DSD Guidelines

Hot on the heels of my last post the Australian DSD published some excellent guidelines for those wishing to use Cloud services in government. Constructed as a set of questions you can download it from here.
Some of their recommendations mirror those raised on this BLOG in the past. It is pleasing to see the document isn’t a political one and it seems to have been written by people who understand security. Probably technical people. So no punches are pulled and they correctly identify the problems of sending data to third parties in other countries who are subject to different data, discovery and privacy laws. In a poke in the eye to the multi-nationals who provide almost all cloud services they recommend the data should stay inside Australia and the vendor be legally accountable to Australian laws.
This list is pretty comprehensive and by the time you’re halfway through it you should start to see the gaping holes in the current level of service provision being offered. Many of the questions simply ask you to verify the claims of the vendor. How do you know they have effective DR, or that their backup system restores quickly, or that they properly control access to their data centre? How can you be sure you aren’t sharing space with undesirables?
The issue here is the unanswerable nature of many of these questions. They are reasonable questions of due diligence but it strikes me that many are not covered under the current generation of “all care but no responsibility” contracts. What we have now is an enormous amount of sales and marketing claims and very little in the way of accountability, risk assessment or transparency.
The publication is worth skimming for yourself, so I’ll list just a couple of my favorites:
I retain the legal ownership of my data.
How many of us thought that by moving our own data to the cloud we might be losing our legal right to it?
I can audit the vendor’s security.
What are the chances of that I wonder?
When I delete my data, the storage media is sanitized before reuse.
What about the other backup copies out there, do they get deleted?
The vendor will assist me with security investigations and legal discovery.
Yeah right, and I have a slightly used harbour bridge I can sell you.
All in all it’s clear with the current contracts and minimal service levels that nothing of value can safely be placed in the cloud.