The Australian Cyber Security Centre (ACSC) and the Digital Transformation Agency (DTA) have released new Cloud Security Guidance to support the secure adoption of cloud services across government and industry.
Minister for Defence Linda Reynolds said the new guidance, which has been co-designed with industry partners, will boost Australia’s cyber security resilience.
“The release of the new guidance coincides with today’s cessation of the Certified Cloud Services List (CCSL) which will open up the Australian cloud market, allowing more homegrown Australian providers to operate and deliver their services,” Minister Reynolds said.
“This will provide opportunities for Commonwealth, State and Territory agencies to tap into a greater range of secure and cost-effective cloud services.”
Macquarie Government Managing Director Aidan Tudehope said he remains 'disappointed' by the discontinuation of CCSL certification but nonetheless welcomes the new guidance.
"While we remain disappointed by the decision to discontinue the CCSL certification regime, we welcome the ACSC’s new guide today for government departments to assess the security and risks of cloud service providers," Tudehope said. "This is about more than simply the physical geographic location where data is stored. Data sovereignty is about the legal authority that can be asserted over data because it resides in a particular jurisdiction, or is controlled by a cloud service provider over which another jurisdiction extends.
"Data hosted in globalised cloud environments may be subject to multiple overlapping or concurrent jurisdictions as the debate about the reach of the US CLOUD Act demonstrates. As the ACSC points out, globalised clouds are also maintained by personnel from outside Australia, adding another layer of risk.
"The only way to guarantee Australian sovereignty is ensuring data is hosted in an Australian cloud, in an accredited Australian data centre, and is accessible only by Australian-based staff with appropriate government security clearances. Taken alongside Minister Robert’s planned sovereign data policy, this guide opens new opportunities for Australian cloud service providers."
Minister for Government Services, Stuart Robert said the ACSC and DTA worked closely with industry to develop the new guidelines.
“Having been co-designed with industry, this will help and guide organisations to assess the suitability of a range of secure and cost effective cloud service providers to securely handle their data and ultimately boost Australia’s cyber security resilience,” Minister Robert said.
In addition, the ACSC will grow and enhance the Information Security Registered Assessors Program (IRAP) to further support government and industry in implementing appropriate cloud security measures and increase their cyber security resilience.