New security guidelines have been released to help government agencies weigh the security of cloud providers, representing a move towards a decentralised risk assessment system that has some stakeholders concerned.
The new system replaces the certified cloud services list (CCSL), which was previously administered by the Australian Signals Directorate.
The Australian Cyber Security Centre and the Digital Transformation Agency this week released the new cloud security framework, aimed at guiding government, cloud service providers and Information Security Registered Assessor Program (IRAP) assessors in making decisions about vendors and services.
“The release of the new guidance coincides with today’s cessation of the Certified Cloud Services List (CCSL) which will open up the Australian cloud market, allowing more homegrown Australian providers to operate and deliver their services,” Linda Reynolds said in a statement on Monday (July 27).
“This will provide opportunities for Commonwealth, State and Territory agencies to tap into a greater range of secure and cost-effective cloud services.”
Under the new regime, government entities will self-assess the safety of their cloud systems and will be responsible and accountable for their own assurance and risk management.
The Cloud Security Guidance package includes key documents covering cloud service adoption, CSP provider assessment, frequently asked questions and a cloud security controls matrix template.
Industry reaction
Managing director at Macquarie Government Aidan Tudehope said it was disappointing that the CCSL certification had been abolished but welcomed the guide and anything that would support the local industry.
“Taken alongside Minister (Stuart) Robert’s planned sovereign data policy, this guide opens new opportunities for Australian cloud service providers,” he said.
Strategy director of cloud security technology at FirstWave Cloud Technology Roger Carvosso also said the guidelines would make the government sector more open to homegrown cloud service providers.
It would place greater responsibility on providers who would now have greater market access, he said.
“There is now increased scrutiny on the cyber security posture of these cloud service providers, not just the quality of the security services that they sell to their customers,” Mr Carvosso said.
However, Vault Cloud CEO Rupert Taylor-Price said government agencies might struggle to understand whether cloud services are secure and suitable, and the decentralisation of compliance requirements could result in inconsistent standards.
“The bar for achieving ASD certification was extremely high and provided certainty into data protection,” he said.
“By decentralising compliance requirements we are concerned that government agencies may experience inconsistent standards, not only impacting the service the government receives, but also their ability to interoperate with other agencies and in turn the outcomes for citizens,” he said.
Mr Taylor-Price said this could have security implications and called for continued investment in a certification program.
Slightly concerning. Does that mean that extra funding will be available to government agencies to ensure they have staff with the right skills who can undertake this risk assessment? Systems and processes have to be able to talk to each other to provide joined up services for citizens. This could just lead to data silos and inconsistencies.
Could not agree with you more here, Bethany. What is needed here is either a whole-of-Government Information Management Strategy (the 3 tiers: Federal/State/Local) in relation to cyber risk management or, at the very least, a strategy for each tier of Government over all states and territories.