Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.

Monday, 02 March 2020 20:45

ASD withdrawal from cloud certification will add to cyber risk

The Australian Signals Directorate's decision to withdraw from the role of certifying cloud providers to handle government data at sensitive and classified levels means that cyber security is being put at risk, with each provider now having to act as its own regulator.

The decision is all the more surprising given the extent of talk in government circles these days about keeping Australia safe online and guarding the country's secrets.

That only six companies had been certified as Protected cloud providers thus far is testimony to the strictness of the criteria laid down to gain this status. It involved a great deal of expenditure and also a lot of patience; additionally, there was a need for cloud providers to have well-qualified people on board so that the technical requirements could be met in their entirety.

But though the decision was announced on Monday, it has been in the making officially since July last year, as announced by the ASD and the Digital Transformation Agency. Informed sources have told iTWire that the decision was driven by the ASD's desire to avoid being the fall guy for any mix-up in certification.

The move is said to have begun in June last year, soon after the appointment of Rachel Noble as head of the Australian Cyber Security Centre, after Alastair MacGibbon quit the post two weeks before the Federal Election in May 2019. Noble has now moved on to the post of director-general of the ASD.

With the ASD withdrawing from the certification role, each cloud provider will now have to approach each government agency and convince the latter of their suitability to handle a given task for which they are bidding. Each agency will have its own specific requirements based on the nature of what it is looking to outsource.

Self-regulation will, no doubt, be cheaper for the cloud providers, but any extra expense under the old rules that lesser-known companies incurred to get certified was more than compensated for by the amount that government contracts are worth.

Under the scenario that takes effect now, bigger companies will have a distinct advantage in gaining government contracts - even though one of the stated reasons for the change is to give smaller firms a chance to compete for the big money paid out by the government. The old saying "one never got fired for buying IBM" will come to dominate transactions.

Given that, it is unlikely that local cloud providers, who look to cash in on government work, will be happy with the change. The responsibility they have to bear will be increased a thousandfold, and there will be no set criteria and no inspector to catch any shortcomings.

Instead, there will be something akin to a free-for-all which will certainly not make Australia's top-secret data safer. As with many things, it looks very much as though the government says one thing in public, and then does precisely the opposite.

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


