I know this is a popular way to look at things around here, but no. It's not about cloud / no cloud. People with sensitive data welcome VMs and cloud deployment - as long as the cloud is in a very separate datacentre with only local people handling it. Look at the actual rules and what risks they want to protect from: http://www.abs.gov.au/websitedbs/D3310114.nsf/4a256353001af3...

Here are some of them:

2. an audited linking environment, involving staff activity being logged, monitored and, if inappropriate activity is found, investigated. Any misuse would result in immediate termination of access for the staff member, with further sanctions imposed if necessary;

3. ABS staff and in-posted officers sign legally binding Undertakings of Fidelity and Secrecy to ensure they are aware of their obligation to protect confidential information, and the consequences of disclosure (which include criminal penalties);

4. enforcement of the clear desks and clear screen policy;

5. access on a ‘need to know’ basis;

How do you enforce those rules on AWS / Azure / whatever provider's staff? How do you make sure only people with appropriate clearance access the servers?

7. Vulnerability Assessments are carried out on all new IT Systems by specialised staff in IT Security trained in the field of Ethical Hacking;

How do you get those providers to agree to internal pentest exercises?

At that point, it's just easier to stuff some more servers in the government datacentre - completely isolated from other projects. And whether it's cloud or not is a completely separate thing - it may as well be on OpenStack.

> Older people are suspicious of cloud. The younger generation are more savvy.

So no, this is complete bullshit. (and so is putting this as us-vs-them - I'm part of a fairly young generation in the CS, working on cloud infrastructure, and I still would not want to see census data processed anywhere outside of "no phones in the building" government environment)