Australian government entities are walking a tightrope between innovation and data protection. As more agencies see the need for and benefits of moving to the cloud, securing citizen data has become increasingly complex and critical.

As a result of these shifts, regulatory frameworks are tightening, and expectations around transparency and privacy are becoming increasingly rigid, both from regulators and the public.

In this guide, we’ll examine what the great cloud migration means for government organisations, explore how it has impacted data privacy and security principles and discuss how government entities can adapt to meet the new standards in the digital era.

The cloud has fundamentally changed how government entities manage and protect sensitive data. ‘Securing the perimeter’ is no longer sufficient to safeguard critical information. Sensitive data lives everywhere and requires continuous protection that evolves alongside threats.

Here are some of the reasons cloud security is so important for government agencies:

• Critical data: Governments manage an unfathomable amount of sensitive citizen data. As you can imagine, this makes them prime targets for large-scale breaches.
• Threat sophistication: To make things more complex, cyberattacks on the public sector are becoming increasingly sophisticated, and cloud systems are perhaps most at risk.
• Distributed data: The cloud delivers dozens of benefits, but it can also lead to data fragmentation. This can introduce new risks around security and privacy.
• Downtime risks: Government services are essential and widely used. Compromised cloud systems can disrupt everything from emergency systems to welfare access.

With these risks in mind, it’s little surprise that legislation is becoming increasingly prescriptive. Let’s take a closer look at the regulatory landscape and how it’s evolving.

The primary legislation governing Australian government entities (as well as many of Australia’s private organisations) has long been the Privacy Act 1988 . But this framework existed in a pre-digital era, and the rapid shift to cloud technology has introduced new complexities.

As a result, several modern frameworks are now in place to help government entities keep their data secure and privacy tight as they shift to cloud environments. Two examples include the Protective Security Policy Framework (PSPF) and the Australian Government Information Security Manual (ISM) , both of which provide mandatory guidance to ensure government entities can integrate cloud systems effectively.

We’ve also recently been introduced to the AGA Cloud Computing Policy , which offers more specific guidance. It outlines how government agencies should approach procurement and risk management in the cloud and puts a strong emphasis on cloud sovereignty under the Hosting Certification Framework .

Australian government entities have good reasons to be excited about a move to the cloud. The opportunity to deliver faster, data-empowered and more readily available services is a primary motivator, as is the chance to reduce the costs of keeping everything running.

But while the cloud is incredibly beneficial, it isn’t without its security and privacy challenges. Here are eight of the most common roadblocks to cloud adoption:

• Expanded attack surface: A move to the cloud creates new entry points, making it harder to secure everything at once. This gives cyber criminals a wider attack surface from which to gain unauthorised access to sensitive data.
• Data sovereignty and control: The government wants to keep data on Australian shores, but cloud providers often store information across borders. This raises murky data sovereignty concerns related to who can access data and which laws govern it.
• Multi-cloud and hybrid complexity: Agencies may wish to use a mix of cloud vendors and on-prem systems to stay compliant and secure, but this can create operational inconsistencies around data access and governance.
• Legacy system integration: Many government entities are operating on outdated IT. Migrating these systems to modern cloud platforms can be a headache at best and a security threat at worst, slowing down transformation efforts.
• Insider and supply chain threats: The cloud can help increase collaboration and agility by providing teams with faster access to the data they need. But without careful planning, this expanded access can also open the door to insider threats.
• Evolving threat landscape: As we’ve discussed, threats are becoming increasingly sophisticated, often with the use of AI and automation to exploit cloud weaknesses. This creates a constant game of cat and mouse to predict and respond to new threats.
• Compliance complexity: Compliance is evolving quickly and becoming increasingly prescriptive for government entities. Maintaining agility while staying on the right side of legislation is a constant balancing act.
• Loss of public trust: The stakes are high for cloud data breaches. A misstep in data security or privacy can quickly erode trust. Maintaining public confidence when using cloud environments is just as crucial as technical security.

Cloud environments create more entry points for attackers. That’s why it’s critical to implement strong access controls that identify who can access what and when. Important principles include:

• Enforcing multi-factor authentication (MFA), with both digital and physical security
• Developing role-based access controls for sensitive data
• Limiting access solely to necessary information

The end goal of all these safeguards is to make it harder for bad actors to move around unnoticed. It ensures that even if an individual gets past the perimeter, they’ll hit a wall of controls and limited privileges at every stage.

Tools like Salesforce’s Shield 2.0 can support your security posture by enforcing access controls and helping you spot unusual activity before it escalates. Learn more about how our groundbreaking compliance and security tool works.

