Accelerating cloud adoption for data analytics in public sector

Cloud adoption hindered by data security concerns

The Australian public sector has been challenged by unprecedented and unpredictable change over the past two years in the form of fires, floods and a pandemic. These challenges, and in particular the COVID-19 pandemic, have forced government agencies to look at digital transformation with a renewed focus. Post pandemic, the federal government has dedicated $1.2 billion of the 2021-22 budget towards the Digital Economy Strategy. Under the NSW Government Cloud Strategy, the NSW government aims to have all NSW government agencies using public cloud for a minimum of 25% of their ICT services by 2023.

Invariably, using data driven insights for decision making is a key pillar of every agency’s digital strategy. Unlocking the true potential of data is a top priority for agencies. As such, implementation of a cloud data analytics platform is part of almost every agency technology roadmap. However, there is inertia to overcome in moving analytics platforms to cloud due to data security concerns.

Information security, privacy and data sovereignty are key risks associated with cloud services. While these risks are also valid for traditional ICT delivery, the movement of data to an offshore location introduces the added risk of non-compliance with data sovereignty and privacy requirements. Cloud Service Providers (CSPs) have set up robust technical controls ensuring these risks are addressed effectively. Microsoft Azure provides confidentiality, integrity and availability of customer data, while also enabling transparent accountability. Additionally, Microsoft’s Cloud Adoption Framework (CAF) shows a solid foundation for a secure cloud platform.

In the following sections I present the key processes that can further address these data security concerns.

Privacy Impact Assessment (PIA) and Data classification

The Privacy (Australian Government Agencies – Governance) APP Code 2017 requires Australian Government agencies subject to the Privacy Act to conduct a Privacy Impact Assessment (PIA) for all ‘high privacy risk projects’. Follow your organisation’s PIA process to identify any privacy risks early in the project and align the process closely to your organisation’s Information Security Risk Assessment Process (ISRAP). Classifying data according to its business impact will aid in implementing the right controls for each classification.

Ensure your data classification process is lean and applies a risk-based approach. Typically, data classification forms part of an information management framework, which consists of the necessary governance and control mechanisms to manage collection, management, distribution and archival of data. Ensure the data classification is aligned with your overall organisational information management. Data classification must be endorsed and approved by the data custodian.

If your organisation does not have the necessary frameworks in place, use publicly available tools to classify your data and involve a privacy and confidentiality specialist to conduct a PIA for data analytics on cloud. An endorsed data classification and PIA will inform the data hosting and protection requirements. Azure Purview helps classify data using built-in and custom classifiers and Microsoft Information Protection sensitivity labels.

Information Security Risk Assessment

Collaborate with your security team at the outset and start an ISRAP. Ensure all the risks are documented and have an agreed owner, agreed treatments and controls. The Queensland Government’s implementation of ISO 27001 supports the risk-based approach to information security. If a formal information security capability is missing, collaborate with your ICT operations team to identify security requirements based on federal and state security guidelines for data analytics on cloud.

The Australian Cyber Security Centre has extensive guidance on cloud security (Cloud Security Guidance, cyber.gov.au) that lays a solid foundation for a risk-based approach to cloud consumption. The ISO 27001 Azure Blueprint sample provides governance guardrails using Azure Policy that help in assessing specific ISO 27001 controls.

Architecture Assurance

Follow the agency architecture assurance process. Involve the reviewing architects from the beginning and identify the key architectural concerns that need addressing. Architecture assurance can be an enabler if you are able to seek the right influence. Government agencies follow different Enterprise Architecture frameworks, but recently the shift has been towards enablement of change. For example, the Queensland Government Enterprise Architecture (QGEA) focuses on principle-driven architecture. Keep Architecture Review Boards informed of your initiative, and seek a business sponsor from the beginning who can make a case for you to the board. Determine if you require a dispensation from existing mandated standards or policies. It is prudent to start on this as early as possible.

The Microsoft Azure Well-Architected Framework provides guidance to improve workloads on Azure.

Putting it all together

Your implementation of data analytics on the cloud will ultimately depend on how changes are implemented in your agency. Depending on the organisational maturity, the above-mentioned processes may differ, but the intent should remain. The intent here is to supply expert advice and analysis to decision makers enabling them to make an informed decision for a proposed solution – data analytics on cloud in this case.

I suggest setting up a working group that includes representatives from all the teams involved in these processes. Think of scrum or any agile methodology and build a cross-skilled team delivering PIA, ISRAP and Architecture Assurance in sprints. Take a gated assurance approach, enabling regular health checks at major milestones.

When utilised correctly, these processes will alleviate security concerns surrounding cloud and accelerate cloud adoption for data analytics in government agencies. The future demands delivery of innovative and quality public services from the agencies, and a modern data analytics platform on cloud would be instrumental in enabling the delivery of such services.
