Cloud Computing can be defined simply as ‘an outsourcing arrangement whereby a service provider will host information systems or resources. These systems and resources are then accessed by the client over the Internet (the cloud)’. Cloud computing is not a new technology but it is a new business model for delivering ICT resources.
Benefits from accessing shared resources over the Internet can include improved flexibility, increased scalability and greater availability and resilience. Examples of these sorts of benefits include not having to house IT infrastructure on-site and only paying for services used. These benefits can improve cost effectiveness and also potentially reduce ongoing operating costs through the reduction of IT infrastructure and staff.
However there are also risks relating to data security and sovereignty, system performance, unauthorised access, legal and regulatory compliance and loss of access to the system, service or information. These risks will vary depending on the sensitivity of the agency’s information and the criticality of the service. Data sovereignty issues arise when data stored ‘offshore’ in other countries becomes subject to local laws potentially affecting the rights over that information.
More agencies are considering the option of moving some of their information systems to the cloud. In doing so they need to fully understand and consider both the benefits and risks associated with cloud computing before making a decision to adopt.
The objective of this audit was to assess whether a sample of five agencies were effectively managing their cloud computing arrangements. We also examined the extent to which agency data was being held offshore under the cloud arrangement and whether there were appropriate controls to protect data sovereignty and security.
The sampled agencies were the Department of Fisheries, Department of Sport and Recreation, Metropolitan Redevelopment Authority, Public Sector Commission and Public Transport Authority.
None of the five agencies could demonstrate effective management across all of the key areas relating to their implementation of a cloud based service with a consequent risk to the confidentiality, integrity and availability of information. Common weaknesses included not assessing business risks and costs and benefits of shifting to the cloud, inadequate contractual arrangements, and weaknesses in the IT security and business continuity arrangements. Despite these overall failings, some agencies demonstrated elements of good practice across certain key areas in their management over cloud services.
Weaknesses in the contractual arrangements with the cloud service providers included a lack of specificity relating to whether agency data can be stored offshore. Agencies were therefore trusting their service providers not to store their information outside Australia and to not allow access to their information from offshore locations. Currently, the data of only one agency (back-up data) is stored offshore.
We noted that government guidance to WA agencies on offshore storage of information and other issues related to agency decisions to move to the cloud was minimal. However, both the Department of Finance and the State Records Office are producing material that will help close this gap – action that is necessary as the trend towards cloud computing grows.
- Risk Management – four of the five agencies were not effectively managing the risks associated with their cloud computing arrangements. In particular, these risks related to information security and sovereignty, system performance, unauthorised access, legal and regulatory compliance and loss of access to the system, service or information. If these risks are not managed properly, they could have a significant impact on an agency’s key objectives and operations and result in the loss or disclosure of information. The overall lack of effective risk management was evident across the following key areas:
- Business Case – only two of the agencies had a business case to support their decision to implement a cloud based service.
  - new service – two of the agencies could not provide adequate documentation to support their recent decision to implement a new cloud based service. These agencies were unable to demonstrate that an informed decision was made to deliver key systems or services using the cloud. They were unable to show they had fully considered and evaluated the service costs along with the risks and benefits.
  - service renewal – in those instances where contracted services were up for renewal there was again limited evidence by two agencies to show appropriate consideration was given to alternative options, costs and benefits.
- Contract Management – all five agencies had weaknesses in the contractual arrangements established with their service providers. Examples include:
  - sovereignty – no contractual requirements or limitations on where agency data could be stored. Agencies were generally unaware of whether their data could be stored offshore under the terms of the agreement. However, given that the agreements were with multi-national companies, there would seem a real possibility of the data ending up offshore if not explicitly excluded by contract. Currently, the data of only one agency (back-up data) is stored offshore
  - security – no contractual requirements relating to data security controls that the service provider should implement to protect the confidentiality, integrity and availability of agency data
  - service continuity – no contractual obligations on both parties in the event of a planned or unexpected termination of the services
  - performance – no contractual requirement for the service provider to report to the agency on the provider’s performance or on any relevant security matters.
Failings in contractual terms and conditions along with poor contract management and oversight increase the risk that the cloud service will not meet an agency’s requirements. This could result in a poorly performing and insecure service or sensitive information being stored offshore.
