Commonwealth entities left to self-assess security in cloud procurement
The Australian Cyber Security Centre (ACSC) has released a new document for procuring cloud services.
The Cloud Security Guidance aims to guide organisations including government, cloud service providers, and Information Security Registered Assessors Program (IRAP) assessors on how to perform a “comprehensive assessment of a cloud service provider and its cloud services so a risk-informed decision can be made about its suitability to handle an organisation’s data”.
The Cloud Security Guidance is supported by forthcoming updates to the Australian government Information Security Manual (ISM), the Attorney-General’s Protective Security Policy Framework (PSPF), and the Digital Transformation Agency’s Secure Cloud Strategy.
The new guidance follows the Australian Signals Directorate (ASD) announcing in March that it would be shuttering the current form of its cloud certification program after an independent review recommended the system be reworked.
ASD Cloud Services Certification Program certifications, and consequently all services listed on the Certified Cloud Services List (CCSL), are now void. As of July 27, the vendors and their certifications are removed from the ISM. The IRAP, meanwhile, will continue to “grow” and be “enhanced”.
“The new guidance will guide organisations, cloud service providers, and assessors on how to perform a comprehensive assessment of a cloud service provider and its cloud services so a risk-informed decision can be made about its suitability to handle an organisation’s data,” a spokesperson for the ASD told ZDNet.
Commonwealth entities will continue to self-assess their cloud solutions in accordance with the guidance, and the ASD spokesperson said they would also continue to be responsible for their own assurance and risk management activities.
While the CCSL no longer exists, the IRAP is expected to support government in maintaining its assurance and risk management activities.
Going forward, agencies will assess and self-certify their own solutions using IRAP reports and the ISM control framework, together with the guidance package, which contains The Anatomy of a Cloud Assessment and Authorisation documentation, a Cloud Security Assessment Report Template for agencies to use alongside their own “in-house” certification procedures, a Cloud Security Controls Matrix, and an FAQ page.
Before the CCSL was shuttered, there were 13 vendors on it, four of which are Australian companies. Amazon Web Services (AWS), NTT, Macquarie Government, Microsoft, Sliced Tech, and Vault Systems were all certified at the protected level.
Macquarie Government managing director Aidan Tudehope said he was disappointed by the decision to discontinue the CCSL certification regime.
“This is about more than simply the physical geographic location where data is stored. Data sovereignty is about the legal authority that can be asserted over data because it resides in a particular jurisdiction, or is controlled by a cloud service provider over which another jurisdiction extends,” he said.
“Data hosted in globalised cloud environments may be subject to multiple overlapping or concurrent jurisdictions as the debate about the reach of the US CLOUD Act demonstrates. As the ACSC points out, globalised clouds are also maintained by personnel from outside Australia, adding another layer of risk.”
He believes the only way to guarantee Australian sovereignty is ensuring data is hosted in an Australian cloud, in an accredited Australian data centre, and is accessible only by Australian-based staff with appropriate government security clearances.
“Taken alongside Minister Robert’s planned sovereign data policy, this guide opens new opportunities for Australian cloud service providers,” he said.
Minister for Government Services Stuart Robert earlier this month said the federal government was examining the sovereignty requirements that should apply to certain data sets held by government.
“In addition to the existing protective security policy framework, this will include considering whether certain data sets of concern to the public should be declared a sovereign data set and should only be hosted in Australia in an accredited Australian data centre across Australian networks and only accessed by the Australian government and our Australian service providers,” Robert said, addressing the National Press Club.
“We need to ensure that Australians can trust that government will appropriately manage the information they provide to us whether it’s from tracing apps or through to the Census.”
AWS, meanwhile, said it welcomed the changes and is using them as an opportunity to tout “innovation”.
“The changes to the Cloud Services Certification Program create an opportunity for Australian government agencies to strengthen their secure cloud skills, knowledge, and resources to foster ongoing innovation,” AWS worldwide public sector country director for Australia and New Zealand Iain Rouse said.
“To help Australian government agencies plan, architect, and self-assess systems built on AWS, we have released extensive education materials including IRAP ‘protected’ documentation and a series of informative webinars.”
Under the ISM framework, AWS had 92 services assessed as protected.
Minister for Defence Linda Reynolds said the new guidance would boost Australia’s cybersecurity resilience.
“The release of the new guidance coincides with today’s cessation of the CCSL which will open up the Australian cloud market, allowing more homegrown Australian providers to operate and deliver their services,” she said in a statement Monday. “This will provide opportunities for Commonwealth, state, and territory agencies to tap into a greater range of secure and cost-effective cloud services.”
Meanwhile, analyst firm Gartner is expecting the public cloud services market in Australia to grow 12.3% to reach AU$8.9 billion this year and 16.8% to AU$10.4 billion in 2021.