Key Points:

Assessment, accreditation, and good governance will keep your cloud services as secure as possible.

Many public and private sector organisations around the world, including in Australia, are currently using cloud services to enable their business and this trend is likely to continue. You and the people around you also interact with cloud services, probably on a daily basis ‒ if you use online banking, social networks or email accounts such as Gmail or Hotmail, you are using cloud services.

Cloud computing has been defined as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (eg., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." Bypassing the technical language, cloud computing is essentially the delivery of computing services over the internet.

The widespread and constant use of cloud services means that substantial repositories of data are held in the cloud, and are therefore at risk of intrusion by cyber attackers.

Assessing the risks of cloud computing generally

The responsibility to mitigate risks associated with cloud computing is shared between the organisation (referred to as the "tenant organisation") and the Cloud Service Provider. However, ultimate responsibility for protecting data and ensuring its integrity, confidentiality and availability lies with the tenant organisation and its senior management.

Before using cloud services, tenant organisations should perform a risk assessment and implement relevant mitigation strategies to manage any financial, jurisdictional, legal, governance, data ownership, data sovereignty, privacy, technical and security risks.

Risks will vary between tenant organisations, depending on various factors such as:

  • the intended use of the cloud service;
  • how the cloud service will be implemented and managed;
  • the sensitivity of the data to be stored or processed;
  • the location of the cloud (in Australia or overseas); and
  • difficulties the tenant organisation will face in detecting and responding to incidents with its data.

Tenant organisations will also need to compare the risks associated with using a cloud service against those associated with using in-house or otherwise dedicated computer systems, such as inadequate security or capability.

Some points to consider include:

  • whether your data will reside onshore or offshore (and if so where) and therefore be subject to lawful access by a foreign government and/or laws;
  • your information will be stored in various separate locations, and multiple people will have access to it, increasing opportunities for it and your networks to be compromised;
  • cloud computing means multiple customers are hosted on the same infrastructure, also increasing the risks of unauthorised access or network compromise;
  • while you can include legal protections in your contract with your Cloud Service Provider, you cannot directly control all of the security measures ‒ some will become the responsibility of the Cloud Service Provider, even if they were previously visible to and controlled by you.

Assessing the risks of cloud computing for Government agencies: ASD certification

Every Australian Government agency contracting cloud computing services needs a security assessment and certification to achieve accreditation of an outsourced service. To streamline the process and avoid agencies working in isolation, the Australian Signals Directorate (ASD) is conducting certification activities.

Some cloud computing services have been awarded with ASD certification and Australian Government agencies contracting these services are advised to request the ASD Certification Letter and Report from the Cloud Service Provider. ASD Certification will help agencies to understand the information security risks when contracting cloud computing services but agencies should also perform their own due diligence reviews.

What are some key risks of cloud computing and what can you do to mitigate them?

Your tenant organisation fails to maintain and protect the confidentiality, integrity and availability of its data

To mitigate this risk, even if you are a private sector organisation you could use a cloud service:

  • that has been assessed and endorsed by the ASD Information Registered Assessors Program; and/or
  • that has been certified and accredited against the ASD Information Security Manual at the appropriate classification level.

Data compromised in transit by a malicious third party

You could use cryptographic controls that have been approved by ASD to protect data moving between your tenant organisation and the Cloud Service Provider and data at rest on storage media in transit via post/courier, for example when transferring data as part of on-boarding or off-boarding employees.

Cloud service account credentials compromised by a malicious third party

To mitigate this risk, you could use a secured computer, multi-factor authentication security access control, a robust passphrase, limit access to the minimal level possible, and encrypt network traffic.

You could also obtain and analyse time-synchronised logs and real-time alerts for your tenant organisation's cloud service accounts which are used to access and administer the cloud service.

It is also important to protect authentication credentials ‒ so avoid using Application Programming Interface authentication keys on unsecured computers or in source code software that is accessible by unauthorised third parties.