AWS heralds new Protected status
Peter Moore: The Protected classification will allow more agencies to start the AWS journey
It has been a long time coming, but global cloud giant Amazon Web Services has been granted ‘Protected’ certification by the Australian Cyber Security Centre, making it easier for government departments and agencies to store and process sensitive data in the AWS public cloud.
The certification covers the AWS Asia Pacific (Sydney) Region of the company’s public cloud infrastructure and 42 different AWS services, including compute, storage, network, database, security, analytics, application integration, management and governance.
An additional four AWS services were certified to store and process Unclassified DLM data loads.
AWS is now the sixth company added to the Protected level of the Australian Signals Directorate’s Certified Cloud Services List (CCSL), and just the second after Microsoft of the multinational cloud providers to join the list. Australian companies Macquarie Government, Dimension Data, Sliced Tech and Vault Systems are also certified to Protected level.
The CCSL has not been without controversy in the past year, with local cloud providers complaining when the Microsoft Azure and Office365 services were certified to Protected level that Microsoft’s services did not meet the same stringent requirements as had been imposed on the Australian companies.
Most notably, the local companies complained that contrary to the government’s own Information Security Manual (ISM), the Azure and Office365 services would enable Microsoft staff who were not Australian citizens and who did not hold Australian Government security credentials to potentially access government Protected data from offshore, among other complaints.
The same complaint has been made about the AWS public cloud, although it is a degree less sharp now that a new version of the ISM, published just a month ago, places heavier emphasis on risk management practices than on mandated compliance measures.
It is worth noting that, like Microsoft, Amazon Web Services was certified to Protected level with caveats. That is, the ACSC produced a Compliance Report that details residual risks and where the AWS services are incompatible with ISM mitigations.
Only the Australian cloud service providers have been accredited to ‘Protected’ level without caveats and with additional risk management guidance – effectively creating a kind of two-tiered credential at Protected level.
The ACSC offered additional guidance for Australian government organisations considering using AWS services, although strangely it directs organisations seeking a copy of its compliance report to request it from AWS.
Although AWS had successfully completed an independent IRAP assessment as part of the process more than a year ago, the ACSC’s imprimatur should make a huge difference in its ability to sell into government.
“The accreditation awarded to the AWS Sydney Region to run and store PROTECTED security classification workloads in Australia is a major milestone for our existing customers and paves the way for others who may have been waiting for this certification in order to begin their cloud journey on AWS,” according to AWS’ Singapore-based Asia Pacific regional managing director for public sector Peter Moore.
“This accreditation also generates new opportunities for our AWS Partner Network to build value-added services and solutions to serve AWS customers in the region and will inspire even more startups to build their businesses on AWS,” Mr Moore said.
AWS has a significant customer base inside the Australian government including the Australian Taxation Office and its MyTax portal, and the Australian Electoral Commission, which used AWS to scale its website on election night for the last federal poll in 2016. The Australian Bureau of Statistics also used AWS for the marriage survey last year.
There remains a queue of cloud giants seeking Protected-level certification for their services, most notably IBM Bluemix, Google Cloud, Dell Virtustream and Salesforce.
Salesforce has not built its own infrastructure in Australia and has been running its very significant government clients – particularly the NSW state government – via the AWS public cloud, long before AWS pressed ahead with its Protected CCSL accreditation process.