DSD provides checklist for agency cloud computing

Advises agencies to consider nuances in cloud contracts.

Australia’s Defence Signals Directorate has published a comprehensive guide to risks Australian Government agencies must take into account when considering the use of cloud computing services.

The document, published online today [pdf], aims to “assist agencies to perform a risk assessment to determine the viability of using cloud computing services.”

While the document describes its checklist of considerations as a “guide for discussion of risk” rather than an exhaustive list, the advice it contains is detailed and comprehensive.

The DSD paper acknowledges that cloud computing and other IT outsourcing services allow an agency to “focus on their core business” rather than on recruiting and retaining specialist IT staff and buying and maintaining software and hardware.

“However, the agency is still ultimately responsible for the protection of their data,” the paper stated.

Significantly, the DSD advises agencies to use cloud service providers based in Australia for any data that isn’t already publicly available.

“DSD recommends against outsourcing information technology services and functions outside of Australia, unless agencies are dealing with data that is all publicly available,” the document said.

“DSD strongly encourages agencies to choose either a locally owned vendor or a foreign owned vendor that is located in Australia and stores, processes and manages sensitive data only within Australian borders. Note that foreign owned vendors operating in Australia may be subject to foreign laws such as a foreign government’s lawful access to data held by the vendor.”

The Defence agency also discussed the lack of warranties provided by today’s cloud computing providers – an issue highlighted by a recent Truman Hoyle report into public cloud computing contracts launched by iTnews.

“Vendor’s responses to important security considerations must be captured in the Service Level Agreement or other contract, otherwise the customer only has vendor promises and marketing claims that can be hard to verify and may be unenforceable,” the DSD noted.

(Truman Hoyle’s analysis found that to date, most providers failed to capture these security considerations in the contract.)

“In some cases it may be impractical or impossible for a customer to personally verify whether the vendor is adhering to the contract, requiring the customer to rely on third party audits including certifications instead of simply putting blind faith in the vendor,” the DSD noted.

Further, the DSD said that a cloud provider merely advertising its compliance with a security standard does not satisfy a customer’s due diligence.

“Customers should consider which of the vendor’s certifications are useful and relevant,” the guide said. “Customers should ask to review a copy of the Statement of Applicability, a copy of the latest external auditor’s report, and the results of recent internal audits.”

The sum of this advice provides excellent ammunition for local managed IT services and “cloud-like” hosting companies attempting to compete with public cloud computing services offered offshore. 

The DSD’s checklist:

  • My data or functionality to be moved to the cloud is not business critical.
  • I have reviewed the vendor’s business continuity and disaster recovery plan.
  • I will maintain an up-to-date backup copy of my data.
  • My data or business functionality will be replicated with a second vendor.
  • The network connection between me and the vendor’s network is adequate.
  • The Service Level Agreement (SLA) guarantees adequate system availability.
  • Scheduled outages are acceptable both in duration and time of day.
  • Scheduled outages affect the guaranteed percentage of system availability.
  • I would receive adequate compensation for a breach of the SLA or contract.
  • Redundancy mechanisms and offsite backups prevent data corruption or loss.
  • If I accidentally delete a file or other data, the vendor can quickly restore it.
  • I can increase my use of the vendor’s computing resources at short notice.
  • I can easily move my data to another vendor or inhouse.
  • I can easily move my standardised application to another vendor or inhouse.
  • My choice of cloud sharing model aligns with my risk tolerance.
  • My data is not too sensitive to store or process in the cloud.
  • I can meet the legislative obligations to protect and manage my data.
  • I know and accept the privacy laws of countries that have access to my data.
  • Strong encryption approved by DSD protects my sensitive data at all times.
  • The vendor suitably sanitises storage media storing my data at its end of life.
  • The vendor securely monitors the computers that store or process my data.
  • I can use my existing tools to monitor my use of the vendor’s services.
  • I retain legal ownership of my data.
  • The vendor has a secure gateway environment.
  • The vendor’s gateway is certified by an authoritative third party.
  • The vendor provides a suitable email content filtering capability.
  • The vendor’s security posture is supported by policies and processes.
  • The vendor’s security posture is supported by direct technical controls.
  • I can audit the vendor’s security or access reputable third party audit reports.
  • The vendor supports the identity and access management system that I use.
  • Users access and store sensitive data only via trusted operating environments.
  • The vendor uses endorsed physical security products and devices.
  • The vendor’s procurement process for software and hardware is trustworthy.
  • The vendor adequately separates me and my data from other customers.
  • Using the vendor’s cloud does not weaken my network security posture.
  • I have the option of using computers that are dedicated to my exclusive use.
  • When I delete my data, the storage media is sanitised before being reused.
  • The vendor does not know the password or key used to decrypt my data.
  • The vendor performs appropriate personnel vetting and employment checks.
  • Actions performed by the vendor’s employees are logged and reviewed.
  • Visitors to the vendor’s data centres are positively identified and escorted.
  • Vendor data centres have cable management practices to identify tampering.
  • Vendor security considerations apply equally to the vendor’s subcontractors.
  • The vendor is contactable and provides timely responses and support.
  • I have reviewed the vendor’s security incident response plan.
  • The vendor’s employees are trained to detect and handle security incidents.
  • The vendor will notify me of security incidents.
  • The vendor will assist me with security investigations and legal discovery.
  • I can access audit logs and other evidence to perform a forensic investigation.
  • I receive adequate compensation for a security breach caused by the vendor.
  • Storage media storing sensitive data can be adequately sanitised.
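Two of the checklist items above, that the vendor does not know the password or key used to decrypt the customer’s data and that strong encryption protects sensitive data at all times, describe a concrete architectural property: data is encrypted on the customer’s side with a key the provider never receives, so the provider (and anyone with lawful or unlawful access to its systems) holds only ciphertext. The Go program below is an added illustration of that property; it is not code from the DSD guide or from any vendor. `VendorStore` is a constructed in-memory stand-in for a provider’s object storage, not a real provider API, and the object names, the sample record and the way the key is generated are assumptions for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// VendorStore is a constructed stand-in for the provider's object storage:
// it holds whatever bytes the customer hands it and never sees the key.
type VendorStore map[string][]byte

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts client-side with AES-256-GCM under a key the customer keeps
// on-premises. The object name is bound as associated data, so a blob copied
// to another name fails authentication. Layout: nonce || ciphertext || tag.
func Seal(key []byte, name string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal. A modified blob, a wrong key or a mismatched name
// yields an error rather than silently returning garbage.
func Open(key []byte, name string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("stored blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// Upload seals locally and hands only ciphertext to the vendor.
func Upload(store VendorStore, key []byte, name string, plaintext []byte) error {
	blob, err := Seal(key, name, plaintext)
	if err != nil {
		return err
	}
	store[name] = blob
	return nil
}

// Download fetches the stored blob and decrypts it with the customer-held key.
func Download(store VendorStore, key []byte, name string) ([]byte, error) {
	blob, ok := store[name]
	if !ok {
		return nil, fmt.Errorf("object %q not found", name)
	}
	return Open(key, name, blob)
}

func main() {
	key := make([]byte, 32)
	io.ReadFull(rand.Reader, key) // assumption: in practice an on-premises HSM or key manager
	store := VendorStore{}
	record := []byte("constructed sample record 0001") // constructed input, not real data
	if err := Upload(store, key, "records/0001", record); err != nil {
		panic(err)
	}
	fmt.Printf("vendor holds %d bytes of ciphertext and no key\n", len(store["records/0001"]))
	back, err := Download(store, key, "records/0001")
	fmt.Printf("customer decrypts: %q err=%v\n", back, err)
	store["records/0001"][len(store["records/0001"])-1] ^= 1 // tampering or corruption at the vendor
	_, err = Download(store, key, "records/0001")
	fmt.Printf("after tampering: err=%v\n", err)
}
```

Two caveats a practitioner would raise against this pattern. First, it only works for data the vendor stores rather than processes: if the provider must index, search or compute over the data, it needs the plaintext and therefore the key, and the checklist item about the vendor not holding the key cannot be met by encryption alone. Second, the authenticated encryption here shows that tampering and corruption are detected, not prevented; whether a given product or algorithm counts as “approved by DSD” is a matter for the relevant evaluated-products lists and the ISM, not something a code sample can settle. Random 96-bit GCM nonces are also only safe for a bounded number of objects per key, so a real deployment rotates keys.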

Copyright © iTnews.com.au . All rights reserved.