Google CDR Security

Google's Cloud Platform and Workspace provide a comprehensive suite of products, settings, and user guides for achieving the CDR accreditation.

The Consumer Data Right (CDR) is hyped as the railway lines or core infrastructure for the future of Australia's tech industry. Open Banking is the industry moving first - requiring the banks to make consumer data available and free to use by third-party services. This is subject to consumer consent and accreditation of the third-party services to verify they meet the security requirements of the CDR.

Accreditation requires an independent audit and assurance report by a qualified provider, like AssuranceLab & A-LIGN. This assurance requirement is one of the major barriers to participating in the CDR, with high costs and effort involved.  It's been criticised for causing slow onboarding of Accredited Data Recipients (ADRs), with only a handful of accreditations nine months after the CDR went live in July 2020.

Like all standards, the path to compliance gets faster, easier and cost-effective over time. The ecosystem of service providers and knowledge grows to provide better solutions and clarity of the requirements. The CDR clearly describes the "what" (is required), but not the "how". This article explains the "how" for aspiring data recipients using Google's Cloud Platform and Workspace product suites.

What are the security requirements?

For the purposes of implementing and auditing the required security practices, we split them into four types or levels that these practices are implemented and managed:

1. Infrastructure: the Google Cloud Platform suite of products.
2. Application: Your own software product(s) and any other third-party software directly supporting the CDR Environment.
3. Endpoint Devices: mobiles, laptops and external media devices used by your people that support or interact with the CDR Environment.
4. Organisational: governance level practices that apply broadly across the underlying systems, processes and people.

How to implement CDR with Google products

There are four high-level steps to implement your environment and security practices to meet the CDR requirements with Google products:

1. Cloud Identity: Implement the identity and access management solution to simplify and manage the access control practices for your organisation and cloud environments.
2. Cloud Platform (GCP): Navigate to each of the Google Cloud knowledge base links below to implement the related security configurations, licenses and products that solve the infrastructure level CDR requirements.
3. Endpoint Management: Set up advanced endpoint management and follow each of the links below to set up the required security practices that apply to end user devices.
4. AssuranceLab Knowledge base: Navigate to the AssuranceLab Knowledge base for a comprehensive suite of examples, how-to-guides, tips and links to solutions for the organisational practices that support the CDR requirements.

To get started, download our white-paper with the full list of CDR requirements mapped to Google and AssuranceLab knowledge base content.