Cloud computing offers potential benefits including cost savings and improved business outcomes for organisations. However, there are a variety of information security risks that need to be carefully considered. Risks will vary depending on the sensitivity of the data to be stored or processed, and how the chosen cloud vendor (also referred to as a cloud service provider) has implemented their specific cloud services.
This discussion paper assists organisations in performing a risk assessment to determine the viability of using cloud computing services. It provides an overview of cloud computing and its associated benefits. Most importantly, it provides a list of thought-provoking questions to help organisations understand the risks that need to be considered when using cloud computing. Developing a risk assessment helps senior business representatives make an informed decision as to whether cloud computing is currently suitable to meet their business goals with an acceptable level of risk. The questions in this document address the following topics:
- availability of data and business functionality
- protecting data from unauthorised access
- handling security incidents.
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) strongly encourages both senior managers and technical staff to work through this list of questions together. The questions are intended to provoke discussion and help organisations identify and manage relevant information security risks associated with the evolving field of cloud computing. In particular, the risk assessment needs to seriously consider the potential risks involved in handing over control of your data to an external vendor. Risks may increase if the vendor operates offshore.
This document complements the advice on cloud computing in the Australian Government Information Security Manual (ISM). The ACSC recommends against outsourcing information technology services and functions outside of Australia, unless organisations are dealing with data that is all publicly available. The ACSC strongly encourages organisations to choose either a locally owned vendor or a foreign owned vendor that is located in Australia and stores, processes and manages sensitive data only within Australian borders. Note that foreign owned vendors operating in Australia may be subject to foreign laws such as a foreign government’s lawful access to data held by the vendor.