Introduction
The use of cloud based Information and Communication Technology (ICT) services by organisations and individuals alike is growing rapidly, and the implications at a practical level are often not fully understood or consciously considered.
Generally speaking, the concept of cloud refers to the outsourcing of a consumer’s computing capabilities (for example, data storage, computer processing capacity, hosting, operating system, etc.), and the maintenance of those capabilities, to a third party service provider (a cloud service provider or CSP). That is, rather than buying its own computing hardware, infrastructure, storage capacity and data processing capability to host its operating systems and to use software applications, the customer pays the CSP to use the CSP’s owned, managed and maintained ICT infrastructure and computer processing power.
In the Commonwealth Government context, the shift from traditional on-premises and owned computing capability and ICT systems to cloud-based ICT services has required a more considered and security-focused approach than that taken by the private sector: this is obviously and justifiably dictated by national security concerns and public policy. More recently,1 a transition to secure cloud based computing solutions has become part of the Commonwealth’s endorsed strategic mandate.2
Outsourcing to cloud vs. traditional on-premises compute
The shift to cloud computing has the potential to enable Government to leverage, in a cost effective way, more modern and advanced technology which is operated and maintained by industry experts (and accordingly has the potential to be more secure). However, outsourcing obviously leads to a reduction of control and potentially an increase in vulnerability. In other words, without implementation of proper controls and oversight, the use of cloud could expose the Government to the exploitation of sensitive and official information (which, in turn, could lead to compliance risks and legal exposure) and security risks (the consequences of which can be catastrophic). As is expressly recognised in the Digital Transformation Agency’s Secure Cloud Strategy:
Assurance for citizens and agencies that their information and data stored in the cloud is secure, accurate and reliable is fundamental. Effective government cannot operate without such an assurance.
Below, we consider and explore the kinds of risks that may arise from the use of cloud based ICT services, and some of the ways that contractual protections can be implemented to effectively manage or mitigate risk.
Using trusted providers and services: assessment and certification of CSPs
One of the key initiatives of the 2017 Secure Cloud Strategy was to reduce bottlenecks and generate efficiencies by creating a common assessment framework allowing agencies to manage the assessment and certification of CSPs and their services. Generally speaking the Protective Security Policy Framework (PSPF) and the Australian Government Information Security Manual (also known as the ISM) specify the requirements, controls and processes that agencies and third party service providers must comply with when handling Government information.
Since the move away from the Australian Signals Directorate’s Cloud Services Certification Program (CSCP) and the associated Certified Cloud Services List (CCSL), the process for assessment of a CSP and its service offerings can now be led by individual agencies (with a view to assessments being shared amongst the Commonwealth Government community).
Essentially, the process underpinning the assessment of a cloud service or a CSP involves measurement of a CSP’s compliance with the various controls and requirements set out in the ISM, to enable agency customers to determine, using a risk-based approach, whether the CSP and their services are appropriate for Government use in the circumstances. That is, the assessment allows an agency to determine the relevant risk of outsourcing its ICT capability to the CSP and using its services.
Additionally, in relation to data centre services and data hosting specifically, the Hosting Certification Framework provides a framework for the certification of hosting providers to two levels, and includes a mandate for agencies to determine and specify the certification level required by the CSP. Certifications under the Hosting Certification Framework focus more on ensuring the relevant CSP remains an appropriate entity to continue providing the relevant services, rather than the technical nature of the services and systems used to provide them.
Specific risks and contractual protections
Conducting assessments and ensuring certification of chosen CSPs and their cloud service offerings should not, however, be the end of the story regarding the management and mitigation of the risk involved in an agency’s assessment of cloud offerings. Rather, the dilution of control that comes with outsourcing warrants that customers of cloud services ensure that they have appropriate recourse to contractual protections and assurances in order to manage and mitigate risk and, ultimately, to prevent the improper use, and unauthorised access to and dissemination of information.
Below we explore a number of additional contract level controls and, for convenience, we’ve collected those controls into questions of who, how and what:
- who provides cloud services,
- how do they provide the services, and
- what (facilities, infrastructure, software and hardware) does the CSP provide as a service?
Who is providing the cloud services?
In the context of cloud services – where ICT hardware and infrastructure is utilised as a service (rather than owned as an asset) and where physical proximity is no longer essential – ownership and control over the CSP, the supply chains it uses and the jurisdictions in which the CSP operates are vital considerations during the procurement and contract negotiation stage. Indeed, the DTA’s Hosting Certification Framework provides a certification system so agencies can contract with vetted and trusted CSPs, and agencies are now required by the Framework to specify the level of certification required by CSPs in connection with procurements.
Although the initial certification process for providers under the Hosting Certification Framework is still in preliminary stages, once it has occurred and is in effect, the process of selecting who to contract with for cloud services may become simpler. But in any event, and consistent with the objectives of the Hosting Certification Framework, on top of ordinary due diligence into the reliability and financial viability of potential CSPs, agencies should consider:
- the CSP’s vulnerability to foreign control or influence,
- the governance models under which the CSP operates and its broader commercial structure,
- the CSP’s supply chain and potential vulnerabilities in it, and
- the jurisdictions in which the CSP operates and laws that it is subject to.
