First published: 18 Dec 2014
Last updated: 18 Jan 2024

Content written for: Small & medium business; Large organisations & infrastructure; Government

Introduction

This publication is designed to assist Cloud Service Providers (CSPs) in offering secure cloud services. It can also assist assessors in validating the security posture of a cloud service, which is often verified through an Infosec Registered Assessors Program (IRAP) assessment of the CSP services.

An organisation’s cyber security team, cloud architects and business representatives should refer to the companion Cloud Computing Security for Tenants publication.

Cloud computing as defined in National Institute of Standards and Technology (NIST) Special Publication 800-145, The NIST Definition of Cloud Computing, offers organisations potential benefits such as improved business outcomes.

Mitigating the risks associated with using cloud services is a responsibility shared between the organisation (referred to as the ‘tenant’) and the Cloud Service Provider (referred to as the ‘CSP’), including their subcontractors. However, organisations are ultimately responsible for protecting their data and ensuring its confidentiality, integrity and availability.

Organisations need to perform a risk assessment and implement associated mitigations before using cloud services. Risks vary depending on factors such as the sensitivity and criticality of data to be stored, processed and communicated; how the cloud service is implemented and managed; how the organisation intends to use the cloud service; and challenges associated with the organisation performing timely cyber security incident detection and response. Organisations need to compare these risks against an objective risk assessment of using in-house computer systems which might be poorly secured, have inadequate availability or be unable to meet modern business requirements.

The scope of this publication covers Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), provided by a CSP as part of a public cloud, community cloud and, to a lesser extent, a hybrid cloud or outsourced private cloud.

This publication focuses on the use of cloud services for storing or processing sensitive and highly sensitive data. For Commonwealth entities, and for the purposes of this publication, sensitive data is defined as OFFICIAL: Sensitive. Highly sensitive data is defined as data classified as PROTECTED. Additionally, this publication can assist with mitigating risks to the availability and integrity of non-sensitive data, defined for Commonwealth entities as unclassified publicly releasable data. Mitigations are listed in no particular order of prioritisation.

Cloud Computing Security for Cloud Service Providers

Most Effective Risk Mitigations Generally Relevant to All Types of Cloud Services

