Are Australian governments unlocking the full cloud promise, or just testing the waters?
Australia’s public sector has embraced cloud as a strategic enabler, not just an IT upgrade. But with rising expectations for secure, citizen-centric digital services, agencies now face a tougher challenge: moving from cloud adoption to cloud maturity.
The ambition is high. The complexity is real. And the decisions government leaders make now will shape the next decade of public sector capability.
Embedding Hybrid & Public Cloud into the National Digital Government Vision
Australia’s Data and Digital Government Strategy (2023) and the forthcoming Whole-of-Government Cloud Computing Policy (effective July 2026) mark a pivotal shift: cloud-first is no longer aspirational. It’s the default operating model for modern government.
This isn’t just a technology upgrade. It’s a structural change in how the government delivers services, manages risk, and builds resilience.
These frameworks push agencies to:
- Use public cloud for new digital services
- Actively retire legacy and high-risk systems
- Prioritise reusable, interoperable platforms
- Modernize procurement and governance
- Strengthen whole-of-government consistency
In short, we’re moving from siloed ICT to shared national digital infrastructure, a foundation that supports collaboration, agility, and citizen trust.
Hybrid cloud plays a critical role in this vision. Public cloud accelerates innovation and scalability, but hybrid architectures allow agencies to keep sovereignty over sensitive workloads while still gaining flexibility and cost efficiency. It’s not about choosing one or the other. It’s about designing a model that balances speed with control.
This shift raises a leadership question:
Does your Digital Investment Plan treat cloud as infrastructure or as a strategic capability that shapes service delivery?
Secure Cloud Strategy: Building Resilience, Assurance & Agility
The Secure Cloud Strategy, supported by ASD’s Blueprint for Secure Cloud, is designed to move the public sector away from “lift and shift” thinking toward secure design.
This isn’t just a checklist for compliance. It’s a mindset shift: from treating cloud as a convenient hosting option to recognizing it as part of Australia’s critical national infrastructure.
The strategy provides practical tools:
- Architecture patterns for secure deployment
- Risk assessment templates
- Guidance for configuration and hardening
- Clear shared responsibility boundaries
- Controls aligned to the PSPF and Essential Eight
But the real goal is bigger: modernizing how government builds, tests, and operates services in an environment where threats are constant and citizen expectations are uncompromising.
A secure cloud strategy must help agencies:
- Detect threats faster
- Mitigate failures gracefully
- Respond to crises without downtime
- Maintain high trust in public digital services
Cloud is no longer just a place to store applications. It’s the backbone of digital government. Every outage, every breach, every delay impacts public confidence. Treating cloud as critical infrastructure means designing resilience, agility, and assurance from day one.
Is your cloud security posture reactive or embedded as a strategic capability that protects trust and continuity?
Navigating Sovereignty, Security & Complexity
Australia’s cloud environment isn’t just shaped by technology choices; it’s defined by regulatory guardrails, security expectations, and sovereignty obligations that few other markets face. For public sector leaders, these aren’t optional considerations. They’re foundational to trust and compliance.
Data Sovereignty: More Than a Location Requirement
Under the PSPF, Privacy Act, and sector-specific rules like the My Health Records Act and APRA CPS 234, agencies must ensure sensitive data:
- Stays within Australian jurisdiction
- Is processed by vetted and accredited providers
- Aligns with sovereign risk and resilience standards
This is why sovereign cloud regions, such as those in Canberra and Sydney, matter. They’re not just technical zones. They’re protected environments for workloads with national sensitivity, ensuring that critical data remains under Australian control.
Across Australia’s cloud policy, protective security framework, and secure cloud guidance, the message is consistent: sovereignty is a foundation for resilience. Control over data, jurisdiction, and access is not about geography alone; it is about reducing national risk, strengthening security posture, and ensuring continuity in the face of disruption.
Security Expectations: Continuous, Not Occasional
Australia’s Essential Eight maturity model, ISM controls, and PSPF frameworks demand more than periodic audits. They require ongoing posture management, because in a cloud world, risk is dynamic.
That means:
- Continuous monitoring
- Policy automation
- Zero Trust architecture
- Governance at scale
Security isn’t a bolt-on. It’s a living capability that evolves as threats evolve.
Operational Complexity: The Hidden Challenge
Cloud promises simplicity, but reality often looks different. Agencies face:
- Multi-cloud governance friction
- Cost unpredictability
- Talent shortages for cloud-native skills
- Risk of over-dependence on a single vendor
Recent ANAO audits show that failures rarely stem from cloud itself. They come from governance, maturity, and lagging adoption. Technology moves fast. Policy and capability must keep pace.