- Information Security – three of the agencies had a range of weaknesses in the information security controls implemented by their cloud service provider. These weaknesses increase the risks to the confidentiality, integrity and availability of agency information and included:
  - known software vulnerabilities that had not been fixed or updated
  - information was not being securely deleted from hard drives before they were reused or destroyed
  - sensitive information on backup tapes was not being encrypted
  - intrusion detection systems (IDS) had not been appropriately deployed. Without an IDS it is less likely that any cyber-attacks will be detected.
- Business Continuity – all five agencies had weaknesses in their business continuity and/or disaster recovery plans and arrangements. These arrangements are important because they should ensure the continued operation of the cloud service in the event of an unplanned outage, major incident or a service provider ceasing operations. We identified that agencies and/or the cloud service provider lacked adequate plans to restore services and business operations in a timely manner. Without appropriate and tested plans, services may be interrupted for prolonged periods with a significant impact on the public and agency operations and staff.
- Guidelines – agencies should ensure they are familiar with and utilise the Department of Finance resources covering cloud computing arrangements.
- Risk Management – agencies engaging a cloud service should ensure it is supported by an appropriate risk management process throughout the service lifecycle. This process should ensure all relevant and emerging threats and vulnerabilities related to an agency’s service, information and cloud service provider are identified and assessed. The agency should have appropriate treatment plans in place to address these risks.
- Business Case – it is important that agencies properly assess and document their decision to adopt cloud based services. This assessment should ensure any cloud based arrangement is evaluated against other viable options. As a minimum, the evaluation should consider the costs, risks and benefits of each option. As part of this work it is important that agencies implement a process to monitor, evaluate and report against the projected costs, outcomes and benefits.
- Contract Management – the contract between the agency and service provider must include appropriate terms and conditions to address and mitigate key areas of risk. Agencies should implement appropriate management and oversight arrangements to ensure the service provider is adhering to the contract. This may involve periodic reporting, regular audits and service provider certification.
- Information Security – to adequately protect the confidentiality, integrity and availability of information, agencies must ensure that appropriate security controls are implemented. Service providers will charge a fee for the implementation and management of these controls. Therefore, the type and level of controls used should reflect the value and risks to the agency information. Agencies should implement suitable mechanisms to gain regular assurance that the controls are implemented and working effectively.
- Business Continuity – agencies should make sure that their service providers have adequate and tested business continuity and disaster recovery plans in place. Agencies should also develop their own business continuity and disaster recovery plans in case their service provider’s systems are unavailable or the service provider ceases to operate.
Department of Fisheries
The Department is fully aware of the shortfalls of the current contract and is seeking to resolve these issues. However, it must be noted that at the time that the Department secured this contract there was limited information available to assist agencies in purchasing solutions of this nature. I am confident that the Department took into consideration the information available at the time by seeking advice from officers at the Department of Finance and also by appointing a consultant to manage the tender process and draft the contract. The residing contract and tender process was approved by the Department of Finance, approved by the independent probity Auditor and also by the State Tender Reviews Committee and was passed with no comment at the time.
Department of Sport and Recreation
The Department of Sport and Recreation (DSR) acknowledges the Auditor’s findings. DSR commenced a HR Business Systems Review in April 2014 to consider the business case for our future HR Information management requirement. Additionally, DSR is committed to reviewing its Business Continuity Plan.
On receiving six weeks’ notice for the expiry of the Talent2 contract, DSR was engaged in a process for reviewing other business systems. Therefore the agency had limited resources to adequately consider a proper requirement within the available timeframe.
Metropolitan Redevelopment Authority
The Metropolitan Redevelopment Authority will ensure that the concerns raised are addressed and taken into consideration in the further development and review of the crisis management framework components. Interim measures will be considered to ensure that all findings are addressed in the immediate future and internal processes modified to ensure due consideration is given and action taken.
Public Sector Commission
The Public Sector Commission (the Commission) welcomes the review and agrees with the recommendations in the Auditor General’s report. Discussions have been held with the provider of the WA Government eRecruitment system and the Commission will act on the recommendations as a matter of priority to further improve the contract and the service provided.
