AWS’ pursuit of Protected status
Peter Moore: AWS growing momentum in public sector cloud even without CCSL
Amazon Web Services will not build dedicated facilities in Canberra to host sensitive government data, and is instead seeking Australian Signals Directorate sign-off to host citizen data to Protected-level classification within its commercial public cloud infrastructure.
While AWS has not yet been added to the government’s gold-standard Certified Cloud Services List for Protected data, the company’s Singapore-based regional managing director for public service Peter Moore says the ASD had indicated last January to departments and agencies that they could host Protected workloads on AWS upon doing their own assessment.
Mr Moore says it has 46 different AWS services currently undergoing ASD assessment.
Unlike Microsoft, which has invested substantial millions in building two Canberra-based Azure regions that connect directly to the Federal Government ICON secure fibre network, AWS has sought certification to host Protected workloads on its Sydney Region public cloud facilities.
Microsoft was subsequently added to the ASD’s Certified Cloud Services List (CCSL) for Protected, albeit with caveats in the form of special additional security notes – and not without controversy, as for the first time government data would be accessible from offshore by non-Australian employees of Microsoft who did had have relevant Australian Government security credentials.
Acknowledging that Microsoft had built a dedicated set of infrastructure in Canberra, Mr Moore said: “We’re not doing that. We’re having our commercial cloud in Sydney, which is identical to the cloud regions that we have in every other country.”
“That’s what we’re having assessed and we believe that once it gets published [by ASD] our customers will be able to take advantage of the full set of services. We’ve in fact got 46 services being assessed, which is a significantly larger number than anyone else has had assessed,” Mr Moore told InnovationAus.com.
“So while it is taking some time – and that is something we wish were not the case – the reality is that at the end of the process, Australian government customers are going to have the opportunity to leverage this assessment and run Protected workloads with a broad range of AWS services available,” he said.
“[This means] they can take advantage of the abilities of the cloud, rather than a restricted set or a specific set of infrastructure. And that’s important.”
The assessment by the ASD did not somehow improve the security of the AWS service, said Mr Moore, AWS’ most senior executive for the public sector in the region.
“I want to be very clear that the assessment and the completion of the assessment has nothing to do with our capabilities,” he said.
“The last reason you should be reluctant to move to the cloud is security, because on any day the security in the cloud is better than the premises environment. And that is the message I am seeing across the world now – in Singapore, in the US and now in Australia.
“The message is that our scale, and with the length of time we have been in this business that we are able to deliver capabilities that just can’t be delivered by an individual government agency of any size.”
Mr Moore said AWS would not be building a separate cloud air-gapped infrastructure for the Federal Government – as it has done in the US for specific government customers.
“[The US government-focused service] is an air-gapped region, because that was a requirement of the customer. But the infrastructure and the services are identical to what we have in our public cloud regions.”
He said “concepts like virtual private cloud, which provides you with virtual isolation … I think our customers globally are coming to terms with this. You don’t get guaranteed improvements in security posture by having airgap.”
“There has been a tendency historically by customers that physical separation improves security, but I can assure you we are not looking at that for Australia for Protected workloads,” Mr Moore said.
The looming entry of hyper-scale cloud providers to mainstream government processes has caused great controversy in Canberra. Local cloud providers have complained that the multinational providers are having to meet less stringent benchmarks for security.
In particular, they say the multinational providers do not meet the requirements set out in the government’s Information Security Manual (ISM), particularly around the security credentials of staff and on citizen data being accessible to non-citizen administrators located offshore.
While agencies are free to use the AWS services based on its IRAP assessment (Information Security Assessment Program) even though the service is not on the CCSL list, it is worth noting that the IRAP assessor is engaged by and paid for by the cloud provider.
Mr Moore said Australian government customers were already running very significant workloads on AWS, including the Australian Taxation Office and its MyTax portal, and the Australian Electoral Commission used AWS to scale its website on election night for the last Federal election in 2016.
The Australian Bureau of Statistics had used AWS for the marriage survey last year.
“We can talk about issues around Protected and all of these kinds of things, but the reality is that we do have very significant momentum with our government agencies in running mission critical workloads on AWS today,” Mr Moore said.
“We have demonstrated globally that whatever the security requirements are, whatever the privacy requirements are, we have somewhat over-engineered our capability to meet any of those expectations and will continue to do that.”