On 27 July 2020, following the closure of the Cloud Services Certification Program (CSCP) and the associated Certified Cloud Services List (CCSL), the Australian Cyber Security Centre (ACSC) and the Digital Transformation Agency (DTA) released new cloud security guidance co-designed with industry to support the secure adoption of cloud services.
The cloud security guidance aims to guide organisations, cloud service providers (CSPs) and Infosec Registered Assessors Program (IRAP) assessors on how to perform a comprehensive assessment of CSPs and their cloud services so a risk-informed decision can be made about their suitability to handle organisations' data.
Anatomy of a Cloud Assessment and Authorisation
The Anatomy of a Cloud Assessment and Authorisation is co-designed with industry to support the secure adoption of cloud services across government and industry.
Cloud Assessment and Authorisation – Frequently Asked Questions
This publication provides answers relating to frequently asked questions on the Australian Cyber Security Centre (ACSC)’s new cloud security guidance, future support, government self-assessment and cloud security assessment reports.
Cloud Computing Security Considerations
Cloud computing offers potential benefits including cost savings and improved business outcomes for organisations. However, there are a variety of information security risks that need to be carefully considered. Risks will vary depending on the sensitivity of the data to be stored or processed, and how the chosen cloud vendor (also referred to as a cloud service provider) has implemented their specific cloud services.
Cloud Computing Security for Cloud Service Providers
This publication is designed to assist assessors in validating the security posture of a cloud service, in order to provide organisations with independent assurance of the security claims made by Cloud Service Providers (CSPs). It can also assist CSPs in offering secure cloud services.
To assist with the assessment of CSPs and their cloud services, the Cloud Security Controls Matrix (CSCM) can be used by IRAP assessors to capture the implementation of security controls from the Australian Government Information Security Manual (ISM). The latest CSCM can be found on the webpage for the Australian Government Information Security Manual.
The CSCM provides indicative guidance on the scoping of cloud security assessments and on the inheritance of controls for systems under a shared responsibility model. This guidance is not definitive and should be interpreted by the assessor in the context of the system being assessed. Further, the CSCM's comments have generally been developed with reference to OFFICIAL: Sensitive and PROTECTED public clouds. This does not preclude their use for other types of cloud services, though additional scrutiny should be applied when relying on them in that case. Importantly, the CSCM also captures the ability of cloud consumers to implement security controls for systems built on top of the CSP's services, by identifying where the consumer is responsible for configuring the service in accordance with the ISM.
Finally, the DTA provides the Whole-of-Government Cloud Services Panel (CSP), a non-mandatory procurement mechanism to enable Commonwealth entities to procure cloud services. The CSP lists cloud service providers who have negotiated a contractual head agreement with the DTA for use by the whole of Australian Government.