GCSB HQ, Wellington. Credit: Supplied

The Government Communications Security Bureau has issued guidance highlighting public cloud risks that need to be understood and managed.

A new chapter added to the agency's information security manual said public cloud services could provide government agencies with significant security benefits when adopted in a "controlled and well understood manner".

"Due to differences in how cloud providers operate, there is no single model that can fully describe the boundary between agency security responsibilities and those of the cloud service provider," the guidance said. "Cloud service provider responsibilities may even vary between their different service offerings."

The significant security benefits of cloud included: a pervasive identity and authorisation model; consistent, software-orchestrated environments running immutable workloads; automated responses to security incidents or misconfigurations; and scalable logging, monitoring and audit.

However, public cloud also introduced new areas of risk such as a significant reduction to barriers limiting the movement of agency data across legal jurisdictions.

Cloud service provider self-service tools could also be subject to manipulation, impacting agency infrastructure, and cloud-based systems were typically accessible from the internet unless controls were put in place.

"Agency data is stored on shared platforms, in multiple locations, with agencies ultimately being accountable for ensuring information is secured," the new chapter advised.

"Cloud environments present large, high value targets, where single exploits can impact large numbers of customers."

Cloud services were also easier to consume without needing to involve common governance processes, such as change control, increasing the risk of using shadow services without adequate information security controls.

Public cloud also potentially introduced fiscal risks.

"On-demand services, coupled with rapid-elasticity, can lead to inappropriate use of agency cloud environments," GCSB warned. "Agencies are responsible for tracking billing and usage metrics and ensuring appropriate controls are in place to manage fiscal constraints."

The use of public cloud services created a unique threat environment, the advice said. This included access to the underlying infrastructure by the public cloud service provider's systems and staff, and security controls defined and implemented by the public cloud service provider rather than the agency.

The ease of extending access to third parties, including to third party applications, through in-built federation and directory integration services in public cloud also posed a potential threat.

In August 2013, the government established a "cloud first" policy and an all-of-government direction to cloud services development and deployment. This set an expectation that agencies would adopt approved cloud services when faced with new procurements or extending contracts.

In July 2016, cabinet agreed that agencies could also use public cloud to deliver office productivity services, provided they complied with security guidance issued by the Government Chief Digital Officer (GCDO) and the GCSB.

Agencies were also required to identify and manage risks associated with cloud services through the GCDO cloud risk assessment process.

The updated guidance also delivered a new section on inverse split-tunnel VPN and updates to DMARC/DKIM domain security.

