By Natalie Butler, Special Counsel

The Australian Government’s Certified Cloud Services List (CCSL) was rolled up in July 2020, not long after the finalisation of the Cloud Services Certification Program (CSCP) in March, earlier this year.  The CCSL and CSCP have been replaced by a guidance package for cloud security assessments recently released by the Australian Cyber Security Centre (ACSC).

In this article, I explore the relevance of cloud security assessments to Privacy Impact Assessments (PIAs).  I consider how strategic sharing and collaboration across cyber and privacy teams can help agencies ensure privacy risks are approached as part of a broader portfolio of enterprise risk.  Finally, I advocate for the better use of existing resources, such as cloud security assessments, in order to save time and manage costs associated with large-scale PIAs without compromising the independence or integrity of the PIA process.  But first, a little about conceptualising cloud projects and what privacy practitioners should know about the cloud security assessment process.

Putting Cloud in Context

When looking at cloud projects from a privacy compliance and PIA perspective, I find it helpful to approach the project from a very basic outsourced information technology (IT) perspective.  While cloud-based solutions and the associated contracting arrangements are often anything but simple, a solid privacy assessment begins with a simple picture of the cloud solution, the boundaries between key systems and identifying each of the ‘players’ and their respective roles and responsibilities.

The extent of outsourcing will depend on a combination of factors, most notably, the cloud service model in conjunction with the cloud deployment model.[1]  Consider, for example, whether it’s a Software as a Service (SaaS) model – with or without a Platform as a Service (Paas) component – and whether the solution will be deployed through a public, private or community cloud (or a combination of any of those options).  The ACSC guidance material includes a useful summary of cloud service models and common cloud deployment options and is an excellent place to start when sketching the outsourcing ‘footprint’ for a cloud project.

Armed with your first PIA artefact, the initial sketch of the cloud-based solution, you are well placed to frame some of the key questions to ask and the background material to be assembled for the purposes of a PIA.  Just don’t get too attached to that sketch … it will evolve for a variety of reasons!

ACSC describes cloud computing as having, at its core, an element of outsourcing IT capability to a Cloud Service Provider (CSP).[2]  ACSC goes on to observe that outsourcing will inevitably shift the level of control and oversight an entity has over its technology stack ‘since the CSP invariably dictates both the technology and operational procedures available to the Cloud Consumers using its cloud services’.[3]  What ACSC characterises as the ‘shift’ around control and oversight (and I’d add, the acceptance or mitigation of risks identified as a result of that shift, many of which will be explored in the context of the cloud security assessment) will be relevant to a privacy compliance analysis and the exploration of the broader privacy impacts of cloud-based initiatives.

About the Cloud Security Assessment Process

A Cloud Security Assessment is a risk-based review of a CSP and its cloud service offerings.  It is intended to help agencies form a view about whether a particular cloud solution is suitable for handling its data.  Government entities will continue to self-assess, or engage an IRAP[4] Assessor to assess, systems that have been deployed to the cloud and the associated security responsibilities.

Template reports and the assessment cycle

The outcome of the assessment will be documented using the new Cloud Security Assessment Report Template.[5]  The framework for the security assessment is reflected in the report template.

Individual CSPs and cloud services are expected to be assessed on a 24 month cycle, unless certain events trigger an earlier reassessment.  A reassessment can be focused on changes made to security-related features since the CSP or services were last assessed, along with any new cloud-based services available to the cloud consumer agency.

The close of the CSCP and CCSL has voided all previous cloud certifications.[6]  The utility and relevance of existing cloud security assessment reports (prepared in support of certifications and re-certifications that are now void) is a matter for each agency.  Agencies are expected to take a risk-based approach when deciding whether those reports continue to provide sufficient coverage.

The ASCS expects reports prepared against the new guidance framework will begin to be released around December 2020[7], noting that assessment schedules for cloud service providers vary.

