ACSC steers govt cloud security path as market opens up

The Australian Cyber Security Centre has released new guidance to help agencies assess the risk posed by cloud services, as the government moves from a centrally-controlled security model to one of self-assessment.

The new guidance, released on Monday, provides the framework for agencies, as well as Information Security Registered Assessors Program (IRAP) assessors, to check the suitability of cloud service providers and their services.

It has been developed by the ACSC and Digital Transformation Agency in consultation with multiple agencies and a cross-section of industry over the past several months.

The guidance fills a hole left by the closure of the cloud services certification program (CSCP) and the associated certified cloud services list (CCSL) run out of the ACSC.

The CSCP was shut earlier this year to remove bottlenecks and confusion around the accreditation of cloud services, though the CCSL only officially came to an end on Monday.

The change means that the ASD is no longer the government’s single certification authority for cloud services and that agencies have to conduct their own risk assessments.

Cloud service providers previously assessed to unclassified or protected levels under the CCSP are similarly now back to square one and have to be assessed again for use by agencies.

Under the new framework, agencies will be able conduct a risk-based review using an IRAP assessment of a specific cloud service to understand its suitability to process or store specific datasets.

Supplementary and new cloud service assessments can be conducted when an agency wants to use cloud services that have not been previously assessed.

IRAP assessments written prior to the new guidance are also still deemed valid, though agencies “need to consider the age and relevance of these reports when reviewing them”.

Defence Minister Linda Reynolds said the new guidance will boost cyber security resilience while opening up the Australian cloud market by allowing more homegrown providers to deliver services.

“This will provide opportunities for Commonwealth, State and Territory agencies to tap into a greater range of secure and cost-effective cloud services,” she said.

Ownership and control

As part of the guidance, the ACSC asks that agencies take “locality, ownership and control” into account when assessing the suitability of a cloud service provider and risk posed.

Ownership has become an increasingly important consideration for government, particularly in relation to data centres, since the release of the DTA’s hosting strategy in March 2019.

“Foreign-owned cloud service providers (CSPs) may be subject to extrajudicial control and interference by a foreign entity,” the guidance states.

“This could include a foreign entity compelling a CSP to disclose its customers’ data unbeknownst to its customers.

“This can include foreign-owned CSPs that provide cloud services in and from Australia.”

But for “sensitive and security-classified information” the ACSC goes one step further, recommending that agencies “use cloud service providers and cloud service located in Australia”.

“Cloud service providers that are owned, based and solely operated in Australia are more likely to align to Australian standards and legal obligations, and this reduces the risk of any data type being transmitted outside of Australia,” it said.

“These cloud service providers are also less susceptible to extrajudicial control and interference by a foreign entity.”

The guidance also notes that third-party cloud solutions can “increase the assessment difficulty and complexity for IRAP assessors” and “make it harder … to identity the risks of its use”.

Data types

Types of cloud data is another focus of the guidance, with the ACSC asking that agencies understand “what these data types are, where they exist and how they are handled and secured” prior to making a decision about where to store information. 

It comes as the government considers introducing new sovereignty rules for government data that would require certain datasets to be hosted in accredited data centres within Australia by Australian service providers.

The guidance seeks to draw separation between four data types: customer data, account data, metadata and support and administrator data, noting that agencies will likely also have other data types.

“Each cloud service provider's handling of data often differs per data type. For example, a globally distributed cloud service provider may retain customer data in Australia, but might transmit account data to another country for processing and storing,” the guidance states.

“It is also common for CSPs to handle the names of customers’ virtual machines, networks and accounts not as customer data, but as metadata. 

“This is often used for analytical purposes and can subsequently be stored in a different location with different security controls.”

The guidance asks that IRAP assessors document the “different data types, their definitions, where they are stored, and how they are handled and secured by the CSP” when conducting their assessments.