Before you fly into the cloud, consider these 51 concerns cooked up by the federal government agency that defends Australia's cyber-borders.
One of Australia's most secretive government agencies is the Defence Signals Directorate, an organisation whose motto - 'Reveal Their Secrets – Protect Our Own' - tells you a lot about its dual role as a diviner of intelligence and a defensive force patrolling and hardening Australia's online borders.
|The DSD says it's role is to
"operate in the slim area between
the difficult and the impossible".
That second role means the Directorate is the federal government's preferred source of advice on how government agencies can stay secure. Increased interest in cloud computing meant the Directorate recently published a guide to staying safe in the cloud. The full document runs to 18 often-technical pages, but a useful place to start is this list of the 51 cloud computing security considerations the Directorate believes every organisation should consider.
The 51 things you need to worry about are:
- My data or functionality to be moved to the cloud is not business critical.
- I have reviewed the vendor's business continuity and disaster recovery plan.
- I will maintain an up to date backup copy of my data.
- My data or business functionality will be replicated with a second vendor.
- The network connection between me and the vendor's network is adequate.
- The Service Level Agreement (SLA) guarantees adequate system availability.
- Scheduled outages are acceptable both in duration and time of day.
- Scheduled outages affect the guaranteed percentage of system availability.
- I would receive adequate compensation for a breach of the SLA or contract.
- Redundancy mechanisms and offsite backups prevent data corruption or loss.
- If I accidentally delete a file or other data, the vendor can quickly restore it.
- I can increase my use of the vendor's computing resources at short notice.
- I can easily move my data to another vendor or inhouse.
- I can easily move my standardised application to another vendor or inhouse.
- My choice of cloud sharing model aligns with my risk tolerance.
- My data is not too sensitive to store or process in the cloud.
- I can meet the legislative obligations to protect and manage my data.
- I know and accept the privacy laws of countries that have access to my data.
- Strong encryption approved by DSD protects my sensitive data at all times.
- The vendor suitably sanitises storage media storing my data at its end of life.
- The vendor securely monitors the computers that store or process my data.
- I can use my existing tools to monitor my use of the vendor's services.
- I retain legal ownership of my data.
- The vendor has a secure gateway environment.
- The vendor's gateway is certified by an authoritative third party.
- The vendor provides a suitable email content filtering capability.
- The vendor's security posture is supported by policies and processes.
- The vendor's security posture is supported by direct technical controls.
- I can audit the vendor's security or access reputable third party audit reports.
- The vendor supports the identity and access management system that I use.
- Users access and store sensitive data only via trusted operating environments.
- The vendor uses endorsed physical security products and devices.
- The vendor's procurement process for software and hardware is trustworthy.
- The vendor adequately separates me and my data from other customers.
- Using the vendor's cloud does not weaken my network security posture.
- I have the option of using computers that are dedicated to my exclusive use.
- When I delete my data, the storage media is sanitised before being reused.
- The vendor does not know the password or key used to decrypt my data.
- The vendor performs appropriate personnel vetting and employment checks.
- Actions performed by the vendor's employees are logged and reviewed.
- Visitors to the vendor's data centres are positively identified and escorted.
- Vendor data centres have cable management practices to identify tampering.
- Vendor security considerations apply equally to the vendor's subcontractors.
- The vendor is contactable and provides timely responses and support.
- I have reviewed the vendor's security incident response plan.
- The vendor's employees are trained to detect and handle security incidents.
- The vendor will notify me of security incidents.
- The vendor will assist me with security investigations and legal discovery.
- I can access audit logs and other evidence to perform a forensic investigation.
- I receive adequate compensation for a security breach caused by the vendor.
- Storage media storing sensitive data can be adequately sanitised.