Consistency and efficiencies through sharing Cloud Assessment Reports

Cloud Security Assessment Reports are intended to be shared across government to reduce duplication and inefficiencies caused by multiple entities or IRAP Assessors assessing the same cloud service.  However, there will be no central register of assessment reports.

Government agencies are expected to liaise with CSPs to find out whether another agency or IRAP Assessor has already assessed the cloud service and to use that report rather than performing an assessment of their own.[8]

The expectation that reports will be shared (and proactively shared in the case of updates and addendums) is a welcome development from a PIA perspective.  More on this shortly.

An iterative approach to the scope of the assessments

 IRAP Assessors will conduct a ‘full assessment’ of a CSP’s security fundamentals and in-scope cloud services.[9]  It is then open to a CSP to prepare an addendum to an IRAP report to capture any changes or updates to security features or particular cloud services.  The addendums will not be independently verified, but by making them available to government cloud consumers using the relevant cloud services, agencies will be better placed to keep up to date with developments, proactively manage changes that may impact on their security arrangements and continue to align cloud solutions with their agency’s risk tolerance.

Additional assessments (characterised as either supplementary, new or updated assessments) may be conducted by an IRAP Assessor or an agency.  These assessments may include an assessment of specific cloud services not previously considered or changes made to services that have an impact on the security posture reflected in the most recent Cloud Security Assessment Report.  Agencies are encouraged to share additional assessments with each other, as well as the CSP, to avoid duplication of effort.

Strengthening the cyber and privacy alliance

It’s not likely to come as any great surprise to many in the cyber, privacy or risk & compliance space that a Cloud Security Assessment and PIA have some common ground.  A cursory review of the Cloud Security Assessment Report template reveals many issues that are foundation facts for a PIA or are otherwise relevant to the privacy assessment.  Examples include, but are not limited to:

• CSP locality and ownership, including location of data centres and administrative support services;
• data protections, deprovisioning/ disposal, transfers and portability;
• protection of data at rest and in transit, encryption and key management;
• data back-up and restore arrangements;
• approach to identity and access management;
• tenancy segmentation/ segregation; and
• the shared responsibility framework which sets out the roles and responsibilities of the CSP, agency and any other parties involved in providing the cloud service.

Though the cloud and privacy assessments are each conducted through their own technical lens, the assessment reports should nevertheless be compatible.  By compatible, I mean, capable of being read together to provide a consistent and complementary narrative about data management in a cloud environment.  And so continues the theme of sharing reports to drive efficiencies and avoid duplication (and from a PIA budget perspective, to save money).

Sequencing and timing of assessments

Agencies may well be embarking on a cloud security assessment process in parallel with a PIA for significant technology solutions.  Where that is the case, privacy practitioners and cloud assessment professionals should be connecting with each other early.  Whether that’s just the in-house teams or will also include outside privacy counsel and independent security assessors is often a strategic and resource/ capacity driven decision.  The point is, talk early and talk often, to share information and stay across emerging risks and likely treatments.

TIP:  Consider the scope of work for external advisers and assessors.  Should there be an express reference to collaboration and engagement with other advisers (facilitated by agency personnel) to ensure the timely sharing of information and a consistent understanding of the cloud solution across cyber and privacy teams?

In my experience, how to best utilise a security assessment for a PIA will depend on the manner in which you approach, structure and budget a PIA project.

Foundation PIAs are especially valuable for significant IT solutions where the solution will, over time, be leveraged by other projects and expanded by additional use cases.  Addendum PIAs for new and enhanced features then build on foundation assessments to avoid duplicating an analysis of the privacy impacts of the underlying solution.  An iterative and scaled approach to PIAs is especially useful when the recommendations included in the foundation PIA have been accepted and/ or implemented by the agency and the PIA report continues to provide an accurate description of the underlying solution.

TIP: Consider foundation PIAs for significant IT solutions where the baseline solution will be leveraged by other projects.  Use PIA Addendums to ‘top up’ the analysis where new software is added or enhancements are made.

