Dear National Disability Insurance Agency,

Please provide the documented assurance or proof that Salesforce provides PROTECTED level data security for Australian citizens in accordance with Government cloud services guidelines. That is, specific evidence (by means of assessment or certification) that all information and data created, managed, stored and accessed by the NDIS through all Salesforce products and services are at least PROTECTED with no data leaving Australia or is accessible from overseas.

This includes all data related to Independent Assessments (IA), past, present and future.

Context

It has been reported that the NDIS is moving to the cloud and away from the current Department of Human Services (now Services Australia) SAP CRM system [9], noting:

“The NDIA said that as the data being hosted on the cloud platform will include personal information, it requires data to stay within the country and NOT be transferred or accessed outside of Australia. The successful provider is required to have federal government clearance, via the Australian Signals Directorate (ASD) Certified Cloud Services List (CCSL)” [10].

These guarantees were further stated in the tender conditions, stating that “the Tenderer’s proposed Cloud Platform must be on The Australian Signals Directorate (ASD) Certified Cloud Services List at the closing time” [11]. However, it appears that Salesforce (one of many suitors) only achieved a classification level of “Unclassified” [12] , as did Google at the time [14]. Whereas, Amazon Web Services “meet stringent Australian Government security requirements for hosting PROTECTED data” [13]. This classification status is extremely important to the Commonwealth government. So much so, The Australian Cyber Security Centre states “for Commonwealth entities, sensitive data is defined as OFFICIAL: Sensitive. Highly sensitive data is defined as data classified as PROTECTED” [15]. Irrespective of these legacy ratings and certifications, the ASD Cloud Services Certification Program (CSCP) ceased on 2 Mar 2020 in addition to ceasing the Certified Cloud Services list (CCSL) on 27 Jul 20, rendering all past ASD cloud service certifications and recertification letters void [16]. Subsequently, CCSL has been superseded by the new Information Security Registered Assessor Program (IRAP) [17]. As of 11 Jun 21, there are only 7 ASD Certified Gateways IRAP assessed and certified by ASD to a PROTECTED level for government agencies [18]. They are:

1. Emantra
2. Macquarie Government
3. NTT Security (Australia)
4. Optus Business
5. Sliced Tech
6. Telstra
7. Verizon [9]

ACSC and ASD have been very clear in stating that “Commonwealth entities continue to be responsible for their own assurance and risk management of cloud services”[16], including the assertion that “often storing your information in Australia is a straight-forward and reliable choice” [20] citing ‘data sovereignty’; explained as “referring to the country in which data is stored and the issues that can flow from that. Data stored in non-Australian jurisdictions will be subject to the laws of the other country. Offshore storage may limit the ability of the Australian authorities to help if there are issues” [21]. Seemingly a key risk the NDIA sought to mitigate with their specified declaration in the tender that “it requires data to stay within the country and NOT be transferred or accessed outside of Australia” [10].

Noting the Attorney-General’s Department guidance that “each entity must have in place a security plan approved by the accountable authority to manage the entity’s security risks” [22], inclusive of the conduct of security threat, risk and vulnerability assessments that “impact the protection of an entity’s people, information and assets” [23]. Following on from this pre-tender and provider evaluation process, the NDIA is no doubt acutely aware of a number of Salesforce’s significant disruption events, such as:

a. Salesforce cloud services go down worldwide [24]
b. Salesforce fell over so hard today, it took out its own server status page [25]
c. Major’ Salesforce outage whacks firms marketing automation customers [26]
d. US consumers respond to Salesforce data breach [27]
e. Faulty database scripts brings Salesforce to its knees: faulty production script gave users access to all their company’s Salesforce data [28]
f. Hanna Andersson customers sue Salesforce for Data Breach [29]
g. Oracle and Salesforce hit with GDPR (Global Data Protection Regulation) class action lawsuits over cookie tracking consent [30]
h. Salesforce cloud data breach leaded thousands of customers’ information [31]
i. Salesforce Security Alert: API error exposed marketing data {32]

As a result, Australian citizens, especially participants of the NDIS would take great solace in knowing for sure their data and the distribution of billions of dollars of public money annually is adequately protected. This of course would extend to all Salesforce owned companies and entities, such as Mulesoft [33].

