Secure, cloud-based transformation will help resolve government’s trust deficit

by Robert Di Pietro and Alan Nielsen

As governments double down on cloud, pivoting on security will open up the digital future. To counter the disruption caused by the COVID-19 pandemic, companies and government organisations have been forced to accelerate their digital transformation. They have expedited data-driven strategies and digital security, to protect citizens who must now, more than ever before, interact with government through digital channels.

In Australia’s private sector, almost 40% of CEOs have accelerated digital transformation plans during the pandemic, according to PwC’s Digital Trust Insights 2021 report. Thirty-one per cent modernised their infrastructure with new capabilities and 27% changed their core business models – well ahead of the 21% global average.

Australia’s government agencies, however, face the added burden of ensuring they maintain citizen trust. As agencies secure customer-interaction channels, increasingly based on citizen data, the need to intensify their efforts on information security is key. Managing this data via web applications running on public cloud infrastructure has presented a solution, but one that is evolving.

Cloud platforms offer many security protections, but ongoing high-profile breaches have left the integrity of government information technology systems exposed – for example, repeated ransomware strikes on Victorian hospitals or the recent cyberattack on the NSW Department of Education.

Understandably, these data breaches have damaged citizens’ trust in government’s digital services. For instance, a recent Office of the Australian Information Commissioner (OAIC) survey found that Australians are less trustful of the way federal government agencies handle their personal information, with trust ratings down 14% over the past decade.

The OAIC also reported that only 24% believe their personal information is well protected, while 40% feel their data privacy protection is poor. Eighty-three per cent of respondents said they want the government to do more to protect their data privacy.

Compliance-based security only goes so far

These figures confirm that governments at all levels must overcome a significant trust deficit. They should redouble their focus on information security as they work to safeguard their new cloud-based infrastructure. In addition, many government agencies are already under pressure to modernise outdated legacy infrastructure, which is increasingly expensive to maintain and update.

Cloud solutions address these deficiencies by providing efficient, scalable architecture that can be switched on and off as required to maintain customer service standards. They also offer a way to convert COVID-19’s disruption into an opportunity – the reinvention of government services – so long as infrastructure is implemented securely to avoid compromising citizens’ data.

New government policies have created more ways for government bodies to embrace the cloud. The Australian Government Information Security Manual (ISM) and Protective Security Policy Framework (PSPF) now include more detailed guidance on cloud security management.

More recently, several large cloud providers have demonstrated they can obtain protected-level accreditation for certain services under the government’s Hosting Certification Framework (HCF). This enables government departments to securely store and process sensitive data in cloud environments in accordance with Australian Government security and privacy requirements and, importantly, preserves regulatory data sovereignty.

To make sure compliance with these requirements continues, while delivering and operating at scale, government organisations are moving to embrace DevSecOps principles that embed security in all elements of the delivery lifecycle. By ‘shifting security left’ (that is, closer to the beginning of the development cycle), organisations can bolster security from architecture and design through to DevSecOps toolchains and test automation.

This approach not only supports agile delivery, but extends to ongoing and continuous security and compliance management across development, release and operations.

For agencies operating in uncertified facilities, however, the possibility of another platform migration adds increased complexity to the already pressured pace of digital transformation. Numerous audits show that agencies at all levels are failing to improve their security policies, even where gaps have been identified and remediation recommended.

Earlier this year, an Australian National Audit Office (ANAO) review found that just 24% of audited government entities were compliant with the Australian Signals Directorate’s (ASD) mandatory Top Four mitigation strategies, despite reporting 436 cybersecurity events in 2019/20.

Top-down mandates, resulting from the Australian Government’s updated Cyber Security Strategy 2020, will provide high-level recognition of the need for better cybersecurity practices through initiatives such as:

  • mandates for agencies to comply with the Australian Signals Directorate’s Essential Eight security best practices (ASD8), which spell out key security controls to prevent most cybercrime
  • a requirement for federal agencies to make sure their data and applications are only hosted by ‘certified strategic’ or ‘certified assured’ hosting providers formally evaluated and certified against a range of criteria
  • improved regulation in relation to ransomware ransom payments, including consideration of options for the mandatory reporting of ransom payments and a ban on insurance companies paying ransoms
  • ongoing policy discussions to make company directors liable for cybersecurity breaches.

Within this context of rapid and significant policy change, agencies are drawing on external cybersecurity and risk management expertise to follow industry best practice in areas such as enterprise security architecture, application security and cloud automation.

Every cloud has a silver lining

Cloud providers are working to enhance their application architecture security, and government bodies are refining ways to improve their application resilience, both signs we are moving in the right direction.

‘While, historically, there may have been a perception that the cloud is less secure, or that agencies don’t trust the cloud as much as they do their managed infrastructure, I think we’re seeing government turn the corner,’ says Robert Di Pietro, a partner within PwC’s Cybersecurity & Digital Trust business, who has helped government agencies manage information security risk for over 15 years.

‘There is recognition that these cloud-based offerings are really mature, and that a lot of work has been done by cloud vendors to demonstrate that they meet the Australian requirements for security and privacy.’

An effective transition to a cloud-based solution needs a proactive stance to transformation, avoiding ‘lift-and-shift’ migrations that tend to perpetuate insecurity and poor resilience. Di Pietro explains that lift-and-shift migrations may move applications onto cloud platforms, but they prevent agencies from tapping the benefits of the cloud providers’ extensive and ongoing efforts in data protection and cybersecurity.

‘In general,’ he says, ‘your environment in the cloud is probably going to be more secure than the on-premise traditional environment that you’ve been managing. Some of the big security issues that agencies are still grappling with, such as infrastructure patching, are effectively managed behind-the-scenes in many cloud-based offerings. Government is trying to build and strengthen trust – and we see cloud technology as a key enabler of that trust.’

Government agencies can help to successfully build trust in cloud solutions by discarding long-held beliefs about enterprise architecture. Infrastructure built on years of experience in on-premises systems may not directly translate into the cloud-based world.

When implemented properly, modern cloud solutions enable significant architectural changes including:

  • serverless cloud architecture, which leans heavily on container-based architecture, DevOps to manage them, and automation to help apply policy-based analysis and controls to ballooning data stores
  • integrated security, monitoring and data protection capabilities that facilitate quick recovery from ransomware and other cyberattacks
  • Zero Trust Network Access (ZTNA), which is rapidly replacing perimeter-based security by extending authentication to every component of the enterprise architecture. This is key to remediating potential access-based security risks, spanning both cloud and on-premises architecture.

Each government agency will find its own way to the cloud, but the importance of proactively embracing its new capabilities cannot be overstated.

When planning a migration, agencies should go back to the drawing board to reinvent their services and assemble a team of skilled experts who can design, implement and support the cloud-based systems that increasingly lie at the heart of next-generation digital governments.

Agencies should also work together, sharing their experiences with colleagues in other jurisdictions as they progress with the complex but necessary task of reinventing government for the digital age.

By ensuring that security is built into every step of this journey, those agencies will be able to let the better customer experience of digital transformation speak for itself. With an infrastructure that delivers excellent, frictionless experiences while securing citizens’ data, newly digital government agencies will be able to resolve their trust deficit and emerge from the pandemic in a better position than ever.

