The government may have to make sacrifices in such treasured concepts as privacy and sovereignty, so that public sector organisations can take advantage of the “convenience” of the cloud, says a Department of Internal Affairs (DIA) project manager.
Adam Stapleton is managing a project for DIA’s Government Technology Services (GTS) arm, to produce “guidance to allow public sector agencies to reduce the barriers” to adoption of cloud computing services. He spoke at the Future Perfect digital continuity conference, held in Wellington recenty.
In August last year, Stapleton said, he convened a meeting of public-sector CIOs and found considerable doubt about taking their organisations into the cloud. “It turned out there was a widely-held perception that public-sector agencies can’t use public clouds. It is anecdotal, but that seemed to be the consensus. There is work to be done in challenging that, because there is no policy statement that says government agencies can’t use public clouds. “There are a range of policy statements and pieces of advice, notably from SSC, that talk about the risks in [processing] offshore and how you would go about making them, but nothing to say you cannot use cloud services,” he said.
The current GTS project that Stapleton oversees aims to provide an authoritative definition of cloud computing, track trends in its evolution “and talk about what is the opportunity space tactically for the next one or two years and the constraints – legislation and policy and other [factors] that may preclude some classes of information being used for some types of cloud computing services.
“We’re working with a range of policy agencies like Archives, the Privacy Commissioner, and the Government Communications Security Bureau, together with some of the agencies that have deployed cloud computing to decide what the opportunities are from their point of view and how they perceive the risks,” he said.
The GTS project is also “asking suppliers whether they would be interested in working on a panel that will work in parallel with our group of agencies, to give us advice on trends and how the supply side of the market might respond to the unique constraints of the public sector in helping us to adopt cloud computing”.
Stapleton prefaced his remarks by saying they represented only his personal view, not that of the DIA. However, as he and fellow DIA speaker Danny Mollan earlier in the day pointed out, one piece of legislation, the Public Finance Act, has already been amended to facilitate participation in a public cloud in the face on an intransigent overseas cloud operator.
Recently, “we organised an amendment to the Public Finance Act to allow state sector agencies to use social media,” said Stapleton. According to Mollan, the change was also to enable agencies to use software-as-a-service. Under the existing Act, departments could not sign the indemnity clauses typically required in providers’ standard contracts. “We tried with an unnamed but well-known cloud services provider to get them to change their indemnity provisions,” Stapleton said. “We got nowhere, because New Zealand is zero in their world scheme, so we had to change our legislation [so we could] use some interesting services.”
Mollan, in response to a question from the floor about control of documents, databases and applications in the cloud indicated that the Public Records Act might be the next piece of legislation to give cause for concern regarding the cloud. “I think we are several years away from that. We are still in an area where we can support the way the Public Records Act is set out now, but at some point I think that will have to change. I think bringing information back into the core to preserve it and record it in a taxonomy you’ve devised [may become difficult].
“I think we have got fewer than 10 years to go where that model will still work,” he said. “Challenges are huge. But it is all about convenience. There will come a tipping point where the advantages are compelling,” Mollan said.
With the cloud’s attractions of low cost and high functionality; “at that point we’re going to have to rethink what it means to keep tabs on the data long term. We’re not doing anything currently [to handle that potential challenge] because we don’t see that problem arising, but [at some time] we are going to have to start doing something about it.”