Cloud computing provides a service for government, underpinned by a dynamically growing marketplace, which can increase the agility, flexibility, and speed of delivery for digital services. It removes the big upfront investments in technology to enable scaling up or down quickly. This provides much needed flexibility and the ability to respond to changing demands. It has the potential to enhance collaboration, limit the duplication of solutions and reduce maintenance effort. This allows entities to refocus that effort into improving digital service delivery.
It is critical this standard be considered alongside those of complementary capabilities:
- Cloud Financial Operations
- Information Asset Management
- Information Asset Security
Comply with legislation
Entities must:
- comply with relevant Commonwealth legislation including (but not limited to):
- Archives Act 1983 (Cth)
- Freedom of Information Act 1982 (Cth)
- Privacy Act 1988 (Cth)
- comply with any other legislation applicable to specific functions and circumstances.
Align to guidelines and standards
Entities must:
- meet the Hosting Certification Framework (please refer to Hosting for more information)
- apply the principles and requirements of the Protective Security Policy Framework throughout their organisation, including in the context of cloud computing facilities and services.
Entities should:
- apply a risk-based approach to cyber security, where it comes to cloud, to align with the Information Security Manual (ISM)
- utilise applicable elements of the ASD’s Cloud Security Guidance Suite, including the Blueprint for Secure Cloud - an online tool to support the design, configuration, and deployment of collaborative and secure cloud and hybrid workspaces
- develop a risk-managed approach to treat the risk of a cloud service (including backups of data) becoming inaccessible for any reason (e.g. company failure, legal dispute, etc.), including concepts such as contingency backups outside of the main cloud service.
Develop a cloud strategy
Entities should:
- develop a cloud strategy to provide a roadmap for transitioning to the cloud, outlining the steps for migrating applications and data, optimising resource utilisation, and managing costs effectively
- develop a cloud policy optimised for business outcomes, including speed, resilience, and agility, and aligned with supporting guardrails around data, security, governance and architecture
- develop and update implementation plans for ongoing cloud activities.
Incrementally adopt cloud computing services
Entities should:
- begin their cloud journeys with low complexity services that do not contain any sensitive data, and progressively mature their approach
- prioritise, for any ICT investment, cloud-native and modern application architecture design patterns
- adopt applications which are secure, resilient, flexible, modular, automated, and interoperable
- consider the appropriate service model for their needs, of:
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)
- Software as a Service (SaaS)
- Everything as a Service (or Anything as a Service) (XaaS)
- Function as a Service (FaaS)
- regularly review their cloud performance against strategic goals and standards, and make alterations proactively rather than responsively.
Avoid functional customisation by using cloud services ‘as they come’
Entities should:
- map the present state business needs requirements
- identify where these data models, processes, and other requirements would not be met by a cloud service as-offered
- prioritise standardising business functions/processes to those aligned to cloud offerings, in particular where these are vendor-agnostic conventions, in preference to customising service functions
- where customisations are unavoidable, ensure they are made in a manner that is maintainable, scalable, and reusable.
Automate where suitable
Entities should:
- automate where possible to reduce the manual effort associated with provisioning, configuring, and managing cloud solutions
- when developing or procuring services, ensure application, data, and messaging services can take advantage of cloud automation
- ensure a strict quality assurance process is applied to any automation activities.
Take a risk-based approach to cloud security
Entities should:
- ensure assurance and risk management activities are included in the cloud strategy and considered throughout all stages of deployment, utilisation, and decommissioning
- undertake a risk assessment prior to any new implementations, or alterations, to understand and meet the security requirements of a cloud computing service
- consider using threat modelling, a family of activities for improving security by identifying threats, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system
- apply relevant security policy and guidance, factoring in cloud specific considerations to set the right controls, mitigations, and determining accepted risk
- apply only necessary controls, to avoid inadvertent restriction of services
- leverage the following guidance from the Australian Cyber Security Centre:
Monitor the health and usage of services in real time
Entities should:
- ensure that their cloud service provider can provide metrics that support the forecasting and analytics needs of the entity
- control costs of cloud use through provisioning and scaling on demand
- proactively monitor the health and status of the cloud services
- implement a resource tagging strategy to enable cohesive handling of the above points.
Recognise emerging cloud computing trends
Entities should:
- monitor emerging trends in cloud computing
- consider the applicability of emerging trends to their needs, and factor this into their cloud strategy.
Emerging trends include:
- Hybrid multi-cloud environments, can offer more customised and flexible solutions using public cloud services from different cloud services providers, allowing easier movement across different cloud infrastructures. This increases adaptability and reduces the risk of vendor lock-in. However, this approach can also add complexity, and raise the chance of misconfigurations, insecure interfaces, and other security breaches.
- Edge computing which reduces latency, optimises bandwidth, and enhances privacy and security through balancing cloud operations with a degree of localised data processing. It offers scalability and flexibility by distributing workloads more efficiently and ensures resilience and reliability in scenarios with intermittent connectivity. Cost effectiveness may also be achieved by minimising data transfer and storage needs in the cloud, particularly benefiting data intensive applications, however this is at the cost of potentially increased complexity and cost of maintenance of local and cloud infrastructures.
- Sustainability in cloud computing is gaining attention. Entities should monitor for new processes, capabilities and tools, aimed at the monitoring and management of energy consumption and carbon emissions for workloads deployed on cloud.
Procure via the Cloud Marketplace
Entities should:
- procure cloud services, include technical, advisory, professional, managed and project services, through the DTA’s Cloud Marketplace
- select a Cloud Service Provider (CSP) in consideration of:
- what level of data is being accessed
- where is it hosted
- who has access
- evaluate public cloud computing services before considering private or hybrid cloud solutions
- leverage the most scalable, flexible, and cost-effective solutions available
- ensure that the public cloud service has a level of security appropriate for the classification of information that is to be handled.
Adhere to reuse principles
The Australian Government Architecture provides information for entities on Reuse.
Entities should:
- compare their requirements with those of other comparable entities and system functions, and seek to reuse learnings from preceding implementations
- consider specific functional and non-functional requirements prior to solution design or consideration of technology choice, including:
- volume and nature of information assets
- broader system purpose
- performance and availability requirements
- privacy/sensitivity concerns
- meet the requirements of the Digital and ICT Reuse Policy.