Anatomy of a Cloud Assessment and Authorisation

ACSC., ASD
July 27, 2020

REPORT Details

Introduction

Cloud computing offers a range of potential cyber security benefits for Cloud Consumers to leverage, providing access to advanced security technologies, shared responsibilities, fine-grained access management, comprehensive monitoring and highly redundant geographically dispersed cloud services. For many organisations, cloud computing can provide significant improvements to their cyber security, mitigating the risk of many current cyber threats.

While cloud computing can significantly enhance an organisation’s cyber security, it also presents other risks that need to be considered, such as multi-tenancy architectures, reduction in visibility of the physical and virtualisation layers, and possible foreign interference.

At its core, cloud computing involves outsourcing a part, or all, of a consumer’s information technology capability to a Cloud Service Provider (CSP). This outsourcing brings a reduction in control and oversight of the technology stack, as the CSP dictates both the technology and operational procedures available to the Cloud Consumers using its cloud services.

Cloud computing, by default, does not provide improved cyber security without effort on the part of the Cloud Consumer to perform their security responsibilities in securing the cloud. If not properly managed, maintained and configured, it can increase the risk of a cyber security incident occurring. Cloud Consumers need to consider the benefits and risks of cloud computing, including their own responsibilities for securing the cloud and determining whether cloud computing meets their security needs and risk tolerance.

One of the biggest barriers to Cloud Consumers adopting cloud computing is the difficulty of identifying and understanding the risks of using a CSP and its cloud services. Cloud computing presents a uniquely complex and layered technology stack that is rapidly evolving and resists traditional point-in-time assessments. This document guides CSPs, Cloud Consumers and IRAP Assessors on how to perform a comprehensive assessment of a CSP and its cloud services so that a risk-informed decision can be made about its suitability to store, process and communicate data.

The assessment and authorisation process detailed in this document uses the security requirements and cloud guidance detailed in the Attorney-General’s Department’s Protective Security Policy Framework (PSPF), the Australian Government Information Security Manual (ISM) and the Digital Transformation Agency’s (DTA) Secure Cloud Strategy. These documents provide the requirements and security controls for Cloud Consumers to use in the assessment of the CSP, its cloud services and a Cloud Consumer’s own systems.

The terminology and definitions used in this document for cloud computing are consistent with the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-145, The NIST Definition of Cloud Computing.


PROVIDER

ASD
The Australian Signals Directorate (ASD) is a vital member of Australia’s national security community, working across the full spectrum of operations required of contemporary signals intelligence and security agencies: intelligence, cyber security and offensive operations in support of the Australian Government and Australian Defence Forces (ADF).
ACSC.
The Australian Cyber Security Centre is the Australian Government lead agency for cybersecurity. The ACSC is part of the Australian Signals Directorate and based at the Australian Security Intelligence Organisation headquarters in the Ben Chifley Building.
