It is game on in the burgeoning Federal government cloud services market as public cloud “gorillas” Microsoft and AWS move to score data security credentials that have been held by just four local cloud players.
Driven by ‘cloud first’ prodding from the Turnbull government, agencies have increased their appetite for cloud of late, further prompted by the government’s desire for Federal IT to be a whole lot more nimble in the way it rolls out services.
Microsoft on Tuesday switched on two public cloud regions in Canberra to service the potentially huge government market. The two new regions are based in Canberra Data Centres’ Fyshwick and Hume centres, and were announced last year.
While the jury is still out on the effectiveness of the Digital Transformation Office and its successor the Digital Transformation Agency, federal agencies have been sucking up cloud services with increased relish of late.
“We have seen an inflexion point in the last nine to twelve months,” says Macquarie Telecom’s industry and policy senior manager David Forman.
“There’s a lot more depth of understanding and they (agencies) are getting their heads around it and starting to match their particular needs against the offerings in the marketplace.
“It’s not all AWS and Azure, although as you would expect, they are the gorillas,” says Mr Forman.
The Federal cloud market splits somewhat around security credentials.
Just four cloud vendors, all locals, hold the gold standard: the Protected classification level, verified by the Australian Signals Directorate (ASD) under the ASD Certified Cloud Services List (CCSL).
The four vendors with Protected status are Dimension Data, Macquarie Government, Sliced Tech and Vault Systems.
There are ten cloud vendors with the lower ASD verified security status of Unclassified Dissemination Limiting Markers (DLM). In addition to the four with Protected status these are Microsoft, AWS, ServiceNow, Salesforce, IBM and Education Services Australia.
Unclassified DLM data includes sensitive personal data that aligns with the definition of sensitive information in the Privacy Act 1988 and For Official Use Only data.
The ASD verifies Protected status for more sensitive data than Unclassified DLM. According to the ASD website, “highly sensitive data is defined as data classified as Protected.”
It is understood the process to get ASD verified Protected status can take years, but a vendor can tout for Protected agency data business after obtaining an independent assessment of its security chops through the Information Security Registered Assessors Program (IRAP). Vendors pay for their IRAP assessment.
This is what AWS has done. This week the big US public cloud vendor said it had completed an IRAP assessment “allowing Australian government agencies and departments to store and run highly sensitive data at the Protected security classification level in the AWS Asia Pacific (Sydney) Region.”
ASD has written a to-do list for agencies seeking to follow best security practice, called the Information Security Manual (ISM), and an IRAP assessor writes its opinion on a vendor’s security capability based on the ISM.
But it’s another level of comfort again for agencies if ASD has verified a cloud player against the ISM.
At the end of the day, it’s up to the agencies on risk management and how much security certification they require.
AWS is still trying to get itself on the ASD’s CCSL Protected list, but does not know when that process will finish.
Andrew Phillips, ANZ Public Sector Country Manager at AWS, says the question of when AWS crosses that hurdle is up to the ASD.
“It sits with them and we continue to work with them on that. We also recognise that they are a small agency in a fast changing industry and a lot of providers are all trying to get our reports through,” says Mr Phillips.
“Some agencies may just look at ASD certification and decide that’s what they want to do, but it’s been our experience over the last five years that they still want to go through control by control and have a look at the IRAP report,” Mr Phillips says.
“The big difference that happened – and it was only several weeks ago – is that the DTA’s policy on secure cloud allows agencies to self-certify and to use that stage two IRAP report themselves for services that were on or not yet on the (ASD) CCSL.”
Mr Phillips says this means agencies don’t have to wait for ASD to certify services at Protected level before considering them for use.
He also says that AWS’s IRAP assessment opens up the Unclassified DLM market for AWS in that the IRAP assessment provides an extra level of comfort for agencies considering AWS for their Unclassified DLM data needs.
Meanwhile, it is rumoured that Microsoft will announce on Tuesday that it has scored ASD Protected CCSL status. Microsoft has Azure global CTO Mark Russinovich in town for a customer and media chinwag on Tuesday, and the security status nugget could be his news. Alternatively, Microsoft may make a similar announcement to AWS, namely that it has an IRAP assessment at Protected level.
If Microsoft has ASD Protected verification, it will put Azure a step ahead of AWS in the agency cloud security stakes. If it’s a similar IRAP announcement to the AWS one this week, they will be level pegging. If Microsoft has nothing to show on the security credential front on Tuesday, AWS is on the front foot.
For its part, MacTel is unfussed by the “gorillas” upping their security credentials.
“There’s plenty of market here for everyone,” says Mr Forman. “This market is emerging very quickly and there’s a whole lot of opportunity.
“The more educated government buyers are becoming, the more it’s becoming clear that the big US gorillas are not the answer to everything.
“The people who are smart have got us in their environment, they’ve got the gorillas in their environment and they’ve got other people in their environment.
“They’ve got at least three and they are seeing the benefit of having local people who can sell them something that’s not made in Seattle. That’s proving to be a big differentiator as this market grows.”