The joint announcement by ASD and DTA this week about the Cloud Services Certification Program (CSCP), including the related CCSL and IRAP arrangements, has met with some surprising ire from commentators.
While the decision to move to self-assessment of cloud services by Commonwealth agencies may require some agencies to improve their cyber assessment capabilities, there is reasonable agreement that previous arrangements were no longer fit for purpose.
Where it started
Understanding the history is useful.
Premised on a high intensity assessment of the security credentials of a relatively small number of prospective multi-tenanted IaaS cloud providers against Protective Security Policy Framework (PSPF) and ASD’s Information Security Manual (ISM) controls, ASD undertook to act as a ‘Certification Authority’ in lieu of individual agencies. This involved a review of the prospective provider’s IRAP assessment, further investigation of risks and establishment of a ‘list’ of ‘Certified Cloud Service Providers’. The aim was to support agencies in their internal risk assessment processes and provide them with a level of confidence in provider credentials. However, it was never intended that this process be a proxy for the ISM and PSPF requirement that responsibility for risk management and information governance of ICT systems, and of the underlying data, rests with the agency itself. This is, and has always been, the case.
As the cloud market matured, the formal remit of the program morphed to include both PaaS and SaaS services, and the number of providers seeking ASD as a Certification Authority increased significantly as a result. Unsurprisingly, the practical ability to sustain the Program (which included initial certification, reassessment of material changes and reaccreditation) proved challenging.
Further, gaps in the program, well understood at its establishment but never addressed, limited scalability. Sustainability was exacerbated by a lack of capacity and, quite frankly, capability across some within the IRAP assessor community. And finally, the credibility of the CCSL was undermined when the extensive residual risks associated with high profile certifications were made public, leading to confusion across buyers, suppliers, security professionals and even journalists as to what best practice could and should look like, and how such risks could be mitigated.
Point in time assessment
It is worth reiterating that ASD only ever provided a point in time assessment, with the onus on agencies to assess the residual risks outlined in the accreditation caveats and the requirement that they mitigate these to their satisfaction.
With confusion amplified by vendor claims, by operational context changes arising from data aggregation, and by government procurement processes that mandated a position on the CCSL (which excluded the majority of NIST defined IaaS, PaaS and SaaS providers), a wholesale overhaul was long overdue.
What now?
So, what now? The suggestion that these “new” arrangements will require cloud providers bidding for government contracts to satisfy the requirements of the government agency in question is naïve. As already stated, this has always been the case, with the role and responsibility of the agency and the CISO clearly defined.
The undertaking by ASD (also in the announcement this week) to expand and improve the IRAP community will be the critical issue for both agencies and cloud providers. Investment in the IRAP community will go a long way to ensuring the capability of IRAP assessors, including assurance that the artefacts they create can be trusted. This applies equally to assessors working for agencies and to those supplying cloud partners.
Finally, establishment of the Cloud Security Consultative Forum to assist execution of the new practical arrangements provides agencies and industry the opportunity to build a more robust, effective, efficient and scalable risk management approach, with greater security and quality assurance that actually meets the risk and security requirements of individual agencies.
One final and important point.
New arrangements will create a more transparent investment environment, thereby encouraging industry to make even bigger and broader investments in secure IaaS, PaaS and SaaS services in Australia. Consequently, Australian Governments can be assured that they will experience world leading innovative services at competitive prices with no lock-in.
Furthermore, commentators should not be fearful, as Australian investors and companies are more than capable of competing successfully in Australia against global companies and of using their success to underpin regional and global businesses alike. This has been assisted by the related advice and updated control within the ISM that appears to have passed unnoticed by many, which states:
Foreign owned service providers and offshore services
Outsourced information technology or cloud services located offshore may be subject to lawful and covert collection, without an organisation’s knowledge. Additionally, use of offshore services introduces jurisdictional risks as foreign countries’ laws could change with little warning. Finally, foreign owned service providers operating in Australia may be subject to a foreign government’s lawful access.
Security Control: 0873; Revision: 6; Updated: Mar-20; Applicability: O, P, S, TS
If using an outsourced information technology or cloud service, a service provider whose systems are located in Australia is used.
All this can be nothing but good news.