The New Zealand Government has some of the more progressive, proactive and permissions policies in the world when it comes to the adoption of the public cloud and they have received published some new guidelines that you can read here.
These were issued by the Government’s Chief Digital Officer (GCDO) Colin MacDonald and are in addition to earlier statements around data sovereignty concerns that I’ve blogged about previously.
The Guidance and Resources offer a summarised set of briefing notes for accelerating public cloud services and make some pretty bold statements on how to manage Security, Offshoring (data sovereignty) and Social License:
In my role, I come across objections to all three of the above on a regular basis.
- Security: many IT professionals are still confident they can secure their own servers more effectively than public cloud providers. Putting aside the scale of firewalling and intrusion detection often available in public cloud, one of the bigger issues is physical access to the servers in a typical educational institute. Few organisations invest in a truly secure environment and whilst unlikely, a “ram-raid” style of attack will usually be successful in physically stealing on-premise hardware.
- Offshoring: Many insititutes I talk to will raise the issue of data sovereignty as a key deciding factor when it comes to using public cloud or not. The NZ Government has a pretty clear stance on this and these are outlined in this PDF, and it’s a good framework that educational leaders and education ICT partners can refer to.
- Social License: This is a bit more fluid and often does not have the same arguments or objections behind it, but more a preference or unstated concerns about “cloud” generally. I’m working with one K-12 school that is embarking on a substantial PowerBI project and is confined to on-premise options only as the Board of Governors categorically ruled out putting school data in cloud of any sort.
Making Shadow Cloud Work For You:
The summary of guidance around Shadow Cloud was really fascinating for me. The report defines Shadow Cloud as:
“Shadow cloud” is a name given to public cloud services that employees use without formal approval. Shadow cloud usage exists for many reasons. For example, agency employees who have used public cloud services in previous jobs or at home often see the opportunity to use them in their work.
This is rife in educational institutes, where you find teachers, administrators and students using various cloud suites, online storage and video streaming services that are not officially approved by the orgnisation. One common example is educational institutes may have Office365 and promote the secure storage options in OneDrive For Business, but users may opt to use a personal G Drive or Dropbox.com account to store and share school work. I know from first hand experience as a K-12 ICT Director how difficult it can be to regulate this type of activity and therefore found it interesting the report suggests:
- Look for silver linings in Shadow Cloud usage i.e. employees are typically using these tools to drive better business outcomes.
- This employee initiative may present CIO/CTO’s the opportunity to identify cloud services that may be suitable for wider adoption by staff if formally implemented.
- Doing nothing is not an option! This may go without saying, but ignoring Shadow Cloud usage will lead to data compromises, dependencies on services that may have no long term viability and complications around information management.
The Government has offered the following framework to help manage Shadow Cloud Usage:
New Zealand Qualifications Authority – An early adopter of productivity services following the change in Cabinet policy, it sees public cloud services as way to re-engineer the focus of its business to better support its customers and its core, high-value business functions.
Right Sizing Risk Assessment:
The final document in the briefing reinforces the policy that NZ Government Agencies need to adopt a preference for public cloud services over traditional IT systems. This is a bold statement and yet it seems the various agencies are responding to this based off the examples given in the document. Three steps are required however:
- A risk assessment is required
- You decide how to assess risk
- Approval can be delegated
Tools and guidance for managing risk assessment are provided for government agencies and there is an inherently practical approach to this:
The time and effort spent on the risk assessment should be proportional to the level of risk. In practice, this means carrying out an initial assessment focused on the sensitivity of the information and the criticality of the service. If the initial assessment concludes that risks are acceptable, then a detailed risk assessment will not usually be required in order to use the service.
Where significant risks are present, then a more detailed risk assessment will typically be needed to address a range of security, jurisdiction, privacy and contractual issues.
It will be interesting to see how this works in practice and whether due diligence and risk assessment is carefully carried out before public cloud services are employed. To assist, two scenarios are presented as examples:
With the New Zealand Government leading the way, there is fewer valid objections for educational institutes to flatly refuse to explore the public cloud as a viable option for an increasing amount of services.
Despite the clear direction issued by the GCDO of “public cloud first”, this feels like an evolving conversation for businesses and educational institutes across the country. It is going to be fascinating to watch the speed (or not) of digital transformation across various Government Agencies in the wake of continued announcements like this. Equally, it will be interesting to see how the education sector as a whole responds to this and whether a step change occurs in the approach of educational ICT partners in their preferred deployment methods.