New Zealand: What do the Government Chief Information Officer, Privacy Commissioner, and National Cyber Security Centre have in common?

Nothing. That’s what. All have issued quite contrary advice on the use of Cloud Computing by government agencies that is simply confusing decision makers in government and slowing adoption. In a classic case of left hand, right hand, a recently published document by the National Cyber Security Centre titled “Cloud, Risk and Security” muddies the water significantly and should be challenged.

Let’s start with the good. As I commented a few weeks back, the GCIO has released an excellent paper on managing the risks of Cloud computing (as well as other things like large projects and security). While this is a mandatory process, it sends a clear message that the GCIO recognises that the Cloud horse has bolted and that Cloud can be carefully managed through good risk planning, and as a document for evaluating Cloud providers it is excellent. It seems to be a steer away from just demanding agencies use specific Government approved services to one of guidance, expertise, and careful management of your own destiny.

So they get a ten out of ten.

Then we have the Privacy Commission, which released its view on Cloud Computing some months back. It is confusing, to say the least, particularly for small to medium business. The information hasn’t been updated in nearly eighteen months. Asking a small business to consider NIST standards is like asking a mechanic to understand the chemical makeup of a particular alloy (i.e. utterly irrelevant), and spuriously quoting standards doesn’t much help either. Martha, on Xero, running a Dog Day Care business does not care a jot about ISO20001. While it makes the point that privacy is everyone’s responsibility, it associates privacy with technology, which is a particular bugbear of mine. Privacy is a business problem, not a technology problem.

So they get five out of ten for at least attempting something, but it misses the audience in much the same way a foreign movie without subtitles does.

Now we have a paper published on the National Cyber Security Centre website that, on the face of it, would scare Martha from the Dog Day Care business into buying her own datacentre, let alone any slightly paranoid government CEO or CIO, who is likely to start buying servers again.

“This paper seeks to encapsulate aspects of cloud risk and related work in order to present a comprehensive view of the benefits, issues and risks in cloud computing.”

It doesn’t say it is a balanced view, which is good, given the first paragraph:

“There is much concern and a great deal of caution in the use of cloud services and the hosting of critical data in the cloud. Gartner describes organisations using cloud services as early adopters and fast followers, the terminology indicating the immaturity of cloud services. Many early adopters are driven by the need for performance, scalability, resource sharing and cost saving.”

I guess the document shows its age here, given that Cloud computing cannot be called immature on a global level. But the issue I have with the document is that it (another pet hate) does not quantify the risk of Cloud computing against the real world.

As a former Risk Manager, I know that all risk must be quantified against a given state. For example, you can’t say “it is risky to move to Baltimore because that is the murder capital of the U.S.” without pointing out the fact that you live in Syria, now. Risk must be quantified on where you are now, and where you are going.

The first eighteen pages of the document set the scene, though it is not entirely certain who the audience is.

Then we get into risks:

“While the cost savings have been the most visible and best promoted perceived benefit of cloud services, the risks of cloud have not been comprehensively identified and are less well understood.”

This is a true statement, and as we will see, this document isn’t helping that problem.

The author points out the first risk being a Changed Business Model. To me, this is not a risk. This is a) a natural progression of ICT, which most overseas countries have figured out already, and b) the entire idea of Cloud is to unlock new business models. Sure, there is a risk that if you aren’t ready, you’ll screw it up, but that has nothing to do with Cloud, at all. We should have moved to a Service Management model in Government ICT a decade ago. If Cloud drives it out, all the better.

The list of risks then expands into a table that, when matched against risk, looks massive. Here’s a handful and my view:

  • Bandwidth Cost: Likely to be less, in my experience.
  • Poor technology performance: Likely to be better than what most agencies do today and, if issues occur, easily scalable.
  • System Resilience: Massively resilient compared to in-house operations that can’t afford that level of SLA.
  • Incident Response: Probably a lot better than what an agency does currently and certainly able to match Service Management if you have it.
  • Vendor Lock-In: As opposed to the completely proprietary lock-in you have today with your own hardware?
  • Multi-Tenancy security implications: Better than what you do today I would suggest.
  • Data location: Does it matter as long as the data is safe? Nope, it doesn’t. Your data will be safer in the Cloud, regardless of where it is.
  • Increased attack surface: Nonsense. That’s like saying that living in an apartment building with three million tenants is less safe than living in your own house.
  • Malicious insiders: Not a risk. You are more likely to have an admin with god access to your current environment than you ever will have in a Cloud environment.
  • Reliance on external support: Not a risk. You are more likely to get 24X7 from a Cloud provider than you ever are from your own internal 8X5 team.

Now, if you pick a rubbish Cloud provider, then you’ll get this kind of risk, which is why the GCIO released their guidelines, so you don’t.

Then the author gets into what is clearly their area of expertise, Security Risk. There is no doubt the author is an expert in this area; however, in my opinion, the risks are unbalanced.

Here’s a few examples:

Location. The author seems to think that anything that is not New Zealand is a high risk, but then points out that locations should be away from physical hazards (like earthquakes and volcanoes – hello Auckland and Wellington), and then points out that we are reliant on communications to get there. I’d bet my bottom dollar on any Cloud service provider being able to provide multiple layers of redundancy across multiple continents with multiple connection points being far superior to the current practice of having a data centre in your basement on The Terrace.

Jurisdiction and sovereignty is raised as well:

“One reason for the international focus on the Patriot Act is the aggressive and enthusiastic use of that legislation, by the US. This has manifested itself in a degree of distrust by EU nations in the ability of US cloud service providers to adequately protect and secure their data. It is fair to say, however, that many other nations are equally enthusiastic but perhaps less public in exercising access rights.”

Well, if we were going to avoid that risk then we’d move our workloads out of New Zealand to Sweden and Germany. Given New Zealand’s relationship with the Five Eyes network, it surely is at more risk here?

Poor Virtualised environments is raised as a risk. Again, in my opinion, Cloud-provided virtual environments are infinitely better than in-house.

The list of risks goes on and on but fails to meet the quantification of risk process.

Where am I today, how risky is it, where will I be if I move to Cloud, how risky will that be against my original position? THAT is where the GCIO guidance comes in, kicks ass, and cleans up. Can I say that? Too bad if I can’t.

The problem with documents like this is not the content; it’s written by a professional, and the material is valid. The problem is that it’s not balanced, and then the fear, uncertainty, and doubt it creates costs the country untold millions while agencies take advice on how to navigate a minefield that simply does not exist.

Worse, it kind of makes the government look a bit silly when the GCIO has the helm on this and some other minor agency appears to be undermining their good work.

But as always, it’s just my opinion.




  1. Very interesting article, and as somebody who runs a cloud-based SaaS startup, I have to deal with these sorts of objections all the time. Unfortunately, I find myself in a discussion about why moving data through a geographically mirrored cloud application is not riskier than a poorly-patched file server in a basement on The Terrace.

    1. Yup, the view is certainly turning to one that is more pragmatic, having old thinking like this published by a government department isn’t helpful to the industry.
