[LINK] Abolition of the Australian Signals Directorate’s centralised cloud services certification program

[Stephen Loosley]

ASD warned cloud accreditation U-turn jeopardises security, adoption

Service providers, IT industry body concerned by deregulation.

By Justin Hendry  Mar 5 2020
https://www.itnews.com.au/news/asd-warned-cloud-accreditation-u-turn-jeopardises-security-adoption-538913


The abolition of the Australian Signals Directorate’s centralised cloud services certification program (CSCP) has surfaced very real concerns over the future security of government data and the impact on public sector cloud adoption rates.

The policy U-turn was revealed on Monday after an independent review recommended closing the program from July and creating “new co-designed cloud security guidelines with industry”.

The ASD and Digital Transformation Agency are expecting the change to “open up the Australian cloud market” and give agencies a “greater range of secure and cost-effective cloud services”.

But the move to effectively deregulate how cloud services are accredited for government has been met with mixed reaction by cloud providers and the broader IT industry.

While the CSCP and the accompanying certified cloud service list (CCSL) was by no means perfect, having created bottlenecks and confusion, it had become the trusted benchmark for government cloud services.

Moving to a scheme of self-regulation, where agencies are responsible for their own cloud security assessments based on advice, could become equally difficult to traverse.

And if agency compliance with the cyber security components of the protective security policy framework is anything to go by, such a change could risk the security of government data.

It comes at a time when cyber security threats are increasing and government trust is at an all-time low.

This is recognised by the Australian Information Industry Association, which is concerned that ASD ceasing cloud security assessments may impact government cloud adoption.

The industry body is worried that the shift “may cause confusion” amongst agencies, who will now become responsible for their own cloud security assessments.

“The mixed ability for small and even larger government agencies to conduct cyber threat risk assessments may lead to risk adverse behaviours due to a lack of cyber skills in agencies resulting in a decline in adoption of latest cloud technologies and digital services.”

This concern, particularly around cyber security, is shared by a number of cloud providers who have been accredited to carry protected Australian government data.

Vault Cloud, which was one of the first providers to gain protected-level certification in 2017, considers regulation necessary requirement for cloud services that hold sensitive government data.

It is one of only six cloud providers to have been certified to a protected level to date. Other providers include Amazon Web Services, Microsoft, Macquarie Government, Sliced Tech and NTT Australia.

CEO Rupert Taylor-Price told iTnews the decision was significant, with the ASD certification process pivotal to Vault Cloud increasing its security posture over the last seven years.

“The cyber threat that Australia faces has never been greater, the role ASD has played in protecting the sensitive and personal data the government holds cannot be overstated,” he said.

“Going forward as an industry we need to deliver a level of security that citizens can continue to trust.”

Macquarie Government managing director Aidan Tudehope said the program had helped and encouraged agencies to adopt cloud services by placing a “spotlight on cyber security".

“It basically forced the cloud providers to look at themselves and for them to be assessed against the Australian government’s information security manual,” he told iTnews.

“Not against their own benchmarks, not against whatever they felt like was the right hurdle, but against what the Australian government needed and required.

Tudehope said the challenge for government now was determining what the new “new benchmark” will look like.

But he said this could be particularly problematic for smaller agencies, which don’t necessarily have extensive cyber experience.

“There are a lot of providers out there talking about cyber security and how they’re secure, but no benchmark now as how to assess them,” Tudehope said.

Sliced Tech echoed Tudehope’s concerns, suggesting that there is “considerable work to be undertaken within agencies to understand the ramifications of these ASD changes”.

“Sliced Tech looks forward to greater communication, guidance and support to both agencies and industry to reduce possible confusion during this transitionary period,” it said.

But it also believes that strengthening the IRAP assessor program will “ensure greater confident in the program and further drive enablement of cloud services adoption within government agencies”.

Other protected-level certified cloud providers like Microsoft were less perturbed by the change, despite only emerging from the onerous cloud certification process less than two years ago.

“Microsoft welcomes the certainty around government cloud assurance arrangements that the announcement from ASD and DTA provide,” a Microsoft spokesperson said.

“Microsoft is committed to continuing to undertake IRAP assessments of our services to support agencies to meet their requirements under the government information security manual and to appropriately access and manage risk in their adoption of cloud services.”

SAP and Equinix, who aren't present on the CCSL and stand to benefit from the changes, welcomed the decision.

"The announcement is a positive step towards addressing long standing concerns that previous arrangements hindered the government and the public’s ability to benefit from cloud services offered by a broader range of providers,“ SAP said.

Equinix Australia public sector head Derek Paterson said the decision will have an “extremely positive impact on the industry and accelerate the government’s digital transformation journey“.