Is it time for Australian government hold-outs to start trusting public cloud?

From its inception with the launch of Amazon Web Services in 2006, cloud computing has arguably become one of the most disruptive technologies of the modern digital age.

Lowering computing costs, enabling technical and business agility, delivering scalable, ultra-fast services, infrastructure and data storage, and powering artificial intelligence and deep learning, the cloud is poised to carry us into the next era of computing.

Public cloud adoption accelerates

The adoption of cloud technologies has leapt forward in recent years, as organisations raced to bolster resilience and agility in the face of the Covid-19 pandemic.

The worldwide Infrastructure-as-a-Service (IaaS) public cloud services market grew 40.7 per cent and, with worldwide end-user spending on public cloud services predicted to reach US$332.3 billion (AU$459 billion) in 2022, the pace of change is showing no signs of slowing down.

In this year’s Federal Budget, the Australian Government announced a $1.2 billion Digital Economy Strategy to support investment in emerging technologies and digital skills. This, combined with an estimated Government IT sector spend in excess of $15.5 billion for 2022 to meet the challenges of cloud transition, shows a firm commitment to a cloud-enabled digital government transformation.

This acceleration is also being reflected within the government sector at large.

In NSW, the state government has adopted a “public cloud by default” approach for all future IT procurements, hoping to gain the benefits of better lifecycle management and reduced dependency on legacy infrastructure, as well as the ability to rapidly modernise and scale systems to meet increased demand for digital.

The Government, reasonably, expects that more responsive, reliable and scalable ICT services, enabled through public cloud, will better serve the changing needs of citizens, provide better outcomes and, ultimately, improve public trust.

Public cloud services have already been successfully deployed in a number of projects at state, Federal and Commonwealth levels, with several realising immediate benefits:

  • In Western Australia, the land information authority, Landgate, used advanced cloud features to implement cost-effective BCDR measures. This enabled access to the land titles database to be restored within four to five minutes of being hit by a power outage caused by a severe storm.
  • The AEC used Microsoft Azure during the 2019 federal election to develop and manage its first suite of public-facing APIs. Extreme availability was a prerequisite of the system, which mirrored mission-critical systems in the Microsoft Azure cloud on election night, ensuring real-time election results to the public and broadcast media partners were not disrupted.
  • At the Commonwealth level, the CSIRO’s genomic research project, Mega-Biobank VariantSpark, will analyse vast amounts of data, powered by Amazon’s AWS, to unlock the causes of complex diseases.

A question of trust

Whilst replacing legacy technology with agile cloud solutions can strengthen cybersecurity posture, as acknowledged by ACSC in their 2020 report, there remains hesitancy around perceived security and data privacy risks posed within public cloud ecosystems.

In a report by the Cloud Security Alliance published in March this year, 58 per cent of those surveyed cited network security as their top concern when adopting the cloud, with their top-ranked security concern being data leakage.

Yet, given that the shared responsibility model of the public cloud also demands a robust cybersecurity implementation on the customer’s end, are these concerns justified?

Under this model, both cloud providers and cloud customers must implement the necessary policies, procedures and tools that address the security areas they are responsible for. In the case of the customer, this includes obligations around data classification, network controls, endpoint security, and physical security.

Back in 2019, tech researcher Gartner posited that 99 per cent of cloud security failures through to 2025 would be the customer’s fault – issues largely carried over from on-prem ecosystems. This may seem extreme, but it does demonstrate that this is not simply a question of whether the public cloud itself is secure. Rather, it shows that the cloud’s security is also largely dependent on the customer’s own cyber security strategy.

The point was also echoed by Dell Technologies founder and chief executive, Michael Dell, noting that public cloud is no more or less secure than on-premise, with people, rather than digital infrastructure, being the root cause of security failings in both settings.

“People on both sides can make mistakes and compromise security,” Dell said.

According to Australia’s latest Notifiable Data Breaches Report, human error still accounts for nearly one in three systems breaches (with more than a third of these reported by government agencies alone). Moreover, insider threats accounted for at least one in 10 breaches. Whilst these issues are hardly exclusive to the cloud, there is a good chance that having the right cloud-based security solutions in place could go a long way towards mitigating them.

Are hyperscaler public clouds the answer?

Mature hyperscaler public clouds, such as Amazon’s AWS, Microsoft’s Azure, and Google’s Cloud Platform, have invested substantial resources into securing their infrastructure and services, as well as offering the advantage of in-built disaster recovery and business continuity systems.

Breakthrough initiatives in artificial intelligence and machine learning have gone a long way to ensuring these clouds are considerably more secure than most, if not all, on-prem and private cloud options. For instance, Amazon’s GuardDuty uses machine learning to detect malicious activity while Amazon Macie identifies, protects, and continuously monitors sensitive data at scale.

In fact, a recent Vendor Assessment Study by IDC found that “a majority of the cloud security services vendors assessed demonstrated formidable breadth and depth in terms of service offerings”.

It also noted that many of these cloud security services were “closely aligned to major hyperscaler solutions”, including those of Amazon Web Services and Microsoft Azure.

Add the ACSC Protected Certification into the mix, which has already been granted to a range of public cloud providers, and Australian CISOs have the added reassurance of being able to choose a certified public cloud provider. An endorsed IRAP (Infosec Registered Assessors Program) assessor can be engaged to provide an independent assessment of ICT security, suggest mitigation strategies, and identify associated residual risks.

Above all else, government agencies strive to ensure that data is stored securely, accurately and reliably.

With measures across Federal and state governments that both support adoption and regulate the security of public cloud services in place, do the benefits outweigh the risks? It would certainly seem so.