Is your agency treating sovereignty, security, and complexity as compliance hurdles or as strategic levers for trust and resilience?
Sharpening Cloud ROI & Agility: CIO Best Practices
Cloud maturity isn’t measured by how many systems an agency migrates. It’s measured by how effectively cloud supports outcomes, resilience, cost efficiency, service improvement, and risk reduction. The question isn’t “How much cloud do we have?” but “How much value does it deliver?”
High-performing CIOs in the public sector share a common approach. They treat cloud as a strategic capability, not just infrastructure. Here’s what sets them apart:
1. Strategic Governance Built-In
Cloud strategy must be embedded early in Digital Investment Plans, not bolted on later. Governance isn’t paperwork. It’s the guardrails that keep transformation on track.
What does this look like?
- Portability clauses to avoid lock-in
- Vendor-neutral patterns for flexibility
- Reusable reference architectures
- Clear multi-cloud guardrails
This ensures consistency across agencies and reduces reinvention. It’s about building a system that scales without chaos.
2. Cost Transparency & Control (FinOps for Government)
Cloud can be a silent cost escalator if left unchecked. That’s why the government is adopting FinOps disciplines, blending finance and operations to make spending visible and accountable.
Key practices include:
- Real-time monitoring across providers
- Workload right-sizing
- Clear unit costing
- Independent audits of cloud use
The goal? Every dollar spent on cloud should map to measurable public value.
Read the FinOps Public Sector Whitepaper.
3. Agile, Risk-Aware Security Models
ASD’s blueprint stresses continuous, adaptive security. CIOs must:
- Align provider responsibilities
- Automate compliance checks
- Standardize configurations across environments
Security isn’t a static policy. It’s a living system that evolves as threats evolve.
4. Effective Hybrid Architecture
Sensitive workloads often remain in sovereign regions or protected private environments, while scalable digital services leverage public cloud elasticity. The challenge? Integration.
Legacy systems and modern cloud-native platforms must interoperate seamlessly, securely, reliably, and under consistent governance. This is where architecture discipline meets operational reality.
5. Culture, Skills & Centers of Excellence
Technology transformation fails without workforce capability. Agencies benefit from creating:
- Cloud Centers of Excellence (CCoE)
- Cloud-native training pathways
- Shared learning across government
- Communities of practice
This builds consistent standards and accelerates adoption. Cloud isn’t just a tech shift. It’s a cultural one.
6. Measuring Business Outcomes
CIOs are moving beyond technical KPIs to outcome-based metrics:
- Reduced operating risk
- Improved citizen experience
- Strengthened service resilience
- Shorter delivery cycles
- Lower cost-to-serve
Cloud success is strategic, not technical. It’s about impact, not infrastructure.
Is your cloud program measured by migration milestones, or by the outcomes that matter most to citizens and government resilience?
Looking Ahead: The Cloud-Enabled Public Sector
Australia is building a public sector cloud ecosystem that balances innovation with sovereignty, resilience, and trust.
The next step is consolidation. Not just running hybrid environments, but aligning them into a cohesive, cloud-native platform for the entire public sector.
The real test:
Can agencies deliver unified, citizen-first public services while managing risk, cost, and national control?
What would success look like for your agency’s cloud-first journey in 2026 and beyond?
Resources
• Data and Digital Government Strategy (DTA)
https://www.dta.gov.au/our-initiatives/data-and-digital-government-strategy
• Whole-of-Government Cloud Computing Policy
https://www.digital.gov.au/cloud-policy
• Secure Cloud Strategy
https://architecture.digital.gov.au/strategy/secure-cloud-strategy
• ASD Blueprint for Secure Cloud
• Cyber.gov.au – Cloud Computing Guidance
https://www.cyber.gov.au/business-government/protecting-devices-systems/cloud-computing
• Protective Security Policy Framework (PSPF)
https://www.protectivesecurity.gov.au/
• Privacy Act 1988
https://www.oaic.gov.au/privacy/privacy-legislation/the-privacy-act
• Digital Investment Management Framework (DIMF)
https://www.dta.gov.au/our-initiatives/digital-investment-management
• Australian Government Architecture – Cloud and Hosting
https://architecture.digital.gov.au/domains/cloud-and-hosting
• ASD Essential Eight
https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
• ANAO Reports and Audit Insights
• FinOps Framework (FinOps Foundation)