Prior public submissions by Salesforce have fallen short of clear, specific assurances. For example, in a submission to the LSIC Inquiry into the Victorian Government’s COVID-19 Contact Tracing System and Testing Regime [34], Salesforce asserts that “the system collects data which is stored security in Australia” [35] but failed to provide specific proof, reference or guarantees; vaguely referencing international standards and the APEC Privacy Recognition for Processes (PRP) in lieu of ACSC/ASD IRAP certification [17] or similar Australia specific credentialing for government cloud and data services. Paradoxically, the APEC RPP specifically states that “ the Privacy Recognition For Processors System does NOT displace or change an Economy’s domestic laws and regulations…and is intended to provide a MINIMUM level of protection” [36]. Perhaps not surprisingly, the Inquiry Committee expressed frustration in section 9.9.3 of the final report, stating “the Committee found it difficult to obtain information on how long data is stored in the Salesforce Rapid Trace CRM” [37], including noting that “response for people with disability are generally at greater risk of more serious illness if infected by COVID-19” [38], specifically citing close collaboration between the Victorian Government and the National Disability Insurance Agency through the Disability COVID taskforce set up in NDIA on 5 March 2020 [39]. Presumably via Salesforce. The issue of sovereign data was also introduced.

Dr Alan Finkel has commented “…… what level of security and comfort should we have, or what level of comfort should we have, in the integrity and reliability of a system that is built on a cloud-based platform from an American company and actually using an interface and database platform from another American company. Well, Amazon Web Services, Salesforce—the word ‘ubiquitous’ is probably too strong, but they are everywhere. Big companies and governments are using them” [40] in response to Mr Michael Bonaddio from Salesforce’s submission that “ the data is held securely in Amazon Web Services cloud infrastructure in Australia, so that is all onshore. Amazon Web Services is a trusted partner of Salesforce, and they provide services to a range of other federal and state governments in Australia” [41]. Assurance and documented evidence would seem logical to resolve the prevailing confusion in this instance.

In contrast, Microsoft, in a submission for consideration for the pending Bill 2020 (Protecting Critical Infrastructure and Systems of National Significance), stated that “ even when services maintain data a rest within one nation’s borders, such as Microsoft’s services hosted in Australia, these services may be hosted across multiple data centre sites with different operators to ensure redundancy and resiliency of the service. In turn, these services will be maintained through a connected set of global processes and operations. Similarly, the risk profile of data centres and cloud services are related but distinct” [42]. Whereas Salesforce recommended that “Australia not pursue compliance-orientated mechanisms” [43], instead proposing that industry players select the best solutions for their systems [44], such as more generic, global standards. Again, specific assurance and evidence confirming both PROTECTED data classification and Australia-based data appear unsubstantiated to date.

The NDIA has spent over $30 million with Salesforce (SFDC Australia Pty Ltd [1]) during the calendar year of 2020 (January to December) [2]. The Department of Finance specifies that “you must complete a RPAT (Risk Potential Assessment Tool) for each New Policy Proposal with an estimated financial implication of $30 million or more” [3]. Noting that “the RPAT template contains twenty-one mandatory questions - seven relating to Strategic Context and fourteen relating to Implementation Complexity” [4]. The Risk Potential Assessment Tool goes on to state that “ The RPAT assists entities to determine and communicate the potential risk of a proposal to ministers before seeking Cabinet’s agreement. The risk rating of a proposal can also inform whether additional assurance processes should be applied. Risk Ratings are a consolidation of the individual question ratings. This template will give ministers confidence that their entities are considering risk and mitigation strategies at the earliest possible stage of policy development” [5]. The Department of Finance further stipulates, as reinforced by auditors that:

“relevant entities must establish processes to identify, analyse, allocated and treat risk when conducting a procurement. The effort directed to risk assessment and management should be commensurate with the scale, scope and risk of the procurement. Relevant entities should consider and management their procurement security risk, including relation to cyber security risk, in accordance with The Australian Government’s Protective Security Policy Framework (PSPF)…processes of risk assessment, seeking, evaluation alternate solutions, and the awarding of a contract” [6]

It is therefore reasonable to assume the NDIA has clear, documented assurance that Salesforce as a platform is assuredly protected and data remains within Australian borders. Furthermore, specific to ICT transition projects, the ANAO noted, “major ICT replacement projects require a thorough understanding of business requirements, current functionality and current system shortfalls to plan for scope of the system replacement” [7], including “evidenced and risk-based ICT investment decisions for major ICT systems require and understanding of system operating costs, system shortfalls and future system design” [8]. Again, these factors and evidentiary artefacts present as routine, mandatory compliance, security and risk management documentation for personal information within a Government administered cloud-dependent system.

