AGIMO DRAFT REPORT ON CLOUD SERVICE PROVIDER CERTIFICATION REQUIREMENTS. AIIA Response

Transcription

1 AGIMO DRAFT REPORT ON CLOUD SERVICE PROVIDER CERTIFICATION REQUIREMENTS AIIA Response 10 February 2013

2 INTRODUCTION AIIA welcomes the opportunity to provide comment on AGIMO s draft report on cloud service provider certification requirements. AIIA Cloud Special Interest Group, chaired by Fujitsu, has reviewed the draft and provided some comprehensive feedback. Individual members may also respond to AGIMO in their own right. The Australian Information Industry Association (AIIA) is the peak national body representing multinational and domestic suppliers and providers of a wide range of information technology and communications (ICT) products and services. We represent over 400 member organisations nationally, including global brands such as Apple, EMC, Fujitsu, Google, HP, IBM, Intel, Microsoft and Oracle; international companies including Telstra; national companies including Data#3, SMS Management and Technology, Technology One and Oakton Limited; and a large number of ICT SME s. SUMMARY FEEDBACK When setting objectives to encourage the uptake of cloud, government should orientate policies towards where industry will be five years from now, to ensure they remain appropriate in what is a challenging and fast moving environment. We understand Government is challenged to make the right decisions in this fast moving environment. Policy makers must be careful to intervene only where there is a clear opportunity to add value and address future market failure this is particularly true of cloud computing because of its dynamic and evolving nature. AIIA recommends AGMIO engage with equivalent state based government groups who are embarking on similar initiatives. Ensuring a national approach to assurance / certification will reduce duplication and costs and support harmonization with global markets. As cloud relies on economies of scale, service providers who make the investment for any certification would prefer to be then able to address a national market at least and prospectively also global markets. If the Commonwealth Government develops a unique certification requirement then the full benefits of cloud may not eventuate for all. An example is the recent NSW Government announcement attached. AIIA considers that the proposed approach which places emphasis on local standards, restrictions and government mandated limitations is significantly at odds with the adaptive, market-supportive strategy outlined by the Department of Broadband, Communications & the Digital Economy. Page 2 of 12

3 We congratulate the Government on its continuing efforts to secure efficiencies in the assessment and procurement of cloud computing offerings for use by departments and agencies. However, the proposed two stage process outlined in the draft report raises a number of significant and fundamental concerns for industry which are summarised below: 1. The five options considered in the draft do not in our view represent a comprehensive or complete range of the possibilities open to government. AIIA has proposed an alternative option that we believe addresses the needs of government whilst not unduly restricting nascent cloud services. 2. AIIA considers that the proposed strategy, based fundamentally on certification that aims to centralise and automate the process of managing cloud risk, is ill advised at this early stage of market development. The consequence for government of the proposed approach will be unnecessary limitation in the range of services available, additional cost and burden on cloud service providers. 3. Applying certification requirements to DCaaS offerings would impose an additional cost burden on all service providers, lower the potential economic viability of an already marginal business thereby reducing the number of potential market participants and represent an unwise first target for accreditation or baseline model for a future framework. 4. The proposed approach is inconsistent with the inherent dynamics of cloud service provision and consumption, which require both more sophisticated risk management frameworks on the consumer side as well as greater understanding of local requirements and commercial adaptation to the local market on the provider side. AIIA suggests a pathway for both sides to learn from each other in developing a mutually beneficial framework. The Commercial Service Provider Assurance Framework (CSPAF) referenced appears to address a separate and very specific government to citizen use-case that may or may not even be delivered as a cloud based service. AIIA views it having limited relevance for AGIMO s proposed scenario. Our view is that extending the restrictive CSPAF as proposed would result in an unworkable means of compliance for the IT industry and deny agencies the broadest contestable market. The approach that AIIA proposes as an alternative way forward is quite simple: i) In the short term, establish a working group that comprises representative local and global cloud providers, a representative sample of agencies that seek to procure and utilise cloud services along with key stakeholders from government including DSD and AGIMO. A possible charter for this working group is described later in the document. Page 3 of 12

