The Australian Cyber Security Centre (ACSC) and the Digital Transformation Agency (DTA) have released new Cloud Security Guidance to support the secure adoption of cloud services across government and industry.
This follows the closure of the Cloud Services Certification Program (CSCP) and the associated Certified Cloud Services List (CCSL).
Minister for Defence, Senator Linda Reynolds, said the recently released guidance, which has been co-designed with industry partners, will boost Australia’s cyber security resilience.
“The release of the new guidance coincides with today’s cessation of the CCSL which will open up the Australian cloud market, allowing more homegrown Australian providers to operate and deliver their services,” Minister Reynolds said.
“This will provide opportunities for Commonwealth, State and Territory agencies to tap into a greater range of secure and cost-effective cloud services.”
Minister for Government Services, Stuart Robert, said the ACSC and DTA worked closely with industry to develop the new guidelines.
“Having been co-designed with industry, this will help and guide organisations to assess the suitability of a range of secure and cost-effective cloud service providers to securely handle their data and ultimately boost Australia’s cyber security resilience,” he said.
In addition, the ACSC will grow and enhance the Information Security Registered Assessors Program (IRAP) to further support government and industry in implementing appropriate cloud security measures and increase their cyber security resilience.
Technology service provider Macquarie Government has welcomed the new guidelines and believes the guide highlights the importance of the legal authority that can be asserted over data based on its jurisdiction.
Managing director Aidan Tudehope said data hosted in global cloud environments is at higher risk as it could be subject to multiple overlapping or concurrent jurisdictions, while in the hands of personnel outside of Australia.
“While we remain disappointed by the decision to discontinue the CCSL certification regime, we welcome the ACSC’s new guide today for government departments to assess the security and risks of cloud service providers,” he said. This is about more than simply the physical geographic location where data is stored.
According to Tudehope, data sovereignty is about the legal authority that can be asserted over data because it resides in a particular jurisdiction or is controlled by a cloud service provider over which another jurisdiction extends.
“Data hosted in globalised cloud environments may be subject to multiple overlapping or concurrent jurisdictions as the debate about the reach of the US CLOUD Act demonstrates,” he said. “As the ACSC points out, globalised clouds are also maintained by personnel from outside Australia, adding another layer of risk.”
The only way to guarantee Australian sovereignty is ensuring data is hosted in an Australian cloud, in an accredited Australian data centre, and is accessible only by Australian-based staff with appropriate government security clearances, said Tudehope.