Non-sovereign clouds are not always suitable for security sensitive workloads


Analysis Highlights Security Shortfalls of ‘Global’ CSPs

Richard Holdcroft

Agencies managing Australian government data are being warned that non-sovereign clouds are not always suitable for security-sensitive workloads.

This was highlighted by a recent review of the IRAP assessment reports of multiple cloud providers, which revealed a number of deficiencies and compromises; customers should carefully consider the cyber risks they are being asked to accept, says Roland Chan, Product Manager at Vault Cloud.

“Analysis shows that the global cloud providers are falling short on key ISM controls, even though they may be assessed for handling data up to the level of Protected,” says Chan.

“This is understandable, given that they operate in over 150 different jurisdictions worldwide, and their business model must be based on a ‘lowest common denominator’ approach to standards.

“But it’s a totally different philosophy to that of Vault Cloud. All our systems are designed and built from the ground up specifically to meet Australian government protocols.”

Unacceptable compromises

CISOs and other IT leaders should be aware that not all IRAP certifications to Protected level are equal, Chan warns.

As one of the first cloud service providers to obtain an IRAP assessment from the Australian Signals Directorate, Vault says it provides on average 40% greater compliance with IaaS ISM controls ‘out of the box’ than other cloud providers, including the multinational players.

“There are three potential outcomes for an IRAP assessment of any given ISM control,” says Chan. “Either the cloud provider 1) has implemented the control, 2) has not implemented the control, or 3) has implemented an alternate control.

“And it’s with these alternate controls that things start to get really interesting for a customer. Some are barely acceptable, and for certain types of customers and workloads I don’t believe they are acceptable at all.”

A glaring example is the compromise made around employee screening and security clearances.

“The ISM stipulates that only personnel with appropriate security clearances should have access to data in a Protected-level solution,” says Chan. “So every Vault employee with access to our platforms and data is an Australian citizen who is based in Australia and holds the requisite security clearances.

“This is a security standard the global cloud players simply cannot meet given their follow-the-sun support model, which poses clearly unmitigated risks that are difficult if not impossible for customers to evaluate.”

The threat from within

Before using any multi-tenanted service, cloud or on-premises, for government or other security-sensitive workloads, government and business stakeholders should also consider the potential for bad actors to compromise the service from within.

Because anyone with an internet connection and a credit card can sign up to a public cloud service, attackers can easily deploy their own workloads onto the platform and probe from inside for vulnerabilities that let them reach the underlying platform and neighbouring tenancies, says Sebastian Phillips, Strategic Partner Manager at Vault.

“In a market where cloud services designed to Secret standards cost no more to operate than the lowest-level service on a public cloud, why would a business accept a lower level of security when the cyber threat landscape is worsening by the day?” says Phillips.

“If you’re a security-conscious customer, then you can substantially reduce your risk simply by choosing a cloud platform where random tenants aren’t allowed to exist right next to you,” he says. “It could make all the difference between your environment being hacked or not.”

Best of both worlds

For organisations that must report on the compliance of their IT environments, the costs of maintaining cybersecurity and compliance are far lower when those environments are housed on a cloud platform that is compliant by design and maintained, at a minimum, to the currently regulated levels.

In today’s multi-cloud ecosystem, where public cloud services offer enormous benefits to organisations, Vault provides products which enable customers to leverage all the advantages of industry-leading public cloud services while at the same time maintaining a consistent and enhanced security position.

Examples of these products include Secure Backup as a Service and Secure Container Cloud (SCC), which extend Vault’s security and compliance-by-design capabilities beyond the Vault IaaS platform and integrate with the public cloud in a single, consistent environment.

SCC automates the deployment and hosting of containers across multiple clouds, while providing a single tool set and a single control centre to drive the provisioning and maintenance of security and compliance from an open-standard platform.

Offering all the advantages of multi-cloud together with an ISM-compliant security posture for any level of data classification, SCC is a highly cost-effective solution for retrofitting security and compliance into non-compliant clouds.
