Opportunities and Risks: ACSC Cloud Guidance defines the playing field
Mark Anderson
National / Chief Security Officer at Microsoft Australia & New Zealand
“People who don’t take risks generally make about two big mistakes a year. People who do take risks generally make about two big mistakes a year.”
- Peter Drucker
I’ll come back to Mr Drucker later, but back in March when it was announced that the Certified Cloud Services List (CCSL) was being consigned to the history books, there was a mixed reaction in the market. Those of you who read my blog post at the time would remember that I was positive about this move because I believe it empowers customers to make their own risk-based choices on technology without having to wait for an official stamp of approval. At the same time, I also recognised that it has always been the responsibility of agencies to assess, accept and mitigate risks, but many may feel that without the additional assurance that the CCSL provided, this process would now be more difficult.
Last week, the Australian Cyber Security Centre (ACSC) published their first set of post-CCSL guidance which is what I am going to comment on in this post, but firstly I want to commend the ACSC on their approach to including industry in the consultation process and for listening and incorporating our feedback into the document. It was great to be part of the panel alongside other cloud vendors, both local and hyper-scale, as well as representatives from various government agencies and IRAP assessors. Taking the feedback of this group would have been a gargantuan task as there was consensus in many areas as well as equally differing opinions in others!
I am not going to deconstruct all of the new assets in detail as I highly encourage you to read and digest them yourself; if nothing else I suggest you read the “Anatomy of a Cloud Assessment and Authorisation” document. I did, however, want to pull out a few of my favourite sections from this latest guidance:
Focus on the Cloud Service Provider (CSP)
When you move to the cloud, you are transferring control of certain aspects of your security operations, so you must be confident that you are not just selecting a cloud service that meets your technical and functional needs, but also a partner that you can trust. As Microsoft CEO Satya Nadella constantly reminds us, “Microsoft Runs on Trust”, which is why I consider the focus on trust when assessing the CSP a great move. Security is not just about technical controls; you need to consider the CSP itself. What does the ownership chain look like? Do they have a local presence? Do they have vetting procedures in place for employees? How do they secure their supply chain? All are great questions to ask.
However, what has been interesting to note has been the commentary from some that this new guidance now excludes any provider that isn’t 100% Australian in every aspect. This couldn’t be further from the truth and intention of the ACSC. While the document does say that CSPs based and solely operated in Australia are more likely to align to Australian standards and legal obligations, it is also important to note this guidance is aimed at all cloud providers of which there are many and not all clouds are created equal!
The other factor to consider, as pointed out later in the document, is that “… a CSP may be at low risk of foreign interference, but may lack security controls in other areas, possibly posing a greater risk than a provider who is not solely operated in Australia, but who has effective security controls that meet the security requirements and risk tolerances of the Cloud Consumer”.
As someone who spends a significant amount of time with customers helping them understand how Microsoft operates behind the scenes, I can attest to our investment in security: from our data centres and Threat Intelligence teams that engage in nation-state tracking, to the 24x7 Cyber Defence Operations Centre which ingests over 8 trillion security signals per day, all of which is combined with our continual global assessment and accreditation programs, underpinned by legal commitments and alignment to local laws and regulations. It is also important to remember that every CSP in Australia, albeit to differing degrees, relies on a supply chain that originates outside of Australia, be that for hardware, software, or other outsourced business functions. What matters is that we all do our utmost in every one of these areas to provide the best overall outcome for the cloud consumer. The ACSC sums it up when it states: “Cloud Consumers need to consider all aspects of a CSP to make an informed decision about its use and not rely on a single factor to determine a CSP’s suitability”. In other words, don’t lose sight of the big picture, and work with your CSP to understand the balance of risk, which, after all, is what really matters.
Recognition that the Cloud brings security benefits
I really enjoyed reading a recent blog post from the National Cyber Security Centre team in the UK titled “Why Cloud First is not a Security Problem”, where the author talks about the fact that public cloud providers pay a lot of attention to the ‘nightmare scenarios’ and often have early access to vulnerability information, and that as a customer, you would therefore need to be able to match the security of a cloud provider merely to keep pace with the risk. This viewpoint has been echoed in the section on Cloud Computing vs. Self-Managed in the ACSC paper, where it states that as part of a cloud risk assessment, consideration should also be given to “…the risks of not transitioning to cloud computing” while also noting that “CSPs can provide substantial cyber security improvements beyond what is feasible when an organisation owns and manages its own IT infrastructure”.
Drawing a link to the quote from Peter Drucker at the beginning of this piece, this is good recognition from the ACSC that a status quo approach likely carries more risk than moving to a modern and secure way of operating on the cloud. However, just moving to the cloud doesn’t automatically make you more secure, which leads me to my favourite focus and topic of conversation…
Shared Responsibility
On 19th June 2020, when the Australian Prime Minister spoke about recent state-based cyber activity, Defence Minister Linda Reynolds said, "I remind all Australians that cybersecurity is a shared responsibility of us all". I couldn’t have been happier to hear those words come from a Minister on live national television! Understanding which security controls you inherit from the CSP versus those that remain your responsibility is essential to securing cloud applications and services. It is therefore great to see this section in the assessment guidance alongside corresponding controls in the Australian Government Information Security Manual (ISM). I am also excited to share a small pre-announcement which is aligned to the understanding of cloud risk and responsibility zones.
For the past few months, we have been working with a well-respected cyber security organisation with a wealth of experience both in delivering IRAP assessments and in helping customers perform their own risk assessments. Shortly, we will be releasing a paper titled “Assessing Risk and Compliance in the Cloud”, aimed primarily at Government customers, which will also have value to commercial customers in understanding how to assess risk when adopting cloud services. This guide has intentionally been kept to ~20 pages and is designed to be a primer to help you get started on your risk assessment journey; it nicely complements the new ACSC Cloud Guidance… so stay tuned.
Conclusion
In closing, I have only picked out three areas of the new guidance here. There is certainly much more for you to go and read up on, and while I certainly welcome many of these new changes, it would be remiss of me if I didn’t also point out that there are certain areas which require refinement as well as additional clarification. However, this is post-CCSL version 1 guidance, so I am confident it will evolve over time as it is used in practical application and additional feedback is provided to the ACSC. My recommendation for anyone seeking clarification is to reach out to the ACSC directly for guidance and counsel.
Finally, I wanted to reiterate what I said back in March with regards to our commitment to IRAP, which is that we will continue to invest in IRAP assessments of our platform and services in alignment to the guidance within the ISM. The IRAP assessment reports will continue to be made available on the Australia-specific page of the Microsoft Service Trust Portal for customers and partners to use as part of their risk assessment process as defined in the ISM.
Director at Atarix
Thanks Mark Anderson, great article, look forward to reading the paper on Assessing Risk and Compliance in the Cloud when it is released.
Metabolic Health & Wellness Advocate
Excellent assessment and write up.
Joyfully Retired - ex Amazon Web Services (AWS)
Great article Mark Anderson. Considered. Balanced. Positive. Thank you.
Director @ Deloitte | Enterprise Architecture | Digital Transformation
Great article Mark Anderson. I particularly liked your point about outsourcing security operations along with technology when moving to a cloud model. Even if you do have your own security team, they will need to be integrated with the team looking after the cloud infrastructure. As a client you should be asking about the security operations associated with the cloud, and using that as a measure of suitability to meet your needs.