A decade ago, data lived on physical servers you owned and security was controlled by software you ran yourself. It was easier to manage. Cloud adds mobility, flexibility and cost-optimized solutions for your data, but the rules of data security become more complex.
Cloud data security is the combination of technology solutions, policies, and procedures that you implement to protect cloud-based applications and systems, along with the associated data and user access.
If you are providing services to the Government, you will almost certainly need to ensure your Cloud Provider can guarantee that both your data and all the associated metadata, analytics and monitoring data will remain in Australia, on infrastructure owned and managed by Australian citizens.
- Do you know where your data goes – including the metadata, the monitoring data and the derived data?
- Is your Cloud Provider subject to extra-territorial jurisdictional (i.e., non-Australian) laws?
- Can a foreign government or authority request access to your data from your Cloud Provider without your consent, or even your knowledge?
- Will all the service and support from your Cloud Provider (and their staff who have access to any of your data) be provided from within Australia by Australian citizens operating only under Australian law?
The relationship between you and your Cloud Provider is more than the sum of the commercial contracts and the technical agreements. It is based on trust around delivering confidentiality, integrity and availability of the service and related data combined with understanding of the relative roles and responsibilities.
- Do you know, and are you confident in, the maturity of your Provider’s security operations and governance processes?
- Are the roles and responsibilities of you and your Cloud Provider documented and clear?
- Have you checked that user access and activity are fully auditable? Relevant certifications (e.g., ISO 27001) are a good indicator that the Cloud Provider is committed to best practice in information security, especially where the certification applies across all aspects of the organization: end-to-end development, management, operation and security of information systems and infrastructure, as well as service delivery.
- What certifications does your Cloud Provider hold that give you confidence they can meet your information security, privacy and operational service delivery needs?
- If your provider is selling their capability based on non-Australian reference cases and attestation, are they capable of exact replication of the infrastructure, processes and people in Australia?
- How else is your Cloud Provider demonstrating compliance with any mandatory or regulatory infrastructure, security and privacy requirements (e.g. the ISM, PSPF, IRAP)?
The nature of your service, or of the data you have access to, may subject you to specific data classification security requirements.
- Can your Cloud Provider meet your needs and accommodate you if there are any changes?
- Has your Cloud Provider demonstrated that they comply with the Australian Attorney-General’s Department’s Protective Security Policy Framework (PSPF), underpinned by the controls outlined in the Australian Signals Directorate’s Information Security Manual (ISM)? Compliance with these is mandatory when working with the government.
- Has your Cloud Provider demonstrated compliance with the new ASD/ACSC security assessment framework for OFFICIAL and PROTECTED controls?
Whatever your concern is, we can discuss how your organization can take the next step today.