The internet has had a profound and positive impact on our personal and professional lives in terms of connectivity and efficiency, however, it is not without risk. Having one's private information stored remotely on the cloud can put them in a vulnerable position as hackers, companies and spy agencies seek to get hold of that information for monetary or intelligence gain.
The ramifications of having a data breach are ten-fold for government agencies who handle sensitive information such as personal, financial or criminal records. Even a minor breach has the potential to put a country’s security at risk or damage the valuable trust that exists between a government and its citizens.
Currently, there are more than 44 million items of content on federal government sites in Australia and more than 1,200 federal government websites. Given this volume, and the extensive travel schedule of politicians, staffers and workers in government agencies, having access to data stored on the cloud while being on the move is critical. However, is the convenience worth the risk?
Understanding the risks
In order for government agencies to utilise the cloud, it is vital that they understand the risks involved and the sentiment of the citizens they serve, many of whom feel uneasy over the prospect of their private information being stored on the cloud. Results of the 2017 Australian Community Attitudes to Privacy Survey revealed that 93% of Australians don’t want their data to be stored overseas and 73% don’t want their data shared with other organisations.
A safer path towards the cloud
With digital transformation being a top priority for government departments at all levels, the selection of the most secure cloud provider and cloud service via a rigorous, systematic procurement process is vital. This is because while control of private data is transferred to the cloud provider, the risk and ultimate responsibility remain with the agency owning the data.
One method developed by government cloud experts for measuring engagement and assessing risks on providers is called PAAM. The methodology of PAAM (Plan, Assess, Acquire and Manage) brings a deeper understanding of risks involved and improves management of these risks. Risk cannot be managed if it is not discovered, understood and monitored. A risk in one domain, such as security, can have impacts on the effectiveness of other domains such as legal and regulatory. Therefore, risk cannot be considered in isolation.
The methodology forms a staged approach that acts as an enabler for government departments and Agencies to bridge the gap between the intent of a cloud strategy and the security measures required to operate it securely.
Plan: Planning is the most critical aspect of cloud adoption. It sets the target state, the business goals, and defines the answer to the question ‘where do we want to be?’. Planning starts by identifying strategic business drivers, including key stakeholders and the targeted end state from a business outcomes perspective.
Assess: The Assess phase is the most effort intensive aspect of PAAM. It is the key activity in defining the target state’s legal, technical and security viability and shapes the plans for realisation.
Acquire: Once the target state has been defined, validated and a comprehensive assessment has been conducted, legal counsel is engaged to ensure that terms are incorporated into the contract allowing for management of identified risks, and ensure contractual terms are technically and strategically effective.
Manage: Manage is critical to the business realisation of the target state defined in the Plan stage. Cloud is an ongoing monitoring challenge for any organisation that manages classified, legal, or sensitive data (including that of private citizens). The data owner retains risk for the operation of the cloud deployment regardless of cloud provider, as such monitoring of the service in an ongoing manner is crucial to determine any changes in risk.
Implementing a process such as PAAM rather than a set-and-forget mindset can ensure organisation partners with the most appropriate cloud partner in the first instance but also has a system in place to ensure their strategy can evolve with constantly changing regulatory and security requirements.
Article by MNTR director - Cyber Security Practice, Ash Smith.