The Commission considers its contract with the provider of the WA Government eRecruitment system to be in the most part robust. The process undertaken for the new contract was complex, detailed and in accordance with the Government procurement guidelines. It resulted in a solution that meets requirements within budget and represents value for money. Due diligence in the areas of contract management and technical security was undertaken in accordance with the established procurement and legal framework. Appropriate expertise was utilised in this process.
However, it is acknowledged that some aspects of the contract, in particular reporting on the depth of IT Security controls in place, should be further improved. The Commission will undertake action to increase the reporting of IT security protocols as per the Auditor General’s recommendations. The Commission has a very thorough Service Level Agreement with the provider that is reported on monthly and reviewed at an executive level on a quarterly basis.
The Commission also supports these recommendations being provided to Government Procurement for consideration and will work with them to implement any changes to the procurement process.
Public Transport Authority
Participating in such an audit is constructive for an organisation such as the PTA considering that cloud computing is an increasingly common business practice. The PTA is also pleased in regard to the whole of Government approach to the management of cloud computing from a policy perspective.
The PTA welcomes the point that Government is aiding agencies with strategic direction in relation to cloud computing. With the accelerated growth of cloud computing it is important that future project managers within the Divisions of the PTA consider the risks associated with the use of the Internet in this way. Having guidance from the Department of Finance and the State Records Office gives management from the PTA confidence that risks will be considered and action plans will be formulated to mitigate the risks. The PTA believes the Department of Finance “Cloud Toolkit” and the “Cloud Planning Flowchart” guidance tools will be invaluable when next preparing Business Cases for future Cloud related projects.
In this regard the PTA Manager Information Services has been requested to prepare a PTA policy and guideline, based on the Department of Finance and the State Records Office guidelines, for consideration and endorsement by PTA’s Information and Communications Steering Committee. This policy and guideline will then be applied to all future PTA developments incorporating cloud computing.
There are a number of definitions for cloud computing but for the purpose of this report we are using the following definition: ‘Cloud computing is an outsourcing arrangement whereby a service provider will host information systems or resources. These systems and resources are then accessed by the client over the Internet (the cloud)’.
This arrangement of accessing shared resources can offer a number of benefits which include cost effectiveness, improved flexibility, increased scalability and greater availability and resilience.
Cloud computing is not a new technology but rather a new business model for delivering ICT resources. Because of this, many of the risks and issues associated with ICT service delivery remain. However, as most agency systems were designed to operate in a secure environment, agencies need to fully understand the risks associated with cloud computing both from an end-user and agency perspective.
The risks relate to areas such as data security and sovereignty, system performance, unauthorised access, legal and regulatory compliance and loss of access to the system, service or information. Data sovereignty is important as digital information is subject to the laws of the country where it is located. These risks will vary depending on the sensitivity of the agency’s information, the criticality of the service and how the cloud service has been implemented by the service provider.
From our ongoing work we are seeing more government agencies investigating the use of cloud based services and options. Therefore it is vital for government that agencies fully understand and consider both the benefits and risks associated with cloud computing before making a decision to adopt.
There are a number of different models and options for delivering cloud based services. The three most common service models are:
- Software as a Service (SaaS) – the consumer uses the provider’s applications running on a cloud infrastructure to deliver a specific function or service.
- Platform as a Service (PaaS) – the consumer can install or develop applications onto the provider’s cloud infrastructure.
- Infrastructure as a Service (IaaS) – the consumer is provided with fundamental computing hardware and resources where the consumer is able to install and run operating systems and software applications.
An agency can adopt any combination of the above models and more than one provider can be involved in the delivery of each model. For example an agency’s data centre, protective devices, architecture and software could be controlled and maintained by three different service providers.
The WA Government has not as yet provided guidance to assist agencies who wish to adopt cloud services. However, guidance and examples of good practice are available from the Australian Signals Directorate, Australasian Digital Record Keeping Initiative and the Commonwealth Department of Finance and Deregulation.
The WA Department of Finance is preparing to release a set of guides and toolkits to help agencies and inform industry in the transition to a suitable cloud computing solution. The toolkits and the cloud planning flowchart assist agencies to determine their business case including risk, scope, benefits and potential cost to implement the solution. It is essential that this planning is done prior to the procurement phase.
What Did We Do?
Our objective was to assess whether agencies were effectively managing their cloud computing arrangements. We also examined the extent to which agencies had stored data offshore and whether there were appropriate controls to protect data sovereignty and security.