Thank you for your assistance.

Yours faithfully,

Shirley

References:

1. Dun & Bradstreet (2021) SFDC Australia Pty Ltd (Salesforce). Available at: <https://www.dnb.com/business-directory/c...>. Accessed [10 Jun 21]
2. NDIS (2020) Sentate Order 13: 2020 Calendar Year, National Disability Insurance Agency, Australian Government, Available at: < Senate Order for Entity Contracts Listing Relating to the period 1 January 2020 to 30 December 2020 (PDF 1MB)>. Accessed [10 Jun 21]
3. Department of Finance (2020) Risk Potential Assessment Tool General Guidance (RMG 107), Australian Government. Available at: < https://www.finance.gov.au/publications/...> . Accessed [10 Jun 21]
4. Ibid
5. Department of Finance (2019) Risk Potential Assessment Tool: Entity, Australian Government, dated 29 Oct 2019. Available at: < https://www.finance.gov.au/sites/default...>. Accessed [11 Jun 21]
6. Audit Office of New South Wales (2019) Internal Control Framework, New South Wales Government. Available at: < https://www.audit.nsw.gov.au/sites/defau... >. Accessed [6 Jun 21]
7. ANAO (2020) System Redevelopment - Managing Risks While Planning Transition, The Auditor-General, Auditor General Report No.10 2020-21 Performance Audit, paragraph 19 and sections 2.5-2.30. Australian Government. Available at: < https://www.anao.gov.au/work/performance...>. Accessed [5 Jun 21]
8. Ibid
9. Barbaschow, A. (2019) Australia’s NDIS is moving to the cloud: Nationwide scheme to move off the SAP CRM system hosted by the Department of Human Services, data 1 Dec 2019. Available at: <https://www.zdnet.com/article/australias...>. Accessed [11 Jun 21]
10. Ibid
11. AusTender (2019) Cloud Platform: RFT 1000702105, Australian Government, dated 29 Nov 19. Available at: < https://www.tenders.gov.au/Atm/ShowClose...> . Accessed [11 Jun 21]
12. Australian Signals Directorate (2018) ASD Certified Cloud Services, Department of Defence, Australian Government, data Feb 2018. Available at: < https://web.archive.org/web/201803310501...>. Accessed [11 Jun 21]
13. Australian Cyber Security Centre (2019) Australian Cyber Security Centre (ACSC) certifies Amazon Web Services to host protected data, Australian Signals Directorate, Australian Government, dated 24 Jan 21. Available at: <https://www.cyber.gov.au/acsc/view-all-c...>. Accessed [11 Jun 21]
14. Australian Cyber Security Centre (2018) ACSC adds Goole Cloud Platform to CCSL, Australian Signals Directorate, Australian Government, data 13 Dec 2018. Available at: < https://www.cyber.gov.au/acsc/view-all-c...>. Accessed [11 Jun 21]
15. Australian Cyber Security Centre (2014) Cloud Computing Security for Cloud Service Providers, Australian Signals Directorate, Australian Government, first published 18 Dec 14 and updated 27 Jul 20. Available at: < https://www.cyber.gov.au/acsc/view-all-c...>. Accessed [11 Jun 21]
16. Australian Cyber Security Centre (2020) Cloud Services, Australian Signals Directorate, Australian Government, dated 27 Jul 20. Available at: < https://www.cyber.gov.au/acsc/view-all-c...>. Accessed [11 Jun 20]
17. Australian Cyber Security Centre (2020) Information Security Registered Assessor Program (IRAP), Australian Signals Directorate, Australian Government, dated 20 Dec 2020. Available at: < https://www.cyber.gov.au/acsc/view-all-c...>. Accessed [11 Jun 21]
18. Australian Cyber Security Centre (2020) ASD Certified Gateways, Australian Signals Directorate, Australian Government, dated 15 Dec 20. Available at: <https://www.cyber.gov.au/acsc/view-all-c...>. Accessed [11 Jun 21]
19. Ibid
20. Australian Cyber Security Centre (2018) Cloud Computing Security, Australian Signals Directorate, Australian Government, dated 1 Jul 2018. Available at:< https://www.cyber.gov.au/advice/cloud-co...>. Accessed [11 Jun 21]
