What the cloud certification model means for you

Federal government agencies are now required to understand, assess and authorise the cloud services they wish to consume.

As of July 2020, the Australian Government’s Cloud Services Certification Program (CSCP) has been wound down in a move that promises to unlock the country’s cloud market. The announcement was made in March by the Australian Signals Directorate (ASD) and the Digital Transformation Agency (DTA), following the findings of an independent review of the program and the Information Security Registered Assessors Program (IRAP) commissioned by the ASD.

For many years, the CSCP acted as the gatekeeper for cloud service providers (CSPs) to compete for government contracts requiring secure cloud services. CSPs that were accepted as ‘secure’ were listed in the Certified Cloud Services List (CCSL), which meant they were able to pitch for government contracts.

Whilst the ASD is no longer the Certification Authority for secure cloud services for Commonwealth entities, new guidance to help government, cloud providers and IRAP assessors in making decisions about cloud vendors and services has been released.

What does this mean for government?

Theoretically, the end of the CSCP and CCSL — and the adoption of the new cloud security guidance — will allow Commonwealth entities to choose from a wider range of CSPs and cloud services. This means that a CSP which previously didn’t make the ‘shortlist’ can now be considered by buyers. All things being equal, competition is usually a good thing as it leads to greater innovation and more cost-effective sovereign cloud services.

On the flip side, this new decentralised model also means that Commonwealth entities are now responsible for their own cloud assurance and risk management activities.

While the CCSL unintentionally allowed Commonwealth entities to transfer risk to the ASD, the onus has now returned to those entities to accept and own the risk. In other words, agencies are now required to understand, assess and authorise the cloud services they wish to consume.

Some commentators have suggested that the decentralised model could increase risk and reduce the cyber resilience of organisations. Also, some claim decentralising compliance may lead to the application of inconsistent standards during the self-certification process.

On the other hand, advocates of the new model point to the outdated relevance of the CCSL, arguing that the model was due for a change.

The likely impact in FY21

The new decentralised and deregulated regime means government organisations will have to manage their own risk. In other words, the onus will be on the agencies to make sure that they are cyber secure.

There are at least two scenarios which may play out.

First, given the challenges around COVID-19 and the now tighter budgets to deliver core services, CISOs and CIOs will need to develop a greater understanding of how to approach the new responsibility around self-certification. This could result in delayed decisions around new technologies and services.

On the opposite end of the spectrum, there will be CISOs and CIOs that are experienced and well versed in the scope, size and type of cybersecurity risks that new technologies and cloud services attract. This cohort will be extremely familiar with the previous CSCP and CCSL and understand how the new changes will empower them to make their own risk-based decisions.

Due to experience, they will make faster decisions around risk, and those that make the decisions will be comfortable in working with IRAP assessors. This group will proactively approach new self-certification and act as leaders for their industry peers. I think this is good news.

How will MSSPs help?

Both scenarios should drive managed security service providers (MSSPs) to become more engaged with their clients, cloud and technology vendors, regulatory authorities and industry partners. In some respects, the new Cyber Security Strategy 2020 already alludes to deeper engagement to support innovation and capability development, and this shift also means that over time, a more defined set of roles and responsibilities may be placed on service providers to support clients.

In the short term, the expertise of MSSPs that are able to provide advisory services, risk assessments and support for technology decisions and implementations can prove crucial to making the right changes.

MSSPs will be required to work more closely with cloud vendors to obtain guidance on specific cloud technologies, and the risks associated with them.

While IRAP assessors will continue playing a pivotal role in assessing and certifying services, MSSPs will continue playing the role of trusted advisor in helping guide technology decisions that enable the organisation to achieve its operational requirements.

Adam Misiewicz is National Security Lead at ASG Group.

Image credit: ©stock.adobe.com/au/Rajeev