Monday, 27 July 2020 17:20

Australian Cyber Security Centre, DTA unveil new rules for secure cloud services

New guidelines have been released by the Australian Cyber Security Centre and the Digital Transformation Agency to enable the adoption of secure cloud services across the public and private sector.

These guidelines are intended to replace the old Cloud Services Certification Program and the Information Security Registered Assessors Program under which companies were certified by the Australian Signals Directorate as being capable of offering what was called Protected cloud services – meaning that such a company could host government data of the highest classification.

The system was scrapped in March after a review that began in July 2019, though no reason was advanced for the change.

Under the new guidelines, a cloud assessment and authorisation has been co-designed with industry. It will assist and guide Information Security Registered Assessors Program assessors, cloud consumers, cyber security practitioners, cloud architects and business representatives on how to perform an assessment of a cloud service provider and its services.

This is meant to allow a risk-informed decision to be made about the suitability of the cloud provider to handle an organisation’s data.

A number of controls have been specified to mitigate the risk of a cloud service provider's (CSP's) personnel accessing or encountering its customers' data without proper authorisation. These are:

  • Separation of duties, such as personnel with physical access to IT infrastructure not having logical access and vice versa;
  • Data encryption at rest and in transit by default;
  • Secure storage of encryption keys for customer data, with the option of customer-supplied and/or customer-managed keys;
  • Just-in-time and just enough access methodologies for its personnel’s access;
  • Real-time monitoring to detect and log when CSP personnel access customers’ data, and the ability to quickly terminate any access that is unauthorised;
  • Providing the Cloud Consumer with the capability to provide explicit approval before the CSP’s personnel access its data;
  • Providing Cloud Consumers with flexible support arrangements including the ability to choose where support is provided from; and
  • Contractual clauses with customers that require the CSP to disclose to the Cloud Consumer any incidents of its personnel accessing, or encountering, the Cloud Consumer’s unencrypted data.

Under the old system, there was controversy over the certification of Microsoft as a Protected cloud provider, which allowed the company to access top-secret government data through personnel located outside the country, people who had not received adequate security clearances from the Australian Government.

The new guide also specifies the minimum protections required for data that is accessed on a temporary basis:

  • Australian Government entities must limit access to security classified information as follows:
      • for short-term access – a maximum of three months in a 12-month period;
      • for provisional access – until a security clearance is granted or denied.
  • Australian Government entities must supervise all temporary access. Examples include:
      • escorting visitors in premises where classified information is being stored or used;
      • management oversight of the work of personnel who have the temporary access;
      • monitoring or audit logging incidents of contact with security classified information (e.g. contract conditions that require service providers to report when any of their contractors have had contact with classified information).
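Two of the controls above lend themselves to a mechanical check: the real-time monitoring of CSP personnel access against the Cloud Consumer's explicit approval, and the three-months-in-twelve limit on short-term temporary access. The following is an added example, written for this article and not code from the ACSC, the DTA or the guide itself; it runs the two checks over a constructed access log and a constructed set of approvals and temporary-access grants. The record layouts, field names, the modelling of "three months" as 92 days and of a "12-month period" as a rolling 365-day window are all assumptions made for the example.

```python
"""Added example (not from the article or the ACSC/DTA guide): apply two of
the listed controls to a constructed access log.

  1. Every access by CSP personnel to a customer's data must fall inside an
     explicit, current approval window granted by that customer
     (just-in-time, just-enough access); anything else is flagged.
  2. Short-term temporary access is limited to three months in any 12-month
     period; here three months is modelled as 92 days and the period as a
     rolling 365-day window (both assumptions)."""

from datetime import date, timedelta

SHORT_TERM_LIMIT_DAYS = 92   # assumption: "three months" modelled as 92 days
WINDOW_DAYS = 365            # assumption: "12-month period" as a rolling 365-day window

# Constructed sample approvals: consumer-granted windows for named CSP staff.
APPROVALS = [
    {"person": "csp-eng-01", "tenant": "agency-a", "start": date(2020, 7, 1), "end": date(2020, 7, 3)},
    {"person": "csp-eng-02", "tenant": "agency-b", "start": date(2020, 7, 20), "end": date(2020, 7, 20)},
]

# Constructed sample access log: one record per CSP-personnel access to customer data.
ACCESS_LOG = [
    {"ts": date(2020, 7, 2), "person": "csp-eng-01", "tenant": "agency-a"},
    {"ts": date(2020, 7, 10), "person": "csp-eng-01", "tenant": "agency-a"},  # outside the approved window
    {"ts": date(2020, 7, 20), "person": "csp-eng-02", "tenant": "agency-b"},
    {"ts": date(2020, 7, 21), "person": "csp-eng-03", "tenant": "agency-a"},  # no approval at all
]

# Constructed temporary-access grants (short-term access pending a clearance).
TEMP_GRANTS = [
    {"person": "contractor-x", "start": date(2019, 9, 1), "end": date(2019, 11, 30)},  # 91 days
    {"person": "contractor-x", "start": date(2020, 6, 1), "end": date(2020, 6, 5)},    # 5 more days inside 12 months
    {"person": "contractor-y", "start": date(2020, 1, 1), "end": date(2020, 1, 31)},   # 31 days
]


def unapproved_accesses(log, approvals):
    """Return the access events not covered by an approval for that person and tenant."""
    flagged = []
    for event in log:
        covered = any(
            a["person"] == event["person"]
            and a["tenant"] == event["tenant"]
            and a["start"] <= event["ts"] <= a["end"]
            for a in approvals
        )
        if not covered:
            flagged.append(event)
    return flagged


def access_days(grants):
    """Expand each grant into the set of calendar days of access, keyed by person."""
    days = {}
    for g in grants:
        person_days = days.setdefault(g["person"], set())
        d = g["start"]
        while d <= g["end"]:
            person_days.add(d)
            d += timedelta(days=1)
    return days


def short_term_limit_breaches(grants, limit=SHORT_TERM_LIMIT_DAYS, window=WINDOW_DAYS):
    """Return {person: peak days of temporary access in any rolling window} for those over the limit."""
    breaches = {}
    for person, days in access_days(grants).items():
        worst = 0
        for d in days:  # slide a window ending on each access day
            window_start = d - timedelta(days=window - 1)
            worst = max(worst, sum(1 for x in days if window_start <= x <= d))
        if worst > limit:
            breaches[person] = worst
    return breaches


if __name__ == "__main__":
    for e in unapproved_accesses(ACCESS_LOG, APPROVALS):
        print("UNAPPROVED:", e["ts"], e["person"], e["tenant"])
    for person, n in short_term_limit_breaches(TEMP_GRANTS).items():
        print(f"LIMIT EXCEEDED: {person} had {n} days of temporary access within {WINDOW_DAYS} days")
```

On the constructed data the first check flags the 10 July access by csp-eng-01 (outside its window) and the 21 July access by csp-eng-03 (no approval at all), and the second flags contractor-x with 96 days inside one 365-day window. In a real deployment the approvals would come from the consumer's ticketing or access-request system and the log from the provider's access telemetry; the point of the example is only that "explicit approval" and "three months in twelve" are checks a Cloud Consumer can evaluate on their own data rather than take on trust.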

Allowing temporary access will be based on a recommended risk assessment which encompasses:

  • the need for temporary access, including if the role can be performed by a person who already holds the necessary clearance;
  • confirmation from the authorised vetting agency that the person has no identified security concerns, or a clearance that has been cancelled or denied;
  • the quantum and classification level of information that could be accessed, and the potential business impact if this information was compromised;
  • how access to classified information will be supervised, including how access to caveat or compartmented information will be prevented; and
  • other risk mitigating factors such as pre-engagement screening, entity specific character checks, knowledge of personal history, or having an existing or previous security clearance.

Cloud Consumers are responsible for ensuring the physical facilities that store their data or are used to access their data, including those owned by third parties such as CSPs, meet the Attorney-General's Protective Security Policy Framework physical security requirements.

The guide includes an information security manual to guide a prospective cloud user so that they can use a suitably qualified provider who meets their needs. The 29-page guide is here.

The new system also provides a cloud security assessment report template and additional context in the form of a cloud security controls matrix to assist in assessments.

A spokeswoman from Australian cloud provider AUCloud told iTWire the guide made it clear how, when used effectively, cloud services could reduce the risk posture of agencies compared with self-managed (on-premise) arrangements.

She said it also explained how sovereign cloud providers — those owned and operated by Australians within Australia — could provide a significantly reduced risk compared with foreign-owned entities, even those operating from within Australia.

The fact that data required a more detailed definition to recognise the off-shoring risks associated not only with customer data, but also metadata, monitoring data and analytics or derived data was also emphasised, the spokeswoman said, adding that AUCloud believed these enhanced definitions should be adopted consistently across all government activities, especially procurement.

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
