Australia’s Cloud Mandate Sparks Migration Warnings

What the Policy Requires

The Digital Transformation Agency (DTA) developed the new policy, which outlines five core requirements for government entities. Agencies must prioritize cloud for modernizing IT infrastructure and leverage cloud for innovation, particularly artificial intelligence.

The mandate also requires agencies to adopt cloud securely, manage costs effectively, and build cloud skills across the APS. A critical element demands cloud solutions for all new digital and ICT initiatives unless an alternative is explicitly justified. This sweeping requirement is intended to push systemic change across the public sector.

The Migration Reality Check

Gartner director-analyst Adrian Wong cautions that the blanket mandate risks overlooking application compatibility realities. Many legacy applications simply aren’t suited for cloud environments. Running them in the cloud can be technically mismatched and unexpectedly more expensive than maintaining them in local data centers.

Aggressive timelines compound the problem. When agencies lack sufficient cloud planning and architectural expertise, tight deadlines drive poor decision-making. This rush often leads to poorly conceived lift-and-shift migrations that fail to meet expectations and contribute to cloud project failures.

Vinayak Sreedhar, country manager for ANZ at ManageEngine, emphasizes that agencies should not underestimate the complexity involved. Migrating from legacy systems while ensuring ongoing compliance is a significant undertaking. Without a clear understanding of what is being retired, when, and its dependencies, agencies are most at risk of outages.

Vendor Lock-In and AI Strategy

Cloud platforms are seen as essential for a more connected, data-driven public sector, particularly for AI adoption. The policy encourages designing for interoperability and portability to minimize vendor lock-in. However, agencies are only encouraged, not mandated, to ensure cloud services support open standards, APIs, and data portability.

Ben Henshaw, SUSE ANZ general manager, noted that the policy’s language aims to prevent a repeat of past mother of all lock-in situations seen with mainframes. Public clouds are designed to capture as many departmental workloads as possible, making it difficult and costly to extract data later. Hyperscalers often use proprietary domain-specific languages, complicating multi-cloud strategies.

For agentic AI, different systems will use various large language models, requiring diverse data processing needs. Henshaw emphasized that governments should retain sovereign control over their data and models, often through open source LLMs for explainability and governance.

Security and Skills Gap

Federal agencies must navigate the cloud transition with robust security measures. Henshaw highlighted the risk of accidentally exposing sensitive information in public AI systems. A modern, defensible architecture is essential for safely hosting AI workloads, adhering to frameworks like the Essential Eight.

Sreedhar warned that the sheer scale of the transition significantly expands the attack surface. The most common vulnerability in cloud transitions is a communication gap between IT and security teams. Security architects must be involved from procurement through to deployment and beyond.

The DTA policy explicitly requires agencies to nurture cloud skills across the APS. Sreedhar stressed that workforce capability is often the most underfunded aspect of digital transformation. Agencies must evaluate their internal capabilities and invest in genuine skills training well before the July deadline.