The specific lines of inquiry were:
- did the agencies adequately consider the costs, benefits and risks prior to outsourcing one or more of their key IT systems into the cloud and throughout the lifecycle of the service?
- did the agencies implement appropriate contracting arrangements to effectively manage their cloud computing services?
- have cloud service providers implemented adequate IT controls to satisfy the agreed obligations and agency requirements?
- have the agencies evaluated, monitored and reported the costs and benefits of using the cloud model?
The agencies selected for the audit were:
- Department of Fisheries
- Department of Sport and Recreation
- The Metropolitan Redevelopment Authority
- Public Sector Commission
- Public Transport Authority.
We also consulted with the Department of Finance who previously entered into a common user agreement for a cloud based human resource system for agencies. A large number of agencies use this system.
The State Records Office (SRO) and Information Commissioner both have an interest in how agencies manage their information in a cloud arrangement. The SRO is developing a new guideline to provide information management advice on cloud computing specific to WA government agencies. We invited both to provide their views on cloud computing and these are included in full at Appendix 1.
The audit was conducted in accordance with Australian Auditing and Assurance Standards.
What Did We Find?
A high level summary of findings is shown in Figure 1 below against the key areas we examined. These areas are not exhaustive but are considered important to the management of cloud services. The findings are categorised based on the levels reported to each agency. The table shows that no agency demonstrated good management over cloud services across these areas.
The detailed results of our audit are summarised below on an agency by agency basis.
Department of Fisheries
The Department of Fisheries (Fisheries) have adopted the software as a service (SaaS) model for the cloud based service that supports their Commercial Vessel Monitoring System (VMS). The system is used for the real-time monitoring of approximately 260 boats across 22 commercial fisheries off the Western Australian coast. Commercial fishing is a significant operation that contributes in excess of $300 million per year to the WA economy. In this arrangement the main vessel monitoring application is provided by one service provider. The servers hosting the system and supporting infrastructure are housed in another service provider’s data centre. This data centre and the servers are located in Sydney. Figure 2 provides a basic overview of this service.
This complex system provides a critical function, however Fisheries had not identified the risks related to their decision to implement this arrangement or thereafter assessed and treated these risks. The risks include unauthorised access to commercially sensitive fishing information, system disruptions or the complete loss of service. Should these risks occur they could have a serious impact on the State’s commercial fishing operations and Fisheries’ ability to monitor fishing vessels for compliance with area restrictions.
Fisheries proceeded with the cloud solution without completing an adequate business case that included consideration of the above risks. Without a sound business case, Fisheries was unable to show that they fully considered all potential options to arrive at the most effective solution. It is also unlikely that they had a clear understanding of the service benefits and how these were going to be achieved.
Although the VMS provides a key service, the contract with the system provider is missing some important terms and conditions to protect Fisheries’ interests. For example:
- Fisheries had not adequately defined its security requirements and included these in the contract
- the service provider was not required to report regularly to Fisheries on the system security controls that are in place or on the auditing that will be done of the effectiveness of those controls
- the responsibilities and actions of both parties in the event of the service terminating are not detailed.
We also found that Fisheries was not receiving regular service or security reports from the service provider, which is a requirement of the contract service level agreement. The information in these reports is essential to alerting Fisheries as to whether it is exposed to a poorly performing and insecure service.
Fisheries did not have an information security policy of their own to assist them to define the security requirements they required in the contract with their provider. This contributed to a number of weaknesses in the system and service provider operations, such as:
- information was not securely deleted from hard drives before they were disposed of or re-used. This increases the risk that the information on these disks can be recovered resulting in unauthorised access or disclosure
- the data on the backup tapes was not encrypted. The lack of encryption makes it easier for anyone with access to the tapes to read the information
- auditing of login failures on the system had been turned off. As a result, it is less likely that attempts to gain unauthorised access to the system would be quickly detected.
The VMS provides a key service to Fisheries. However, Fisheries does not have a business continuity plan (BCP) to enable continued vessel monitoring in the event of an incident affecting the cloud service or if the provider ceased operations. A BCP would reduce the impact that an incident or cessation of the provider’s operations would have on Fisheries’ operations.