4 ii) In the medium term, leverage the working group above and other resources to establish a framework that aligns Australian requirements and global practices. AIIA considers that the proposed approach which places emphasis on local standards, restrictions and government mandated limitations is significantly at odds with the adaptive, market-supportive strategy outlined by the Department of Broadband, Communications & the Digital Economy. We believe our alternative approach is more reflective of a genuine government-industry partnership as sought by Prime Minister Gillard in her speech at the Digital Economy Forum in October We believe it will maximise the benefit of perhaps the most significant advance in information technology for all of the Australian government, for business and for consumers. EXPANDED FEEDBACK Better approach required: Streamlining the evaluation process for a growing pool of cloud candidate offerings may have merits. Nevertheless we caution against an over-ambitious first attempt to apply prescriptive means of compliance against a highly diverse set of offerings that are not yet systematically or systemically described. Cloud computing has developed from the premise that standardisation coupled with scale (and hyperscale in some cases), can provide an economically attractive alternative means of sourcing IT requirements. Cloud computing offerings continue to develop apace addressing the current and emerging gamut of typical IT operations and business services within agencies. This evolution tends to confound simplistic risk categorisation based on a series of presently described prescriptive security requirements. We note that there is no indication in the document of the need to have a clear understanding of various cloud offerings and capabilities that would make it easier to perform a comparative evaluation. Certainly, AIIA sees the development of a consensus-agreed taxonomy or terminology for cloud services being of value. Members of the ICT industry have noted a similar desire amongst large commercial organisations to streamline the process of cloud selection and procurement especially by organisations in the financial services industry where risk management is a core business competency. In this sector the approach to cloud risk assessment has been conservative with the application of a case-by-case risk assessment of the many cloud proposals. In addition individual firms, together with the industry as a whole, have maintained a supporting, rolling review of assessments to identify logical groupings of services and risk patterns that can then be used to identify future opportunities for more streamlined assessment. Suggested action: We encourage AGIMO to consider a similar approach to that adopted in the financial services industry by following the Protective Security Policy Framework (PSPF) Page 4 of 12

5 requirements for agency risk management in respect of specific cloud proposals. We would further encourage AGIMO to take a lead role in harvesting learnings from these individual assessments across government to identify natural groupings or patterns of cloud risk that might be incorporated into some form of consolidate guidance. DCaaS is not an appropriate foundation: The DCaaS is a mechanism established to assess the feasibility of applying cloud computing to the long-tail problem of IT contracting where the market descriptively involves a high value by contract number but low individual and aggregate value of service provision. Although no specific numbers have been published to date, the IT industry is conscious that agency uptake has been low. This suggests that the mechanism remains unattractive to agencies at this point. Certainly the work involved to set up and operate such cloud offerings without any indication or commitment of agency demand and at a maximum price point of $80,000 already imposes severe economic limitations on suppliers. Consequently providers have had to make in good faith investment decisions to participate and the extent of market provision is yet to stabilise. We suggest that the additional burden of the type of certification implied in the draft would further erode the viability of the DCaaS rather than enhance it. The UK G-Cloud initiative pursues a similar objective and has already developed a certification program to underpin this App store approach. However as outlined in a study paper by Queen Mary University of London School of Law 1, it has already become clear that a significant cost and resource burden challenges suppliers contemplating selling under this regime. DCaaS has a defined narrow scope specific to a particularly IT-centric scenario. It does not provide a solid foundation for a framework to evaluate such divergent cloud services as citizen-relationship management, or social networking within the enterprise. Extending scope of CSPAF ill-advised: The Commercial Service Provider Assurance Framework (CSPAF) addresses a very specific use case - citizens using government services in a particular scenario around authentication and secure mailbox. Our understanding is that it was not constructed to address the circumstances of government using cloud in support of its own broader technology requirements. The actors and transactions and hence the risk profiles of cloud scenarios are likely to diverge very widely from this narrow use case. 1 Queen Mary University of London, School of Law, Legal Studies Research Paper No 115/2012 UK G-Cloud v1 and the impact on cloud contracts. W Kuan Hon; Christopher Millard; Ian Walden Page 5 of 12

6 For this reason we believe that the CSPAF is unsuitable for application to cloud accreditation for the purpose envisioned by AGIMO. In particular, we refer to the following key challenges with this proposed approach: i. The CSPAF s definitions of Digital Mailbox and Digital Vault embrace the specific requirements of a personal vault concept and would not suitably reflect the broad range of cloud service descriptions likely to interest government agencies. ii. The identity component of the CSPAF is based on references to early works in progress and does not represent a fully developed basis on which to support any accreditation scheme. The DVS, for instance, is currently a government runway to validate the authenticity of a paper-based ID credential and only lightly utilised within government. The National Trusted Identities Framework (NTIF), although a welcome initiative with considerable merit, is currently at the early exploratory stages of development and lacks a formal work stream. Additionally, the NTIF proposes an approach to claims-based ID that runs counter to the remainder of the ID and security approach in the CSPAF thereby establishing an apparent internal consistency. iii. Encryption requiring Public Key Infrastructure (PKI) must comply with Australianspecific Gatekeeper requirements which not only precludes any global IT cloud vendors from providing services involving PKI but also encumbers local providers with a significant cost burden. iv. No commercial model reflecting the cost of ID provisioned and risk apportionment for the operation of such an Assurance framework has been articulated and therefore its viability and the potential imposts for stakeholders are unknowable at this point. v. We provide additional detailed, line item feedback in Appendix 1 at the end of this document and refer the reader to this for specific details. A PROPOSED ALTERNATIVE APPROACH AIIA does not consider that the options presented in the draft paper represent a complete articulation of the possible range of approaches, nor do we consider the proposed preferred option of extending the DCaaS MUL or the CSP Assurance Framework is the right course for the Australian government to take. We would however like to suggest a possible alternative approach based on a set of principles that can enable a consistent evaluation of cloud service options. Start with principles as a basis We suggest that any framework to facilitate evaluation and adoption of cloud services by government agencies should be founded on a set of core principles, including: Page 6 of 12

