DSD provides checklist for agency cloud computing

Australia’s Defence Signals Directorate has published a comprehensive guide to risks Australian Government agencies must take into account when considering the use of cloud computing services.

The document, published online today [pdf], aims to “assist agencies to perform a risk assessment to determine the viability of using cloud computing services.”

Whilst the document states that its checklist of considerations are a “guide for discussion of risk” and not exhaustive, the detail and quality of advice is comprehensive.

The DSD paper acknowledged that cloud computing and other IT outsourcing services allows an agency to “focus on their core business” rather than recruitment and retention of specialist IT staff and purchase and maintenance of software and hardware.

“However, the agency is still ultimately responsible for the protection of their data,” the paper stated.

Significantly, the DSD advises agencies to use cloud service providers based in Australia for any data that isn’t already publicly available.

“DSD recommends against outsourcing information technology services and functions outside of Australia, unless agencies are dealing with data that is all publicly available,” the document said.

“DSD strongly encourages agencies to choose either a locally owned vendor or a foreign owned vendor that is located in Australia and stores, processes and manages sensitive data only within Australian borders. Note that foreign owned vendors operating in Australia may be subject to foreign laws such as a foreign government’s lawful access to data held by the vendor.”

The Defence agency also discussed the lack of warranties provided by today’s cloud computing providers – an issue highlighted by a recent Truman Hoyle report into public cloud computing contracts launched by iTnews.

“Vendor’s responses to important security considerations must be captured in the Service Level Agreement or other contract, otherwise the customer only has vendor promises and marketing claims that can be hard to verify and may be unenforceable,” the DSD noted.

(Truman Hoyle’s analysis found that to date, most providers failed to capture these security considerations in the contract.)

“In some cases it may be impractical or impossible for a customer to personally verify whether the vendor is adhering to the contract, requiring the customer to rely on third party audits including certifications instead of simply putting blind faith in the vendor,” the DSD noted.

Further, the DSD said that a cloud computing provider advertising its compliance with a security standard was not sufficient in terms of due diligence.  

“Customers should consider which of the vendor’s certifications are useful and relevant,” the guide said. “Customers should ask to review a copy of the Statement of Applicability, a copy of the latest external auditor’s report, and the results of recent internal audits.”

The sum of this advice provides excellent ammunition for local managed IT services and “cloud-like” hosting companies attempting to compete with public cloud computing services offered offshore. 

The DSD’s checklist:

• My data or functionality to be moved to the cloud is not business critical.
• I have reviewed the vendor’s business continuity and disaster recovery plan.
• I will maintain an up-to-date backup copy of my data.
• My data or business functionality will be replicated with a second vendor.
• The network connection between me and the vendor’s network is adequate.
• The Service Level Agreement (SLA) guarantees adequate system availability.
• Scheduled outages are acceptable both in duration and time of day.
• Scheduled outages affect the guaranteed percentage of system availability.
• I would receive adequate compensation for a breach of the SLA or contract.
• Redundancy mechanisms and offsite backups prevent data corruption or loss.
• If I accidentally delete a file or other data, the vendor can quickly restore it.
• I can increase my use of the vendor’s computing resources at short notice.
• I can easily move my data to another vendor or inhouse.
• I can easily move my standardised application to another vendor or inhouse.
• My choice of cloud sharing model aligns with my risk tolerance.
• My data is not too sensitive to store or process in the cloud.
• I can meet the legislative obligations to protect and manage my data.
• I know and accept the privacy laws of countries that have access to my data.
• Strong encryption approved by DSD protects my sensitive data at all times.
• The vendor suitably sanitises storage media storing my data at its end of life.
• The vendor securely monitors the computers that store or process my data.
• I can use my existing tools to monitor my use of the vendor’s services.
• I retain legal ownership of my data.
• The vendor has a secure gateway environment.
• The vendor’s gateway is certified by an authoritative third party.
• The vendor provides a suitable email content filtering capability.
• The vendor’s security posture is supported by policies and processes.
• The vendor’s security posture is supported by direct technical controls.
• I can audit the vendor’s security or access reputable third party audit reports.
• The vendor supports the identity and access management system that I use.
• Users access and store sensitive data only via trusted operating environments.
• The vendor uses endorsed physical security products and devices.
• The vendor’s procurement process for software and hardware is trustworthy.
• The vendor adequately separates me and my data from other customers.
• Using the vendor’s cloud does not weaken my network security posture.
• I have the option of using computers that are dedicated to my exclusive use.
• When I delete my data, the storage media is sanitised before being reused.
• The vendor does not know the password or key used to decrypt my data.
• The vendor performs appropriate personnel vetting and employment checks.
• Actions performed by the vendor’s employees are logged and reviewed.
• Visitors to the vendor’s data centres are positively identified and escorted.
• Vendor data centres have cable management practices to identify tampering.
• Vendor security considerations apply equally to the vendor’s subcontractors.
• The vendor is contactable and provides timely responses and support.
• I have reviewed the vendor’s security incident response plan.
• The vendor’s employees are trained to detect and handle security incidents.
• The vendor will notify me of security incidents.
• The vendor will assist me with security investigations and legal discovery.
• I can access audit logs and other evidence to perform a forensic investigation.
• I receive adequate compensation for a security breach caused by the vendor.
• Storage media storing sensitive data can be adequately sanitised.