On 2 March 2020 the Australian Signals Directorate (ASD) and Digital Transformation Agency (DTA) issued a public statement announcing the immediate cessation of the Cloud Services Certification Program (CSCP).
What are the implications of this?
The ASD is now no longer the Certification Authority, as a result, until 30 June 2020 services listed on the Certified Cloud Services List (CCSL) remain ASD certified, however after this date all certifications and re-certification letters will be void. To effect the change, the Australian Government’s Information Security Manual (ISM) will be amended remove the requirement to select cloud services from the CCSL.
In a practical sense, this means that each government agency will now be able set its own cloud security parameters, and service providers will have to adapt to meet the particular agencies requirements.
What were the reasons for the change?
This decision stemmed from the ASD commissioned independent review of its CSCP and Information Security Registered Assessors Program (IRAP).
The following recommendations arose from this review:
Close the CSCP and create new co-designed cloud security guidelines with industry;
Grow and enhance IRAP;
Establish Government and Industry Consultative Forums for cyber security; and
Update incentives in Procurement and Administrative Instructions and Guidance to reflect the cessation of the CSCP.
The current CCSL includes well known names such as Amazons ‘Amazon Web Services (AWS)’, Microsoft’s ‘Azure’ service and Macquarie Government’s ‘GovZone (Secure Cloud)’ service. In their joint statement, the ASD and DTA commented that this will open up the Australian cloud market to allow for more home-grown Australian providers to operate. This will also give government customers a greater range of secure and cost-effective cloud services.
How has the industry responded?
The Australian Information Industry Association in its 3 March press release in response expressed concern that:
“the mixed ability for small and even larger government agencies to conduct cyber threat risk assessments may lead to risk adverse behaviours due to a lack of cyber skills in agencies resulting in a decline in adoption of latest cloud technologies and digital services. We encourage the DTA and ACSC to support agencies to develop these capabilities or to share information through communities of interest”.
Lavan comment – what does this mean for your organisation?
Whilst these reforms will only directly impact cloud providers who wish to partner with government agencies, they raise important, and often overlooked issues of cloud security which should be considered by all individuals and organisations who utilise cloud services.
The ASD’s Australian Cyber Security Centre (ACSC) recommends that organisations conduct security assessment of their cloud services against the security controls in the ISM and ASD cloud security guidance. The most basic of these guidelines is the ‘Cloud Computing Security Considerations’, it contains a number of questions which are designed to be worked through by senior managers and technical staff to identify and manage risks with their cloud computing system. Some of these questions/statements include:
I know and accept the privacy laws of countries that have access to my data;
Strong encryption approved by the ACSC protects my sensitive data at all times;
The vendor suitably sanitises storage media storing my data at its end of life;
The vendor securely monitors the computers that store or process my data;
I can use my existing tools to monitor my use of the vendor’s services;
I retain legal ownership of my data;
The vendor adequately separates me and my data from other customers;
Using the vendor’s cloud does not weaken my network security posture;
Actions performed by the vendor’s employees are logged and reviewed;
Visitors to the vendor’s data centres are positively identified and escorted; and
Vendor data centres have cable management practices to identify tampering.
In the current COVID-19 climate with phishing scams on the rise, it is more important than ever to ensure that your organisation has a robust cyber security policy. If you have any questions in relation to this article, or require assistance in assessing and managing the risks of your or your organisations cloud service, please do not hesitate to contact Iain Freeman or Lorraine Madden.