7 1. Assume a collaborative approach. Collaboration between industry and government including user-agency representatives will be critical to ensure that the benefits and risk of cloud based IT service delivery is maximised for government and the stakeholders of government 2. Least possible infringement on innovation and choice: Cloud computing services are an emerging industry that offers tremendous potential benefit for government. It incorporates a wide variety of services, mechanisms for delivery, underlying technologies and commercial models. Any artificial limitations imposed through policy or regulation will inhibit necessary market innovation on one hand, and lessen the compelling value of cloud services on the other. 3. Standardisation where applied, should be globally relevant not locally biased: To secure maximum efficiency and resilience, cloud services are often standardised at a global level, even if delivered from a local data centre. Where possible, any unique requirements should be identified in a way that enables separate use cases to be isolated and accommodated without impacting the benefits of broader standardisation. Introducing unique local regulations or requirements will diminish the potential for a wide range of cloud providers to offer services locally. For Australian based cloud service providers, Australian-specific requirements may in the short term help restrict competition, but in the long term will hamper their ability to compete in an increasingly global market. 4. High standards of business conduct and demonstrated openness are paramount: Many of the operational, security, privacy and commercial protections of a cloud service consumer are embodied in commercial contracts and the business practices of the cloud provider. Transparency and accountability in these practices is essential and cloud providers should be prepared to table their practices in an open way that encourages scrutiny. The Cloud Security Alliance STAR registry is a positive example. 5. Security controls should be appropriate to cloud services and proportional to the risk: Traditional security controls and frameworks such as the Federal Information Security Manual are premised on agencies having direct control over the technology and controls supporting a particular IT service. These prescriptive approaches do not translate well into the circumstances of multi-tenancy, virtualisation and georedundancy that are features of cloud services. Achieving the right level of security protection in cloud services requires different types and mechanisms of control than Page 7 of 12

8 would be expected for an on-premise or hosted system. It is not possible to sensibly apply many of the controls with the ISM to a cloud service. 6. Treat assessment holistically. Certification and assurance should advance from a sound understanding of the stakeholders, assets and transactions. Risk should be apportioned and addressed by the entities most able to address it. Instantiate a framework embracing stakeholders, assets and risk The framework approach outlined in the Service Provider Certification Requirements for Australian Government (SPCR) and the Commercial Service Provider Assurance Framework (CSPAF) attempts to outline a set of prescriptive must haves rather than setting out a clear way of understanding the stakeholders, their relationship and responsibilities to each other, the information, and the risk associated with their interaction. An alternative model would look to bring together the three groups of stakeholders that each brings their perspective to a cloud option: 1: Government Protective security frameworks, such as the Business Impact Level models defining impact characteristics of information assets Sundry policies and constraints determining the boundaries of acceptable risk. 2: An agency cloud acquirer A set of business capability requirements A budget 3: Cloud computing vendor A prescribed set of offerings (service descriptions) A set of contractual undertakings A set of controls implementing these undertakings Possible 3 rd party attestations of performance against them Viewing the decision making more holistically like this will then enable AGIMO to describe the outcomes required, the limitations or parameters imposed by various government and related requirements and set the boundaries for a more targeted, streamlined risk assessment process. Page 8 of 12

