More stories

Hackers stole GitHub and GitLab OAuth tokens from Git analytics firm Waydev

    Waydev, an analytics platform used by software companies, disclosed a security breach earlier this month.
    The company says that hackers broke into its platform and stole GitHub and GitLab OAuth tokens from its internal database.
    Hackers pivoted from Waydev to other companies
    Waydev, a San Francisco-based company, runs a platform that can be used to track software engineers’ work output by analyzing Git-based codebases. To do this, Waydev runs a special app listed on the GitHub and GitLab app stores.
    When users install the app, Waydev receives an OAuth token that it can use to access its customers’ GitHub or GitLab projects. Waydev stores this token in its database and uses it on a daily basis to generate analytical reports for its customers.
    Waydev CEO and co-founder Alex Circei told ZDNet today in a phone call that hackers used a blind SQL injection vulnerability to gain access to its database, from where they stole GitHub and GitLab OAuth tokens.
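    The page gives no detail on Waydev's query or schema, so the following is an added illustration, not Waydev's code: the pattern that makes a blind SQL injection against a token store work, the boolean oracle an attacker builds from a "row exists / no row" answer, and the parameterised query that closes it. The table, column names and token strings are constructed for the example and are not real credentials.

```python
import sqlite3


def make_db():
    """Constructed stand-in for an integration-token table (tokens are placeholders)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE integrations (id INTEGER PRIMARY KEY, customer TEXT, oauth_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO integrations (customer, oauth_token) VALUES (?, ?)",
        [("acme", "gho_constructedtoken1"), ("globex", "glpat-constructedtoken2")],
    )
    return conn


def has_integration_vulnerable(conn, customer):
    """Vulnerable: the caller-supplied value is spliced into the SQL text."""
    sql = f"SELECT id FROM integrations WHERE customer = '{customer}'"
    return conn.execute(sql).fetchone() is not None


def has_integration_safe(conn, customer):
    """Hardened: the value travels as a bound parameter and can never alter the query."""
    sql = "SELECT id FROM integrations WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchone() is not None


def blind_extract(conn, oracle, column, known_customer, max_len=64):
    """Boolean-based blind extraction.

    The endpoint never returns the token; it only answers whether a row exists.
    One bit per request is enough to recover a value character by character
    when the input is not parameterised.
    """
    charset = "abcdefghijklmnopqrstuvwxyz0123456789_-"
    recovered = ""
    for pos in range(1, max_len + 1):
        hit = None
        for ch in charset:
            # Closes the string literal, appends a condition, comments out the tail.
            payload = f"{known_customer}' AND substr({column},{pos},1)='{ch}' -- "
            if oracle(conn, payload):
                hit = ch
                break
        if hit is None:  # no character matched: end of the stored value
            break
        recovered += hit
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", blind_extract(db, has_integration_vulnerable, "oauth_token", "acme"))
    print("hardened:  ", repr(blind_extract(db, has_integration_safe, "oauth_token", "acme")))
```

    Against the vulnerable lookup the loop recovers the whole token with a few dozen requests per character; against the parameterised lookup the same payload is just an unknown customer name and the loop stops immediately. The binding fixes the injection; short-lived tokens (Waydev now resets them twice a day) limit how long a stolen one stays useful.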

    The hackers then used some of these tokens to pivot to other companies’ codebases and gain access to their source code projects.
    GitHub’s security team discovered the breach
    Circei said Waydev learned of the breach after one of its customers was contacted by GitHub’s security team after GitHub detected suspicious activity originating from the customer’s Waydev token.
    The Waydev CEO told ZDNet they learned of the attack on July 3 and patched the vulnerability exploited by attackers on the same day. They also worked with GitHub and GitLab to delist their original apps, revoke all affected OAuth tokens, and create new OAuth apps — effectively invalidating the hackers’ access to Waydev customers’ GitHub and GitLab accounts.
    Circei says that based on current evidence, the hackers appear to have gained access only to a small subset of its customer codebases.
    At the time of writing, two companies have reported security breaches this month and blamed the incident on Waydev — loan app Dave.com and software testing service Flood.io.
    Waydev said it also notified US authorities about the security breach.
    “Due to GitHub’s privacy policy, they will inform the affected users personally,” Waydev said. “If you were affected by the attackers please contact us at security@waydev.co in order to connect you with the authorities.”
    Circei said they’re also working with cyber-security firm Bit Sentinel on investigating the breach, and that they also deployed additional security protections to Waydev accounts, such as:
    Manual access – It is now impossible to create an account without approval from our security team;
    Monitoring all the activity;
    Tokens resetting two times a day;
    Reported the incident to authorities.
    Hackers’ details
    In a rare case of transparency, Waydev also released indicators of compromise associated with the hackers, such as email addresses, IP addresses, and user-agent strings.
    IP Addresses of the hacker: 193.169.245.24, 185.230.125.163, 66.249.82.0, 185.220.101.30, 84.16.224.30, 185.161.210.xxx, 151.80.237.xxx, 185.161.210.xxx, 81.17.16.xxx, 190.226.217.xxx, 186.179.100.xxx, 102.186.7.xxx, 72.173.226.xxx, 27.94.243.xxx
    User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
    Email addresses: saturndayc@protonmail.com, ohoussem.bale6@sikatan.co, 5abra.adrinelt@datacoeur.com, 4monica.nascimene@vibupis.tk
    The indicators of compromise, along with instructions for Waydev customers on how to search their logs for the hacker’s presence, are available in this Waydev support page.
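    Waydev's own search instructions are on its support page and are not reproduced here. As an added example of what such a search looks like, the scanner below takes the indicators listed above (deduplicated) and runs them over constructed log lines. Two details matter in practice: several addresses were published with the last octet masked ("xxx"), which the code treats as a /24, and the log layout is an assumption of this example, so the regex must be adapted to the fields your audit export actually carries.

```python
import ipaddress
import re

# Indicators as published by Waydev (copied from the list above). Entries ending in
# ".xxx" were released with the last octet masked; the scanner widens them to a /24.
IOC_IPS = [
    "193.169.245.24", "185.230.125.163", "66.249.82.0", "185.220.101.30",
    "84.16.224.30", "185.161.210.xxx", "151.80.237.xxx", "81.17.16.xxx",
    "190.226.217.xxx", "186.179.100.xxx", "102.186.7.xxx", "72.173.226.xxx",
    "27.94.243.xxx",
]
IOC_USER_AGENT = "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"


def compile_iocs(raw_ips):
    """Exact addresses become /32 networks, masked entries /24 networks."""
    nets = []
    for entry in raw_ips:
        if entry.endswith(".xxx"):
            nets.append(ipaddress.ip_network(entry[: -len(".xxx")] + ".0/24"))
        else:
            nets.append(ipaddress.ip_network(entry + "/32"))
    return nets


def ip_matches(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


# Assumed layout for this example: <timestamp> <client-ip> "<user-agent>" <event ...>
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<ua>[^"]*)" (?P<event>.*)$')


def scan(lines, nets=None):
    """Return (timestamp, ip, reasons) for every line that matches an indicator."""
    nets = nets if nets is not None else compile_iocs(IOC_IPS)
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        reasons = []
        if ip_matches(m["ip"], nets):
            reasons.append("ioc-ip")
        if m["ua"] == IOC_USER_AGENT:
            reasons.append("ioc-user-agent")
        if reasons:
            hits.append((m["ts"], m["ip"], reasons))
    return hits


# Constructed sample lines; the non-indicator address is from a documentation range.
SAMPLE_LOG = [
    '2020-07-01T02:14:05Z 185.161.210.77 "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" git.clone repo=acme/payments',
    '2020-07-01T02:15:11Z 203.0.113.9 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0" git.push repo=acme/payments',
    '2020-07-02T09:30:00Z 193.169.245.24 "curl/7.68.0" repo.download_zip repo=acme/payments',
    "not a log line",
]

if __name__ == "__main__":
    for ts, ip, reasons in scan(SAMPLE_LOG):
        print(ts, ip, ",".join(reasons))
```

    Treat a user-agent-only hit as weak evidence: Firefox 68 on Linux was a common browser string at the time. An address hit is the stronger signal, and the follow-up is to pull every event in that session, not just the matching line, to see which repositories were cloned or downloaded.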


    Cerberus banking Trojan team breaks up, source code goes to auction

    The source code of the Android-based Cerberus banking Trojan is being auctioned off due to the break-up of the development team. 

    As reported by Bleeping Computer, the malware’s maintainer recently posted an advert on an underground forum for Russian speakers offering the malware on a bidding basis, with the hopes of generating up to $100,000 from the sale. 
    According to the post, spotted by Hudson Rock, the operator is attempting to sell off the full project at a starting price of $50,000, including the Trojan’s .APK source code, module code, the code for administrator panels, and servers. In addition, threat actors looking to adopt the malware into their own toolkits are being offered Cerberus’ customer base with active licensing and the required installation materials. 
    The seller says that the project is being sold off due to a “lack of time” and because the “team has broken up” — leading to what appears to be a single maintainer left to support customers. 

    To try and lure potential bidders, the seller claims that the Android malware is generating $10,000 in profit per month. 
    Cerberus has been in circulation since 2019 and was spotted earlier this month in the Google Play store, having bypassed Google’s app protections. A seemingly-legitimate currency converter app designed for Spanish speakers — downloaded over 10,000 times before its removal — deployed the Trojan on Android devices by way of a malicious update performed months after the app passed security inspections. 
    Researchers from Avast say that in March, the app acted as a legitimate utility. However, after the user base had reached levels in the thousands, the trap was sprung and dormant code transformed into a Cerberus dropper. 
    Once deployed on a device, the malware creates overlays across existing financial service and banking apps in order to steal account credentials that are then sent to the attacker’s command-and-control (C2) server. The Trojan is also able to intercept 2FA mechanisms, such as one-time passcodes (OTP), to obtain the information necessary to pilfer financial accounts. 
    ThreatFabric researchers said in February that test versions of the malware are able to abuse Android Accessibility privileges to steal OTPs from Google Authenticator, software designed to enhance the security of 2FA in comparison to one-time SMS messages. 
    Cerberus has many of the standard capabilities of Remote Access Trojans (RATs), including data theft modules, keylogging, phone call recording, and SMS grabbing. The malware is also advertised as being able to lock mobile devices, uninstall apps, push notifications, and self-destruct.  



    Windows 10: New bug hits popular built-in security features

    Microsoft says it is working on a fix for an error that prevents Windows Sandbox and Windows Defender Application Guard from opening. 
    The issue affects Windows 10 versions 1903, 1909, and 2004. When either feature fails to open, the bug triggers the error message ‘ERROR_VSMB_SAVED_STATE_FILE_NOT_FOUND (0xC0370400)’ or ‘E_PATHNOTFOUND (0x80070003)’.


    Windows Sandbox is a relatively new feature of Windows 10 Pro and Enterprise editions since version 1903 that lets users launch a virtual machine with a basic version of Windows 10 to run potentially suspicious software without the risk of it affecting the main Windows 10 installation. 
    The feature has proved popular with IT pros because of its ability to safely run potentially risky executables in a container, and Microsoft included several improvements to Windows Sandbox in Windows 10 version 2004.   
    Windows Defender Application Guard (WDAG) is also a relative newcomer in Windows 10 Pro and Enterprise editions that admins can use to create a list of trusted websites and local resources. 

    WDAG comes into play when users access a URL outside that list. It launches Microsoft Edge in a Hyper-V container to keep the browser isolated from the operating system. Microsoft released WDAG extensions for Chrome and Firefox last year.   
    “To mitigate this issue after receiving one of the above error messages, you will need to restart your device,” Microsoft explains in a support note. 
    Microsoft plans on addressing the bug in an upcoming release of Windows 10. However, it hasn’t said when the fix is expected to arrive.
    The company hasn’t listed the issue on its Windows release health dashboard for any of the affected versions, which may be because there is a simple workaround.
    As Bleeping Computer notes, a similar issue affected Windows Sandbox on Windows 10 Insider previews last year after users installed the KB4497936 update.


    Ransomware: These free decryption tools have now saved victims over $600m

    Over four million victims of ransomware attacks have now avoided paying over $600 million in extortion demands to cyber criminals in the first four years of Europol’s No More Ransom initiative.
    First launched in 2016 with four founding members, No More Ransom provides free decryption tools for ransomware and has been growing ever since, now consisting of 163 partners across cybersecurity, law enforcement bodies, financial services and more.
    Together, they’ve released free decryption tools for over 140 families of ransomware which have been downloaded a combined total of over 4.2 million times – something which Europol estimates has prevented $632 million from being paid out to cyber criminals.
    Among the top contributors to the project are Emsisoft, which has provided 54 decryption tools for 45 ransomware families, founding member Kaspersky, which has provided five tools for 32 ransomware families, and Trend Micro, which has provided two decryption tools for 27 ransomware families.
    Other cybersecurity firms which have provided multiple tools to No More Ransom include Avast, Bitdefender, Check Point, ESET and founding member McAfee.

    No More Ransom is now available in 36 languages and has received visitors from 188 countries around the world. The largest number of visitors come from South Korea, the US, Brazil, Russia and India.
    “No More Ransom is everything coming together – key partners and law enforcement agencies from across the world – and everyone is going in the same direction. As everyone contributes what they have in relation to this threat, we are seeing concrete steps to counter ransomware on a preventative level,” Edvardas Šileris, head of Europol’s European Cybercrime Centre (EC3), told ZDNet.
    “Ultimately, it doesn’t matter how much money is saved, but rather how many people get their files back for free. It is just as important for a parent to recover the pictures of their loved ones as it is to recover a corporate network,” he added.
    While No More Ransom has proved useful to victims of ransomware, Europol itself still recommends prevention as the best means of staying safe from attacks, especially as the ever-evolving nature of ransomware means there are many forms of the malware out there which don’t have free decryption tools and may never have them.
    Preventative steps recommended by Europol include backing up important files offline, so that in the event of an attack, files can be immediately retrieved, no matter if a decryption tool is available or not. Europol also recommends that users don’t download programs from suspicious sources or open attachments from unknown senders, so as to avoid falling victim to email-based attack.
    Despite the best efforts of No More Ransom and other cybersecurity initiatives, ransomware remains a highly effective moneymaking tool for cyber criminals, who in many cases can make hundreds of thousands or even millions from a single attack. However, applying security updates and patches to PCs and networks can go a long way to stopping attacks in the first place.
    “No More Ransom is like a car seatbelt: it’s a critical safety net, but it’s best to abide by the rules of the road to lessen the chance of needing to use it. Or, to put it another way, ransomware is definitely a case in which prevention is better than cure,” says Brett Callow, threat analyst at Emsisoft.
    “Ransomware attacks are becoming ever more sophisticated and the big game hunters are successfully hunting ever bigger game. Consequently, companies of all sizes need to ensure their security is up to snuff”.


    Atlassian says encryption-busting law has damaged Australia's tech reputation

    Atlassian believes Australia’s encryption-busting legislation continues to have a negative impact on the country’s technology sector, both from the perspective of partnering with an Australian company and attracting tech talent down under.
    “The Act’s passage has significantly degraded the global reputation of the Australian tech sector, as local companies and multinationals alike question whether actions the Act compels them to take will degrade industry’s ability to secure customer data and place their employees at individual peril,” Atlassian head of IP, policy, and government affairs Patrick Zhang said.

    “We have received inquiries from customers asking about the impact of TOLA and what it may obligate Atlassian to do … our fear is that these questions are not ones that we will necessarily hear from customers and customers who shy away from our products or services may never tell us that it is due to TOLA, so understanding that is a difficult proposition to accept, but there has been, at the very least, anecdotal outreach from our customers, especially in Europe around the security of their data.”
    Zhang was appearing before the Parliamentary Joint Committee on Intelligence and Security (PJCIS) and its review of the amendments made by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act).
    The TOLA Act was rammed through Parliament back in late 2018. Under the laws as currently written, agencies can issue:
    Technical Assistance Notices (TAN), which are compulsory notices for a communication provider to use an interception capability they already have;
    Technical Capability Notices (TCN), which are compulsory notices for a communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices; and
    Technical Assistance Requests (TAR), which have been described by experts as the most dangerous of all.
    TANs and TARs can currently be approved by the head of the requesting law enforcement or intelligence agency. TCNs must be approved jointly by the attorney-general and the minister for communications.
    Zhang said the “very rushed” nature in which TOLA was created, alongside the rights granted to the government under the Act, are to blame for its negative global impact.
    “The impact is twofold … the first is around TANs and TCNs … in terms of the breadth of the rights that are being granted to law enforcement and national security agencies to request not just assistance in decrypting intercepted data but in actually making changes to the systems and products of technology companies,” he explained.
    “I think the fear is that by working with an Australian company … is that company going to be subject to orders by the government to weaken its security or to build backdoors that will make the product less secure and expose a weak link, if you will, in the technology supply chain?”
    The other part of the damage, according to Zhang, is around individual employees, pointing again to the unclear nature of definitions used in the Bill.
    “Under a strict, literal reading of the language and the definition of DCPs (designated communications providers), individual employees could be characterised as a DCP and be made subject to notices by the government that compel them to do certain acts, and, when coupled with the secrecy provisions, it would make it appear that the employee was being made to work in a way that is at odds with his employer and held to a secrecy standard that would prevent him from seeking assistance from his employer,” Zhang continued.
    “I think there has been a concern that Australian employees are in some sense more vulnerable to this right to compel by the government and that has damaged the reputation of the Australian tech sector and potentially the willingness of technology talent residing outside of Australia to come to Australia and work here.”
    While Zhang accepts the Bill was born of legitimate concerns to give law enforcement a way to combat the trend of “going dark” due to greater use of encryption technologies, he said such powers “must be granted in a clear and proportionate way and with safeguards that retain the public’s trust in the government’s exercise of power”.
    “They must also not create self-inflicted wounds for industry as it looks to secure customer data in today’s challenging cybersecurity environment,” he said.
    The hearing follows a report from Australia’s now-retired Independent National Security Legislation Monitor (INSLM) who earlier this month made a handful of recommendations, mostly centred on the creation of an independent body to oversee the approval of warrants.
    Atlassian agrees with many of the recommendations made by the INSLM, with Zhang saying the company was encouraged by them.
    “Access, especially given the amount of data that is potentially made available under the TAN/TCN framework should be governed by a separate authorisation that is independent and apart from the agency that is seeking that information,” Zhang added.
    He said independent oversight would also help with the “troubling” definitions the Bill contains.
    “The current definitions are troubling in that they are open to a broad range of interpretations,” he continued.
    “Especially without independent oversight, it appears to me that it would be difficult to understand the authority, who is authorising the notice, what definition that they’re using, what definition that they’re applying — I think there is a lot of ambiguity of that exercise of power.”
    He said the introduction of an avenue for industry to take part in the process — that is, to participate in an appeals process on any decisions — would also be a welcome idea.


    FBI warns of new DDoS attack vectors: CoAP, WS-DD, ARMS, and Jenkins

    The Federal Bureau of Investigation sent an alert last week warning that several network protocols and one web application have recently been abused to launch large-scale distributed denial of service (DDoS) attacks.
    The alert lists three network protocols and a web application as newly discovered DDoS attack vectors.
    The list includes CoAP (Constrained Application Protocol), WS-DD (Web Services Dynamic Discovery), ARMS (Apple Remote Management Service), and the Jenkins web-based automation software.
    Three of the four (CoAP, WS-DD, ARMS) have already been abused in the real-world to launch massive DDoS attacks, the FBI said based on ZDNet’s previous reporting.
    CoAP
    In December 2018, cyber actors started abusing the multicast and command transmission features of the Constrained Application Protocol (CoAP) to conduct DDoS reflection and amplification attacks, resulting in an amplification factor of 34, according to open source reporting. As of January 2019, the vast majority of Internet-accessible CoAP devices were located in China and used mobile peer-to-peer networks.
    WS-DD

    In May and August 2019, cyber actors exploited the Web Services Dynamic Discovery (WS-DD) protocol to launch more than 130 DDoS attacks, with some reaching sizes of more than 350 Gigabits per second (Gbps), in two separate waves of attack, according to open source reporting. Later the same year, several security researchers reported an increase in cyber actors’ use of non-standard protocols and misconfigured IoT devices to amplify DDoS attacks, according to separate open source reporting. IoT devices are attractive targets because they use the WS-DD protocol to automatically detect new Internet-connected devices nearby. In addition, WS-DD operates over UDP, which allows actors to spoof a victim’s IP address and results in the victim being flooded with data from nearby IoT devices. As of August 2019, there were 630,000 Internet-accessible IoT devices with the WS-DD protocol enabled.
    ARMS
    In October 2019, cyber actors exploited the Apple Remote Management Service (ARMS), a part of the Apple Remote Desktop (ARD) feature, to conduct DDoS amplification attacks, according to open source reporting. With ARD enabled, the ARMS service started listening on port 3283 for incoming commands to remote Apple devices, which attackers used to launch DDoS amplification attacks with a 35.5:1 amplification factor. ARD is used primarily to manage large fleets of Apple Macs by universities and enterprises.
    Jenkins
    In February 2020, UK security researchers identified a vulnerability in the built-in network discovery protocols of Jenkins servers (free, open source automation servers used to support the software development process) that cyber actors could exploit to conduct DDoS amplification attacks, according to open source reporting. Researchers estimated cyber actors could use vulnerable Jenkins servers to amplify DDoS attack traffic 100 times against the online infrastructure of targeted victims across sectors.
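    All four vectors above share one mechanism: a small spoofed UDP request elicits a large reply that lands on the victim. The following is an added example, not part of the FBI alert, of how a network operator can spot such a reflected flood in flow records and compute the bandwidth amplification factor the alert quotes. The alert names only ARMS’s port 3283; the other three port numbers are the protocols’ registered defaults and are an assumption of this example, as are the flow records, which are constructed from documentation address ranges.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP ports the four vectors answer on. Only 3283 (ARMS) is given in the alert; the
# others are the protocols' registered defaults (assumption of this example).
REFLECTOR_PORTS = {5683: "CoAP", 3702: "WS-DD", 3283: "ARMS", 33848: "Jenkins"}


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    bytes: int


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification as the alert quotes it: reply size over request size."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def find_reflection_victims(flows, min_reflectors=3, min_bytes=1_000_000):
    """Flag destinations receiving replies from many distinct hosts on reflector ports.

    Seen from the victim's edge, a reflected flood is a set of 'responses' (source
    port = service port) converging on one address from unrelated hosts that the
    address never queried. Hosts the victim did query are discounted so a real
    CoAP or ARD client polling a fleet is not flagged.
    """
    per_dst = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "vectors": set()})
    queried = defaultdict(set)  # client ip -> reflector ips it genuinely asked
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_port in REFLECTOR_PORTS:
            queried[f.src_ip].add(f.dst_ip)
        elif f.src_port in REFLECTOR_PORTS:
            entry = per_dst[f.dst_ip]
            entry["reflectors"].add(f.src_ip)
            entry["bytes"] += f.bytes
            entry["vectors"].add(REFLECTOR_PORTS[f.src_port])
    victims = {}
    for dst, entry in per_dst.items():
        unsolicited = entry["reflectors"] - queried.get(dst, set())
        if len(unsolicited) >= min_reflectors and entry["bytes"] >= min_bytes:
            victims[dst] = {
                "reflectors": len(unsolicited),
                "bytes": entry["bytes"],
                "vectors": sorted(entry["vectors"]),
            }
    return victims


# Constructed flows: 198.51.100.10 is being reflected at; 198.51.100.20 is a real ARD client.
SAMPLE_FLOWS = [
    Flow("192.0.2.11", 3283, "198.51.100.10", 40001, "udp", 400_000),
    Flow("192.0.2.12", 3283, "198.51.100.10", 40001, "udp", 400_000),
    Flow("192.0.2.13", 3283, "198.51.100.10", 40001, "udp", 400_000),
    Flow("192.0.2.14", 5683, "198.51.100.10", 40001, "udp", 400_000),
    Flow("192.0.2.15", 5683, "198.51.100.10", 40001, "udp", 400_000),
    Flow("198.51.100.20", 40002, "192.0.2.11", 3283, "udp", 60),     # legitimate ARD query
    Flow("192.0.2.11", 3283, "198.51.100.20", 40002, "udp", 2_100),  # and its reply
    Flow("192.0.2.30", 53, "198.51.100.10", 40003, "udp", 120),      # DNS, not a listed vector
]

if __name__ == "__main__":
    print(find_reflection_victims(SAMPLE_FLOWS))
    print("ARMS factor:", amplification_factor(100, 3550))
```

    The request-side discount only works where the observer sees the victim’s genuine outbound queries. Upstream of the reflectors the spoofed requests also carry the victim’s source address, so there the useful signal is the reverse one: queries to these ports arriving from source addresses that do not belong to the network they enter on, which is exactly what ingress filtering removes.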
    FBI officials believe that these new DDoS threats will continue to be exploited further to cause downtime and damages for the foreseeable future.
    The purpose of the alert is to warn US companies about the imminent danger, so they can invest in DDoS mitigation systems and create partnerships with their internet service providers to quickly respond to any attacks leveraging these new vectors.
    The FBI says that because these newly discovered DDoS vectors are network protocols that are essential to the devices they’re being used in (IoT devices, smartphones, Macs), device makers are unlikely to remove or disable the protocols in their products, hence the threat of a new wave of DDoS attacks looms going forward.
    “In the near term, cyber actors likely will exploit the growing number of devices with built-in network protocols enabled by default to create large-scale botnets capable of facilitating devastating DDoS attacks,” the FBI said referring to the new DDoS vectors.
    As of now, these four new DDoS attack vectors have been used sporadically, but industry experts expect them to become widely abused by DDoS-for-hire services.


    More filtering by ISPs and cloud providers would benefit SMBs

    Service providers are increasingly using ingress filtering to block access to vulnerable protocols on customers’ devices and to drop badly-routed or spoofed data packets.
    In June, for example, Telstra started rolling out Resource Public Key Infrastructure (RPKI) Route Origin Authorisations (ROAs), signed records of which autonomous system is authorised to originate each address prefix, so that routes announced over the Border Gateway Protocol (BGP) can be checked against them.
    The telco has since completed that deployment across all IP addresses in Autonomous System Number AS1221, and work is underway on AS4637.
    “This basically means we have now deployed RPKI Origin Validation into Telstra’s domestic network … dropping invalids [route announcements whose origin does not match a ROA] from our upstream, peer and customer networks,” a Telstra spokesperson told ZDNet.
    “Deployment activities continue in our International networks,” they said.
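    Origin validation is a small decision procedure, and it is worth seeing exactly what "dropping invalids" does and does not catch. The block below is an added example (not Telstra’s implementation) of route origin validation as specified in RFC 6811, with constructed ROAs and announcements drawn from documentation prefixes and private-use ASNs:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """One Route Origin Authorisation: the origin AS allowed for a prefix and
    the most specific announcement length that is still covered."""
    prefix: str
    max_length: int
    asn: int


def validate_origin(announced_prefix, origin_asn, roas):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(announced_prefix)
    covering = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix)
        if net.version == route.version and route.subnet_of(net):
            covering.append(roa)
    if not covering:
        return "not-found"  # no ROA covers this prefix: unsigned space, unverified
    for roa in covering:
        # An AS0 ROA authorises nobody, so it can only ever yield 'invalid'.
        if roa.asn == origin_asn and roa.asn != 0 and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def drop_invalids(announcements, roas):
    """What the Telstra deployment does: keep valid and not-found, discard invalid."""
    return [
        (prefix, origin)
        for prefix, origin in announcements
        if validate_origin(prefix, origin, roas) != "invalid"
    ]


# Constructed ROAs and announcements (documentation prefixes, private-use ASNs).
ROAS = [
    Roa("203.0.113.0/24", 24, 64496),
    Roa("2001:db8::/32", 48, 64496),
]
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64496),   # authorised origin, allowed length        -> valid
    ("203.0.113.0/25", 64496),   # right origin but longer than max_length  -> invalid
    ("203.0.113.0/24", 64497),   # wrong origin: hijack or leak             -> invalid
    ("198.51.100.0/24", 64496),  # no ROA at all                            -> not-found
    ("2001:db8:1::/48", 64496),  # covered by the IPv6 /32 ROA, within max  -> valid
]

if __name__ == "__main__":
    for prefix, origin in ANNOUNCEMENTS:
        print(prefix, origin, validate_origin(prefix, origin, ROAS))
```

    Two caveats follow from the code. Validation acts on route announcements, not on individual packets, so it stops a mis-originated prefix from being installed but does nothing about spoofed source addresses; that is the separate job of ingress filtering. And "not-found" routes are still accepted, so a prefix with no ROA gains nothing until its holder publishes one.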

    Telstra has also been working on its Cleaner Pipes initiative, which uses DNS filtering to block malware communications across its network.
    Such active cyber defence programs have been gaining increasing support in Australia.
    All of this is a good thing, according to Neil Campbell, Rapid7’s vice president for APJ.
    “That’s a tricky thing to do because some customers say don’t block anything because it’s up to me what I operate and don’t operate, and what I see and don’t see,” he told ZDNet.
    “But if you start doing ingress filtering, well, you can help to reduce the amount of traffic running around with spoofed source addresses, which can help to reduce the impact of distributed denial of service attacks, amplification attacks, etc.”
    Data from Rapid7’s National / Industry / Cloud Exposure Report 2020 (NICER) shows that in Australia there are still plenty of vulnerable protocols exposed on the internet, although there have been some improvements.
    When the scans were done in April and May, some 38,994 Australian IP addresses were exposing the Remote Desktop Protocol (RDP), 4,770 with VNC, and 3,033 with Citrix ADC or NetScaler.
    Some 3,230 addresses were exposing SMB file sharing, down from a little over 5,000 last year. Unencrypted FTP file sharing was seen on 142,485 addresses, unencrypted Telnet on 15,695.
    Campbell says a lot of these numbers are caused by cloud service providers supplying a base Linux image that includes an FTP server, for example. The same sort of thing happens with SMB.
    “What might seem like small decisions on behalf of the cloud provider plays out into very large, very scaled situations,” he said.
    “It’s an opportunity to do secure by default deployments and to lead with best practice.”
    Many SMBs are over-confident in their cybersecurity
    Small and medium businesses (SMBs), which in Australia are defined as those with 1-19 and 20-199 employees, respectively, are particularly vulnerable, according to the Australian Cyber Security Centre (ACSC).
    The ACSC Small Business Survey Report revealed that almost half of SMBs rated their cybersecurity understanding as “average” or “below average” and had poor cybersecurity practices.
    The ACSC said that nearly one in 10 SMBs were unable to explain cyber threat terminology such as “malware”, “phishing”, “ransomware”, or “insider threats”.
    “One in five small businesses that use Windows have an operating system that stopped receiving security updates in January 2020,” they said.
    “Nearly one in five Mac users were unaware of what operating system their business was using.”
    Larger businesses were more likely to outsource their IT security, but the ACSC data suggests that those who did outsource “might believe that they are better protected than they really are”.
    Nearly half of the SMB respondents said they were unable or unwilling to spend more than AU$500 on IT security annually.
    Campbell says that while SMBs understand that cybersecurity is a risk, it’s generally not their biggest risk.
    “The biggest risk will relate to cash flow and profitability. I think it’s important to keep that context in mind when you’re looking at security across large groups [of surveyed businesses],” he said.
    “Risk management isn’t risk elimination … sometimes the risk you’ve introduced by ‘overspending’ on an area outweighs the benefit.”
    Australian organisations rate compliance over protecting customer data
    While the figures don’t relate solely to SMBs, Australian organisations seem to be lagging when it comes to prioritising the protection of customer data.
    According to the 2020 Australia Encryption Trends Study conducted by the Ponemon Institute for nCipher Security, only 29% of Australian respondents rated protecting customer personal information as their number one data protection priority.
    That’s the lowest rate globally, 25% lower than the global average.
    Some 57% of Australian organisations said regulatory compliance is the top driver, 10% higher than the global average, and up from 47% two years ago.
    For the third straight year, Australia chose the driver of “[complying] with internal policies” more than any other region (43% versus the global average of 23%).
    That’s not surprising, says James Cook, nCipher’s regional sales director for Australia.
    “There has been a raft of new regulations and regulatory changes impacting this market over the past couple of years, such as Consumer Data Right, and a critical focus on the financial sector in particular,” he said.
    “It is only natural for respondents to have a keen focus on compliance.”


    Commonwealth entities left to self-assess security in cloud procurement

    The Australian Cyber Security Centre (ACSC) has released a new document for procuring cloud services.
    The Cloud Security Guidance aims to guide organisations including government, cloud service providers, and Information Security Registered Assessors Program (IRAP) assessors on how to perform a “comprehensive assessment of a cloud service provider and its cloud services so a risk-informed decision can be made about its suitability to handle an organisation’s data”.
    The Cloud Security Guidance is supported by forthcoming updates to the Australian government Information Security Manual (ISM), the Attorney-General’s Protective Security Policy Framework (PSPF), and the Digital Transformation Agency’s Secure Cloud Strategy.
    The new guidance follows the Australian Signals Directorate (ASD) announcing in March it would be shuttering the current form of its cloud certification program after an independent review recommended for the system be reworked.
    ASD Cloud Services Certification Program certifications, and consequently all services listed on the Certified Cloud Services List (CCSL), are now all void. As of July 27, the vendors and their certifications are removed from the ISM. The IRAP, meanwhile, will continue to “grow” and be “enhanced”.

    “The new guidance will guide organisations, cloud service providers, and assessors on how to perform a comprehensive assessment of a cloud service provider and its cloud services so a risk-informed decision can be made about its suitability to handle an organisation’s data,” a spokesperson for the ASD told ZDNet.
    Commonwealth entities will continue to self-assess their cloud solutions in accordance with the guidance, and the ASD spokesperson said they would also continue to be responsible for their own assurance and risk management activities.
    While the CCSL is no longer, it is expected the IRAP will support government in maintaining their assurance and risk management activities.
    Agencies will assess and self-certify their own solutions moving forward by using IRAP reports and the ISM control framework, as well as the guidance package that contains The Anatomy of a Cloud Assessment and Authorisation documentation, a Cloud Security Assessment Report Template for agencies to use alongside their own “in-house” procedures for certification, as well as a Cloud Security Controls Matrix, and an FAQ page.
    Before the CCSL was shuttered, there were 13 vendors on it, four of which are Australian companies. Amazon Web Services (AWS), NTT, Macquarie Government, Microsoft, Sliced Tech, and Vault Systems were all certified at the protected level.
    See also: Home Affairs denies Microsoft in breach of Signals Directorate conditions
    Local vendors, Sliced Tech and Vault Systems, were the first to receive protected status and were shortly followed by Macquarie Government — part of the Macquarie Telecom Group.
    Macquarie Government managing director Aidan Tudehope said he was disappointed by the decision to discontinue the CCSL certification regime.
    “This is about more than simply the physical geographic location where data is stored. Data sovereignty is about the legal authority that can be asserted over data because it resides in a particular jurisdiction, or is controlled by a cloud service provider over which another jurisdiction extends,” he said.
    “Data hosted in globalised cloud environments may be subject to multiple overlapping or concurrent jurisdictions as the debate about the reach of the US CLOUD Act demonstrates. As the ACSC points out, globalised clouds are also maintained by personnel from outside Australia, adding another layer of risk.”
    He believes the only way to guarantee Australian sovereignty is ensuring data is hosted in an Australian cloud, in an accredited Australian data centre, and is accessible only by Australian-based staff with appropriate government security clearances.
    “Taken alongside Minister Robert’s planned sovereign data policy, this guide opens new opportunities for Australian cloud service providers,” he said.
    Minister for Government Services Stuart Robert earlier this month said the federal government was examining the sovereignty requirements that should apply to certain data sets held by government.
    “In addition to the existing protective security policy framework, this will include considering whether certain data sets of concern to the public should be declared a sovereign data set and should only be hosted in Australia in an accredited Australian data centre across Australian networks and only accessed by the Australian government and our Australian service providers,” Robert said, addressing the National Press Club.
    “We need to ensure that Australians can trust that government will appropriately manage the information they provide to us whether it’s from tracing apps or through to the Census.”
    See also: Australian 2021 digital Census to be built on AWS
    AWS, meanwhile, said it welcomed the changes and is using them as an opportunity to tout “innovation”.
    “The changes to the Cloud Services Certification Program create an opportunity for Australian government agencies to strengthen their secure cloud skills, knowledge, and resources to foster ongoing innovation,” AWS worldwide public sector country director for Australia and New Zealand Iain Rouse said.
    “To help Australian government agencies plan, architect, and self-assess systems built on AWS, we have released extensive education materials including IRAP ‘protected’ documentation and a series of informative webinars.”
    Under the ISM framework, AWS had 92 services assessed as protected.
    Minister for Defence Linda Reynolds said the new guidance would boost Australia’s cybersecurity resilience.
    “The release of the new guidance coincides with today’s cessation of the CCSL which will open up the Australian cloud market, allowing more homegrown Australian providers to operate and deliver their services,” she said in a statement Monday. “This will provide opportunities for Commonwealth, state, and territory agencies to tap into a greater range of secure and cost-effective cloud services.”
    Meanwhile, analyst firm Gartner is expecting the public cloud services market in Australia to grow 12.3% to reach AU$8.9 billion this year and 16.8% to AU$10.4 billion in 2021.