Monday, 27 July 2020 17:20

Australian Cyber Security Centre, DTA unveil new rules for secure cloud services

By Sam Varghese

New guidelines have been released by the Australian Cyber Security Centre and the Digital Transformation Agency to enable the adoption of secure cloud services across the public and private sector.

These guidelines are intended to replace the old Cloud Services Certification Program and the Information Security Registered Assessors Program under which companies were certified by the Australian Signals Directorate as being capable of offering what was called Protected cloud services – meaning that such a company could host government data of the highest classification.

The system was scrapped in March after a review that began in July 2019, though no reason was advanced for the change.

Under the new guidelines, a cloud assessment and authorisation has been co-designed with industry. It will assist and guide Information Security Registered Assessors Program assessors, cloud consumers, cyber security practitioners, cloud architects and business representatives on how to perform an assessment of a cloud service provider and its services.

This is meant to allow a risk-informed decision to be made about the suitability of the cloud provider to handle an organisation’s data.

A number of controls have been specified to mitigate the risk of a cloud service provider's personnel accessing or encountering its customers' data without proper authorisation. These are:

  • Separation of duties, such as personnel with physical access to IT infrastructure not having logical access and vice versa;
  • Data encryption at rest and in transit by default;
  • Secure storage of encryption keys for customer data, with keys customer-supplied and/or customer-managed;
  • Just-in-time and just enough access methodologies for its personnel’s access;
  • Real-time monitoring to detect and log when CSP personnel access customers’ data, and the ability to quickly terminate any access that is unauthorised;
  • Providing the Cloud Consumer with the capability to provide explicit approval before the CSP’s personnel access its data;
  • Providing Cloud Consumers with flexible support arrangements including the ability to choose where support is provided from; and
  • Contractual clauses with customers that require the CSP to disclose to the Cloud Consumer any incidents of its personnel accessing, or encountering, the Cloud Consumer’s unencrypted data.

Under the old system, there was controversy over the certification of Microsoft as a Protected cloud provider and over allowing the company to access top-secret government data through personnel located outside the country, people who had not received adequate security clearances from the Australian Government.

The new guide also specifies the minimum protections required to protect data that is accessed on a temporary basis:

  • Australian Government entities must limit access to security classified information as follows:
    • for short-term access – a maximum of three months in a 12-month period;
    • for provisional access – until a security clearance is granted or denied.
  • Australian Government entities must supervise all temporary access. Examples include:
    • escorting visitors in premises where classified information is being stored or used;
    • management oversight of the work of personnel who have the temporary access;
    • monitoring or audit logging incidents of contact with security classified information (e.g. contract conditions that require service providers to report when any of their contractors have had contact with classified information).

Allowing temporary access will be based on a recommended risk assessment which encompasses:

  • the need for temporary access, including if the role can be performed by a person who already holds the necessary clearance;
  • confirmation from the authorised vetting agency that the person has no identified security concerns, or a clearance that has been cancelled or denied;
  • the quantum and classification level of information that could be accessed, and the potential business impact if this information was compromised;
  • how access to classified information will be supervised, including how access to caveat or compartmented information will be prevented; and
  • other risk mitigating factors such as pre-engagement screening, entity specific character checks, knowledge of personal history, or having an existing or previous security clearance.

Cloud Consumers are responsible for ensuring the physical facilities that store their data or are used to access their data, including those owned by third-parties such as CSPs, meet the Attorney-General's Protective Security Policy Framework physical security requirements.

The guide includes an information security manual to guide a prospective cloud user so that they can use a suitably qualified provider who meets their needs. The 29-page guide is here.

The new system also provides a cloud security assessment report template and additional context in the form of a cloud security controls matrix to assist in assessments.

A spokeswoman from Australian cloud provider AUCloud told iTWire the guide made it clear how, when used effectively, cloud services could reduce the risk posture of agencies compared with self-managed (on-premise) arrangements.

She said it also explained how sovereign cloud providers — those owned and operated by Australians within Australia — could provide a significantly reduced risk compared with foreign-owned entities, even those operating from within Australia.

The fact that data required a more detailed definition to recognise the off-shoring risks associated not only with customer data, but also metadata, monitoring data and analytics or derived data was also emphasised, the spokeswoman said, adding that AUCloud believed these enhanced definitions should be adopted consistently across all government activities, especially procurement.

Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
