risks and obligations in plain sight.