Why the auditor red-flagged a government agency’s cloud computing risk management practices

Here is a textbook example of how your cyber clients should not be managing their risks, according to Alberta’ auditor general.

The province’s auditor red-flagged the example of Travel Alberta Corporation, a provincial agency that moved most of its software applications and information technology infrastructure to the cloud by 2016. Earlier this year, staff with the Office of the Auditor General asked Travel Alberta for its contracts with five of Travel Alberta’s cloud computing providers. The auditor wanted to see if business requirements like data residency were covered in the contracts.

“Management could not provide a master service agreement for its key cloud service provider,” Alberta Auditor General Doug Wylie wrote in a report released to the legislature Dec. 4.

Travel Alberta’s cloud applications include human resources, payroll and proprietary information on business partners. The agency did not classify the data that it migrated to the cloud to identify the data’s sensitivity, wrote Wylie. He added that management at Travel Alberta did not provide regular reporting of cloud specific risks to its board of directors.

That said, management did start to provide this reporting to the board after the Office of the Auditor General finished its audit this past September, Wylie noted.

Wylie recommended that Travel Alberta implement contract management processes for contracts with cloud service providers and develop a risk management process for cloud computing.

“The key risk related to cloud computing is that an organization’s data is stored and managed by a third-party cloud service provider on servers that could be located anywhere in the world,” Wylie wrote. “To protect and control its data and ensure compliance with applicable privacy laws, organizations need to understand what data they have, how it is being used and by whom, and where it is stored. If the data is hosted outside of Canada, organizations will most likely be subject to the laws of that country or jurisdiction.”

If you are using a cloud service provider, you need to ensure the contract includes specific service level requirements, especially when it comes to availability – or uptime – of the services, Wylie noted. This is because business interruption is a key risk of cloud computing. A cloud computing contract should also have language requiring security and privacy.

The Alberta government has a data classification policy  that applies to government agencies. “We found that Travel Alberta was unaware of this policy,” Wylie wrote.

Managers at Travel Alberta did create a draft data classification policy in February 2019 to classify its information. But that policy does not specify the type of data that can reside in the cloud, any geographic restrictions, or security controls that the vendor must implement to protect the data, wrote Wylie.

Travel Alberta does not identify laws that apply to its information hosted outside of Canada, wrote Wylie. He contends that Travel Alberta needs to do a better job of monitoring contracts with its cloud service providers to ensure contract terms address identified risks, and that the provider’s performance is aligned with expected level of service quality.

Auditor general staff found that Travel Alberta’s confidential information is hosted in the United States and may be processed by its vendor’s affiliates in third countries.

“Because cloud computing services are becoming prevalent in our society due to cost savings, scalability and ease of use benefits, many organizations may overlook the risks associated with using cloud services before signing up,” Wylie wrote. “If risks are not identified and managed at the start of cloud use and, over time, as cloud services evolve, it may be very expensive for organizations to recover all their data stored in the cloud if using cloud services becomes no longer viable.”