Cloud computing offers a range of potential cyber security benefits for Cloud Consumers to leverage, providing access to advanced security technologies, shared responsibilities, fine-grained access management, comprehensive monitoring and highly redundant geographically dispersed cloud services. For many organisations, cloud computing can provide significant improvements to their cyber security, mitigating the risk of many current cyber threats.
While cloud computing can significantly enhance an organisation’s cyber security, it also presents other risks that need to be considered, such as multi-tenancy architectures, reduction in visibility of the physical and virtualisation layers, and possible foreign interference.
At its core, cloud computing involves outsourcing a part, or all, of a consumer’s information technology capability to a Cloud Service Provider (CSP). This outsourcing brings a reduction in control and oversight of the technology stack, as the CSP dictates both the technology and operational procedures available to the Cloud Consumers using its cloud services.
Cloud computing does not, by default, deliver improved cyber security; the improvement depends on the Cloud Consumer actively carrying out its own security responsibilities in securing the cloud. If cloud services are not properly managed, maintained and configured, they can increase the risk of a cyber security incident occurring. Cloud Consumers need to weigh the benefits and risks of cloud computing, including their own responsibilities for securing the cloud, and determine whether cloud computing meets their security needs and risk tolerance.
One of the biggest barriers to Cloud Consumers adopting cloud computing is the difficulty identifying and understanding the risks of using a CSP and its cloud services. Cloud computing presents a uniquely complex and layered technology stack that is rapidly evolving and resists traditional point-in-time assessments. This document guides CSPs, Cloud Consumers and IRAP Assessors on how to perform a comprehensive assessment of a CSP and its cloud services so that a risk-informed decision can be made about its suitability to store, process and communicate data.
The assessment and authorisation process detailed in this document uses the security requirements and cloud guidance detailed in the Attorney-General’s Department’s Protective Security Policy Framework (PSPF), the Australian Government Information Security Manual (ISM) and the Digital Transformation Agency’s (DTA) Secure Cloud Strategy. These documents provide the requirements and security controls for Cloud Consumers to use in the assessment of the CSP, its cloud services and a Cloud Consumer’s own systems.
The terminology and definitions used in this document for cloud computing are consistent with the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-145, The NIST Definition of Cloud Computing.