Industry figures have expressed concern about new government procurement guidelines that encourage government agencies to work with industry to vet the security of the cloud services they adopt.

Developed by the Australian Cyber Security Centre (ACSC), the newly activated Cloud Security Guidance (CSG) package has replaced the long-running Certified Cloud Services List (CCSL) and Cloud Services Certification Program (CSCP), which evaluated commercial cloud platforms against standards set by the ACSC’s Information Security Registered Assessors Program (IRAP).

The program had certified several commercial cloud service providers (CSPs) – including the likes of Sliced Tech, Vault Systems, Microsoft and Amazon Web Services – as being suitable for processing and storage of government data up to PROTECTED level.

The government announced the closure of the program on 2 March after a review of the CSCP and IRAP programs recommended the CSCP be closed and cloud security standards be developed in collaboration with industry moving forward.

Such changes would “open up the Australian cloud market to allow for more homegrown Australian providers to operate”, the ACSC said at the time.

“This will also give government customers a greater range of secure and cost-effective cloud services.”

CSG includes three core templates and guidelines designed to help agencies and IRAP assessors evaluate the security of CSPs they may be interested in adopting.

Anatomy of a Cloud Assessment and Authorisation, for example, lays a framework to help agencies make a “risk-informed decision” about a particular cloud service’s “suitability”.

The Cloud Security Assessment Report Template outlines the findings that should be included in the Phase 1 assessment of a cloud evaluation, a move that will, the ACSC said, “improve the consistency of the Cloud Security Assessment reports, allowing cloud consumers to more easily compare CSPs against one another”.

The third element is a Cloud Security Controls Matrix (CSCM) that helps IRAP assessors document the security controls necessary to run cloud services on an ongoing basis.

Taken together, the ACSC said in announcing the resources, the co-designed CSG “will guide organisations… on how to perform a comprehensive assessment of a cloud service provider and its cloud services, so a risk-informed decision can be made about its suitability to handle an organisation’s data.”

Agencies assume their own risk

With the launch of the CSG package, government agencies – freed from the requirement to purchase only cloud services that are on the CCSL – are responsible for their own assurance and risk management activities.

Yet this approach would potentially create new problems for a government sector that has struggled to meet baseline information security standards.

Despite years of efforts to improve government security, one recent review of government security found that only 1 of 18 examined agencies had met the requirements of the government’s Protective Security Policy Framework (PSPF).

This had happened despite the ACSC’s ‘Cyber Uplift’ program – a series of cybersecurity ‘sprints’ designed to help 25 Commonwealth agencies rapidly improve their overall security posture.

Given agencies’ repeated failure to improve their internal security capabilities, industry figures were concerned that the removal of a centralised mandate would exacerbate problems for government agencies.

In the absence of prescriptive guidelines, Vault Cloud CEO Rupert Taylor-Price said in a statement, agencies may “experience inconsistent standards” and “struggle to understand which cloud providers meet these high security standards”.

“The bar for achieving ASD certification was extremely high,” Taylor-Price explained, “and provided certainty into data protection… Although there may be initial cost savings for the ASD there may be overall cost, delays and security implications in the future.”

Macquarie Government, which became the first Australian cloud provider to be listed on the CCSL back in 2017, welcomed the CSG’s launch but remains “disappointed” in the program’s cessation.

Managing director Aidan Tudehope flagged concerns about the potential for overlapping jurisdictions if relaxed cloud guidelines allow Australian government services to store data in cloud services’ overseas data centres.

“This is about more than simply the physical geographic location where data is stored,” Tudehope said, noting that the government’s mooted sovereign data policy would provide much-needed guidance in this respect.

Data hosted by offshore CSPs, he said, would be maintained by non-Australian personnel and “may be subject to multiple overlapping or concurrent jurisdictions… adding another layer of risk.”

Citing moves by the NSW government to develop a cyber security ratings system, Taylor-Price said, “there is still a need for government entities to access standardisation certificates, otherwise it will be difficult for a cloud provider to achieve the same level of trust or security.”

Ultimately, he added, the new CSG regime should encourage cloud providers and government bodies to “come together as a security ecosystem to improve the security, compliance, and risk posture of all agencies”.