As noted in the Australian Cyber Security Centre’s 2020 publication Anatomy of a Cloud Assessment and Authorisation:
Foreign-owned CSPs may be subject to extrajudicial control and interference by a foreign entity. This could include a foreign entity compelling a CSP to disclose its customers’ data unbeknownst to its customers. This can include foreign-owned CSPs that provide cloud services in and from Australia.
Katrina Monagle recently explored some of the risks arising in relation to contracting US-based cloud providers in the wake of the enactment of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) in response to the US Supreme Court proceedings in United States v. Microsoft Corporation.3
In the Australian Government context, the seriousness of a change in ownership over a CSP was highlighted by the acquisition of a large share of the parent of Global Switch (an Australian data centre operator) by a Chinese consortium. Media publications indicate that the change triggered a number of Commonwealth agencies with data stored in the facility to consider a transition out of the data centre at what was reportedly a significant cost to the public purse.
Noting the risks from a contracting and risk management perspective, it is important to ensure that the CSP, and the providers within its supply chain, are and remain an appropriate entity to host and process the customer’s data, and that changes to the CSP entity and its supply chain (i.e., through restructuring, disposal of assets, novation, or a change in control or acquisition of a controlling interest, and similar changes in relation to subcontractors and other parts of the supply chain)4 can be controlled to limit the impact on the customer and to address any newly emerging risk. In this regard, the customer should ensure its contracts contain strong rights that it can leverage, either to obtain specific protections, or assurances in response to potential changes to the CSP that may impact it, including:
- requirements for prior notice in relation to a change,
- consent (or approval) rights (which can allow the customer to block the transaction where it has enough commercial significance, or which the customer can leverage to obtain further layers of protection),
- rights to terminate or de-scope the arrangement and transition to a new CSP,
- rights to recover transition or relocation costs, and
- other remedies which may be essential where the customer’s reliance on the CSP is such that it cannot simply and easily terminate its relationship with the CSP.
The Hosting Certification Framework purports to require certified CSPs to include contractual assurances in their contracts with agencies to similar effect in order to maintain their certified status.
How are cloud services provided?
At the working level (i.e., in a statement of work or list of specifications), the contract documents governing the provision of the service should require the CSP to meet high standards in relation to keeping customers’ data secure and preventing unauthorised access and improper use or dissemination without the consent of the data owner. In this context ensuring that ownership and control of data remains with the customer is critical, and the contract should require the CSP to employ sound practices, and allow the customer to strictly control and monitor what happens to its data, who has access to it and what it’s used for. Consider, for example, requirements for the CSP to:
- ensure its staff involved in the provision of the services have security clearances commensurate with their responsibilities and privileges,
- implement industry best practices to prevent cyber attacks,
- monitor trends and emerging threats,
- identify vulnerabilities and develop patches, updates and bug fixes to address those vulnerabilities,
- conduct real time monitoring of access to data and maintain a log of access,
- report all anomalies in relation to access to, use and transfer of data, and
- allow and assist Commonwealth audits.
What comprises the cloud services?
Often an ICT system’s vulnerability to cyber threats is inherent in its design features, physical characteristics and functional capabilities. Where an organisation leverages an ICT system owned, operated and maintained (for profit) by a CSP, the design of the system can create vulnerabilities that a customer would not ordinarily allow in a self-managed, on-premises system. In this regard it’s essential that contracts include specifications and design features that ensure security of their information. Ultimately, Government policy such as the PSPF and ISM dictates the technical and physical security requirements for facilities used in the provision of ICT services to government. But as a thought exercise, consider:
- whether software involved in the delivery of service is prone to attack, and whether it is still supported (e.g., updated to address vulnerabilities, bugs, etc.),
- whether the system involves storing customer-owned information and data with data from other customers and sources,
- whether there is secure separation (e.g., locked doors) between hardware and data servers hosting sensitive information, and servers hosting information for other customers,
- what hardware is being used in the storage or transfer of information and whether it may be subject to known vulnerabilities (e.g., Wi-Fi or Bluetooth enabled equipment),
- whether appropriate encryption is applied to data that is vulnerable in states of storage or transmission,
- whether the infrastructure (cabling, etc.) meets the standards required for transfer of data of the kind (and sensitivity) being transferred, and
- what rights to audit and test physical security and ICT systems for compliance may be required.
Conclusion
Obviously CSPs will not always be willing to grant rights necessary to fully protect a customer’s data in a commercial bargain, but wherever there is risk, a decision must be made as to what should be done to eliminate or mitigate that risk (and at what cost). With the Commonwealth’s current and very publicised concern regarding information security and the current state of alertness regarding cyber threats, now is an opportune time to:
- seek to leverage the heightened attention around cyber risk to gain traction with stronger contractual positions in procurement processes, and
- review current cloud service arrangements and seek to negotiate better contractual protections to keep Government information secure, and to maintain public confidence that its information is safe.