In the latest in a series of developments in cloud security, the Australian Cyber Security Center (ACSC) and Digital Transformation Agency (DTA) released the new Cloud Security Guidance (CSG). This move can largely be described as a decentralization of the cloud security model put in place by the Australian Government. The newly released guidance aims to equip different agencies and Information Security Registered Assessors Program (IRAP) assessors with a framework to measure the eligibility of Cloud Service Providers (CSPs). CSG will replace the Cloud Services Certification Program (CSCP), which provided accreditation to cloud service providers before the arrival of this guidance.
So, What Changes Under CSG?
As already stated, CSCP now has a true successor in the form of CSG. The arrival of CSG means different agencies will conduct their own separate risk assessments for cloud services, something that the Australian Signals Directorate (ASD) was solely responsible for in the past. The existing CSPs that have already been marked as ‘Unclassified’ or ‘Protected’ by ASD will now have to seek fresh assessment by the relevant agencies.
Under CSG, agencies that wish to use cloud services can undertake a risk assessment of a cloud service through the IRAP assessment of that same service, thereby determining the acceptability of the CSP. While the IRAP assessments conducted before CSG remain valid for now, the agencies “need to consider the age and relevance of these [IRAP] reports when reviewing them.”
Cloud Security Guidance — Finer Details
CSG recommends CSPs and cloud services located in Australia for sensitive and security-classified information. Further, it asks that agencies carefully consider the locality, ownership, and control of CSPs when conducting eligibility and risk assessments before using their services. These CSG recommendations must be seen in the light of the Australian Government’s data security concerns, especially regarding data center ownership, ever since DTA’s hosting strategy was released in March 2019.
Further, CSG focuses on the types of cloud data, asking agencies to distinguish between the kinds of data stored and how each is handled by the CSP. This is especially important as the Australian Government has been mulling the introduction of data sovereignty laws that will require sensitive data to be stored in data centers located in Australia and operated by Australian CSPs. The guidance asks IRAP assessors to study, in their assessments, the data types and their definitions, the storage location of that data, and the CSP’s handling and security of the data.
New Set of Guidelines From Australian Government
The official release states, “Cloud Security Guidance aims to guide organizations including government, cloud service providers (CSP), and Information Security Registered Assessors Program (IRAP) assessors on how to perform a comprehensive assessment of a cloud service provider and its cloud services so a risk-informed decision can be made about its suitability to handle an organization’s data.”
The Australian Defense Minister stated that the new CSG has been developed by ACSC and DTA in close consultation with several other agencies and leading bodies from the industry. Further, the minister said that CSG would open up the Australian cloud market, provide an opportunity for local providers to deliver services to their own government, and enhance the country’s cybersecurity resilience.
Writing on the occasion, Iain Rouse, the country director for Australia and New Zealand at AWS, stated, “We continue to see Australian Government agencies rise to the challenge of meeting the fast-changing needs of citizens. We are inspired by the innovation of these agencies and their use of technology to respond quickly and securely. With the help of our partner community in the AWS Partner Network (APN), we’re seeing the development of innovative solutions for government agencies.”
The United States already has cloud computing laws in place, and the EU is mulling a stringent iteration of the same. Amid this, the arrival of CSG in Australia only begins to highlight the trend toward data sovereignty and data localization among governments around the world. While this poses challenges for CSPs, they are more than ready to tackle them, as is evident in the AWS statement above.