Our client is a large Federal Government agency with a national footprint who is trusted to safeguard information regarding the majority of Australians. As the agency evolves and migrates their technology to the cloud, they need a plan to ensure their cloud architecture is ready for the storage and processing of PROTECTED classified information.
north was engaged by the agency to identify the processes, resources and capabilities required to uplift their cloud environments to PROTECTED.
We worked with a large cross-section of stakeholders, including the agency’s Information Systems security, cloud engineering and cloud operations teams, to understand and analyse the agency’s current systems and processes to design, implement, authorise and sustain cloud-based systems for PROTECTED classified information. A key driver was the need for common standards for encryption of the agency’s information in cloud hosted systems and implementation of automated credential rotation in production environments.
We assessed these existing systems and processes against the Information Security Manual (ISM), Protective Security Policy Framework (PSPF), Digital Transformation Agency (DTA) blueprints, cloud service provider (CSP) best-practice guidance and our own expertise in cloud computing and sensitive Federal Government systems.
Throughout our analysis, we considered each finding through the lens of the agency’s legislation, which applies extremely strict controls on how the agency’s information is collected, stored and used and presents a unique challenge in the use and authorisation of cloud for PROTECTED information. Guided by the principle that using cloud services for sensitive information is based on a clear understanding of both the potential benefits and risks, we focused on providing accurate and actionable information to inform strategic risk-based decision making.
north delivered a clear and actionable roadmap for the agency’s cloud and security experts that defined two high-level lines of effort:
- Engineering the cloud for PROTECTED
- Assessing and authorising the cloud for PROTECTED
Within these lines of effort, we detailed the necessary technology, policy and process changes; defined the key skills, resources, dependencies and timeframes needed to implement these changes across the agency’s cloud services; and identified the agency stakeholders responsible and accountable for the successful delivery of the overall program. Working with north has provided the agency with a scalable, consistent and sustainable strategic program to develop, implement, authorise and monitor cloud services for PROTECTED.