Public Transport Authority
The Public Transport Authority (PTA) has acquired a software service to process Transwa regional coach and rail bookings. Customers can make their travel bookings directly online (https://www.transwa.wa.gov.au) or via the authority call centre or through a regional agent.
The main application that processes bookings is provided by one service provider. The servers that run this application and store the PTA and customer information are owned and managed by a second service provider. The servers are housed in two data centres both located in Sydney which are owned and managed by a third service provider. The payment of bookings involves an interface with a card payment gateway. The payment gateway is provided by a fourth service provider and runs on servers in a different data centre. Figure 3 gives a basic overview of this arrangement.
Despite the complexity of the service and the sensitivity of the customer information being processed, the PTA had not identified or managed the risks related to these arrangements. The risks include unauthorised access to customer information, system interruptions, complete loss of service and data being offshored. Emergence of these risks could impact on customers’ personal information and travel arrangements.
We noted that the PTA had not adequately defined and communicated their information security requirements to the service providers through the contracts. These security requirements instruct the service provider and any sub-contractors on the security controls that should be in place to protect PTA and customer information. The absence of these requirements means that there is no contractual constraint to prevent customer information being stored on computer systems located overseas. The PTA had also not stipulated how long they required the customer and booking information to be stored and retained on the service providers’ IT systems. By not defining and communicating their data security requirements to the service provider, there is an increased risk to the confidentiality, integrity and availability of the PTA’s information.
The PTA and their main service provider did not have any business continuity or disaster recovery plans (DRP) to cover the continued operation of the system which is critical for booking and managing regional travel. A BCP and DRP would reduce the impact that an incident or cessation of the provider’s operations would have on the PTA and on those members of the public wishing to travel.
Public Sector Commission
The Public Sector Commission (Commission) has acquired a recruitment portal software service. This portal provides a centralised website (www.jobs.wa.gov.au) for positions in the WA public sector. Agencies use the service to advertise their vacancies and manage applications for those roles. It also provides the public with a central view of all vacancies and enables them to submit their job applications online. The recruitment portal application is provided by one service provider. The application is located on servers in a Sydney data centre which is owned and managed by another service provider. Figure 4 provides a basic overview of this service.
The contractual arrangement between the Commission and the service provider is missing key security terms and conditions to ensure the confidentiality of sensitive and personal information the system stores and processes. These include:
- no defined requirement for data encryption to protect personal information
- no requirement to ensure data is securely deleted from surplus media (e.g. tape, hard disk or CD-Rom)
- inadequate reporting requirements defined for the Commission to gain assurance on system security
- inadequate provision for auditing the design and effectiveness of security controls.
We also noted that the service provider had not implemented an appropriate intrusion detection system (IDS). An IDS would help detect any cyber attacks aimed at taking the system offline or gaining unauthorised access. In addition, the service provider was not completing any vulnerability assessments on the system and network. Regular assessments allow system or software weaknesses and vulnerabilities to be identified and addressed to prevent exploitation by hackers or cyber criminals.
The Commission did not have a business continuity plan to cover the continued operation of the service. This increases the risk that the recruitment system will not be available for an extended period of time if there is an unplanned incident or the service provider ceases operation. The Commission had also failed to gain assurance from their service provider that they had adequate disaster recovery plans in place. Without effective and tested continuity and recovery plans there is an increased risk to the overall availability of the service. This could impact the state government’s ability to manage staff recruitment.
Department of Sport and Recreation and Metropolitan Redevelopment Authority – Talent2
Both the Department of Sport and Recreation (DSR) and the Metropolitan Redevelopment Authority (MRA) were using ‘software as a service’ (Talent2) to manage and process their staff pay and other benefits.
Talent2 is a cloud based HR system in common use amongst WA government agencies. The Department of Finance entered into a common use arrangement to deliver Talent2 for agencies in 2002. When the contract recently expired, individual agencies were required to negotiate their own arrangements.
Both DSR and MRA took a decision in 2013 to extend their contract with the service provider without fully considering alternate options or whether the terms of the agreement were still relevant. We acknowledge that the time frame to do this was very limited due to the government’s decision not to proceed with the Shared Service arrangements across the sector. Due to the short time frame agencies had limited capacity to determine whether the cloud based arrangement best suited their needs. However given the sensitivity of the personal information being stored on Talent2, all agencies should ensure they have a full understanding of the contract and service levels (security, quality and availability) they are accepting.
