These guidelines are intended to replace the old Cloud Services Certification Program and the Information Security Registered Assessors Program under which companies were certified by the Australian Signals Directorate as being capable of offering what was called Protected cloud services – meaning that such a company could host government data of the highest classification.
The system was scrapped in March after a review that began in July 2019, though no reason was advanced for the change.
Under the new guidelines, a cloud assessment and authorisation has been co-designed with industry. It will assist and guide Information Security Registered Assessors Program assessors, cloud consumers, cyber security practitioners, cloud architects and business representatives on how to perform an assessment of a cloud service provider and its services.
A number of controls have been specified to mitigate the risk of a cloud service provider's personnel accessing or encountering its customers data without proper authorisation. These are:
- Separation of duties, such as personnel with physical access to IT infrastructure not having logical access and vice versa;
- Data encryption at rest and in transit by default;
- Secure storage and customer supplied and/or management of encryption keys for customer data;
- Just-in-time and just enough access methodologies for its personnel’s access;
- Real-time monitoring to detect and log when CSP personnel access customers’ data, and the ability to quickly terminate any access that is unauthorised;
- Providing the Cloud Consumer with the capability to provide explicit approval before the CSP’s personnel access its data;
- Providing Cloud Consumers with flexible support arrangements including the ability to choose where support is provided from; and
- Contractual clauses with customers that require the CSP to disclose to the Cloud Consumer any incidents of its personnel accessing, or encountering, the Cloud Consumer’s unencrypted data.
Under the old system, there has been controversy over the certification of Microsoft as a Protected cloud provider and allowing the company to access top-secret government data through personnel located outside the country, people who have not received adequate security clearances from the Australian Government.
The new guide also specifies the minimum protections required to protect data that is accessed on a temporary basis:
- Australian Government entities must limit access to security classified information as follows:
- for short-term access – a maximum of three months in a 12-month period;
- for provisional access – until a security clearance is granted or denied.
- Australian Government entities must supervise all temporary access. Examples include:
- escorting visitors in premises where classified information is being stored or used;
- management oversight of the work of personnel who have the temporary access;
- monitoring or audit logging incidents of contact with security classified information (e.g. contract conditions that require service providers to report when any of their contractors have had contact with classified information).
Allowing temporary access will be based on recommended risk assessment which encompasses:
- the need for temporary access, including if the role can be performed by a person who already holds the necessary clearance;
- confirmation from the authorised vetting agency that the person has no identified security concerns, or a clearance that has been cancelled or denied;
- the quantum and classification level of information that could be accessed, and the potential business impact if this information was compromised;
- how access to classified information will be supervised, including how access to caveat or compartmented information will be prevented, and;
- other risk mitigating factors such as pre-engagement screening, entity specific character checks, knowledge of personal history, or having an existing or previous security clearance.
Cloud Consumers are responsible for ensuring the physical facilities that store their data or are used to access their data, including those owned by third-parties such as CSPs, meet the Attorney-General's Protective Security Policy Framework physical security requirements.
The guide includes an information security manual to guide a prospective cloud user so that they can use a suitably qualified provider who meets their needs. The 29-page guide is here.
The new system also provides a cloud security assessment report template and additional context in the form of a cloud security controls matrix to assist in assessments.
A spokeswoman from Australian cloud provider AUCloud told iTWire the guide made it clear how, when used effectively, cloud services could reduce the risk posture of agencies compared with self-managed (on-premise) arrangements.
She said it also explained how sovereign cloud providers — those owned and operated by Australians within Australia — could provide a significantly reduced risk compared with foreign-owned entities, even those operating from within Australia.
The fact that data required a more detailed definition to recognise the off-shoring risks associated not only with customer data, but also metadata, monitoring data and analytics or derived data was also emphasised, the spokeswoman said, adding that AUCloud believed these enhanced definitions should be adopted consistently across all government activities, especially procurement.