The Australian Cyber Security Centre and the Digital Transformation Agency have released new guidance to help government agencies assess cloud service providers and their cloud services.
Aimed at government entities, cloud service providers (CSPs), and Information Security Registered Assessors Program (IRAP) assessors, the Cloud Security Guidance outlines how to make risk-informed decisions about a CSP’s “suitability to handle an organisation’s data”, supporting the secure adoption of cloud services.
Defence minister Linda Reynolds said the new material would increase Australia’s cyber security resilience.
“The release of the new guidance coincides with today’s cessation of the Certified Cloud Services List (CCSL) which will open up the Australian cloud market, allowing more homegrown Australian providers to operate and deliver their services,” she said.
“This will provide opportunities for commonwealth, state and territory agencies to tap into a greater range of secure and cost-effective cloud services.”
The guidance was co-designed with industry to replace the Australian Signals Directorate’s cloud services certification program (CSCP) — which ceased on March 2 — and the CCSL, which wrapped up on Monday.
Since the CSCP came to an end, federal agencies have no longer needed to seek approval from the ASD when purchasing cloud services.
Under the new guidance, government entities will continue to self-assess, or will need to procure the services of an IRAP assessor to assess their own systems deployed to the cloud.
Agencies will also be able to conduct supplementary and new cloud service assessments when they want to use a CSP’s cloud services which have not been previously assessed, according to the ACSC.
“This removes the need to wait for full reassessments before government entities can adopt the new cloud service or services,” it said.
While IRAP reports written prior to the new guidance are still valid, “cloud consumers need to consider the age and relevance of these reports when reviewing them”.
The guidance noted that when a cloud consumer is assessing whether the CSP is suitable for handling its information, it must consider the ownership of the CSP; the locality of the CSP’s offices, data centres and administrative and support personnel; whether the CSP’s personnel are employed directly by the CSP or subcontracted; where its cloud services are provided from; and the potential for any extrajudicial control and interference over the CSP by a foreign entity.
“The ACSC recommends cloud consumers use CSPs and cloud services located in Australia for handling their sensitive and security-classified information,” the guidance said.
“CSPs that are owned, based and solely operated in Australia are more likely to align to Australian standards and legal obligations, and this reduces the risk of any data type being transmitted outside of Australia.
“These CSPs are also less susceptible to extrajudicial control and interference by a foreign entity.”
Aidan Tudehope, managing director of cloud company Macquarie Government, said the guide would open “new opportunities” for Australian CSPs when considered alongside the sovereign data policy recently flagged by government services minister Stuart Robert.
“This is about more than simply the physical geographic location where data is stored. Data sovereignty is about the legal authority that can be asserted over data because it resides in a particular jurisdiction, or is controlled by a CSP over which another jurisdiction extends,” he said.
“Data hosted in globalised cloud environments may be subject to multiple overlapping or concurrent jurisdictions … as the ACSC points out, globalised clouds are also maintained by personnel from outside Australia, adding another layer of risk.
“The only way to guarantee Australian sovereignty is ensuring data is hosted in an Australian cloud, in an accredited Australian data centre, and is accessible only by Australian-based staff with appropriate government security clearances.”
The ACSC plans to hold information and training sessions online and in Canberra during August and September for CSPs, government agencies, and IRAP assessors on the application of the new guidance.
The new material will be supported by impending updates to the federal Information Security Manual, the Attorney-General’s Protective Security Policy Framework, and the DTA’s Secure Cloud Strategy.