About the Strategy
In 2021, the DTA updated the ‘Frameworks and practices’ section of the Strategy to align with the ACSC. In this month’s DTIG we’re going to focus on these updates and revisit the Secure Cloud Strategy given the ever-increasing importance of both cloud and security in the government environment.
Frameworks and practices
The updated section of the Secure Cloud Strategy includes six main topics:
- Cloud security considerations
- Hosting and data considerations
- Cloud service procurement
- Cloud Common Assessment Framework
- Responsibilities model
Cloud security considerations
Cloud security considerations focuses on Australia’s risk protection framework, specifically the Protective Security Policy Framework (PSPF) and the Information Security Manual (ISM). It’s through these frameworks that technology services are authorised for government use. Cloud services are generally assessed by an IRAP assessor, and government information systems are usually granted an Authority to Operate by an authorising officer in the agency. In this way, agencies have autonomy in their security decisions. The Authority to Operate indicates that security mitigations are in place.
Finally, this section outlines the ACSC documentation available to agencies, specifically:
The DTA recommends risk assessments address the ISM security controls.
Hosting and data considerations
This section also includes one of the original initiatives, “Implement a layered certification model”.
Cloud service procurement
This section also includes one of the original initiatives, “Create a dashboard to show service status for adoption, compliance status and services panel status and pricing”.
Cloud Common Assessment Framework
The Cloud Common Assessment Framework provides a standardised approach to cloud, focusing on making sure it’s suitable for government use. The framework enables a consistent approach to cloud assessments and allows assessments to be reused.
This section also includes one of the original initiatives, “Create and publish cloud service qualities baseline and assessment capability”.
Responsibilities model
The responsibilities model focuses on the governance required around cloud services, including a clear understanding of provider responsibilities and agency responsibilities. The Strategy also refers people to the ACSC publication for more information on shared responsibilities.
This section includes one of the original initiatives, “Build a cloud responsibility model supported by a cloud contracts capability”.
A reminder of the seven principles
One of the key takeaways from the Strategy is the seven principles that agencies should follow in terms of cloud security. While they were covered in our original blog, they’re worth repeating here:
- Make risk-based decisions when applying cloud security
- Design services for the cloud
- Use public cloud services as the default
- Use as much of the cloud as possible
- Avoid customisation and use services ‘as they come’
- Take full advantage of cloud automation practices
- Monitor the health and usage of services in real time
Salsa Digital’s take
The Secure Cloud Strategy is an important document that ensures government agencies using cloud services are maintaining the appropriate levels of security. This is becoming increasingly important as more agencies adopt cloud services, coupled with the increased need for cyber security.