Australians are growing concerned about how their data is stored and used. The cloud can make this issue more complex, as many providers operate in different countries and therefore adhere to different privacy and protection laws.

For this reason, it’s vital to work with cloud providers that comply with Australian legislation and abide by local standards. The Cloud Assessment and Authorisation (CAAF) framework provides guidance to help government entities choose the right sovereign cloud provider.

Platforms like Salesforce Hyperforce keep data secure and firmly on Australian shores, supporting data sovereignty and localisation for government entities.

Juggling multiple cloud platforms (and balancing these systems with legacy IT) can lead to inconsistent data practices and fragmented communication.

The best way to navigate this problem is to look for ways to simplify your cloud environments. Here are some concepts:

• Appoint key roles, such as a CISO, who will monitor assets across environments.
• Unify and standardise siloed cloud data under one roof to create a single source of truth.
• Automate provisioning to set up core infrastructure and reduce human error.

The key is to switch to the cloud piece by piece, stay consistent and unify data where possible. Tools like MuleSoft can make this process easier by connecting systems across your cloud environment while keeping data governance front and centre.

Migrating from legacy systems can be a significant challenge, both from a technical and a risk standpoint. For example, moving data to modern cloud platforms can expose sensitive information if it isn’t properly encrypted during transit.

The trick here is to move slowly and strategically. Start with a cloud readiness and security risk assessment to identify risks and dependencies. Once you’ve mapped out your information, follow a phased, risk-based migration approach, such as the one provided by the AGA .

You can also leverage technology to automate the transition. MuleSoft can bridge systems securely to speed up your data integration efforts while keeping sensitive information protected.

As cloud environments provide access to more people across multiple locations, governments need to put protocols in place to protect against the increased risk that comes from internal threats and interactions with external parties.

In practice, this means putting in place enforceable safeguards across every touchpoint within their cloud ecosystem. These include:

• Regular staff training to reduce human error
• Continuous logging and auditing policies for sensitive data
• Clear contract clauses that address security responsibilities in case of a breach
• Vendor vetting processes that align with IRAP and AGA security requirements

Entities need to treat insider and third-party risks as operational and legal responsibilities, rather than just a technical checkbox.

Securing the perimeter isn’t a valid approach in modern cloud environments. To counter advanced threats, governments need to implement a multi-layered approach that anticipates breaches rather than reacting to them.

A good starting point here is to use the ACSC’s Essential Eight as a baseline. These eight principles aim to reduce vulnerabilities and strengthen cybersecurity postures for government organisations. Agencies should also take this one step further by routinely stress-testing their systems with penetration testing to detect and protect against threats before they occur.

Lastly, it’s essential to have a plan for when things go wrong. A cyber incident response plan aligned with the Notifiable Data Breaches scheme will ensure entities can act quickly and limit damage in the worst-case scenario.

Finally, we have the element that’s more challenging to quantify: public trust. Consumers are naturally concerned about the way their data is used and secured. That’s why it’s essential to have a strategy in place to keep them on side.

It all starts with transparency. Government agencies need to communicate their data practices clearly, including why and how they collect, use and store it. It’s also vital to act in the best interests of the public by minimising data collection and retention in line with APA standards.

Platforms like Data Cloud can help you organise and manage sensitive data securely, ensuring you can maintain transparency and accountability while getting the best out of the information you possess.

Salesforce helps Australian government entities meet the demands of cloud integration while maximising the benefits that come with it. We’re proud to assist several government agencies across the country in delivering secure, compliant cloud services that put citizens first.

The Victorian Government renewed its State Purchase Contract (SPC) with Salesforce in June 2025 to support its digital transformation by delivering more efficient and accessible public services to Victorians.

As a result of the partnership, Salesforce has been able to support dozens of Victorian Government agencies, including those in the health, energy and justice sectors, with a faster, more consistent pathway to providing first-rate public services.

The recent AGA framework is comprehensive. Aligning with it requires a consistent approach to technology security, a clear risk-management framework and providers that can meet strict requirements around sovereignty and compliance.

Here’s how Salesforce meets those requirements:

• Security and compliance: With HCF-certified hosting, Shield 2.0 encryption, continuous monitoring and proven compliance with IRAP, PSPF and ISM standards, Salesforce sets the industry benchmarks for government-grade cloud services.
• Governance and transparency: Role-based access controls, full audit trails, and secure, explainable AI powered by the Einstein Trust Layer ensure government agencies can maintain transparency and accountability through every digital interaction.
• Adaptability and integration: Our solution supports easy legacy system integration through flexible APIs and low-code automation, making the switch to the cloud faster and more affordable.

Learn more about our services for the public sector and government agencies in Australia