21. Ibid
22. Attorney-General’s Department (2021) Protective Security Policy Framework: Security Planning and Risk Management, Australian Government. Available at: < https://www.protectivesecurity.gov.au/go...>. Accessed [11 Jun 21]
23. Ibid
24. Saarien, J. (2021) Salesforce cloud services go down worldwide, ITnews, dated 12 May 21. Available at: < https://www.itnews.com.au/news/salesforc...>. Accessed [11 Jun 21]
25. Williams, C. (2021) Salesforce fell over so hard today, it took out its own server status page, The Register, dated 12 May 21. Available at: < https://www.theregister.com/2021/05/12/s...>. Accessed [11 Jun 21]
26. Novinson, M. (2019) ‘Major’ Salesforce outage whacks firms marketing automation customers, CRN, dated 17 May 19. Available at: < https://www.crn.com/news/security/-major...>. Accessed [11 Jun 20]
27. PrivSec Report (2020) US consumers respond to Salesforce data breach, GRC World Forums, dated 29 Feb 2020. Available at: < https://www.grcworldforums.com/privacy-a...>. Accessed [11 Jun 21]
28. Cimpanu, C. (2019) Faulty database scripts brings Salesforce to its knees: faulty production script gave users access to all their company’s Salesforce data, ZDNet, dated 17 May 2019. Available at: < https://www.zdnet.com/article/faulty-dat...>. Accessed [11 Jun 21]
29. Lancaster, A. (2020) Hanna Andersson customers sue Salesforce for Data Breach, law.com, dated 4 Feb 2020, Available at: < https://www.law.com/therecorder/2020/02/...> . Accessed [ 11 Jun 21]
30. Lomas, N. (2020) Oracle and Salesforce hit with GDPR (Global Data Protection Regulation) class action lawsuits over cookie tracking consent, TechCrunch, dated 14 Aug 20. Available at: < https://techcrunch.com/2020/08/14/oracle...>. Accessed [11 Jun 21]
31. Errick, K. (2020) Salesforce cloud data breach leaded thousands of customers’ information, Law Street Media, dated 5 Feb 2020. Available at:< https://lawstreetmedia.com/tech/salesfor...>. Accessed [11 Jun 21]
32. Schwartz, M. (2018) Salesforce Security Alert: API error exposed marketing data, Bank info Security, dated 3 Aug 2018. Available at: < https://www.bankinfosecurity.com/salesfo...>. Accessed [11 Jun 21]
33. Forum of incident response and security teams (2013) Salesforce CSIRT. Available at: < https://www.first.org/members/teams/sale... >. Accessed [11 Jun 21]
34. Salesforce (2020) Submission 8: Victorian Government’s COVID-19 Contact Tracing System and Testing Regime Inqury, dated 13 Nov 2020. Available at: < https://www.parliament.vic.gov.au/images...>. Accessed [11 Jun 21]
35. Ibid
36. Asia Pacific Economic Cooperation (2015) APEC Privacy Recognition for Processor System, Page 9. Available at: < https://www.apec.org/~/media/Files/Group...>. Accessed [11 Jun 21]
37. Legislative Council: Legal and Social Issues Committee (2020) Inquiry into the Victorian Government’s COVID-19 contact tracing system and testing regime, Parliament of Victoria, Page 134. Dated Dec 2020. Available at: , https://www.parliament.vic.gov.au/file_u...>. Accessed [11 Jun 21]
38. Ibid
39. Ibid. Page 15
40. Ibid. Page 134
41. Ibid
42. Microsoft (2020) Submission 111: Microsoft submission to Protective Critical Infrastructure and Systems of National Significance discussion paper. Available at: < https://www.homeaffairs.gov.au/reports-a...>. Accessed [11 Jun 21]
43. Salesforce (2020) Submission 056: Protecting Critical Infrastructure and Systems of National Significance, dated 16 Sep 2020. Available at: < https://www.homeaffairs.gov.au/reports-a...>. Accessed [11 Jun 21]
44. Ibid

Dear foi,

I agree with the 30 day extension request.

Yours sincerely,

Shirley