About the Strategy
In 2018 we did a detailed review of the DTA’s Secure Cloud Strategy, focusing on the seven principles and eight initiatives (read our blog on the Secure Cloud Strategy).
In 2021, the DTA updated the ‘Frameworks and practices’ section of the Strategy to align it with the ACSC. In this month’s DTIG we focus on these updates and revisit the Secure Cloud Strategy, given the ever-increasing importance of both cloud and security in the government environment.
You can also download the full Secure Cloud Strategy.
Frameworks and practices
The updated section of the Secure Cloud Strategy includes six main topics:
- Cloud security considerations
- Hosting and data considerations
- Cloud service procurement
- Cloud Common Assessment Framework
- Responsibilities model
Cloud security considerations
Cloud security considerations focuses on Australia’s risk protection framework, specifically the Protective Security Policy Framework (PSPF) and the Information Security Manual (ISM). It’s through these frameworks that technology services are authorised for government use. Cloud services are generally assessed by an IRAP assessor, and government information systems are usually granted an Authority to Operate by an authorising officer in the agency. In this way, agencies retain autonomy over their security decisions. The Authority to Operate indicates that the required security mitigations are in place.
Finally, this section outlines the ACSC documentation available to agencies, specifically:
- The Anatomy of a Cloud Assessment and Authorisation
- Cloud Security Assessment Report Template
- Cloud Security Controls Matrix
The DTA recommends risk assessments address the ISM security controls.
Hosting and data considerations
The hosting and data section refers to the Hosting Certification, which was developed to support the Hosting and to help securely manage government systems and data.
This section also includes one of the original initiatives, “Implement a layered certification model”.
Cloud service procurement
Cloud service procurement focuses on the Cloud Services Panel; however, it includes an update noting that the Cloud Services Panel was replaced by the Cloud in April 2021.
This section also includes one of the original initiatives, “Create a dashboard to show service status for adoption, compliance status and services panel status and pricing”.
Cloud Common Assessment Framework
The Cloud Common Assessment Framework provides a standardised approach to cloud, focusing on making sure it’s suitable for government use. The framework enables a consistent approach to cloud assessments and allows assessments to be reused.
The framework itself is presented as a diagram in the Secure Cloud Strategy. It covers cloud quality, including what’s being measured, how it’s being measured and how it meets the measure.
This section also includes one of the original initiatives, “Create and publish cloud service qualities baseline and assessment capability”.
Responsibilities model
The responsibilities model focuses on the governance required around cloud services, including a clear understanding of provider responsibilities and agency responsibilities. The Strategy also refers readers to the ACSC publication, The Anatomy of a Cloud Assessment and Authorisation, for more information on shared responsibilities.
This section includes one of the original initiatives, “Build a cloud responsibility model supported by a cloud contracts capability”.
A reminder of the seven principles
One of the key takeaways from the Strategy is the seven principles that agencies should follow for cloud security. Although they were covered in our original blog, they’re worth repeating here:
- Make risk-based decisions when applying cloud security
- Design services for the cloud
- Use public cloud services as the default
- Use as much of the cloud as possible
- Avoid customisation and use services ‘as they come’
- Take full advantage of cloud automation practices
- Monitor the health and usage of services in real time
You can read our original blog on the Secure Cloud Strategy or download the full Strategy for more information on these principles.
Salsa Digital’s take
The DTA’s Secure Cloud Strategy is an important document that helps ensure government agencies using cloud services maintain the appropriate levels of security. This is becoming increasingly important as more agencies adopt cloud services and the need for cyber security grows.