Privacy Commission issues Cloud Guidelines but misses the mark

The Privacy Commission has just released a set of guidelines called “Cloud Computing – A guide to making the right choices”, but it is too late in most cases and highlights a need for Government to be clearer around Cloud usage, particularly for their agencies. Worse, because government regulators don’t understand Cloud, the information they release in relation to it, and the policies and opinions they form, risk being irrelevant.

Let’s be clear, the Cloud is already here, has been for some years, and the uptake by private companies and government is significant.

A recent piece of research showed that over 77% of businesses have bought Cloud services, often outside of view of their ICT organisation. Other research shows that up to 8% of companies don’t know if they are using Cloud services. Couple that with further research that shows the vast majority of organisations’ employees are utilising Cloud services, such as Dropbox, outside of the purview of their company, and you realise that Cloud is here, is un-managed, and issuing guidelines about its uptake is too late.

Personally I think that the Privacy Commission’s Cloud Guidelines are overcooked and off the mark. Issuing a document like this requires a basic understanding of Cloud and an ability to explain that in a coherent way. I don’t agree with the definition of Cloud that they provide; it mixes up Outsourcing, Contracting, Offshore Service Delivery, Hosting, Facilities Management, and a host of non-Cloud services.

Why is that important?

Cloud is an immature service within New Zealand and THAT needs to be pointed out. The other services that get lumped into the guideline’s definition of Cloud, by inference, are far more mature and have a greater amount of rigour and process in place when it comes to security and privacy. In addition, there is a real risk that local providers are reselling those services as Cloud, cloud-washing old products, and the description of Cloud in the guidelines document blurs that distinction.

Cloud has a very clear set of characteristics that set it apart from other ICT services. Failing to recognise that results in problems in the selection, transition, and management of those services.

Worse, because the guidelines are privacy focused they miss the 95% of other requirements, risks, and things that you need to think about with Cloud. In short, the guidelines would have been better summarised as “you are responsible for the privacy of the information you are entrusted with”, not a long rambling dissertation on “Cloud” including technical examples of how you might secure information, with absolutely no references to any of the dozens of excellent guidelines available on Cloud.

And yes, it is important. I don’t rant on very often, but in this case the Guidelines serve to further muddy what is a critical area of ICT, particularly for Government, and appear to have been written in isolation from any other agency. It appears, in my opinion, to be a rush to grandstand as opposed to a practical piece of research. But then again, from what I have seen, that appears to be the modus operandi of that particular agency.

The report is a one trick pony that tries to deal with a single risk in a universe of risk and opportunity that arises from Cloud.

Government has a serious problem with Cloud. On one hand it represents the potential to make all their idealistic dreams come true, the ability to buy a single software solution and have multiple agencies use it for example, and on the other hand it represents a serious perceived security risk. In addition, because there is no single agency or group responsible for ICT across government, co-ordination of a response to Cloud is difficult.

Let’s get some facts straight here:

  • The vast majority of government agencies already utilise outsourced ICT services in various forms, including Cloud.
  • 77% of companies and agencies use Cloud services directly.
  • Of those 77% companies surveyed, 40% “have suffered exposure of confidential information.”
  • The majority of employees, greater than 65%, use Cloud services to manipulate their company or agency data.
  • The ICT organisations are not necessarily in control of those Cloud services; there is increasing evidence that Cloud services are bought outside of the ICT group by the business directly.

Government is likely to respond in a number of ways to Cloud.

  • Where private companies are concerned, they can do absolutely nothing except remind those companies and their directors of their legal obligations.
  • Where it is government they are likely to issue strong guidelines about how Cloud should be used.

Government will never mandate how we can use technology. They will strongly encourage and create policy, but they will never intervene.

So what do we do about the high use of Cloud and associated risks? Do we shut it down? Do we block firewall access for staff and lock down their smartphones? Do we turn off their remote access and implement heavier monitoring?

No, because it is all too late.

What we do as ICT professionals is start working with our businesses and our users to deliver Cloud services that are the same as or better than what they can get from the market directly, with an adequate level of control balanced against the risks presented. As a rule, we, ICT, have lost our relationship with the business and need to get it back. We’re seen as a group that slows the business rather than supports the business to move quickly when they need to. We need to find our balance again.

As for Government, they would be better off thinking about what happens as Cloud becomes more pervasive in New Zealand. What will happen to the 41,000 ICT workers that are employed within New Zealand over the next five years as companies and organisations move to Cloud? What will happen to our burgeoning application development industry? How can they support Cloud being established in New Zealand to be consumed by customers in other countries? How can they provide practical guidance on Cloud and how to use it? How do they stop every last piece of New Zealand data ending up in international data centres? How do they fix the risk around a single fibre cable connecting New Zealand to the world? How do they increase the level of bandwidth while reducing its cost?

How do they become relevant in what is becoming a core New Zealand industry?
