THE AUSTRALIAN Cyber Security Centre (ACSC) and the Digital Transformation Agency (DTA) have released new Cloud Security Guidance to support the secure adoption of cloud services across government and industry. The guidance clarifies controls over data imposed by jurisdictions in which the data servers are based.
Federal Defence Minister, Senator Linda Reynolds CSC, said the new guidance, which has been co-designed with industry partners, would boost Australia’s cyber security resilience.
“The release of the new guidance coincides with today’s cessation of the Certified Cloud Services List (CCSL) which will open up the Australian cloud market, allowing more home-grown Australian providers to operate and deliver their services,” Senator Reynolds said.
“This will provide opportunities for Commonwealth, State and Territory agencies to tap into a greater range of secure and cost-effective cloud services.”
Government Services Minister Stuart Robert said the ACSC and DTA worked closely with industry to develop the new guidelines.
“Having been co-designed with industry, this will help and guide organisations to assess the suitability of a range of secure and cost-effective cloud service providers to securely handle their data and ultimately boost Australia’s cyber security resilience,” Mr Robert said.
In addition, the ministers said the ACSC would grow and enhance the Information Security Registered Assessors Program (IRAP) to further support government and industry in implementing appropriate cloud security measures and increase their cyber security resilience.
Macquarie Government, part of the Macquarie Telecom Group, has welcomed the new guidelines.
Macquarie Government managing director Aidan Tudehope believes the guide highlights the importance of the legal authority that can be asserted over data based on its jurisdiction. In his view, data hosted in global cloud environments is at higher risk because it could be subject to multiple overlapping or concurrent jurisdictions while in the hands of personnel outside of Australia.
“While we remain disappointed by the decision to discontinue the CCSL certification regime, we welcome the ACSC’s new guide for government departments to assess the security and risks of cloud service providers,” Mr Tudehope said.
“This is about more than simply the physical geographic location where data is stored. Data sovereignty is about the legal authority that can be asserted over data because it resides in a particular jurisdiction, or is controlled by a cloud service provider over which another jurisdiction extends.
“Data hosted in globalised cloud environments may be subject to multiple overlapping or concurrent jurisdictions as the debate about the reach of the US CLOUD Act demonstrates. As the ACSC points out, globalised clouds are also maintained by personnel from outside Australia, adding another layer of risk.
“The only way to guarantee Australian sovereignty is ensuring data is hosted in an Australian cloud, in an accredited Australian data centre, and is accessible only by Australian-based staff with appropriate government security clearances,” Mr Tudehope said.
“Taken alongside Minister Robert’s planned sovereign data policy, this guide opens new opportunities for Australian cloud service providers.”