Cloud Compliance Myths

Halvard Skogsrud

@halvards

YOW! 2016 CTO Summit Sydney

Wednesday 7 December 2016

I've finished studying other companies' cloud migration strategies, 'close your eyes and hope for the best' seems to be the most popular.

Regulatory bodies and frameworks

APRA: Australian Prudential Regulation Authority

APP: Australian Privacy Principles

ASD: Australian Signals Directorate

BoQ takes $10m hit on Salesforce CRM. Regulatory hurdles end cloud pilot. Bank of Queensland has written off $10 million from a three-year trial of Salesforce technology for its customer relationship management (CRM) platform. The bank today advised that

iTnews, 27 February 2015

http://www.itnews.com.au/news/boq-takes-10m-hit-on-salesforce-crm-401001

APRA

Australian Prudential Regulation Authority


Myth

Offshoring and data centres

“Using a cloud provider that is incorporated in another country is considered offshoring by APRA regardless of where the data centre is located.”

Sources of myth?

  1. Prudential Practice Guide CPG 235 - Managing Data Risk: six of the eight mentions of "outsource" are written as “outsource/offshore”

  2. 2010 APRA letter to regulated entities carried the subject line “Outsourcing and offshoring - Specific considerations when using cloud computing services”

APRA Prudential Standard CPS 231: Outsourcing

Evidence against myth

APRA Prudential Standard CPS 231 - Outsourcing:

“Offshoring includes arrangements where the service provider is incorporated in Australia, but the physical location of the outsourced activity is outside Australia.”
“Offshoring does not include arrangements where the physical location of an outsourced activity is within Australia but the service provider is not incorporated in Australia.”

Myth

Business continuity

“APRA's prudential standards say we must be ready to move applications back in-house at short notice in case of a significant disruption at the cloud provider.”

Source of myth?

APRA Prudential Standard CPS 231: Outsourcing

“An APRA-regulated institution must be able to demonstrate to APRA that [...] it has taken into account [...] contingency issues in accordance with Prudential Standard CPS 232 Business Continuity Management should the outsourced activity need to be brought in-house”

APRA Prudential Standard CPS 232: Business Continuity Management

Evidence against myth [1]

APRA Information Paper: Outsourcing involving shared computing services (including cloud)

“[...] under CPS 231 and SPS 231, APRA-regulated entities must develop contingency plans that allow for the shared computing service to be transitioned to an alternative service provider (or brought in-house), if required.”

Evidence against myth [2]

No mention of "in-house" in CPS 232

“An APRA-regulated institution must maintain at all times a documented BCP [business continuity plan]”
“Where material business activities are outsourced, an APRA-regulated institution must satisfy itself as to the adequacy of the outsourced service provider's BCP”

Demonstrate Understanding

From 2010 letter on 'Outsourcing and offshoring - Specific considerations when using cloud computing services':

“In APRA's view, both materiality and risk assessments necessitate a detailed understanding of the [...] business processes [...], the technology architecture and the sensitive information [...] impacted by the outsourcing arrangement. APRA has observed that, to date, assessments of cloud computing proposals typically lack sufficient consideration of these factors.”

APP

Australian Privacy Principles

Myth

“The Australian Privacy Principles mean that personal information cannot touch servers outside Australia without first obtaining the individual's consent.”

Source of myth?

APP 8: Cross-border disclosure of personal information

“8.1: Before an APP entity discloses personal information [...] the entity must take such steps [...] to ensure that the overseas recipient does not breach the Australian Privacy Principles”
“8.2: Subclause 8.1 does not apply [...] if [...] the entity expressly informs the individual [...] [and] the individual consents to the disclosure”

'Use' or 'disclose'?

APP 6 guidelines: Use or disclosure of personal information

“An APP entity 'uses' information where it handles [...] the information, within the entity's effective control.”
“An APP entity 'discloses' personal information where it makes it accessible to others outside the entity and releases the subsequent handling of the information from its effective control.”
“[...] the distinction is relevant to [...] the disclosure of personal information to an overseas recipient.”

'Use' or 'disclose'? [2]

APP 8 guidelines:
Cross-border disclosure of personal information

“[...] routing personal information, in transit, through servers located outside Australia, would usually be considered a 'use'”

ASD

Australian Signals Directorate

Myth

Multi-tenancy and virtualisation

“The Australian Signals Directorate (ASD) does not allow government agencies and departments to use shared multi-tenant hosting due to the risk of breach from a compromised tenant.”

Source of myth?

ASD Cloud Computing Security Considerations (Sept 2012)

“For Infrastructure as a Service, the virtualisation software [...] was typically not originally designed to provide segregation for security purposes.”

Virtualisation advice

From ASD's Information Security Manual - Controls:

“When using a software-based isolation mechanism to share a physical server's hardware, agencies must ensure that:
  • the isolation mechanism is from a vendor that uses secure programming practices [...]
  • the configuration of the isolation mechanism is hardened [...]
  • [...]”

Virtualisation risk

From ASD's Cloud Computing Security for Tenants:

Risk: “Tenant's data compromised by another malicious/compromised tenant”

Mitigation: “Use multi-tenancy mechanisms provided by the CSP [cloud service provider] e.g. to separate the tenant's web application and network traffic from other tenants”

Interesting quote

From ASD's Cloud Computing Security for Tenants:

“Organisations need to perform a risk assessment and implement associated mitigations before using cloud services. [...] Organisations need to compare these risks against an objective risk assessment of using inhouse computer systems which might: be poorly secured; have inadequate availability; or, be unable to meet modern business requirements.”

Read the policies yourself!

Most of what you hear is interpretations of policies.

Thank you!

Halvard Skogsrud

@halvards

https://halvards.github.io/yow-cto-summit-2016/

APRA References

APP References

ASD References