Australia’s Defence Signals Directorate has published a comprehensive guide to risks Australian Government agencies must take into account when considering the use of cloud computing services.
The document, published online today [pdf], aims to “assist agencies to perform a risk assessment to determine the viability of using cloud computing services.”
Whilst the document states that its checklist of considerations is a “guide for discussion of risk” and not exhaustive, the detail and quality of the advice is comprehensive.
The DSD paper acknowledged that cloud computing and other IT outsourcing services allow an agency to “focus on their core business” rather than on recruitment and retention of specialist IT staff and the purchase and maintenance of software and hardware.
“However, the agency is still ultimately responsible for the protection of their data,” the paper stated.
Significantly, the DSD advises agencies to use cloud service providers based in Australia for any data that isn’t already publicly available.
“DSD recommends against outsourcing information technology services and functions outside of Australia, unless agencies are dealing with data that is all publicly available,” the document said.
“DSD strongly encourages agencies to choose either a locally owned vendor or a foreign owned vendor that is located in Australia and stores, processes and manages sensitive data only within Australian borders. Note that foreign owned vendors operating in Australia may be subject to foreign laws such as a foreign government’s lawful access to data held by the vendor.”
The Defence agency also discussed the lack of warranties provided by today’s cloud computing providers – an issue highlighted by a recent Truman Hoyle report into public cloud computing contracts launched by iTnews.
“Vendor’s responses to important security considerations must be captured in the Service Level Agreement or other contract, otherwise the customer only has vendor promises and marketing claims that can be hard to verify and may be unenforceable,” the DSD noted.
(Truman Hoyle’s analysis found that to date, most providers failed to capture these security considerations in the contract.) “In some cases it may be impractical or impossible for a customer to personally verify whether the vendor is adhering to the contract, requiring the customer to rely on third party audits including certifications instead of simply putting blind faith in the vendor,” the DSD noted.
Further, the DSD said that a cloud computing provider advertising its compliance with a security standard was not sufficient in terms of due diligence.
“Customers should consider which of the vendor’s certifications are useful and relevant,” the guide said. “Customers should ask to review a copy of the Statement of Applicability, a copy of the latest external auditor’s report, and the results of recent internal audits.”
The sum of this advice provides excellent ammunition for local managed IT services and “cloud-like” hosting companies attempting to compete with public cloud computing services offered offshore.
The DSD’s checklist:
Copyright © iTnews.com.au . All rights reserved.