| Risk | Reference | Mitigations |
| --- | --- | --- |
| Overarching failure to maintain the confidentiality, integrity and availability of the tenant’s data | 1 - General | Assess the cloud service and underlying infrastructure (explicitly addressing mitigations in this publication) by an IRAP assessor against the ISM at least every 24 months at the appropriate classification level required to handle the tenant’s data.[1] |
| | 2 - General | Implement security governance involving senior management directing and coordinating security-related activities including robust change management, as well as having technically skilled staff in defined security roles. |
| | 3 - General | Implement and annually test a cyber security incident response plan providing the tenant with emergency contact details, the ability to access normally inaccessible forensic evidence and notification of cyber security incidents. |
| Tenant’s data compromised in transit by malicious third party | 4 - General | Support and use ASD approved cryptographic controls to protect data in transit between the tenant and the CSP e.g. application layer TLS or IPsec VPN with approved algorithms, key length and key management. |
| | 5 - General | Use ASD approved cryptographic controls to protect data in transit between the CSP’s data centres over insecure communication channels such as public internet infrastructure. |
| | 6 - General | Support and use ASD approved cryptographic controls to protect data at rest on storage media in transit via post/courier between the tenant and the CSP when transferring data as part of on-boarding or off-boarding. |
| Tenant’s cloud service account credentials compromised by malicious third party [2] [3] [4] [5] [6] | 7 - General | Provide Identity and Access Management e.g. multi-factor authentication and account roles with varying privileges for the tenant to use and administer the cloud service via the CSP’s website control panel and API.[7] |
| | 8 - General | Support and use ASD approved cryptographic controls to protect credentials and administrative activity in transit when the tenant uses and administers the cloud service via the CSP’s website control panel and API. |
| | 9 - General | Enable the tenant to download detailed time-synchronised logs and obtain real-time alerts generated for the tenant’s cloud service accounts used to access, and especially to administer, the cloud service. |
| Tenant’s data compromised by malicious CSP staff or malicious third party | 10 - General | Enable the tenant to download detailed time-synchronised logs and obtain real-time alerts generated by the cloud service used by the tenant e.g. operating system, web server and application logs. |
| | 11 - General | Disclose the countries and legal jurisdictions where tenant data is (or will be in the coming months) stored, backed up, processed and accessed by CSP staff for troubleshooting, remote administration and customer support. |
| | 12 - General | Perform background checks of CSP staff commensurate with their level of access to systems and data. Maintain security clearances for staff with access to highly sensitive data.[8] |
| | 13 - General | Use physically secure data centres and offices that store tenant data or that can access tenant data.[9] Verify and record the identity of all staff and visitors. Escort visitors to mitigate them accessing data without authorisation. |
| | 14 - General | Restrict CSP staff privileged access to systems and data based on their job tasks.[10] Require re-approval every three months for CSP staff requiring privileged access. Revoke access upon termination of CSP staff employment. |
| | 15 - General | Promptly analyse logs of CSP staff actions that are logged to a secured and isolated log server. Implement separation of duties by requiring log analysis to be performed by CSP staff who have no other privileges or job roles. |
| | 16 - General | Perform a due diligence review of suppliers before obtaining software, hardware or services, to assess the potential increase to the CSP’s security risk profile. |
| | 17 - General | Use ASD approved cryptographic controls to protect highly sensitive data at rest. Sanitise storage media prior to repair, disposal, and tenant off-boarding with a non-disclosure agreement for data in residual backups. |
| Tenant’s data compromised by another malicious/compromised tenant [11] [12] [13] [14] | 18 - General | Implement multi-tenancy mechanisms to prevent the tenant’s data being accessed by other tenants. Isolate network traffic, storage, memory and computer processing. Sanitise storage media prior to its reuse. |
| Tenant’s data unavailable due to corruption, deletion, or CSP terminating the account/service [15] | 19 - General | Enable the tenant to perform up-to-date backups in a format that avoids CSP lock-in. If an account or cloud service is terminated, immediately notify the tenant and provide them with at least a month to download their data. |
| Tenant’s data unavailable or compromised due to CSP bankruptcy or other legal action | 20 - General | Contractually ensure that the tenant retains legal ownership of their data. |
| Cloud service unavailable due to CSP’s inadequate network connectivity | 21 - General | Support adequately high bandwidth, low latency, reliable network connectivity between the tenant and the cloud service to meet the contracted level of availability required by the tenant. |
| Cloud service unavailable due to CSP error, planned outage, failed hardware or act of nature | 22 - General | Architect to meet the contracted level of availability required by the tenant e.g. minimal single points of failure, clustering and load balancing, data replication, automated failover and real-time availability monitoring. |
| | 23 - General | Develop and annually test a disaster recovery and business continuity plan to meet the contracted level of availability required by the tenant, e.g. enacted for cyber security incidents that cause enduring loss of CSP staff or infrastructure. |
| Cloud service unavailable due to genuine spike in demand or bandwidth/CPU denial of service | 24 - General | Implement denial of service mitigations to meet the contracted level of availability required by the tenant e.g. redundant high bandwidth external and internal network connectivity with traffic throttling and filtering. |
| | 25 - General | Provide infrastructure capacity and responsive automated scaling to meet the contracted level of availability required by the tenant. |
| Financial consequences of a genuine spike in demand or bandwidth/CPU denial of service | 26 - General | Enable the tenant to manage the cost of a genuine spike in demand or denial of service via contractual spending limits, real-time alerts, and configurable maximum limits for their use of the CSP’s infrastructure capacity. |
| CSP’s infrastructure compromised by malicious tenant or malicious third party | 27 - General | Use corporately approved and secured computers, jump servers, dedicated accounts, strong passphrases and multi-factor authentication, to provide customer support and administer cloud services and infrastructure. |
| | 28 - General | Use ASD approved cryptographic controls to protect credentials and administrative activity in transit over insecure communication channels between the CSP’s data centre and CSP administrator / customer support staff. |
| | 29 - General | Implement network and application segmentation and segregation between the internet, CSP infrastructure used by tenants, the network that the CSP uses to administer cloud services and infrastructure, and the CSP’s corporate LAN.[16] [17] [18] |
| | 30 - General | Utilise secure programming practices for software developed by the CSP and consider secure-by-design and secure-by-default principles.[19] [20] [21] [22] [23] [24] |
| | 31 - General | Perform secure configuration, ongoing vulnerability management, prompt patching, annual third party security reviews and penetration testing of cloud services and underlying infrastructure. |
| | 32 - General | Train all CSP staff, especially by providing privileged user training for administrators, on commencement of employment and annually, to protect tenant data, maintain cloud service availability, and proactively identify cyber security incidents. |

Most Effective Risk Mitigations Particularly Relevant to IaaS

| Risk | Reference | Mitigations |
| --- | --- | --- |
| Tenant’s Virtual Machine (VM) compromised by malicious third party [25] | 1 - IaaS | Provide network access controls enabling the tenant to implement network segmentation and segregation, including a network filtering capability to disallow remote administration of their VMs except from their IP address.[26] |
| | 2 - IaaS | Provide the tenant with securely configured and patched VM template images. Avoid assigning a weak administrative passphrase to newly provisioned VMs. |

Most Effective Risk Mitigations Particularly Relevant to PaaS

| Risk | Reference | Mitigations |
| --- | --- | --- |
| Tenant’s data compromised by malicious third party | 1 - PaaS | Harden and securely configure operating system, web server and platform software. Limit inbound and outbound network connectivity to only required ports/protocols. Promptly perform patching and log analysis. |

Most Effective Risk Mitigations Particularly Relevant to SaaS

| Risk | Reference | Mitigations |
| --- | --- | --- |
| Tenant’s data compromised by malicious third party | 1 - SaaS | Implement controls specific to the cloud service e.g. for email delivered as a service, provide features including content filtering with automated dynamic analysis of emails and email attachments. |
| | 2 - SaaS | Implement general controls e.g. limited inbound and outbound network connectivity/web application firewalls to only required ports/protocols, antivirus software updated daily, intrusion prevention systems and prompt log analysis.[27] |

Further information

The Information Security Manual is a cyber security framework that organisations can apply to protect their systems and data from cyber threats. The advice in the Strategies to Mitigate Cyber Security Incidents, along with its Essential Eight, complements this framework.

Contact details

If you have any questions regarding this guidance you can write to us or call us on 1300 CYBER1 (1300 292 371).