QLD government cloud audit reveals major security concerns

Queensland government departments are not paying enough attention to security when implementing and adopting cloud computing, according to a recent report by the Queensland Audit Office.

The audit reportsaid that departments using cloud computing have not implemented sufficient controls over user access to administer cloud services, increasing the risk of unauthorised access.

“None of the departments obtained and reviewed the formal lists of control activities available from cloud service providers. Therefore, the departments have not analysed whether the service provider has implemented sufficient controls,” the report said.

The Queensland Audit Office also found that departments do not monitor user-initiated cloud computing to prevent unauthorised data disclosure, meaning they cannot detect if sensitive information gets transferred to organisations outside their departments.

“This increases risks of security breaches,” the report pointed out.

“Only 20 per cent of the departments reported that they have started to purchase or pilot tools to identify user-initiated cloud computing.”

None of the departments have updated their security incident management plans to include the complexities that come with depending on third parties for cloud services, the audit found.

“As a result, the departments may not gain sufficient access to technical systems and logs within the cloud service provider to investigate a suspected security breach within a reasonable period. Therefore, the departments may not be able to determine who committed the security breach.”

Allowing business units inside the Department of Education and Training (DET) to make large ICT purchases without engaging ICT teams also presents a risk, the audit found.

“As most cloud solutions cost considerably less than $100 000, this practice is problematic because business users are not always aware of the ICT policies and practices.

“Consequently, the solutions they procure may not have sufficient security, backup, recovery, or reporting capabilities. In addition, the solutions may not integrate with existing ICT architecture.”

Standardisation issues

The audit also found that departments are implementing cloud commodity technology in a similar fashion to traditional ICT – using department-specific architectures and operating in silos.

“Without standardising implementations wherever possible, departments are not setting up ICT architectures so that they can easily consolidate services in the event of major changes, such as machinery of government changes.

“In addition, inconsistent set ups may result in non-transferable staff skills across departments.”

The Queensland Audit Office gave an example of Microsoft Office 356 email being implemented differently across agencies. The Department of Science, Information Technology and Innovation transitioned all its business units onto this platform, while the Department of Education and Training (DET), and the Department of Housing and Public Works (DHPW) only rolled it out to parts of their business units.

“As a result, DET and DHPW are managing a hybrid of on-premise and cloud solutions for emails. This increases the complexities in the transitional state, requiring different skill sets and resources to manage multiple modes of delivering the same service [email].”