Vault Cloud CEO Rupert Taylor-Price chats to Government News about what cloud compliance is and why it matters.
GN: What is cloud compliance and why is it important?
RTP: The Australian Signals Directorate looks into a large number of Cyber Security incidents and they put a significant effort into understanding how to prevent future incidents. The output of this work forms “controls” which are the building blocks of compliance. Being “Compliant” means that you have addressed known attack vectors, which results in reduced risk to the data being protected and increases safety.
GN: Where does Vault Cloud sit in this space?
RTP: As you might expect from the company’s name, Vault has invested heavily in Government-grade compliance. Fit for purpose is an important factor here: a car door, a house door and the door of a bank vault might all be of equal quality, but they serve to protect against different threat landscapes.
Vault Cloud has invested from the source code up to be natively compliant with a TOP SECRET grade of Government security, and in 2017 Vault became the first certified system to have zero non-compliances at the “PROTECTED” level.
GN: What are the risks of not ensuring cloud compliance?
RTP: Each non-compliance means that there is a potential vulnerability that could be exploited. These non-compliances can sit both in the cloud platform and in the configuration of the cloud by the user. Every day a large number of data breaches occur as a result of non-compliances in the cloud platform and non-compliances in the configuration of cloud platforms.
GN: What are the biggest challenges the government faces in achieving cloud compliance?
RTP: The threat landscape for the Government is often more adverse than for the commercial sector. Foreign state actors can be better resourced and more organised than criminals – materially so. The majority of cloud platforms on the market are designed for commercial use. Government agencies have to commit a lot of resources to take these commercial-grade platforms to a government-grade use case. Unfortunately, the nature of the problem is that you need highly skilled resources, and if they get everything 99% correct, it is the 1% where the problem comes from.
GN: What are the biggest mistakes the government makes when it comes to cloud compliance?
RTP: The world’s best car door does not make a very good tank door. The effort to remediate the non-compliances of a car door would likely take more effort than starting from the ground up with a new tank design. In the IT world we unfortunately do this every day in a digital sense. We start with a commercial-grade IT system and try to mitigate risks to get to a government level of compliance and security. We see time and time again that the total effort and cost favour starting with solid foundations – a platform designed from the ground up to be fit for purpose. Starting with platforms that are not fit for purpose results in one of two outcomes: (1) systems that are never fully compliant, resulting in data loss risks, or (2) very poor value for money due to ongoing remediation costs.
GN: With a constantly evolving environment, how do agencies keep up?
RTP: Government has three main options for their digital infrastructure:
On-premise
Commercial (public) cloud
Government cloud
It is no secret that maintaining an on-premise environment is a challenging prospect in an evolving environment, and commercial-grade platforms are challenging to bring up to compliance. For this reason, government cloud has been the option increasingly adopted by governments globally. Government cloud has both the primary focus of meeting a government grade of security and the scale to deliver efficiently.
GN: What implication does cloud compliance have for critical infrastructure in an increasing threat environment?
RTP: A single critical infrastructure (CI) asset can generally be viewed as a commercial operation; the challenge comes when you look at a group of CI assets through a national security lens. You quickly realise that the threat landscape more closely resembles that of the government than that of a commercial entity.
For this reason, a government grade of security is needed from a national security perspective, but commercial entities that operate CI assets historically may have only viewed their risks from a commercial perspective and relied on the Government for matters of national security.
The recent amendments to the Security of Critical Infrastructure (SOCI) Act have created a positive security obligation on commercial entities that operate CI assets. As a result, compliance in general will become a stronger focus for CI providers, and government-grade cloud presents a compelling way to meet compliance obligations in a cost-effective manner.