It is unfortunate Federal Government processes for certifying and classifying outsourced cloud services for use by Government has become a matter of controversy.
It is even more unfortunate to see blurring of the lines between the ability of an agency to use a service and the “gold standard” Australian Signals Directorate certification process.
The security of the information held by our Government agencies is too important to be treated glibly.
The unauthorised release of classified Government information could be damaging to the nation and to citizens. Government agencies quite properly have to apply strict controls and security.
Comments about ASD processes for endorsing cloud providers in InnovationAus.com on Tuesday therefore require clarification.
Agencies are ultimately responsible for assessing the suitability and implementation of their ICT security arrangements, certifying they have met whole-of-government security controls, and accrediting they have identified and mitigated any residual risk, as we have previously explained here.
When it comes to cloud, the ASD gives further guidance.
This includes advice that an agency can get a degree of comfort from an Infosec Registered Assessors Program (IRAP) consultant’s report. But this consultant is hired and paid for by the vendor and is not a substitute for an assessment by the ASD.
ASD will add a service to the Certified Cloud Service List (CCSL) only after it has thoroughly examined the cloud service and reached its own conclusion whether it meets government security standards.
So comments suggesting ASD has told agencies they can use cloud services not on the CCSL should be read as a statement, not an endorsement.
Agencies are free to choose to use a service not on the CCSL – it’s up to them to be willing to assess and accept the risk of using a service the ASD has not certified.
One other issue the article raises requires a response – comments about the physical separation of data of different classifications.
Accidental data spills are a real issue, and this is why Macquarie Government (and others) have chosen to keep PROTECTED classified data on separate infrastructure.
I do not wish to comment on the security architecture any provider employs for Australian Government agencies. But as noted in the article, the US Government requires providers to employ physical separation, along with many other controls.
Choices between the physical and logical separation of data should not be dismissed lightly.
Data is separated by software (logically) can be accidentally misconfigured by a user or during routine patching and find its way into a lower classification zone.
When it is physical separated, someone needs to join it to another classification zone with a piece of hardware – a much more difficult mistake to make.
This is not a theoretical discussion.
Data spills are common, more than we would like.
In 2016, the Red Cross published a data spill of 550,000 blood donors after their PII information was placed into an insecure environment. November 2017 a misconfigured storage service led to around 50,000 records from Australian Government Departments taken by a third party.
We have also seen vulnerabilities on hardware itself, such as Meltdown and Spectre, affecting Intel CPUs.
These hardware vulnerabilities allowed programs to steal data processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs.
This is not possible if the hardware is physically separated.
Again, I do not wish to comment on any particular provider.
But cyber security and the safety of Government-held information in outsourced cloud environments is too important an issue to be trivialised or reduced to generalisations.
I genuinely wish other cloud providers luck in their endeavours to have their services listed on the CCSL – we at Macquarie Government can attest, it is a rigorous process.
That rigor is the reason it is valued.
As an industry, we have a responsibility to support processes designed to ensure agencies make informed decisions, and fully understand what constitutes an ASD assessment and what does not.
Aidan Tudehope is Managing Director of Macquarie Government