Azure • AWS • GCP

Cloud Security Assessment

Secure your cloud journey with architecture reviews, configuration audits, and compliance assessments aligned to the ISM and Cloud Assessment and Authorisation Framework. Delivered by an endorsed IRAP Assessor with deep hands-on cloud expertise.

The Cloud Security Landscape in Australia

Australia's cloud security landscape is shaped by government cloud-first policies, an evolving threat environment, and a growing body of regulatory requirements. Moving to the cloud does not transfer your security obligations — it transforms them.

Government Cloud-First

The Australian Government's Digital Transformation Strategy encourages agencies to adopt cloud services. Combined with the Hosting Strategy requiring government data to be hosted in certified or assessed environments, this has driven significant migration. However, "cloud-first" does not mean "cloud-without-diligence."

Evolving Threat Environment

Misconfiguration, identity and access failures, supply chain risks, data sovereignty concerns, and insider threats create a distinct cloud threat profile. Default settings, overly permissive IAM policies, and publicly accessible storage remain among the leading causes of cloud security incidents.

Regulatory Requirements

Multiple frameworks impose cloud-specific obligations: ISM cloud security controls, PSPF, SOCI Act risk management requirements, Privacy Act cross-border data flow restrictions, and various state-level regulations for government data handling.

ISM Cloud Security Controls

The ISM includes a dedicated chapter on cloud security, with controls addressing the full lifecycle of cloud service adoption and operation.

Cloud Service Assessment

  • Assess the cloud service against ISM requirements for the intended security tier
  • Identify shared responsibility boundaries
  • Evaluate provider certifications, audit reports, and IRAP status
  • Understand data residency, jurisdiction, and personnel clearance arrangements

Configuration & Hardening

  • Configure per published hardening guidance and provider best practices
  • Monitor for configuration drift and unauthorised changes
  • IAM aligned to least-privilege principles
  • Network security controls appropriate to the security tier

Encryption

  • Encryption at rest using approved algorithms (for example, AES-256)
  • Encryption in transit using TLS 1.2+ with approved cipher suites
  • Customer-managed keys (CMKs) for higher security tiers
  • Appropriate key custody arrangements
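The "TLS 1.2+ with approved cipher suites" bullet is easy to state and easy to get wrong in a client library, so here is an added example (not code from this page or from Tech Blaze) that audits a Python ssl context against it and shows a weak configuration beside the corrected one. The approval test it applies, forward-secret key exchange plus an AEAD cipher, is this example's own shortlist and is not the ISM's list of approved suites; check the current ISM before adopting it.

```python
"""Audit a TLS client configuration against a 'TLS 1.2 or later, approved suites only' control.
Added example: the approved-suite test (forward secrecy plus AEAD) is an assumption for
illustration, not the ISM's own list of approved cipher suites."""
import ssl


def cipher_is_approved(name: str) -> bool:
    """Accept TLS 1.3 suites (all AEAD, all forward-secret) and, for TLS 1.2, only
    ECDHE/DHE key exchange with an AEAD cipher (GCM, CCM or ChaCha20-Poly1305)."""
    if name.startswith("TLS_"):                      # OpenSSL names TLS 1.3 suites TLS_*
        return True
    forward_secret = name.startswith(("ECDHE-", "DHE-"))
    aead = any(tag in name for tag in ("GCM", "CCM", "CHACHA20"))
    return forward_secret and aead


def audit_ciphers(names: list[str]) -> list[str]:
    """Return the cipher names that fail the approval test (CBC, RC4, static RSA, ...)."""
    return [n for n in names if not cipher_is_approved(n)]


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Findings for a configured SSLContext: protocol floor and the enabled cipher list."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}, need TLSv1_2")
    for name in audit_ciphers([c["name"] for c in ctx.get_ciphers()]):
        findings.append(f"weak cipher suite enabled: {name}")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """The corrected configuration: certificate verification on, TLS 1.2 floor,
    and only forward-secret AEAD suites offered for TLS 1.2."""
    ctx = ssl.create_default_context()               # CERT_REQUIRED plus hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def permissive_client_context() -> ssl.SSLContext:
    """The weak configuration: OpenSSL's whole cipher list, which includes CBC and
    non-forward-secret suites that the audit flags."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    return ctx


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("permissive:", audit_context(permissive_client_context()))
```

The same audit_ciphers check can be run over the cipher list a load balancer or API gateway reports in its TLS policy, which is where most of the "weak TLS configuration" findings in a cloud assessment actually come from.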

Monitoring & Logging

  • Comprehensive logging of admin actions, access events, and security events
  • Centralised log collection and SIEM analysis
  • Alerting for anomalous activity and policy violations
  • Log retention aligned with ISM requirements
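The alerting bullet above is only useful once it is turned into concrete rules, so here is an added example (not code from this page or from Tech Blaze) of a small rule set run over CloudTrail management events: root account use, console login without MFA, trail tampering, removal of S3 public access blocks, and write calls outside approved regions. The events are constructed, and the rule set and the approved-region list (ap-southeast-2 and ap-southeast-4, assumed here as a data-residency policy) are this example's assumptions, not a published ACSC or AWS rule set.

```python
"""Starter detection rules over CloudTrail management events (constructed sample data).
The rule set and the approved-region list are assumptions for this example."""
import json

APPROVED_REGIONS = {"ap-southeast-2", "ap-southeast-4"}   # assumed residency policy
# IAM, STS and other global services log to us-east-1 regardless of where the caller sits,
# so they must be exempt from the region rule or every IAM change becomes a false positive.
GLOBAL_SERVICES = {"iam.amazonaws.com", "sts.amazonaws.com", "organizations.amazonaws.com",
                   "cloudfront.amazonaws.com", "route53.amazonaws.com"}
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
PUBLIC_EXPOSURE = {"DeletePublicAccessBlock", "DeleteAccountPublicAccessBlock", "PutBucketAcl"}


def rule_root_usage(ev):
    return ev.get("userIdentity", {}).get("type") == "Root"


def rule_console_no_mfa(ev):
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("additionalEventData", {}).get("MFAUsed") == "No")


def rule_logging_tamper(ev):
    return ev.get("eventName") in LOGGING_TAMPER


def rule_public_exposure(ev):
    return ev.get("eventName") in PUBLIC_EXPOSURE


def rule_unapproved_region(ev):
    """Write (non-readOnly) API calls landing outside the approved regions."""
    if ev.get("eventSource") in GLOBAL_SERVICES or ev.get("readOnly", False):
        return False
    return ev.get("awsRegion") not in APPROVED_REGIONS


RULES = {
    "root_usage": rule_root_usage,
    "console_no_mfa": rule_console_no_mfa,
    "logging_tamper": rule_logging_tamper,
    "public_exposure": rule_public_exposure,
    "unapproved_region": rule_unapproved_region,
}


def detect(records):
    """Return (rule, eventID, principal ARN) for every rule each event trips."""
    hits = []
    for ev in records:
        arn = ev.get("userIdentity", {}).get("arn", "?")
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.get("eventID"), arn))
    return hits


# Constructed sample trail in CloudTrail's {"Records": [...]} layout, trimmed to the fields used.
SAMPLE_TRAIL = json.loads("""{"Records": [
 {"eventID": "e1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
  "awsRegion": "ap-southeast-2", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventID": "e2", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
  "awsRegion": "ap-southeast-2", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev1"},
  "readOnly": false},
 {"eventID": "e3", "eventName": "DeleteAccountPublicAccessBlock", "eventSource": "s3.amazonaws.com",
  "awsRegion": "ap-southeast-2", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev1"},
  "readOnly": false},
 {"eventID": "e4", "eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
  "awsRegion": "us-east-1", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci"},
  "readOnly": false},
 {"eventID": "e5", "eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
  "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/admin"},
  "readOnly": false},
 {"eventID": "e6", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
  "awsRegion": "ap-southeast-2", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/AssessorReadOnly/assessor"},
  "readOnly": true},
 {"eventID": "e7", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
  "awsRegion": "ap-southeast-2", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "additionalEventData": {"MFAUsed": "Yes"}}
]}""")["Records"]

if __name__ == "__main__":
    for hit in detect(SAMPLE_TRAIL):
        print(*hit)
```

Note that e5 (an IAM CreateUser recorded in us-east-1) is deliberately not flagged by the region rule: without the global-service exemption, every IAM and STS call in an Australian-only account would show up as a data-residency alert.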

Exit Strategy

  • Data extraction and migration planning
  • Secure deletion from provider infrastructure
  • Contract provisions for service conclusion obligations
  • Continuity of operations during transitions

Cloud Assessment & Authorisation Framework

The Cloud Assessment and Authorisation Framework replaced the former Certified Cloud Services List (CCSL) as the primary mechanism for evaluating cloud services for government use.

Risk-Based Approach

Rather than a centralised list of "approved" services, each agency conducts its own risk assessment informed by available IRAP assessments and other assurance evidence.

Shared Responsibility

The framework explicitly recognises the shared responsibility model, requiring agencies to understand which controls are the provider's responsibility and which remain with the agency.

Continuous Assessment

Cloud services evolve rapidly. The framework encourages continuous assessment rather than point-in-time certification, recognising that a service's security posture can change between formal assessment cycles.

Leveraging Existing Assessments

Agencies can leverage IRAP assessments conducted by cloud providers while conducting their own assessment of the specific configuration and usage within their environment.

For Cloud Service Providers

  • An IRAP assessment remains the most effective way to demonstrate security to government customers
  • Publish assessment reports and security documentation for agency risk assessments
  • Maintain currency — assessments against older ISM versions carry diminishing value

For Government Agencies

  • You cannot simply select a listed service and assume compliance — assess your specific configuration
  • You remain responsible for the security of your data in the cloud
  • Expertise is required to conduct or interpret cloud security assessments

The Shared Responsibility Model

The shared responsibility model defines the boundary between what the cloud provider secures and what the customer must secure. Misunderstanding this boundary is a primary cause of cloud security failures.

Responsibility                      IaaS       PaaS       SaaS
Physical Infrastructure             Provider   Provider   Provider
Operating Systems                   Customer   Provider   Provider
Applications                        Customer   Customer   Provider
Identity & Access Management        Customer   Customer   Customer
Data Classification & Protection    Customer   Customer   Customer
Encryption Configuration            Customer   Customer   Customer

Key takeaway: Even in a SaaS model, the customer retains significant security responsibilities including data classification, access control, user management, and monitoring. An IRAP assessment of a SaaS provider does not absolve the consuming agency of its security responsibilities.

Multi-Cloud Assessment

Australian Government and enterprise environments increasingly operate across multiple cloud providers. Tech Blaze provides security assessments across all three major platforms.

Amazon Web Services

Sydney region — IRAP assessed at the Comprehensive level

  • IAM: Policies, roles, SCPs, MFA enforcement
  • VPC: Segmentation, security groups, NACLs, flow logs
  • S3: Bucket policies, public access blocks, encryption
  • CloudTrail, CloudWatch, GuardDuty, Security Hub
  • KMS: Key management, rotation, CMK usage
  • AWS Config: Compliance and drift detection
  • EKS/ECS: Container security and image scanning

Microsoft Azure

Australian regions — IRAP assessed at the Comprehensive level

As a certified Azure Security Architect, Tech Blaze brings particular depth to Azure assessments.

  • Entra ID: Conditional access, PIM, MFA, guest controls
  • Network: NSGs, Azure Firewall, WAF, Private Endpoints
  • Azure Monitor and Sentinel: SIEM, analytics, SOAR
  • Key Vault: Key management, HSM-backed keys
  • Azure Policy and Blueprints: Governance enforcement
  • Defender for Cloud: Posture management, threat protection
  • Microsoft 365 security integration

Google Cloud Platform

Sydney region — IRAP assessed at the Comprehensive level

  • IAM: Roles, service accounts, org policies, MFA
  • VPC: Firewall rules, shared VPCs, Private Access
  • Cloud Storage: Permissions, encryption, retention
  • Cloud Audit Logs: Admin, data access, system events
  • Cloud KMS: Key management, CMEK, HSM-backed keys
  • Security Command Center: Inventory, vulnerabilities
  • Organisation Policy constraints: Preventive governance

Cross-Cloud Considerations

Consistent identity management — unified authentication and authorisation across providers

Unified monitoring — aggregate logs and events from multiple providers into a single SIEM

Consistent policy enforcement — equivalent controls across different native tooling

Data flow mapping — understand how data moves between providers with all paths secured

Skills and tooling — each provider has its own security services, APIs, and paradigms

IRAP for Cloud Services

An IRAP assessment for a cloud service evaluates the combined security posture of the cloud provider's infrastructure and the customer's configuration and usage.

Provider-Level Assessment

  • Physical and environmental security of data centres
  • Hypervisor and infrastructure security
  • Network architecture and isolation mechanisms
  • Operational security practices
  • Personnel security (clearances, background checks)
  • Data sovereignty arrangements
  • Incident response capabilities

Customer-Level Assessment

  • Configuration against ISM requirements
  • Identity and access management implementation
  • Network security architecture
  • Data encryption (at rest and in transit)
  • Logging and monitoring configuration
  • Backup, recovery, and change management
  • Operational procedures and documentation

Assessment Outcome

An IRAP assessment for a cloud service produces a comprehensive report documenting:

Security tier assessed — Standard or Comprehensive, with controls assessed and their effectiveness
Residual risks — recommended mitigations, conditions or constraints on the system's use
Recommendations — guidance for ongoing security management, informing the authorising officer's decision

FedRAMP vs IRAP Comparison

Organisations operating across the United States and Australia frequently encounter both FedRAMP and IRAP. Understanding their similarities and differences helps plan compliance strategy efficiently.

Aspect                   FedRAMP (US)                                   IRAP (Australia)
Governing body           GSA / FedRAMP PMO                              Australian Signals Directorate (ASD), via the ACSC
Standard                 NIST SP 800-53                                 ISM
Security levels          Low, Moderate, High                            Standard, Comprehensive
Assessor model           Third-Party Assessment Organisation (3PAO)     Endorsed IRAP Assessor
Centralised listing      FedRAMP Marketplace                            Formerly CCSL; now agency-level authorisation
Continuous monitoring    Required (ConMon); highly prescriptive         Expected (annual reassessment)
Data sovereignty         US data residency for government data          Australian data residency for government data
Personnel requirements   US person requirements for some levels         Australian citizenship and clearance requirements

Guidance for Multinational Organisations

Leverage existing evidence — many controls overlap, documentation and test results can be reused with mapping
Gap analysis first — identify the delta between your existing authorisation and the target framework
Plan for data sovereignty — typically the most significant gap, may require dedicated Australian infrastructure
Engage early — Tech Blaze can advise on the most efficient pathway to both FedRAMP and IRAP compliance

Our 5-Phase Cloud Security Assessment

Our approach combines automated tooling with expert analysis to provide comprehensive, actionable results.

1. Discovery & Architecture Review

We map your cloud environment's architecture, including:

  • Cloud accounts, subscriptions, and projects
  • Network topology and segmentation
  • Data flows (internal, cross-cloud, external)
  • Identity providers and access architecture
  • Encryption architecture and secrets management
  • Monitoring and logging architecture

2. Automated Assessment

We deploy automated security assessment tools to identify:

  • Configuration deviations from ISM and best practices
  • Publicly accessible resources and APIs
  • Overly permissive IAM policies and unused credentials
  • Encryption gaps and weak TLS configurations
  • Logging and monitoring gaps
  • Vulnerability exposure across workloads

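Three of the checks in the automated phase (overly permissive IAM policies, publicly accessible resources, and unused credentials) come down to a few rules over policy documents and the IAM credential report. The added example below (not code from this page or from Tech Blaze) implements those rules over constructed policy documents and a trimmed credential report. The privilege-escalation action shortlist, the sample policies and the report rows are this example's assumptions; the real credential report has more columns than are read here.

```python
"""Triage helpers for automated-assessment findings: overly permissive IAM policies,
publicly accessible resource policies, and unused credentials. Added example over
constructed inputs; the escalation-action shortlist is this example's assumption."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Actions that let a principal widen its own access; flagged when allowed on Resource "*".
# Assumed shortlist, not an exhaustive privilege-escalation catalogue.
ESCALATION_ACTIONS = {"iam:passrole", "iam:createpolicyversion", "iam:attachuserpolicy",
                      "iam:attachrolepolicy", "iam:putuserpolicy", "iam:putrolepolicy"}


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_findings(policy: dict, name: str) -> list[str]:
    """Findings for an identity policy: full admin, unconditioned service wildcards,
    and privilege-escalation actions granted on every resource."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        all_resources = "*" in _as_list(stmt.get("Resource"))
        if "*" in actions and all_resources:
            findings.append(f"{name}[{idx}]: full administrative access (Action * on Resource *)")
            continue
        service_wild = [a for a in actions if a.endswith(":*")]
        if service_wild and all_resources and not stmt.get("Condition"):
            findings.append(f"{name}[{idx}]: unconditioned service wildcard {service_wild} on all resources")
        escalation = sorted(ESCALATION_ACTIONS & set(actions))
        if escalation and all_resources:
            findings.append(f"{name}[{idx}]: privilege-escalation actions {escalation} on all resources")
    return findings


def public_exposure(resource_policy: dict) -> str:
    """Classify a bucket/queue/topic policy as 'public' (anonymous principal, no Condition),
    'conditional' (anonymous principal restricted by a Condition; review it) or 'private'."""
    verdict = "private"
    for stmt in _as_list(resource_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        if anonymous and not stmt.get("Condition"):
            return "public"
        if anonymous:
            verdict = "conditional"
    return verdict


def stale_keys(report_csv: str, now: datetime, max_idle_days: int = 90) -> list[str]:
    """Active access keys never used, or unused for longer than max_idle_days, read from
    an IAM credential report (only the columns named below are used)."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            last_used = row[f"access_key_{slot}_last_used_date"]
            if last_used == "N/A" or datetime.fromisoformat(last_used) < cutoff:
                stale.append(f"{row['user']}/key_{slot}")
    return stale


# Constructed sample inputs (not taken from any real account).
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DEPLOY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:CreateFunction"], "Resource": "*"}]}
SCOPED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]}
PUBLIC_BUCKET = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
VPCE_BUCKET = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}
CREDENTIAL_REPORT = """user,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,true,2024-05-20T01:02:03+00:00,false,N/A
ci-bot,true,2023-11-01T00:00:00+00:00,true,N/A
bob,false,N/A,false,N/A
"""
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, pol in (("admin", ADMIN_POLICY), ("deploy", DEPLOY_POLICY), ("scoped", SCOPED_POLICY)):
        print(policy_findings(pol, label) or f"{label}: no findings")
    print(public_exposure(PUBLIC_BUCKET), public_exposure(VPCE_BUCKET), public_exposure(SCOPED_POLICY))
    print(stale_keys(CREDENTIAL_REPORT, NOW))
```

The "conditional" verdict is the one that needs a human: a bucket policy with Principal "*" behind an aws:SourceVpce or aws:PrincipalOrgID condition is not public on the internet, but a typo in the condition key or a too-broad value makes it so, which is why automated tooling should surface it rather than silently pass it.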
3. Expert Analysis

Automated tools find configuration issues. Expert analysis finds architectural and design issues:

  • Network architecture segmentation by classification
  • Consistent least-privilege IAM patterns
  • Encryption architecture appropriateness
  • Monitoring and alerting sufficiency
  • Shared responsibility alignment with ISM
  • Exit and continuity strategy adequacy

4. Reporting & Remediation Guidance

We deliver a comprehensive report including:

  • Executive summary with risk dashboard
  • Detailed findings by ISM control domain
  • Risk ratings (Critical, High, Medium, Low)
  • Cloud-native remediation guidance
  • Architecture recommendations
  • Prioritised remediation roadmap

5. Remediation Support (Optional)

Hands-on support to address identified findings:

  • Infrastructure-as-Code security templates
  • IAM policy refactoring
  • Network security architecture redesign
  • Logging and monitoring enhancement
  • Encryption configuration implementation
  • Security automation and policy-as-code

Frequently Asked Questions

Does our cloud provider's IRAP assessment cover us?

Partially. The cloud provider's IRAP assessment covers their infrastructure and managed services. Your configuration, usage, and data remain your responsibility. You need an assessment of your specific environment within the cloud provider's platform.

Which cloud providers have been IRAP assessed?

AWS (Sydney region), Microsoft Azure (Australian regions), and Google Cloud Platform (Sydney region) have all undergone IRAP assessments at the Comprehensive level for their core infrastructure services. Other cloud and SaaS providers have varying levels of coverage. Tech Blaze can advise on the assessment status of specific services.

Can we use multiple cloud providers for government workloads?

Yes, but each provider and each environment must be assessed independently. Multi-cloud environments introduce additional complexity around consistent security controls, unified monitoring, and data flow management that must be addressed.

How long does a cloud security assessment take?

A typical cloud security assessment takes 3-6 weeks depending on the number of cloud accounts, complexity of the architecture, and the security tier. Full IRAP assessments for cloud services follow the timelines outlined on our IRAP Assessments page.

What about serverless and container environments?

Our assessments cover modern cloud-native architectures including serverless (Lambda, Azure Functions, Cloud Functions), containers (EKS, AKS, GKE), and managed Kubernetes environments. These architectures introduce specific security considerations around image security, runtime protection, secrets management, and network policy.

Do we need to provide administrative access to our cloud environment?

We require read-only access to your cloud environment for automated assessment, typically provisioned through a dedicated IAM role with audit/read-only permissions. We do not require or request write access. All access arrangements are documented and agreed before the assessment begins.

Secure Your Cloud with Confidence

Whether you are preparing for an IRAP assessment of your cloud environment, conducting a security health check, or building a cloud security strategy from the ground up, Tech Blaze provides the specialist expertise you need.

No-obligation initial consultation to understand your environment and provide a tailored proposal.