Operational resilience

February 27, 2018

The adoption of cloud services is core to the Australian Government’s digital transformation strategy. Cloud services yield faster service delivery for agencies and ensure organisations only pay for what they consume. Yet, this shift to cloud introduces a degree of risk and uncertainty that needs addressing, so let’s look at this risk in terms of merging the Government’s foremost cyber security advice with the Digital Transformation Agency’s cloud-first strategy.  Read more to understand how the ASD’s Essential Eight supports the Australian Government’s move to Cloud.

Digital Transformation – understanding the impact on cyber security

It’s no secret that government departments have to assure the data they handle, given much of this data is confidential employee or citizen data. When information is moved from a locally-managed datacentre, where the agency had full control of its ICT stack, to the cloud, physical systems might now be collocated alongside other customers’ systems.  Disparate software-as-a-service capabilities, sourced from multiple providers, will come together on the desktop or lower down in the stack.

Understanding who is responsible for which parts of any solution is important when it comes to cyber security, agencies need to de-clutter their thinking about all this new technology to focus on getting security right, no matter how the services are wired up.  Ongoing diligence is required as digital transformation will significantly change your cyber attack surfaces.

 Digital Transformation – Cyber Security clarity in the Cloud

clarity in the cloudclarity in the cloudLast year, the Australian Signals Directorate (ASD) published its flagship cyber security advisory, known as The Essential Eight: Strategies to Mitigate Cyber Security Incidents. In this publication they identify eight critical cyber security controls which they claim, if implemented, will protect an organisation from over 85% of attacks.  Yet, the move to as-a-service models literally clouds the understanding of what cyber security means to an organisation, so clarity is required.

Who is accountable for Cyber Security in the Cloud?

Some think that by outsourcing to a cloud provider, the old security considerations are no longer relevant, and now it will be the cloud service provider that keeps their data safe. This thinking is dangerous, you can’t simply outsource risk.  The majority of cloud providers protect only the containers their services reside in (i.e. the tenancies for any given service and customer). The important stuff (the data and configuration) within that container remains the responsibility of the client, and is normally excluded from any service contract.

An organisation’s compliance requirements against legislation and governmental rules won’t change, even when the way ICT is procured does. Organisations will remain accountable for their data.

Cloud Providers Responsibilities

If an organisation decides to move its Windows server infrastructure into the cloud, the hardware and management interface for these servers will be handled by the cloud provider. While that certainly reduces the organisation’s capital expenditure and operating overhead of running a physical datacentre, the configuration of Windows Active Directory, the group policy settings and management of antivirus software and systems patching absolutely remain the organisation’s responsibility. This is why transformation requires careful planning and implementation.  It’s not as easy as simply migrating from an on premise to a cloud based platform, maintained by someone else.

The importance of working with service providers

Organisations need to work with their cloud service providers to model the new paradigm.  They need to understand their changing risk profile and how to manage it.  Whether cyber security was previously provided in-house or outsourced to an MSSP, the same levels of monitoring and risk management within the cloud services is required.

Using the Essential Eight as a cyber baseline of controls any changes in security posture can be measured to ensure the maintenance of an appropriate and ongoing level of protection, even as the organisation’s  ICT infrastructure and software moves to the  cloud.

Digital Transformation – ASD Essential Eight Cyber Mitigation Strategies in the Cloud

ASD Essential Eight Security Controls

Looking specifically at each of the ASD Essential Eight security controls, they are just as relevant in the cloud as on premise in maintaining sound measures of an organisation’s security posture: 

Application Whitelisting

Application whitelisting should still be used to prevent unauthorised applications being installed on cloud-hosted systems. Just because it’s in the cloud doesn’t mean you can safely ignore this control. If you are using a cloud-hosted Windows server, it’s easy enough to use Microsoft App Locker as your initial defence.

Restrict Admin Privileges

As with Application Whitelisting, there are a few changes to consider in the approach to restricting administrative privileges as you move from an analogue operating model. You’ll need to ensure restrictions are afforded to all privileged accounts and control over system administrators activities is maintained.

 Patch Operating System

Patching the operating system protects it from known vulnerabilities. This becomes an issue where cloud systems are software-as-a-service (SaaS) rather than infrastructure-as-a-service (IaaS). If the software is delivered as SaaS, the service provider will be responsible for applying the patches themselves, but organisations should still ask for evidence of patch deployment.

At the IaaS level, patching remains the responsibility of the customer, so all cloud based servers need patch monitoring just like servers were in a local datacentre.

Patch Applications

Like operating systems, application patching needs to be monitored on a regular basis.   If a provider offers SaaS, it’s important that the customers know what’s happening across the environment  and have the providers regularly show evidence of good security hygiene. If the service is IaaS, again the agency is wholly responsible for application patching.

Disable Untrusted Microsoft Office Macros

Untrusted Office Macros can be problematic as they perform malicious actions on the supporting systems. If a desktop system interacts with a cloud server, a malicious script could easily harm that service.  Organisations, therefore, must expect to lock these down in a cloud environment, just as they would on a local ICT platform.

User Application Hardening

In an IaaS model, user application hardening is as important as it is for local servers. Nothing has changed, except the physical location of the server. Applications need to be locked down and made safe for users; a full review and uplift in security configuration should be undertaken by experienced security professionals.

Multi-factor Authentication

Multi-factor authentication is more important in the cloud than in a local system under an organisation’s control.  As every cloud-hosted service is accessed via the Internet, multi-factor authentication significantly strengthens the identity and access architecture layer of the enterprise.

Daily Backup of Important Data

If a failure results in an attack that renders a system unusable or its data corrupted, recovery remains an important matter. Many cloud service providers offer clients backup and recovery options on top of their basic service, and these options should provide visibility of the current state. If data is lost and cannot be recovered, the organisation will be significantly harmed.

Digital Transformation – The Cyber Security Catalyst

digital transformation catalystdigital transformation catalyst

Drucker famously said “you can’t manage what you can’t measure”.  The Essential Eight security controls are important measures of your entity’s posture, whether it’s IT operations are on premise or in the cloud.  As analogue business models transform to more scalable, flexible and cost effective platforms, the implementation and management of sound security policies and frameworks will remain the key enabler for cloud based operations.

With the ASD Essential Eight being recommended for adoption across Federal government and the commercial sector, compliance will be provide a true measure of an organisation’s cyber posture.  It will also be a vital management tool in the active ongoing pursuit of digital transformation.

Essential 8 Security Controls Compliance Guide


Related Cybersecurity Content


Read by directors, executives, and security professionals globally, operating in the most complex of security environments.