DTA Secure Cloud Strategy — cyber security update

Digital Transformation in Government #131

Article summary: Late last year, the Digital Transformation Agency (DTA) updated its Secure Cloud Strategy to specifically align with the Australian Cyber Security Centre (ACSC). The updated section covers frameworks and practices, such as cloud security considerations, procuring cloud services and a common assessment framework.

On this page:

Date:
15 June 2022
Author:
Phillipa Martin

About the Strategy

In 2018 we did a detailed review of the DTA’s Secure Cloud StrategyExternal Link , focusing on the seven principles and eight initiatives (read our blog on the Secure Cloud StrategyExternal Link ).

In 2021, the DTA updated the ‘Frameworks and practices' section of the Strategy to align with the ACSC. In this month’s DTIG we’re going to focus on these updates and revisit the Secure Cloud Strategy given the ever-increasing importance of both cloud and security in the government environment.

You can also download the full Secure Cloud StrategyExternal Link .

Frameworks and practices

The updated section of the Secure Cloud Strategy includes six main topics:

  1. Cloud security considerations
  2. Hosting and data considerations
  3. Cloud service procurement
  4. Dashboard
  5. Cloud Common Assessment Framework
  6. Responsibilities model

Cloud security considerations

Cloud security considerations focuses on Australia’s risk protection framework, specifically the Protective Security Policy FrameworkExternal Link (PSPF) and Information Security ManualExternal Link (ISM). It’s through these frameworks that tech services are authorised for government use. Cloud services are generally assessed by an IRAP assessor, and government information systems are usually granted an Authority to Operate by an authorising officer in the agency. In this way, agencies have autonomy in their security decisions. The Authority to Operate indicates that security mitigations are in place.

Finally, this section outlines the ASCS documentation available to agencies, specifically:

The DTA recommends risk assessments address the ISM security controls.

Hosting and data considerations

The hosting and data section refers to the Hosting Certification FrameworkExternal Link , which was developed to support the Hosting StrategyExternal Link and to help securely manage government systems and data.

This section also includes one of the original initiatives, “Implement a layered certification model”.

Cloud service procurement

Cloud service procurement focuses on the Cloud Services Panel, however it includes an update that the Cloud Services Panel was replaced by the Cloud MarketplaceExternal Link in April 2021.

Dashboard

This section calls for transparency across cloud services in terms of use, cost and certification. This will allow agencies to conduct better risk assessments of cloud services. It will also drive competition in the marketplace.

This section also includes one of the original initiatives, “Create a dashboard to show service status for adoption, compliance status and services panel status and pricing”.

Cloud Common Assessment Framework

The Cloud Common Assessment Framework provides a standardised approach to cloud, focusing on making sure it’s suitable for government use. The framework enables a consistent approach to cloud assessments and allows assessments to be reused.

The framework itself is presented as a diagram in the Secure Cloud StrategyExternal Link . It covers cloud quality, including what’s being measured, how it’s being measured and how it meets the measure.

This section also includes one of the original initiatives, “Create and publish cloud service qualities baseline and assessment capability”.

Responsibilities model

The responsibilities model focuses on the governance required around cloud services, including a clear understanding of provider responsibilities and agency responsibilities. The Strategy also refers people to the ACSC publication, The Anatomy of a Cloud Assessment and AuthorisationExternal Link for more information on shared responsibilities.

This section includes one of the original initiatives, “Build a cloud responsibility model supported by a cloud contracts capability”.

A reminder of the seven principles

One of the key takeaways from the Strategy is the seven principles that agencies should follow in terms of cloud security. While they were covered in our original blog, they’re worth repeating here:

  1. Make risk-based decisions when applying cloud security
  2. Design services for the cloud
  3. Use public cloud services as the default
  4. Use as much of the cloud as possible
  5. Avoid customisation and use services ‘as they come’
  6. Take full advantage of cloud automation practices
  7. Monitor the health and usage of services in real time

You can read our original blog on the Secure Cloud StrategyExternal Link or download the full StrategyExternal Link for more information on these principles.

Salsa Digital’s take

The DTA’s Secure Cloud StrategyExternal Link is an important document that ensures government agencies using cloud services are maintaining the appropriate levels of security. This is becoming increasingly important as more agencies adopt cloud services, coupled with the increased need for cyber security.