The federal government has officially removed a requirement for Commonwealth agencies to obtain approval from both their own minister and the Attorney-General before storing the personal information of the country’s citizens offshore.
The Attorney-General’s Department recently released a formal update to its Information Security Management Guidelines for the risk management of outsourced ICT arrangements - which guides agencies in assessing the risk of offshoring unclassified government data and IT services - after consulting with industry on the proposed changes earlier this year.
In June, the department indicated it was working to drop the requirement for double ministerial sign-off introduced by the former Labor Government after agencies and industry complained it created additional hurdles to the adoption of public cloud services.
The AGD formally abolished the requirement in its new guidelines issued late last month.
Agencies now need to seek only the approval of their chief executive officer or departmental secretary when moving privacy-related information in the “unclassified” security category into a public cloud environment, following a documented risk assessment.
Publicly available unclassified information - such as website content and media releases - had not been subject to the double ministerial sign-off.
The changes mean both categories of unclassified information (publicly available and information subject to the Privacy Act) are now subject to the same approvals process for storage in a public cloud.
“There was a little bit of frustration with the approvals process and [the ability to] get a resolution in a timely way,” the Attorney-General’s department’s national security chief Mike Rothery told the Security in Government conference yesterday.
“So what [the changes] effectively mean is for all material below ‘protected’, the authority to make the risk decision is with the CEO or department secretary, and that privacy-related material is treated the same as all other material below ‘protected’.”
Any information above unclassified - categorised as protected, confidential, secret and top secret - remains ruled out of any public cloud option, but Rothery signalled that could change should the Government settle on an endorsed encryption product.
“We do get a lot of questions about protected - we are currently taking advice from ASD that we do not have an endorsed encryption product to allow us to put protected information into the public cloud, or for it to be permanently stored offshore, and on that basis the current advice is that those types of outsourcing, offshoring and other cloud arrangements are limited to unclassified material,” Rothery said.
“But that might include sensitive categories of material if agency heads are satisfied that they are managing the risk.”
The guidelines suggest agencies consider their legal power to access or restrict access to data, complications from data being subject to more than one legal jurisdiction, a reduced ability and lack of transparency to directly monitor operations, and differences in business and legal cultures between countries in assessing whether to move to an outsourced or offshore model for unclassified data.
They also ask agencies to consider the potential threats and outcomes should data be compromised in an offshore hosted environment.
The AGD listed nine threats to consider when assessing a public cloud set-up, singling out data breaches, data loss, account or service traffic hijacking, insecure application programming interfaces (APIs), denial of service (DoS) attacks, malicious insiders, insufficient due diligence, shared technology vulnerabilities and the exploitation of cloud infrastructure.
The guidelines suggest risks can be mostly mitigated through well-designed vendor contractual arrangements, but Rothery said his department had, during its work on creating the new guidelines, discovered that the risk assessments being prepared by agencies for public cloud projects were “not universally strong”.
“I don’t mean in terms of judgments, I mean in terms of the information that was clearly available to the decision maker to be able to make their risk assessment.
“Some of the information that had been provided by vendors as how the data would be handled or configured in a cloud environment we thought were a little bit opaque,” he said.
“So in terms of the application of new guidelines, we would stress that the trick here is that yes you can make a risk judgement about putting your data in a public cloud environment, but you have to be satisfied that you truly understand the nature of the configuration of the way your data will be stored and handled and how that will be controlled in the future.”
Rothery said agencies needed to ensure the contract for the service being provided was not vaguely worded, and the terms and conditions were clearly set out and would remain appropriate for the entire length of the partnership.
“You might be satisfied with the information provided by the vendor now, but do your contracts control or seek your approval about the reconfiguration or the removal or shifting of that data after you’ve entered into that contract,” he said.
“Therefore there is a question mark over whether the risk assessments would last the duration of the business relationship between the government entity and the vendor.”