Managing Cloud Data Risks – Protected Cloud Certification
Commonwealth agencies are responsible for managing the risk associated with the loss of any information they hold.
All ICT systems used by Federal Government agencies in Australia are required to comply with common rules to ensure they are safe and secure. Agencies must certify that their systems, including cloud and protected cloud environments, meet these rules. The rules are set out in the Information Security Manual (ISM) produced by the Australian Signals Directorate (ASD).
Data is classified on a scale from unclassified to top secret, depending on the consequences of damage from unauthorised compromise or misuse of the information. The more sensitive the data, the more restrictive the controls to minimise the risk of unauthorised compromise or misuse.
Government departments and agencies are responsible for:
- Assessment of the suitability and implementation of security measures.
- Certification that the ISM security controls are implemented effectively and identifying any residual risk.
- Accreditation that any residual risk is recognised and mitigated, and this is accepted by the agency.
If an agency uses an external supplier, it must still satisfy itself that the risks associated with the outsourced elements of its ICT systems are being managed.
Rules for the Cloud
When it comes to cloud, the ASD provides additional guidance to help agencies understand how to meet their obligations.
ASD has recently published a guide to the cloud certification process, Anatomy of a Cloud Certification. The guide highlights the three-step process for accreditation:
- Independent Security Assessment – performed for a Cloud Services Provider (CSP) by a registered IRAP assessor, contracted by the CSP to review the CSP's environment.
- Certification by the agency formally recognising and accepting the security measures for a system as implemented effectively and identifying the residual security risks.
- Accreditation by the agency to accept the residual risks.
Agencies may rely on the independent security assessment of an IRAP assessor and use a cloud service that is not on the Certified Cloud Services List (CCSL). The IRAP assessor (as noted by ASD) is engaged and paid for by the cloud provider. The IRAP assessor validates that the provider meets the relevant security controls in the ISM or, for those controls the provider does not specifically comply with, that alternative controls have been implemented which satisfactorily mitigate the risk.
The agency then needs to perform both the certification and accreditation roles as part of the sign-off.
The IRAP assessment might give the agency additional comfort, but because the assessment is paid for by the provider, the process is not fully independent, and it covers only those parts of the service the provider has asked to be assessed. Ultimately the risk remains with the agency.
The CCSL ‘Gold Standard’
The gold standard of certification is inclusion by the ASD on their Certified Cloud Services List (CCSL). To support adoption of cloud services by government, ASD implemented an initiative under the ISM to certify cloud service providers that met the relevant security controls for a data classification. The CCSL lists ASD-certified cloud providers for Unclassified DLM and PROTECTED data classifications.
ASD examines the IRAP assessment and the provider’s environment and makes an independent decision about whether the service complies with the ISM, or that it has sufficiently mitigated any risk not specifically compliant with the ISM. As the Anatomy of a Cloud Certification makes clear, this is more than just ticking off a checklist.*
“Inclusion on the Certified Cloud Services List demonstrates that ASD has certified the CSP. ASD certification of cloud services includes confirmation of physical, personnel and information security requirements as detailed in the PSPF and ISM, including on-site inspections. It is not merely a compliance exercise.”
ASD also calls out that the duration of the CCSL certification process “is highly variable, and in some cases may never be achieved if the service cannot meet the minimum required standards for protecting government information”. [Anatomy of a Cloud Certification]
As government agencies increasingly adopt cloud services it is critical to ensure that the security risks are properly assessed, certified and accredited. The gold standard of the ASD CCSL, with its independent government assessment, will continue to be a key differentiator for agencies in managing their risk position and getting the best outcome for Australia.
*For one particular cloud provider, ASD has chosen to qualify its PROTECTED status with an additional ‘Consumer Guide’, which conveys a higher level of concern around particular areas of risk. Agencies would need to mitigate these risks with additional configuration and security controls.