The Australian Government Information Management Office (AGIMO) has released a set of draft guidelines for government agencies, outlining the legal issues pertaining to cloud computing.
Released this month, this is the first time any government has introduced such a guide on cloud computing. The draft guidelines form part of Stream One of the Australian Government's Cloud Computing Strategic Direction Paper, released in April.
The strategy paper provides a three-stream approach to the implementation of the Australian Government Cloud Computing Policy and outlines several deliverables, including the development of Better Practice Guides for use by federal government agencies.
"The strategy paper is very much [about] arming people with information so that government departments can make more informed decisions around cloud computing options," said the head of Freehills' technology and communications practice, Keith Robinson. "I think the guide really sits in that context, so it's a fairly high level set of guidelines. "
"It's really saying, 'There are a number of specific issues that come up in IT contracts - some of those will change and there will be some specific issues for cloud computing. You need to have a think about them and here are the types of considerations'."
Getting more out of the cloud
Only in draft form, Robinson said there are a few issues that could be added to the guidelines down the track, including further guidance on contracting.
"How to go about contracting is important because ... when you look at cloud computing, particularly if you're going to the public cloud, you're not really going to be able to negotiate the terms very much. If you look at the public cloud it's really going to be less about trying to negotiate the terms and much more about doing due diligence and understanding and managing the risks," he said.
"The first [issue I would add] is lock in. The guidelines talk about termination rights and getting disengagement assistance, but one of the key things with the cloud is you really need to be able to move from one vendor to another," he said, adding that it is important to ensure that the way information is stored and managed will enable it to be easily transferred to somebody else.
"If I was doing the next draft I would add a piece about ensuring that not only is your data able to be extracted and ported, but it's going to be in a form that you can easily give it to somebody else," he said.
Although not necessarily seen as a specific legal issue, Robinson said pricing is another consideration, which should be included in the guidelines.
"It's quite important because current models are quite immature. You talk to a lot of vendors and you ask them how they're pricing the cloud and they're not really sure what the pricing models will look like," he said. "Ensuring that you'll have longer-term pricing competitiveness in what you get is going to be quite important. So I think it would be worthwhile saying to [departments] that you really need to think about how the pricing model works, where it's going to give you long-term value - and if it doesn't how you change it."
Robinson said the draft guidelines will provide a useful resource for general guidance, and not provide a template for a revolutionary form of future regulation.
"Cloud computing is really just a different way of delivering services. So, depending on how you want to classify it, this type of outsourcing of service is a significant part of our practice," he said. "Not all of it will be labelled as cloud, or going into the cloud, but essentially it is. And I suspect for a number of things we do, they're subcontracted to the cloud and a lot of people don't even know about them."