Verifying the Security of Cloud Services for Australian Government
James Kavanagh, Chief Security Advisor, Microsoft Australia
The Australian Attorney Generals Department has released a revised framework for assessing compliance and risk for cloud services. Microsoft welcomes this forward-looking guidance that describes a streamlined decision-making process while reinforcing the need for risk assessment and compliance with Australian security requirements.
Microsoft is making available an assurance handbook consistent with this new guidance that enables any organisation to compare alternative cloud services on the basis of capability, compliance and risk. This handbook is technology and service agnostic and can be used for any cloud service from any cloud provider.
Trust, but Verify.
But are cloud services safe? Will personal data be adequately protected? If a government agency makes the decision to put data in the cloud, will they still comply with the appropriate regulatory obligations and community expectations? Are there risks that government is not aware of or don’t understand? These are important questions to ask.
Answering these question requires a level of investigation and appropriate due diligence, as outlined by the Attorney General Department’s policy paper.
A huge diversity of cloud service providers exist today. This diversity can be highly beneficial, enabling an agency to find the right combination of services to fit their needs. But each service may integrate differently, apply security differently, have different expectations of privacy and commit to different contractual terms. Agencies have many choices, but they need to know which options are safe. The challenge is to perform reasonable due diligence, but in a way that enables direct comparison of alternative providers. And to do this assessment quickly and consistently, so as to maintain a focus on delivering outcomes.
Introducing the SAFE Approach
What we need is a structured, lightweight methodology for comparative assessment of capability, compliance and risk. This methodology should be service and technology agnostic so it can be used to compare alternative options that may comprise such delivery models as on premise, private cloud, hosted cloud, public cloud or any combination. It should support a comparison of multiple alternative solutions on a consistent basis, building on the policy guidance and frameworks of government but adaptable to the variety of choices offered by cloud technologies.
This is the purpose of the Microsoft Security Assurance Framework for Evaluation (SAFE), a framework developed in Australia published by Microsoft under Creative Commons for use by any government or enterprise.
The SAFE methodology consists of five distinct stages to enable comparative evaluation of alternatives based on capability, compliance and risk:
Understand Strategic Intent: Firstly, the agency develops a clear statement of strategic intent, benefits and options along with a description of their assurance objectives. Assurance objectives are the desired characteristics of any viable solution in terms of trustworthiness, resilience and adaptability.
Define Requirements: The second stage is about defining internal and external requirements. External requirements may come from legislation, regulator guidance, and so on. Internal requirements come from security policies, existing infrastructure and strategies.
Verify Claims: Stage three is about verifying that the cloud service can actually satisfy requirements. A combination of technical documentation, contract terms and independent verification informs this process.
Assess Risk: There will always be some unknowns, so the fourth stage is about performing a holistic risk assessment across each assurance domain and considering impacts of a strategic, operational, compliance or technical nature. And, if necessary, diving deeper into specific threats and mitigations.
Decide & Plan: The final step is to combine all of the previous inputs to provide an executive recommendation on how the agency should proceed.
This methodology is described extensively with templates, risk catalogues and risk assessment tools in the Microsoft SAFE Handbook.
Download the Attorney General Department: Information Security Management Guidelines – Risk management of outsourced ICT arrangements (including Cloud)
Download the Microsoft Security Assurance Framework for Evaluation