Amidst concerns about hack of Defence personnel database, agencies directed to self-assess cloud security

Recriminations are flying in the wake of an Australian government decision to abandon a centralised scheme for certifying cloud security — made all the more pointed as authorities scrambled to deal with the potential breach of an outsourced Australian Defence Force (ADF) database.

How cloud security assessment will change

The decision to terminate the Australian Signals Directorate (ASD) Cloud Services Certification Program (CSCP) gives Australian government authorities just three months to prepare comparable internal capabilities for evaluating the security of third-party cloud services they intend to use.

Beyond that date, the ASD advised, products listed on the Certified Cloud Services List (CCSL) — which has, among other things, guided agencies on which cloud platforms are suitable for storing Protected level data — will no longer be certified by the ASD.

Protected-level certifications are in place for seven cloud services, including Amazon Web Services, NTT Australia’s Protected Government Cloud, Macquarie Government’s GovZone, Microsoft Azure and Office 365, and Gov Cloud Packages from Sliced Tech and Vault Systems. A further 14 products — from those vendors and Dell Virtustream, Education Services Australia, Google, IBM, Rackspace, Salesforce, and ServiceNow — have been certified for processing unclassified data.

With the CSCP now ceased and CCSL certifications running into their last days, the mandatory Australian Information Security Manual (ISM) will no longer require government agencies to choose cloud services from the list.
Commonwealth agencies will, the Australian Cyber Security Centre announced in its statement about the change, be directed to “self-assess cloud services using practices already used to assess IT systems,” as per the Australian Government Secure Cloud Strategy.

Assessments should consider existing guidance such as Cloud Computing Security Considerations and a similar document for tenants of third-party services.

ASD will now work with industry to co-develop guidelines around cloud security through an impending Cloud Security Consultative Forum, which will include membership on a “rotational basis” and target a new theme every time.

Self-assessing cloud security is not so easy

But doing these assessments is not so easy, even for government agencies, and variability is often the result. The importance of predictability in government data management came to the fore with the announcement that a key ADF database had been pulled offline for 10 days amidst concerns that it had been hacked.

The Defence Force Recruiting Network (DFRN)’s Powerforce database system, which has been managed by recruitment giant ManpowerGroup since 2003, contains a broad range of details about ADF personnel, including medical exams, psychological records and entrance interview reports.

Careful examination of the database environment — which came under the spotlight after a government security analyst raised concerns a lingering might have left the database exposed — satisfied government authorities who testified in Senate Estimates that the information had not been compromised, so Powerforce was brought back online on 12 February.
It was a close call and seems to have had a better resolution than most suspected cybersecurity incidents — but the government’s ability to investigate itself is something many other government agencies and businesses will struggle to emulate.

Certifications are expensive but important

Obtaining CCSL certification is a time-consuming, expensive process, but vendors because they pave the way for lucrative government contracts that might otherwise have been unavailable for security reasons.

The 2018 certification of Microsoft’s Azure and Office 365 was deemed so important that it factored into the company’s decision to deliver two new government-targeted Azure cloud regions in Canberra-area data centres.

Just days ago, domestic cloud operator Sliced Tech — which markets itself as “Australia’s longest standing provider of ASD Certified Clouds and Secure Gateway” — trumpeted the firm’s CCSL status as being a key catalyst for the company’s success bidding for a . That three-year deal will see a TechnologyOne student management system — which will replace over 50 separate databases, spreadsheets, and other software programs — rolled out at the Australian Defence College, Australian Defence Force Academy and Royal Military College-Duntroon by April, with all 115 learning centres to come online over the next two years.