Purpose
This guideline has been developed to assist agencies and applicable suppliers in understanding and implementing the cloud computing requirements of the SACSF.
Scope
The SACSF policy statements related to this guideline are:
- SACSF Policy Statement 2.11: Cloud Computing - Risk assessments must be performed by the agency prior to implementing any cloud computing service in order to assess the benefits of the service balanced with the additional jurisdictional, governance, privacy and security risks associated with the use of such services
Background
As described in the SACSF, agencies are required to assess the benefits of using a cloud service balanced with the additional jurisdictional, governance, privacy and security risks associated with the use of such services.
Cloud computing offers potential benefits, including cost savings and improved business outcomes for agencies. However, there are information security risks that need to be carefully considered. The adopted cloud service model (IaaS, PaaS, SaaS) will often have a significant impact on which responsibilities are retained in-house and which are outsourced.
Risks will vary depending on the sensitivity of the data to be stored or processed, and on how the chosen cloud service provider has implemented its specific cloud services. Mitigating the risks associated with using cloud services is a responsibility shared between the agency and the cloud service provider; however, accountability for the risk of using the service remains with the agency and cannot be transferred.
The cloud deployment model (public, private, community or hybrid cloud) may also impact the control options that are available to manage information security within the context of cloud solutions, and therefore the risks to the security of agency information.
These guidelines will help agencies to protect the confidentiality, integrity, and availability of their information assets in a cloud environment.
Guideline
The following security considerations and recommended mitigations should be addressed when performing a security assessment of cloud services:
Maintaining availability and business functionality
- Business continuity planning
- Availability requirements
- Backup and recovery
- Redundancy
- System performance and SLAs
Protecting data from unauthorised access
- Secure architecture design
- Information classification and handling
- Data security
- Access control and monitoring
- Physical security
Maintaining system integrity
- Change control
- Audit trail
- Data quality
Monitoring and reporting on cyber security incidents
- Vendor support
- Incident response (IR) plan
- Logging and monitoring capability
- Notification of security incidents
Maintaining compliance to legal and contractual requirements
- Legislative obligations
- StateNet Conditions of Connection
- Data ownership
- Data sovereignty
- Data privacy
- Right to audit
Refer below for guideline details.
Maintaining availability and business functionality
Agencies should identify and mitigate the risk of business functionality being negatively impacted by cloud services being unavailable. Understanding and documenting the availability requirements, and preparing for business-interrupting events, are essential.
- Business continuity planning
- Availability requirements
- Backup and recovery
- Redundancy
- System performance and service level agreements (SLAs)
Business continuity planning
- Conduct a Business Impact Assessment (BIA) to identify the business-critical data or functionality moving to the cloud and understand the potential impact on business operations during downtime or an outage.
- Review the cloud service provider’s business continuity and disaster recovery plans to gain assurance that the vendor can respond to a major incident or outage that affects its service delivery.
- Assess the vendor’s business continuity and disaster recovery plans, covering the availability and restoration of both data and the vendor’s services, and evaluate their alignment with the agency’s recovery objectives.
- Understand and assess the time it takes for data and services to be recovered after a disaster, and how the vendor prioritises recovery resources among all customers and subscription plans.
- Assess the level of support and cooperation during offboarding or transfer from the current cloud service provider to a different vendor, to ensure the agency can obtain its data in a vendor-neutral format and avoid vendor lock-in.
Availability requirements
- Assess the network connectivity between the agency and the cloud services for maintaining availability, including capabilities such as DoS protection, traffic throughput (bandwidth), prevention of delays (latency) and packet loss.
- Assess the Service Level Agreement (SLA) with the vendor, including guaranteed availability, scheduled outages and any possible downtime that may impact or interfere with critical business processes.
- Understand the horizontal and vertical scalability of the cloud services, and the spare computing resources the vendor can provide, so that the agency’s usage of the vendor’s services can scale when required.
Backup and recovery
- Assess the cloud service provider’s capability of both full and partial recovery of systems from backups, including the timeframes expected.
- Assess the requirement to maintain an up-to-date backup copy of data located either at the agency’s premises or stored with a second vendor that has no common points of failure with the first vendor.
- Assess the requirements for retaining backup copies, including the timeframe, format, security, and location for backup retention.
Redundancy
- Assess potential single points of failure associated with the cloud service, and redundant facilities such as a secondary failover site and offsite backups, to prevent disruption of services.
- Understand the requirement to replicate data or business functionality with a second vendor that uses a different data centre and ideally has no common points of failure with the first vendor.
System performance and service level agreements (SLAs)
Ensure contractual arrangements are clearly defined and documented in the SLAs, including the following performance expectations:
- System up-time and/or maximum acceptable downtime (for example, 99% system up-time, less than 9 hours outage per year).
- Scheduled maintenance, change windows and planned outages, and the communication mechanisms and notification channels used to announce them.
- Response and resolution timeframes for unplanned outages, security incidents and general request tickets.
- Defined severity ratings and priority levels for general ICT incidents and cyber security incidents.
- Performance review frequency and reporting and communication channel for performance and security monitoring.
- Penalties for not meeting service levels and/or response and resolution timeframes, which adequately reflect the damage caused by a breach of the SLA.
The following security clauses should also be included in the contract with the cloud service provider:
- Appropriate protection applied to customer data and/or personal information (if applicable), including properly deleting data from the vendor’s storage media when the contract is terminated.
- Agreed provisions, as part of the contract terms, for at least annual testing of failover and disaster recovery capabilities.
- The agency’s reserved right to audit the security capabilities and controls maintained by the cloud service provider.
Protecting data from unauthorised access
Unauthorised access to information and data stored on cloud services should be prevented. The responsibility model for securing cloud environments is often a shared model between the cloud service provider and customer.
Agencies should understand the responsibilities of both parties and ensure vendors meet the requirements and expectations to protect data from unauthorised access.
- Secure architecture design
- Information classification and handling
- Data security
- Access control and monitoring
- Physical security
Secure architecture design
- Determine the cloud deployment model, considering the information classification and public accessibility requirements of the cloud services. Deployment models include:
  - public cloud (potentially less secure but accessible from public networks)
  - hybrid cloud or community cloud (potentially less accessible but more secure)
  - private cloud (potentially most secure but may not be accessible from external networks).
- If the cloud services are based on multi-tenant cloud infrastructure, the agency should acquire assurance from the vendor that:
  - customer segregation is in place, with adequate logical and network segregation between tenants
  - controls are in place to detect and prevent a tenant exploiting a publicly unknown or unpatched vulnerability in a hypervisor to compromise another tenant’s data.
- Assess whether the cloud service provider’s security maturity, and that of its other customers, could weaken the agency’s security posture. For example, malicious actors could use cloud infrastructure from the same vendor used by the target organisation both to serve malicious web content to the organisation’s users and to exfiltrate the organisation’s sensitive data.
Information classification and handling
- Understand the data security requirements associated with the cloud services. This should include the:
  - sensitivity of datasets, as well as whether the aggregation of data makes it more sensitive than any individual piece of data
  - information classification level
  - volume of data being stored or processed by the cloud services
  - any personal information stored in the cloud storage.
- Understand the media sanitisation and data decommissioning requirements associated with cloud services. This includes the following:
  - Defined processes to sanitise the storage media holding the data at its end-of-life.
  - When portions of data or databases are deleted, the defined processes to sanitise the storage media before it is made available to another customer.
  - When terminating the cloud service contract or subscription, the defined processes to securely delete data from storage media.
Data security
- Consider the requirements for encrypting data at rest, including:
  - that the cryptographic algorithm is strong enough to protect the data at rest, based on the information classification and data sensitivity
  - that the implementation of encryption is comprehensive enough to cover all the storage, devices and media that contain cloud service customer data and cloud service derived data
  - that approved hash algorithms are used, so that relatively weak passwords and keys cannot be recovered by brute-force techniques.
- Consider the requirements for encrypting and protecting data in transit, including:
  - the cryptographic controls the cloud service provider uses to protect data in transit, such as TLS, HTTPS and SFTP
  - that the gateway environment is aligned with agency security policies and standards to secure the network links and data in transit, including firewalls, traffic flow filters, content filters, antivirus software and data diodes
  - that defined onboarding and change management processes are used to ensure that cloud infrastructure software and hardware has been supplied by a legitimate source and has not been maliciously modified in transit.
- Consider the requirements for key management activities for data encryption. This includes the following:
  - Assess if the vendor provides a centralised key management service to manage cryptographic keys for the agency’s cloud services in a consistent and secure manner.
  - Assess if the vendor supports key generation and rotation, allowing the agency to generate new keys when needed and rotate keys periodically to enhance security.
  - Assess if the vendor provides secure storage and protection for private keys, such as hardware security modules or software-backed encryption keys. Understand if the vendor provides features for centralised key storage and for external or on-premises customer key storage.
  - Assess if the vendor provides robust access controls for encryption keys, including features such as role-based access control, multifactor authentication (MFA) and privileged access management (PAM) tools to prevent unauthorised access.
  - Assess how the vendor manages key suspension and destruction processes, ensuring that suspended and retired keys are not used or accessible.
- Consider concealing sensitive data (for example, personal information) using techniques such as data masking, pseudonymisation or anonymisation:
  - Data masking is a set of techniques to conceal, substitute or obfuscate sensitive data items. Data masking can be static (when data items are masked in the original database), dynamic (using automation and rules to secure data in real time) or on-the-fly (with data masked in an application’s memory).
  - Anonymisation irreversibly alters personal information in such a way that the personal information principal can no longer be identified, directly or indirectly.
  - Pseudonymisation replaces the identifying information with an alias. Knowledge of the algorithm (sometimes referred to as the ‘additional information’) used to perform the pseudonymisation allows for at least some form of identification of the personal information principal. Such ‘additional information’ should therefore be kept separate and protected.
- Consider the controls to prevent and mitigate data spills, including:
  - Clarify the information classification level and data sensitivities of the cloud services. Avoid uploading data that exceeds the defined security level.
  - If data that the agency considers too sensitive to be stored in the cloud is accidentally placed into the cloud (referred to as a data spill), ensure the spilled data can be deleted using forensic sanitisation or other data cleansing techniques.
  - Ensure the relevant portion of physical storage media is purged, and/or understand the timeframe within which deleted data is overwritten as part of normal operation.
  - Examine if the spilled data can be forensically deleted from the vendor’s backup media and from anywhere else the spilled data is stored.
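The three concealment techniques listed under data security can be illustrated in code. The following Python example is added here; it is not part of the SACSF guideline or any vendor's product. It masks a card number (static masking), derives pseudonyms with a keyed HMAC whose key is the ‘additional information’ to be stored and access-controlled separately from the dataset, and generalises a record into an anonymised form. The records, field names and key are constructed for the example. The last function goes slightly beyond the text: it shows why the key must be kept apart by contrasting an unkeyed hash of a low-entropy value (a four-digit postcode), which is trivially reversed by enumeration, with the keyed alias, which is not.

```python
"""Added example: data masking, pseudonymisation and anonymisation of a small
constructed record set. Not code from the SACSF guideline or from any vendor."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed, fictitious records standing in for a dataset an agency may move to a cloud service.
RECORDS = [
    {"name": "Alice Example", "dob": "1984-03-17", "postcode": "5000",
     "card": "4111111111111111", "condition": "asthma"},
    {"name": "Bob Example", "dob": "1979-11-02", "postcode": "5006",
     "card": "5500000000000004", "condition": "diabetes"},
]


def mask_card(number: str, keep_last: int = 4) -> str:
    """Static data masking: substitute every digit except the last few with '*'."""
    return "*" * (len(number) - keep_last) + number[-keep_last:]


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated to 16 hex characters). The key is the
    'additional information': whoever holds it can re-derive and link aliases, so it
    is stored and access-controlled separately from the pseudonymised dataset."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Replace the direct identifier with an alias and mask the card number;
    the fields needed for analysis are kept as they are."""
    return {
        "id": pseudonymise(record["name"], key),
        "card": mask_card(record["card"]),
        "postcode": record["postcode"],
        "condition": record["condition"],
    }


def anonymise(record: dict) -> dict:
    """Irreversible anonymisation by suppression and generalisation: direct
    identifiers are dropped and quasi-identifiers are coarsened so the person
    cannot be re-identified from the output alone."""
    return {
        "birth_decade": record["dob"][:3] + "0s",
        "postcode_prefix": record["postcode"][:2] + "xx",
        "condition": record["condition"],
    }


def unkeyed_alias(value: str) -> str:
    """A plain (unkeyed) hash used as an alias, for comparison with the keyed pseudonym."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def reverse_postcode_alias(alias: str, key: Optional[bytes] = None) -> Optional[str]:
    """Why the key must be held separately: a four-digit postcode has only 10,000
    possible values, so an unkeyed alias is recovered by enumerating them all,
    whereas the keyed alias can only be re-derived by a party holding the key."""
    for n in range(10_000):
        candidate = f"{n:04d}"
        derived = pseudonymise(candidate, key) if key is not None else unkeyed_alias(candidate)
        if hmac.compare_digest(derived, alias):
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated per dataset and stored apart from the data
    for rec in RECORDS:
        print(pseudonymise_record(rec, key), anonymise(rec))
    print("unkeyed postcode alias reversed:", reverse_postcode_alias(unkeyed_alias("5000")))
    print("keyed postcode alias, no key:", reverse_postcode_alias(pseudonymise("5000", key)))
```

The pseudonymised output still links records belonging to the same person (same name and key give the same alias), which is what makes it useful for analysis and also why it remains personal information while the key exists; the anonymised output cannot be linked back at all, which is the trade-off the guideline draws between the two techniques.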
Access control and monitoring
- Cloud service providers should provide the following functionality and security features to customers:
  - Support for third-party identity and access management technologies for their cloud services and the associated administration interfaces. These technologies enable easier integration and user identity administration between the customer’s systems and the cloud service, and can make the use of multiple cloud services easier through capabilities such as single sign-on.
  - Secure authentication techniques for authenticating customer cloud service administrators to the administrative capabilities of a cloud service, according to the identified risks. For example, the cloud service provider can provide multi-factor authentication capabilities or enable the use of third-party multi-factor authentication mechanisms.
  - Break glass accounts, provided as emergency access accounts that are used to access critical systems or resources when other authentication mechanisms fail or are unavailable.
  - Access logs, audit logs, login reviews and reports for the customer to perform access reviews and incident investigation. The logs should be able to integrate with the customer’s security information and event management (SIEM) system.
- Agencies should check that the vendor’s remote access is properly monitored and managed if the vendor has access to agency cloud infrastructure or application components, including:
  - understanding if the vendor needs to perform remote access from outside Australia
  - assurance from the vendor in the form of patch compliance reports and other details about the security of workstations used to perform remote access
  - the controls that prevent the vendor’s employees from using untrusted or personally owned devices to store or process customer data.
Physical security
- Examine the vendor’s physical security posture and ensure the vendor’s physical data centre is designed to prevent the tampering or theft of servers, infrastructure, and the data stored on them.
- Understand if dedicated servers are required for the agency’s cloud services and if the agency has some control over the physical computer that runs the cloud services and virtual machines.
Monitoring and reporting cyber security incidents
Vendors should have sufficient capabilities to monitor the security posture of cloud environments and report cyber security incidents to the customer. Agencies should understand if vendors can maintain the required level of incident response readiness and provide sufficient support during and after a cyber security incident.
- Vendor support
- Incident response (IR) plan
- Logging and monitoring capability
- Notification of security incidents
Vendor support
- Assess the level and scope of vendor support and understand if the agency can acquire timely and sufficient support for investigating, responding to and resolving a cyber security incident associated with the cloud service. This includes the following aspects of vendor support:
  - The vendor is readily contactable and responsive to requests for support, and an agreed communication channel is established to raise requests and exchange information.
  - The vendor assists agency investigations if there is a security breach such as an unauthorised disclosure of data, or if there is a need to perform legal electronic discovery of evidence.
  - The maximum acceptable response and resolution times are captured in the SLA, with timelines defined by the severity and priority levels of the cyber security incident. While general ICT support during service outages and availability issues may be documented in vendor contracts, the specific requirements for cyber security incident support are commonly not agreed or documented in the SLA.
  - Understand if vendor support is provided from within Australia or from a foreign resource, or even from several foreign countries and time zones.
  - The vendor adequately compensates the customer if the vendor’s actions, faulty software or hardware contributed to a security breach.
Incident response (IR) plan
- Review the vendor’s cyber security IR plan and understand how the vendor detects and responds to cyber security incidents.
- Understand if the scope of the vendor’s cyber security IR plan covers the services delivered to the agency. If the vendor offers additional or modified cloud services or functions to the agency, ensure the vendor has updated the IR plan and procedures to align with the offering.
- Examine if the vendor performs regular testing of the IR plan and provides training to their employees to properly identify and report potential security incidents.
Logging and monitoring capability
- Assess the vendor’s security monitoring capabilities and understand if they are continuously monitoring their IT environments and the cloud services they are offering for cyber security events and incidents.
- Understand if the agency’s existing security monitoring tools and SIEM solution can be integrated or connected with the cloud service.
- Understand if the agency must learn to use additional tools provided by the vendor for monitoring the performance and security events of the cloud services, and assess the capacity and resources needed to perform monitoring activities.
- Understand if the agency can access the logs generated by the cloud service and ensure the agency can obtain access to audit logs and other logs to perform forensic investigations.
- Assess if the log retention settings of the cloud services are aligned with agency requirements and compliance obligations.
- Examine the logs from cloud services to ensure they are time synchronised with a trusted Network Time Protocol (NTP) server, and that the logs are created and stored so as to be suitable evidence for a court of law.
Notification of security incidents
- Examine the vendor’s procedures for notifying customers of security incidents within its corporate environment and within the cloud services it provides to customers. This should also cover a cyber security incident occurring within a fourth party’s environment (for example, the suppliers, contractors or third parties of the vendor).
- Understand the reporting portal and communication channels through which the vendor notifies the agency of any cyber security incidents, and the information required to be reported.
- Understand if the vendor will automatically notify law enforcement or other authorities, who may confiscate computing equipment used to store or process agency data.
Maintaining system integrity
Any changes to the cloud service and data held within the cloud service should be recorded and managed to protect the system integrity and data quality. Agencies should understand how much the vendor can support the identification, correction, and investigation of integrity issues.
- Change control
- Audit trail
- Data quality
Change control
- Assess the vendor’s change management processes to ensure that changes in cloud services and products are managed properly throughout the entire system development life cycle to maintain system integrity.
- Examine the vendor’s change control and release control procedures to understand if they include the following elements:
  - plan and assess the potential impact of changes on customers
  - obtain approval and authorisation of changes from appropriate stakeholders
  - communicate changes to cloud service customers
  - test changes from functionality and security perspectives
  - maintain and provide records of changes to customers if required.
- Understand if cloud service customers can track changes and versions and roll back to a previous version if needed.
Audit trail
- Understand how the cloud service maintains an audit trail of activities performed by both the vendor and customer.
- Understand how the vendor supports customers to set up and access the audit trail, as well as how to search, download, archive, analyse, respond to and manage access to the audit trail.
- Assess if the vendor or unauthorised personnel can delete or alter the audit trail to compromise the integrity and accuracy of the records.
- Assess the location and media for storing the audit trail and logs to ensure it aligns with the agency’s log retention policy.
Data quality
- Understand how the cloud service provider standardises and maintains the consistency of data formats and database schemas.
- Assess if the vendor offers built-in validation tools to help identify and correct errors or data inconsistencies, or if the cloud service can be integrated with the agency’s existing data validation tools.
- Examine if the vendor adheres to industry standards and can simplify the process of integrating data from multiple sources or migrating data to another vendor or cloud service.
- Assess if the vendor supports master data management (MDM) so the agency can clean, match, and integrate data discovered across distributed storages and sources and use it to create master data objects stored in a central MDM system.
Maintaining compliance with legal and contractual requirements
Agencies should understand their obligations related to the cloud services and data uploaded to the cloud. Vendors should be able to assist agencies to maintain compliance with applicable regulations and security frameworks. Agencies should acquire sufficient assurance of compliance from the vendor using contractual terms and security SLAs.
- Legislative obligations
- StateNet Conditions of Connection
- Data ownership
- Data sovereignty
- Right to audit
Legislative obligations
- Understand the data and information assets associated with the cloud services that the agency has to protect and manage under applicable legislation, for example the State Records Act 1997 or the Privacy Act 1988.
- Assess if the vendor contractually agrees to adhere to these obligations and to help the agency ensure that the obligations are met.
- Understand the obligations and requirements of the Premier and Cabinet Circular PC 012 - Information Privacy Principles (IPPS) Instruction that are associated with the cloud services, including the following:
  - Where the information to be maintained under cloud computing arrangements is of a highly sensitive or personal nature, confirm that the arrangement with the cloud service provider involves storage of the records in a jurisdiction with a privacy regime equivalent to Australia’s and with adequate security measures in place.
  - Ensure that all privacy requirements applicable to the agency are considered and addressed in contracts with the cloud service provider.
- Understand the obligations and requirements of the State Records Act 1997 that are associated with the cloud services, including whether:
  - the transfer or storage of official records outside of state or country boundaries is permitted under local regulatory frameworks and agency policy
  - contract terms address data sovereignty issues to the satisfaction of the agency. Specifically, these terms should establish and agree the location of all data held by the cloud service provider on behalf of the agency. Consider the location of:
    - the primary data store
    - replication of data to support high-availability solutions and/or authentication
    - online and offline backups
    - administration and support staff who may access the processing environment and data.
StateNet Conditions of Connection
- Assess if the cloud service falls within the scope of the StateNet Conditions of Connection.
- If in-scope, ensure that StateNet Conditions of Connection requirements are considered in all stages of the cloud service lifecycle, including requirements definition, architecture design, contract requirements, security risk assessments and ongoing governance.
Data ownership
- Understand the contract terms and agreements on data ownership. Ensure the agency retains legal ownership of the government data stored or processed by the cloud service.
- Assess how the vendor protects the intellectual property (IP) and the ownership of the information assets generated by agency while using the cloud services.
Data sovereignty
- Understand what countries the agency’s data is stored, transmitted, and processed in. Data stored outside of Australia may be subject to the laws and regulations of the host country. These laws may not align with Australian privacy regulations and may allow foreign countries to subpoena data.
- Understand if the vendor has failover or redundant data centres that support the cloud services and have access to agency data. For example, agency data that is held in an Australian data centre could be duplicated to a secondary data centre outside Australia for business continuity purposes.
- Assess if the vendor has a documented procedure to notify customers of changes in data sovereignty and foreign ownership of the company or facilities. For example, a foreign owned vendor may be subject to their country’s laws even if the vendor is operating within Australia. If the vendor is subpoenaed by a foreign law enforcement organisation for access to data belonging to the vendor’s customers, the vendor may be legally prohibited from notifying their customers of the subpoena.
Right to audit
- Maintain the right to perform security audits on the vendor’s cyber security posture and relevant controls. If auditing is not possible, ensure a reputable third party has performed audits and relevant control testing on the vendor. The right to audit should be defined in the contract and include the following requirements:
  - Review the policies and processes supporting the vendor’s cyber security posture, including threat and risk assessments, ongoing vulnerability management, a change management process that incorporates security, regular penetration testing, logging and regular log analysis, incident management, access management, and compliance with Australian Government or internationally recognised security standards and regulations.
  - Assess the technical controls supporting the vendor’s cyber security posture, including timely application of security patches, regularly updated antivirus software, defence-in-depth mechanisms to protect against unknown vulnerabilities, hardened operating systems and software applications configured with the strongest possible security settings, cryptographic protocols and processes, intrusion detection and prevention systems, and data loss prevention mechanisms.
  - Understand what level of internal audits the vendor performs, and which compliance standards and other recommended practices from organisations such as the Cloud Security Alliance are used for these assessments, and review a copy of the recent reports.
  - Review copies of independent assurance reports of certification to information security standards that include the specific cloud services being used within scope. Where possible, contractually require that regular copies of certification and maintenance audit reports are provided for review. Examples of relevant security certifications include IRAP (Australia), ISO/IEC 27001 and SOC 2.
Definitions
Infrastructure as a Service (IaaS) - Involves the vendor providing physical computer hardware including CPU processing, memory, data storage and network connectivity. The vendor may share their hardware among multiple customers referred to as ‘multiple tenants’ using virtualisation software. IaaS enables customers to run operating systems and software applications of their choice. Typically, the vendor controls and maintains the physical computer hardware. Typically, the customer controls and maintains the operating systems and software applications.
Platform as a Service (PaaS) - Involves the vendor providing Infrastructure as a Service plus operating systems and server applications such as web servers. PaaS enables customers to use the vendor’s cloud infrastructure to deploy web applications and other software developed by the customer using programming languages supported by the vendor. Typically, the vendor controls and maintains the physical computer hardware, operating systems, and server applications. Typically, the customer only controls and maintains the software applications developed by the customer.
Software as a Service (SaaS) - Involves the vendor using their cloud infrastructure and cloud platforms to provide customers with software applications. Example applications include email and an environment for users to collaboratively develop and share files such as documents and spreadsheets. These end user applications are typically accessed by users via a web browser, eliminating the need for the user to install or maintain additional software. Typically, the vendor controls and maintains the physical computer hardware, operating systems, and software applications. Typically, the customer only controls and maintains limited application configuration settings specific to users.
Public cloud - Involves an organisation using a vendor’s cloud infrastructure which is shared via the internet with many other organisations and other members of the public. This model has maximum potential cost efficiencies due to economies of scale. However, this model has a variety of inherent security risks that need to be considered.
Private cloud - Involves an organisation’s exclusive use of cloud infrastructure and services located at the organisation’s premises or offsite and managed by the organisation or a vendor. Compared to the public cloud model, the private cloud model has reduced potential cost efficiencies. A well architected private cloud properly managed by a vendor provides many of the benefits of a public cloud, but with increased control over security. A managed private cloud may enable enterprise customers to negotiate suitable contracts more easily with the vendor, instead of having to accept the generic contracts designed for the consumer mass market that are offered by some public cloud vendors.
Community cloud - Involves a private cloud that is shared by several organisations with similar security requirements and a need to store or process data of similar sensitivity. This model attempts to obtain most of the security benefits of a private cloud, and most of the economic benefits of a public cloud. An example community cloud is the sharing of a private cloud by several departments of the same government.
Hybrid cloud - Involves a combination of cloud models. An example is using commodity resources from a public cloud such as web servers to display non-sensitive data, which interacts with sensitive data stored or processed in a private cloud.