Cloud in Procurement

In the Australian federal government context, cloud in procurement refers to procuring all or part of a cloud solution. Cloud has several benefits but also several risks that need to be considered individually, based on each agency's needs. There are three cloud models:

Software as a Service (SaaS) – is where a vendor uses its infrastructure and platform to provide agencies with solutions. An example of this is Salesforce.

Platform as a Service (PaaS) – is where the vendor provides the operating system and server application, such as Microsoft Azure.

Infrastructure as a Service (IaaS) – is where the vendor provides hardware such as server racks, network, CPU, etc.

The Australian federal government’s cloud framework includes but is not limited to the following:

- Protective Security Policy Framework

- Information Security Manual

- ASD Blueprint for Secure Cloud

- WHoG Hosting Framework

- Hosting Certification Framework; and

- IRAP program.

It is important to note that outsourcing services doesn’t outsource the operational risk, but it may change the risk environment, which may then need due consideration and documentation. Appropriate risk management is imperative to determine whether a cloud solution is the best solution for an agency. Such considerations include but are not limited to:

- Risks surrounding the Confidentiality, Integrity and Availability of the service

- Disaster Recovery

- Data access and protection risk (including third parties)

- Cyber security risk

- Foreign Ownership

There are certain risks pertaining to cloud that should be addressed in procurement and contract documentation, such as whether the data held should be stored within Australia for security reasons. This type of information is crucial to advise tenderers of in the Statement of Requirement, as it may affect a tenderer’s pricing.

Cloud outages and disasters can occur. An example of a cloud issue occurred for NASDAQ Helsinki when an “errant fire extinguisher system” at the data centre owned by a third party triggered the gas suppression system, which affected NASDAQ’s systems. In this case, the backup system should have triggered immediately, but the DR switchover failed and took several hours to activate, costing NASDAQ a significant amount of money. This highlights the need to regularly check that DR solutions are operational and to address such risks in procurement and contract documentation.

Reach out to us at ProConIQ@outlook.com.au should you be considering procuring cloud computing services.
