Maksim Kabakou - stock.adobe.com

Australia issues new cloud computing guidelines

The new guidance, which comes after the expiry of the government’s cloud services certification programme, will help to bolster Australia’s cyber security resilience

The Australian Cyber Security Centre (ACSC) and the Digital Transformation Agency have released new cloud security guidelines to support the secure adoption of cloud services across government and industry.

Issued today, the guidance, which follows the expiry of the Cloud Services Certification Programme, covers a range of assessment criteria that includes the physical security of public cloud datacentres, data protection, and other cloud security controls.

Australia’s minister for defence, Linda Reynolds, said the new guidelines, which were co-designed with industry partners, would boost Australia’s cyber security resilience.

“The release of the new guidance coincides with today’s cessation of the Certified Cloud Services List [CCSL] which will open up the Australian cloud market, allowing more homegrown Australian providers to operate and deliver their services,” Reynolds said.

“This will provide opportunities for commonwealth, state and territory agencies to tap into a greater range of secure and cost-effective cloud services,” she added.

Stuart Robert, Australia’s minister for government services, said the new guidelines will “help and guide organisations to assess the suitability of a range of secure and cost-effective cloud service providers to securely handle their data and ultimately boost Australia’s cyber security resilience”.

In addition, the ACSC will enhance the Information Security Registered Assessors Programme (IRAP) to further support government and industry in implementing appropriate cloud security measures.

Read more about cyber security in Australia

To help agencies navigate these new requirements, Amazon Web Services (AWS) has released documentation to help plan, architect, and self-assess systems built on AWS.

In July 2020, AWS successfully completed its third IRAP assessment at the protected level for its Asia-Pacific Sydney region, and now has 92 protected services for the region.

Iain Rouse, country director for AWS public sector in Australia and New Zealand, said the changes to the Cloud Services Certification Programme creates an opportunity for Australian government agencies to strengthen their secure cloud skills, knowledge and resources to foster ongoing innovation.

“AWS provides government customers with the most comprehensive set of security services and features to help them protect and secure their data. Australian organisations in the AWS Partner Network are ready to play their part in accelerating digital innovation across Australian government agencies,” he said.

New guidelines welcome

Aidan Tudehope, managing director at Macquarie Government, said that although the company was disappointed by the decision to discontinue the CCSL certification regime, it welcomed the new guidelines.

“This is about more than simply the physical geographic location where data is stored,” he said. “Data sovereignty is about the legal authority that can be asserted over data because it resides in a particular jurisdiction or is controlled by a cloud service provider over which another jurisdiction extends.

“Data hosted in globalised cloud environments may be subject to multiple overlapping or concurrent jurisdictions as the debate about the reach of the US Cloud Act demonstrates. As the ACSC points out, globalised clouds are also maintained by personnel from outside Australia, adding another layer of risk,” said Tudehope.

“The only way to guarantee Australian sovereignty is ensuring data is hosted in an Australian cloud, in an accredited Australian data centre, and is accessible only by Australian-based staff with appropriate government security clearances. Taken alongside minister Robert’s planned sovereign data policy, this guide opens new opportunities for Australian cloud service providers.”

In early July 2020, Robert said the government will consider whether certain government datasets should be declared sovereign and only be hosted in Australia in an accredited local datacentre, across Australian networks and only accessed by the government and Australian service providers.

Read more on Cloud security