ACSC Signals Importance of Australian Owned and Operated Clouds

CommandHub welcomes the new Cloud Assessment and Authorisation Framework released today by the Australian Cyber Security Centre. (The ACSC is the Australian Government lead agency for cybersecurity and is part of the Australian Signals Directorate based at the Australian Security Intelligence Organisation in Canberra.)

While oriented to Federal Government Agencies, we believe this is a major step in the next stage of digital transformation and is of considerable relevance to both government and the corporate sector for sensitive information.

CommandHub was pleased to have had the opportunity to participate in the Industry Consultation process that informed the development of the new cloud assessment framework, and both CommandHub and its hosting partner are fully compliant with the new process.

ACSC Key Points

Some of the key ACSC points relate to Foreign Ownership and Operational Risks:

  • “The ACSC recommends Cloud Consumers use Cloud Service Providers (CSPs) and cloud services located in Australia for handling their sensitive and security-classified information. CSPs that are owned, based and solely operated in Australia are more likely to align to Australian standards and legal obligations, and this reduces the risk of any data type being transmitted outside of Australia. These CSPs are also less susceptible to extrajudicial control and interference by a foreign entity. This could include a foreign entity compelling a CSP to disclose its customers’ data unbeknownst to its customers. This can include foreign-owned CSPs that provide cloud services in and from Australia.”
  • “The ACSC considers that the involvement of CSPs who are likely to be subject to extrajudicial directions from a foreign government that conflict with Australian law, may risk failure to adequately protect Australian Government data from unauthorised access or interference.”
  • “Foreign-owned CSPs, including those located in Australia, present additional risks that need to be considered as part of the overall risk posture. This includes foreign ownership, foreign interference and extrajudicial control over the CSP’s operations and data holdings.”