Where a PIA will focus on a particular application to be deployed to the cloud, will it include an assessment of the underlying cloud solution or will it build on an earlier foundation PIA?  For these projects, it’s highly likely the PIA will postdate the cloud security assessment which makes the security assessment report (or parts of it) important primary reference material.

A valuable PIA takes the security assessment into account

Maximising the value of a PIA as a design, risk management and compliance tool will depend, in part, on the extent to which it takes relevant parts of the security assessment into account.

It’s inevitable that a cloud security assessment report will only be shared on a need-to-know basis.  How the report (or information derived from the report) is shared is ultimately a question for the cyber and privacy teams to resolve.  However, strategic sharing of cloud security assessment reports is consistent with the objectives articulated by the ACSC.

TIP: If outsourcing the PIA, consider how you will share the Cloud Security Assessment Report.  Will you provide a copy, include relevant extracts with the briefing material or partner with a representative from the cyber team to provide privacy advisers with a background briefing about the report?

When done with the right protections, sharing the cloud security assessment report[10] is a sensible strategy to avoid PIA budget over-runs and promote consistency in terms of:

• characterising the cloud capability;
• the business application/ implementation of the solution;
• risk management approach; and
• the accountability framework that flows from the roles and responsibilities of each of the participants in the cloud-based solution.

Factual inconsistencies and assessment reports that are poorly aligned (or worse, contradictory) don’t tend to play out well when projects are subject to external scrutiny.  Nor should one assessment dictate the outcome and the recommendations of the other.

A privacy impact or a potential privacy compliance issue may have already been called out, and mitigated/ resolved, via a security assessment.  However, a PIA that looks beyond mere compliance to consider privacy perceptions and user experience, for example, may approach that same risk, and any treatments proposed, in a very different way.  That does not necessarily mean the two assessments are at odds with one another.

The practical reality is that a PIA that is not grounded in an understanding of relevant parts of a security assessment will ultimately leave work for someone else to do.  That’s ok, if there is someone in the agency who brings the cloud security assessment and PIA together, but that may not always be the most efficient and cost effective approach.  An integrated and collaborative approach to PIAs, on the other hand, will better position an agency to navigate:

• project specific recommendations which, if accepted/ endorsed by key stakeholders and business areas, may have broader implications for enterprise risk management; and
• inherited risk mitigation strategies that have themselves generated an unintended privacy impact or entrenched a known and previously accepted risk, but the volume and scale of the cloud-based activity has changed the risk profile.

Timely sharing of information, insights and risk mitigation strategies that stem from cloud security assessments and PIAs will enhance the combined contribution that these assessments make to your agency’s data governance and privacy risk management.

[1] The ACSC guidance material includes a useful summary of cloud service models and cloud deployment models.  See ‘Cloud Computing Security Considerations’, April 2020 https://www.cyber.gov.au/acsc/view-all-content/publications/cloud-computing-security-considerations (accessed 5 August 2020), pp2 – 3.

[2] Australian Signals Directorate and Australian Cyber Security Assessment, Anatomy of a Cloud Assessment and Authorisation, July 2020, p1 https://www.cyber.gov.au/acsc/view-all-content/publications/anatomy-cloud-assessment-and-authorisation (accessed 5 August 2020).

[3] Anatomy of a Cloud Assessment and Authorisation, p1.

[4] Information Security Registered Assessors Program (IRAP).

[5] The template report is available at: https://www.cyber.gov.au/acsc/view-all-content/publications/cloud-security-assessment-report-template

[6] Could assessment and authorisation – frequently asked questions (ACSC FAQs) https://www.cyber.gov.au/acsc/view-all-content/publications/cloud-assessment-and-authorisation-frequently-asked-questions (accessed 5 August 2020).

[7] ACSC FAQs.

[8] ACSC FAQs.

[9] ACSC FAQs.

[10] Consider the adequacy of panel arrangements which impose contractual obligations of confidentiality, legal professional privilege, non-disclosure agreements and/ or security clearances.