Cloud security specialists in Office 365, Azure, AWS and broker technologies.

CANDA's expert cloud security team help with design, configuration assurance and C&A and governance concerns. Our team are specialists in Office 365, Azure and AWS, and can provide experienced advice on how to mitigate potential risk in your agency.
Read about cloud security requirements and our services below.

CANDA's expert cloud security team help with design, configuration management and C&A of your cloud services adoption. Specialists in Office 365, Azure and AWS.
We can provide experienced advice on how to mitigate potential risk in Cloud Services consumption for your agency or business.

What are AWS, Azure and Office 365?

AWS – Amazon Web Services, a cloud computing platform provided by Amazon. It provides a mix of infrastructure as a service (IaaS), platform as a service (PaaS) and packaged software as a service (SaaS) offerings.

Microsoft Azure – A cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through Microsoft-managed data centres.

Office 365 – Online versions of Microsoft Word, PowerPoint, Excel, and OneNote.

Other examples include:

IaaS – Elastic Cloud Compute (EC2), Google Compute Engine and Rackspace Compute.

PaaS – Google App Engine, Microsoft Windows Azure, and Oracle Database Cloud.

SaaS – Microsoft Office 365, Google Apps, and Oracle Applications Cloud.

What is cloud security and how does it apply to New Zealand agencies?

When we refer to ‘The Cloud’, we’re essentially talking about an off-site data centre accessed through the Internet. However, the location of the individual data centre is of great importance when considering security implications for New Zealand agencies.

Cloud services hosted offshore introduce jurisdictional, sovereignty and privacy risks, and although foreign-owned cloud service providers in New Zealand are subject to NZ legislation and regulation, they may also be subject to a foreign government’s privacy, lawful access and data intercept legislation.

Some cloud services hosted within New Zealand may be supported by foreign-based technical staff. This characteristic introduces a further risk element to the use of foreign-owned cloud service providers, as it creates further potential vulnerability in the data centre’s storage security.

For Government agencies there are also a number of Cabinet-mandated requirements to be aware of when using services hosted ‘offshore’ (see here).

Security certification requirements for cloud services in New Zealand

Security certification documents for some public cloud services are now available. This will significantly reduce the time and effort to complete security certification for these services.

These documents typically include a generic risk assessment, independent audit report of security controls, and a security certificate. Security certificates summarise the security position, residual risks and any risk remediation plans.

NZISM provides a number of standards that agencies need to assess and consider in the use of cloud services:

  • Agencies using cloud services hosted offshore must ensure jurisdictional, sovereignty and privacy risks are fully considered and formally accepted by the Agency Head or Chief Executive and the agency’s Accreditation Authority.
  • Agencies using cloud services hosted offshore must ensure that the agency retains ownership of its information in any contract with the cloud service provider.
  • Agencies using cloud services hosted offshore and connected to All-of-Government systems must ensure they have conducted a risk assessment, accepted any residual risks, and followed the endorsement procedure required by the Government Chief Information Officer (GCIO).

NZISM also provides that agencies should not use cloud services hosted offshore unless:

  • privacy, information sensitivity and information value have been fully assessed by the agency;
  • a comprehensive risk assessment is undertaken by the agency;
  • controls to manage identified risks have been specified by the agency; and
  • the cloud service provider is able to provide adequate assurance that these controls have been properly implemented before the agency uses the cloud service.

Depending on the type of cloud service being used, a relative security assessment will be required to identify and address any potential security concerns within an agency’s systems.

The experienced team at CANDA are experts in conducting full risk assessments for any business or agency in New Zealand, and can advise on appropriate cloud security measures to ensure all controls are implemented to mitigate risk.

Contact CANDA today to ensure your cloud services are secure

Our experienced team at CANDA are experts in everything ICT security and risk related. We can provide a range of services to ensure your agency meets NZISM requirements, including for the adoption of cloud services, or simply discuss the options and the things to be aware of, from a security perspective, when adopting cloud services.

We are New Zealand’s trusted and impartial experts. Call us to see if we can help resolve your cloud services security and risk concerns.

Contact CANDA today to speak to one of our team and learn more about how we can help.
