Managing cloud data risks — protected cloud certification

Macquarie Government
By Derek Fittler
Monday, 18 June, 2018

Commonwealth agencies are responsible for managing the risk associated with the loss of any information they hold.

All ICT systems used by federal government agencies in Australia are required to comply with common rules to ensure they are safe and secure. Agencies must certify that their systems, including cloud and protected cloud environments, meet these rules. The rules are set out in the Information Security Manual (ISM) produced by the Australian Signals Directorate (ASD).

Data is classified on a scale from unclassified to top secret, depending on the consequences of damage from unauthorised compromise or misuse of the information. The more sensitive the data, the more restrictive the controls to minimise the risk of unauthorised compromise or misuse.

Government departments and agencies are responsible for:

  • Assessment of the suitability and implementation of security measures.
  • Certification that the ISM security controls are implemented effectively and identifying any residual risk.
  • Accreditation that any residual risk is recognised and mitigated, and this is accepted by the agency.

If the agency uses an external supplier, then the agency must satisfy itself that it has managed its risks with those elements of its ICT systems that it has outsourced.

Rules for the cloud

When it comes to cloud, the ASD provides additional guidance to help agencies understand how to meet their obligations.

ASD has recently published a guide to the process for cloud certification, Anatomy of a Cloud Certification (PDF). The guide highlights the three-step process for accreditation:

  1. Independent Security Assessment — performed for a cloud services provider (CSP) by a registered InfoSec Registered Assessors Program (IRAP) assessor contracted by the CSP to review its own environment.
  2. Certification by the agency formally recognising and accepting the security measures for a system, as implemented effectively and identifying the residual security risks.
  3. Accreditation by the agency to accept the residual risks.

Agencies may rely on the independent security assessment of an IRAP assessor and use a cloud service not on the Certified Cloud Services List (CCSL). The IRAP assessor (as noted by ASD) is engaged by and paid for by the cloud provider. The IRAP assessor validates that it is satisfied the provider meets the relevant security controls in the ISM; or, for those parts that do not specifically comply, alternative controls to satisfactorily mitigate risk have been implemented.

The agency then needs to perform both the certification and accreditation roles as part of the sign-off.

The IRAP assessment might give the agency additional comfort, but the assessment is paid for by the provider; therefore the assessment process is not fully independent, and applies only to those parts of the service the provider has asked to be accessed. Ultimately the risk remains with the agency.

The CCSL ‘gold standard’

The gold standard of certification is inclusion by the ASD on its CCSL. To support adoption of cloud services by government, ASD implemented an initiative under the ISM to certify cloud service providers that met the relevant security controls for a data classification. The CCSL lists ASD-certified cloud providers for Unclassified DLM and PROTECTED data classifications.

ASD examines the IRAP assessment and the provider’s environment and makes an independent decision about whether the service complies with the ISM, or that it has sufficiently mitigated any risk not specifically compliant with the ISM. As Anatomy of a Cloud Certification makes clear, this is more than just ticking off a checklist:

“Inclusion on the Certified Cloud Services List demonstrates that ASD has certified the CSP. ASD certification of cloud services includes confirmation of physical, personnel and information security requirements as detailed in the Protective Security Policy Framework and ISM, including on-site inspections. It is not merely a compliance exercise.

“ASD also calls out that the duration of the CCSL certification process is highly variable, and in some cases may never be achieved if the service cannot meet the minimum required standards for protecting government information.”

As government agencies increasingly adopt cloud services it is critical to ensure that the security risks are properly assessed, certified and accredited. The gold standard of the ASD CCSL, with its independent government assessment, will continue to be a key differentiator for agencies in managing their risk position and getting the best outcome for Australia.

Macquarie Government was the first Australian cloud certified by ASD, and is listed on the CCSL for Unclassified DLM and Protected cloud services — read more about its government protected cloud at

Macquarie Government strengthens cybersecurity capability with FireEye partnership

Macquarie Government has recently partnered with cybersecurity company FireEye to extend its suite of advanced cybersecurity solutions for government.

FireEye is an intelligence-led, NASDAQ-listed security company that helps government organisations globally protect nation-state secrets and critical infrastructure, and counter new and evolving cyber threats.

“We are delighted to leverage the economies of scale of our government cloud to offer affordable advanced-email security to all federal and state government customers,” said Aidan Tudehope, Macquarie Government’s Managing Director.

As part of the ASX-listed Macquarie Telecom Group, Macquarie Government provides cloud and security solutions to Australian government organisations. With data centres in Canberra and Sydney, Macquarie Government’s cloud is certified by Australian Signals Directorate’s (ASD) for classified (PROTECTED) workloads and has over 100 Australian Government cleared NV1 engineers and architects.

Derek Fittler is National Director for Macquarie Government, and its local senior executive in Canberra. He has been with Macquarie Telecom Group for more than 16 years, serving in a range of roles from legal to sales to commercial. He owns strategy for Macquarie Government’s engagement with the public sector, and has responsibility for all panel and head agreement commercial arrangements.

Image credit: ©

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.

Related Sponsored Contents

IRAP Assessed Cloud Collaboration for Federal Government

Now is not the time to compromise on security.

Shifting to cloud? Don't leave your documents behind.

Balancing risk with agility for better government services.

How Spatial Data Is Helping Government Plan More Sustainable Communities

Spatial technology company Aerometrex has developed a diverse suite of climate change mitigation...

  • All content Copyright © 2022 Westwick-Farrow Pty Ltd