The Commonwealth government’s secure cloud strategy may be trying to clear out a cloud-services certification logjam, but worrying cloud malware figures suggest that agencies face an uphill battle sifting through an ever-expanding array of options to match the policy’s goals with the technologies they actually implement.
Shepherded by the Digital Transformation Agency (DTA), the new secure cloud strategy “focuses on what will make it easier for government agencies to use cloud services”, the agency said in introducing the new policy.
The secure cloud policy lists the balancing of security and opportunity as a key government goal, highlighting a certification model that it says “gives government agencies more clarity on the role those practices and the Australian Signals Directorate (ASD) will play in their decision making.”
The new guidelines are also heavy on compliance, with a common framework being developed to help all agencies assess and record cloud services information. A responsibilities model helps agencies clarify responsibilities and streamline contract management.
Delays and “frustration” due to the government’s previously implemented compliance model – based on the Certified Cloud Services List (CCSL) used to track ASD security certification of cloud products using IRAP processes – identified the process as a roadblock to greater cloud usage and led the government to review the process by which cloud services are evaluated.
Agencies will follow the IRAP take a greater role in cloud-security assessments, allowing them to use existing assessments as baselines for reuse. Also aiming to speed the process, agencies can already access the DTA’s cloud-testing proving grounds at cloud.gov.au, where more than 80 applications are in development or non production.
Even as the government works to improve its agility around secure cloud processes, it and other cloud adopters will need to consider their methods for managing the data even on services that are held to be secure.
A recent study by Bitglass, for example, analysed data stored in customers’ cloud environments and found that an average of 44 percent of its customers had malware in at least one of their cloud applications. This included 55 percent of OneDrive users, 43 percent of Google Drive, and 33 percent of Box and Dropbox users.
The average organisation was using almost 450,000 files in the cloud, with 1 in 20,000 containing malware, according to Bitglass’s analysis. Some 42 percent of the infected files were scripts and executables, while 21 percent were Office file formats, 10 percent Windows system files, 8 percent compressed formats, and 19 percent other file formats.
The prevalence of such files is a cautionary note for government agencies that take the new cloud strategy as carte blanche to double down on their cloud investments – which, according to Gartner’s recent 2018 CIO Agenda Survey of 3160 CIOs in 98 countries, will be driven by a need to leverage open data and analytics capabilities in the quest to realise digital transformation that was ranked as the most important government IT priority (named by 18 percent of respondents).
Reflecting the challenges that government CIOs and CSOs face, the next two top priorities were security, safety, and risk (named by 13 percent of respondents) and governance, regulations and compliance (12 percent).
"Government CIOs have conflicting priorities — to bring transformative change to their organizations, while pursuing compliance-oriented priorities," said Rick Howard, research vice president at Gartner in a statement. "They will need to work constructively with other business leaders to agree how to balance risk and innovation to support digital transformation."
Technology initiatives and improvements were named as the top priority by 11 percent of respondents, with cloud services and solutions the top-ranked technology priority. Fully 17 percent of government CIOs expect to boost spending in cyber and information security – and vendors have been lining up to provide options for government agencies that face pressure to be more dynamic and responsive.
Palo Alto Networks, for example, is taking the wraps off of its Next-Generation Security Platform. Barracuda Networks debuted expanded public-cloud management capabilities, while Gemalto extended its [[xref:https://safenet.gemalto.com/data-encryption/ |SafeNet data encryption tools to natively integrate with Google Cloud.
BMC’s recent Multi-Cloud Survey picked up on the confusion caused by competing pressures, with 57 percent of Australian respondents admitting they don’t know how much their business is spending on cloud services – well ahead of the 40 percent globally.
This suggests that cloud deployments are widely decentralised and poorly controlled – which has implications for the security goals set out in the new government policy. Despite this shortcoming, however, respondents named the implementation of security and governance policies within the cloud as the most important focus over the next few years.