We noted a number of issues in relation to the Talent2 arrangements that had potential to result in unauthorised access to personal information or in staff not being paid:
- the service provider stores back-up copies of information in Melbourne whilst the contractual arrangements stipulate that data should only be held in Western Australia
- neither agency was monitoring key performance criteria set out in the contract. This included security, quality and availability of the service
- the Department of Sport and Recreation had not developed a business continuity plan to ensure the ongoing operation of the service following an unplanned event.
Metropolitan Redevelopment Authority – Infrastructure as a Service
In addition to Talent2, the MRA has also implemented an ‘infrastructure as a service’ (IaaS) model. Under this arrangement, all of the MRA’s computing resources and supporting ICT infrastructure are hosted from a service provider’s Perth based data centre.
Our audit of these arrangements identified weaknesses in the MRA’s process for managing its cloud based risks. These weaknesses could result in commercially sensitive information being exposed to unauthorised access or disclosure or could affect the availability of key information on metropolitan redevelopment projects. The weaknesses included:
- the MRA adopted a cloud solution for their ICT infrastructure without completing an adequate business case and without a documented analysis of its risks
- a range of key terms and conditions covering areas such as security, performance and auditing were missing from the contract
- gaps in key security controls. These related to fixing known security vulnerabilities and securely deleting information from hard drives before disposal or re-use
- the MRA did not have an adequate business continuity plan. Details of what actions they planned to take to continue their IT operations should the service provider suffer a significant outage or cease operating were unclear. In addition, they had not defined or agreed any disaster recovery arrangements with their service provider.
Appendix 1 – Central agency views about the use of the cloud
We sought advice from the State Records Office and the Information Commissioner about their views on the use of cloud computing within government agencies.
The following is a summary of their advice.
State Records Office
The State Records Office (SRO) of Western Australia is the Western Australian public records authority with responsibility for managing, preserving and providing access to the State’s records.
The SRO is of the view that although there are potential benefits for government agencies utilising cloud computing there are a number of risks that should first be properly assessed.
The major issues in relation to records and information management which agencies need to consider and mitigate when considering cloud computing include, but are not limited to:
- risk of loss of access to their information
- risk of unauthorised access to their information
- unauthorised destruction of their information
- security and protection of their information
- custody and ownership of their data and information
To assist agencies in assessing whether a cloud computing arrangement is appropriate to their business operations, the Australasian Digital Record Keeping Initiative (ADRI) guideline ‘Advice on managing the recordkeeping risks associated with cloud computing’ is available from the SRO website. ADRI is a working group of the Council of Australasian Archives and Records Authorities and, as a member organisation, the SRO endorses the risk assessment approach in the guideline.
The SRO is also developing a new guideline to provide information management advice on cloud computing specific to WA government agencies and to complement the Cloud Computing suite of tools currently being developed by the Department of Finance.
Agencies considering or using cloud based services need to factor the requirements of all applicable legislation, including the Freedom of Information Act 1992 (FOI Act), into the early stages of any planning or procurement process.
The use of cloud based services is not inherently incompatible with the FOI Act, as the Act gives the public a right to access all documents (including electronic documents in any form) which are in the possession or under the control of an agency. This includes documents which an agency is entitled to access, even though they may not be in the agency’s physical possession.
However, failing to take the requirements of the Act into account at the planning stage can lead to a situation where the objects of the FOI Act are frustrated in practice. For example, it may be more difficult or costly to undertake reliable and comprehensive searches for all documents which may be within scope of a particular FOI application. Depending on a service provider’s data and cost structure, retrieval of documents may also be delayed or rendered more costly due to complex extraction procedures. Conversely, the well-planned and executed use of cloud services may enhance the ability of an agency to achieve the objects of the FOI Act, by allowing for efficient and effective searches across all relevant data holdings and speedy retrieval, especially where this replaces or interconnects previously incompatible and distributed systems.
Agencies also need to ensure that cloud based services provide acceptable levels of data security and integrity to allow the agency to comply with all of its oversight and accountability obligations, including those under the FOI Act.
The most important point is to consider and address these issues at the early stages of planning and to be aware of the practical impact which system design can have on an agency’s ability to achieve the FOI Act’s legislative objects of greater public participation in government and improved government accountability.