Australian intelligence agency Defence Signals Directorate (DSD) has urged government agencies to conduct a risk assessment to determine the viability of Cloud computing technology before jumping head first.
The 18-page document (PDF), released this week, recommended risk assessments of the technology weigh up whether the agency is prepared to trust its reputation, business continuity, and data to a vendor that could potentially transmit, store and process the agency’s data insecurely.
DSD also urged agencies to consider which offshore location data is stored, backed up and processed in, which country hosts the failover or redundant data centre and whether or not the vendor will notify the agency of any change in this area. To mitigate against major data sovereignty concerns, agencies were urged to opt for locally owned vendors or foreign vendors located within Australia that store and manage sensitive data within the country. Agencies were also asked to question vendors on whether data is stored or processed in the cloud as classified, sensitive, private or publicly available.
“The contract between a vendor and their customer must address mitigations to governance and security risks, and cover who has access to the customer’s data and the security measures used to protect the customer’s data,” the document reads. “Vendor’s responses to important security considerations must be captured in the Service Level Agreement or other contract, otherwise the customer only has vendor promises and marketing claims that can be hard to verify and may be unenforceable.”
Should agencies adopt the advisory, they would be required to allocate additional funds to maintain up-to-date backup copies of data and consider additional replication of data or business functionality with a second vendor for redundancy.
Should sensitive data be accidentally placed in the Cloud, or “spilled”, agencies should be aware of what action the vendor can take to permanently delete the data using forensic sanitisation techniques, whether the storage portion will be zeroed once this occurs or if not, how long it will take to overwrite the deleted data.
The directorate's recommendations come as the Australian Government this week finalised its Cloud computing strategy, one it had began to explore at the beginning of the year following traditional aversion to the technologies. Local vendors like Telstra have also begun to push their own service to government agencies in hopes of capitalising on a softening approach to the capability.
The full list of Cloud computing security considerations from the directorate:
- My data or functionality to be moved to the cloud is not business critical
- I have reviewed the vendor’s business continuity and disaster recovery plan
- I will maintain an up to date backup copy of my data
- My data or business functionality will be replicated with a second vendor
- The network connection between me and the vendor’s network is adequate
- The Service Level Agreement (SLA) guarantees adequate system availability
- Scheduled outages are acceptable both in duration and time of day
- Scheduled outages affect the guaranteed percentage of system availability
- I would receive adequate compensation for a breach of the SLA or contract
- Redundancy mechanisms and offsite backups prevent data corruption or loss
- If I accidentally delete a file or other data, the vendor can quickly restore it
- I can increase my use of the vendor’s computing resources at short notice.
- I can easily move my data to another vendor or inhouse
- I can easily move my standardised application to another vendor or inhouse
- My choice of cloud sharing model aligns with my risk tolerance
- My data is not too sensitive to store or process in the cloud
- I can meet the legislative obligations to protect and manage my data
- I know and accept the privacy laws of countries that have access to my data
- Strong encryption approved by DSD protects my sensitive data at all times
- The vendor suitably sanitises storage media storing my data at its end of life
- The vendor securely monitors the computers that store or process my data
- I can use my existing tools to monitor my use of the vendor’s services
- I retain legal ownership of my data (20i)
- The vendor has a secure gateway environment
- The vendor’s gateway is certified by an authoritative third party
- The vendor provides a suitable email content filtering capability
- The vendor’s security posture is supported by policies and processes
- The vendor’s security posture is supported by direct technical controls
- I can audit the vendor’s security or access reputable third party audit reports
- The vendor supports the identity and access management system that I use
- Users access and store sensitive data only via trusted operating environments
- The vendor uses endorsed physical security products and devices
- The vendor’s procurement process for software and hardware is trustworthy
- The vendor adequately separates me and my data from other customers
- Using the vendor’s cloud does not weaken my network security posture
- I have the option of using computers that are dedicated to my exclusive use
- When I delete my data, the storage media is sanitised before being reused
- The vendor does not know the password or key used to decrypt my data
- The vendor performs appropriate personnel vetting and employment checks
- Actions performed by the vendor’s employees are logged and reviewed.
- Visitors to the vendor’s data centres are positively identified and escorted.
- Vendor data centres have cable management practices to identify tampering
- Vendor security considerations apply equally to the vendor’s subcontractors
- The vendor is contactable and provides timely responses and support
- I have reviewed the vendor’s security incident response plan
- The vendor’s employees are trained to detect and handle security incidents
- The vendor will notify me of security incidents
- The vendor will assist me with security investigations and legal discovery
- I can access audit logs and other evidence to perform a forensic investigation
- I receive adequate compensation for a security breach caused by the vendor
- Storage media storing sensitive data can be adequately sanitised.
Follow Chloe Herrick on Twitter: @chloe_CW
Follow Computerworld Australia on Twitter: @ComputerworldAU