Govt publishes new cloud security guidance

The Australian Cyber Security Centre and the Digital Transformation Agency have collaborated on the development of new cloud security guidance for agencies to use while assessing and choosing cloud solutions.

The new guidance, designed in consultation with industry partners, has been designed to help walk government agencies, cloud service providers and Information Security Registered Assessors Program (IRAP) assessors through the process of assessing the integrity of cloud services.

The guidance includes a cloud security assessment report template that will seek to improve the consistency of the reports, a new Cloud Security Controls Matrix designed to augment the government’s Information Security Manual security controls for cloud computing and guidance outlining the anatomy of cloud assessment and authorisation.

Published in time for the wind-up on Monday of the former Certified Cloud Services List (CCSL) list, the guidance is designed to facilitate the transition to a new assessment framework that will give government agencies greater choice over their selection of cloud services.

Meanwhile, smaller cloud service and related providers will be able to deliver their services to Australian government, according to Minister for Defence Linda Reynolds.

“The cessation of the [CSSL] will open up the Australian cloud market, allowing more homegrown Australian providers to operate and deliver their services,” she said.

Minister for Government Services Stuart Robert added that the new guidance will “help and guide organisations to assess the suitability of a range of secure and cost-effective cloud service providers to securely handle their data and ultimately boost Australia’s cybersecurity resilience”.

But industry experts such as Vault Cloud CEO Rupert Taylor-Price have questioned the wisdom of putting the burden of risk management assessments on individual government entities.

“The bar for achieving ASD certification was extremely high and provided certainty into data protection. By decentralising compliance requirements we are concerned that government agencies may experience inconsistent standards, not only impacting the service the government receives, but also their ability to interoperate with other agencies and in turn the outcomes for citizens,” he said.

“Although there may be initial cost savings for the ASD there may be overall cost, delays and security implications in the future. However, if Australia continues to experience a threat landscape at the level the Prime Minister outlined recently, the continued investment in a certification program is in our national interest.”

Taylor-Price said recent announcements from across government have shown that there is still a need for government entities to access standardisation certificates.

For example, Robert has recently announced that the government will examine local sovereignty requirements on certain datasets to be hosted on-shore in an accredited Australian data centre, and only be accessible by government and local service providers across Australian networks.

“[Without standardisation certificates] it will be difficult for a cloud provider to achieve the same level of trust or security. The key for us is to come together as a security ecosystem to improve the security, compliance and risk posture of all agencies,” Taylor-Price said.

Image credit: ©stock.adobe.com/au/腾龙 郭