9 Build out a clear risk evaluation path and process for agencies Industry accepts that government agencies need assistance to assess and evaluate cloud options and to assure themselves of an adequate level of security and operational reliability. It is therefore proposed that the following course of action be adopted: 1. In the short term, establish a working group that comprises representative local and global cloud providers, a representative sample of agencies that seek to procure and utilise cloud services along with key stakeholders from government including DSD and AGIMO. The charter of this working group would be to establish: a. Consensus principles of a framework that would enable government to more effectively and efficiently evaluate and risk assess cloud service options, while enabling the nascent cloud industry to develop, adapt and innovate b. Support the creation of risk management guidance and resources for the comparative evaluation of alternative cloud solutions, perhaps to include consensus agreed terminologies, taxonomies and evaluation templates. A set of evaluation guides based on a risk management approach could be developed by AGIMO together with the working group to help agencies interpret the relative merits of different cloud services and specifically assess issues like security, standards support, privacy protections, contractual processes, etc. c. It may be feasible to develop a standard format by which providers of cloud services can document the services that they provide to a minimal level of depth. This description could be comprehensive and document the types of services offered, operating models, security frameworks, privacy and data protection controls, etc. Importantly, it could detail whether specific international standards or frameworks are complied with such as ISO 27001, Cloud Security Alliance, etc. The government need not establish any formal registry as such, but it should be understood by the cloud provider industry that agencies or AGIMO may request the description documents during an evaluation or informal assessment of options. d. The group would build upon the Business Impact Level concept and other mechanisms from the PSPF to establish appropriate guidance for risk which would then inform subsequent candidate risk analysis. The DSD Cloud Computing Considerations could be reviewed to move beyond their quite narrow and restrictive beginnings. It is understood that the DSD guidance at present is built from a foundation of highest sensitivity to risk with an assumption of control over the physical and logical implementations. They may be appropriate for BIL levels 3+, but guidance for BIL 1-2 at the very least, should be developed with the working group. Page 9 of 12

10 2. In the medium term, leverage the working group above and other resources to establish a framework that aligns Australian requirements and global practices. In the end, the most efficient and effective outcome for Australian government will come about if this alignment exists. Local standards, local restrictions, local procurement nuances will only serve to increase the costs to government, limit the range of available choices and diminish the opportunities of local cloud service providers in the global market. Already the global market has coalesced around ISO standards and the Cloud Security Alliance. Australia s international allies have progressed cloud evaluations against mechanisms like Impact Levels in the UK and FedRAMP in the US. For Australia to invent a new framework would be counterproductive. Page 10 of 12

11 APPENDIX 1: Additional detailed feedback on specific line items. A review of both the Service Provider Certification Requirements for Australian Government (SPCR) together with Commercial Service Provider Assurance Framework (CSPAF) to which the former references has identified a number of inconsistencies. We have provided some examples below which, although not exhaustive, do indicate that the work stream requires considerable work. In referencing Business Impact Levels (BILs) in Attachment 3, The SPCS provides for a BIL 0. However, the formal description of these levels in the Attorney Generals public document of 21 June 2011 titled Protective security governance guidelines - Business impact levels makes no such reference. Page 8 of CSPAF describes requirements for Information Security Management Systems for LOA 1 and references requirements for DSD Cloud Computing Considerations as a baseline and the DSD Top Neither of these documents is actually control frameworks but rather guidance or discussion papers intended to precede a fuller risk analysis. Together with this DSD guidance, Page 8 of CSPAF for LOA 1 demands the requirement for documented Security Risk Management Plan including mitigation strategies. This presumably follows the Protective Security policy Framework (PSPF) requirement that agency heads ensure Risk Management principles are comprehensively applied within their agencies. However, if this is deemed necessary at the lowest LOA level, would it not be logical to subject all such cloud options to a snapshot Cloud Risk Assessment rather than trying to prematurely encapsulate the risk profile within an accreditation for a particular offering. The approach appears inconsistent. This would enable any risk to be identified formally, appropriate mitigations agreed and any necessary controls formalised with suppliers in a fully auditable way. These could later be formalised as natural patterns amongst cloud use emerge over time. Page 8 of CSPAF calls for I-RAP assessment for LOA 2. Cloud computing delivered by a supplier with infrastructure based outside Australia or even having infrastructure within Australia but servicing other geographies - either in a primary or failover capacity - would be unable to practically conform to this requirement. The multi- 2 Page 11 of 12

12 tenancy nature of cloud computing both at the infrastructure and the application layers means that it would be untenable for customer-led audits to be performed. For this reason many cloud providers have provided for third party yearly audits and made the results of these available publically. Given the market is already offering this form of attestation, would it not make more sense to cross recognise between government requirements and these? Page 8 of CSPAF demands encryption at rest as a base requirement for the lowest level LOA 1. In requiring encryption at this low risk level, government is imposing considerable cost burden to suppliers, and considerably narrowing the field of candidate suppliers and offerings which will tend to obviate the value of cloud as a service model. Additionally, the requirement for encryption at rest does not appear to recognise the need for complex key management in order to ensure any benefit and the cost and performance imposts this makes. Nor does it address the need for applications to operate on such encrypted data and hence the challenges of managing the trust chain in any processes involved together with attendant key management. Page 12 of 12