Amazon Web Services has been certified to store and process federal government data classified as Protected, across 42 of its cloud services.
AWS announced it had received the nod from the Australian Cyber Security Centre (ACSC) to handle Protected data in its Asia Pacific (Sydney) Region data centres.
Compute, storage, network, database, security, analytics, application integration, management and governance services are among those approved. Four additional services have been approved by the ACSC to handle unclassified but sensitive (Unclassified DLM) government data.
“This provides Australian government agencies assurance that these services meet stringent Australian government security requirements,” said ACSC chief Alastair MacGibbon in a statement today.
“The government provides a robust risk-management framework to assess cyber security risks. The ACSC recommends customers review the certification documentation and make sound risk based decisions when choosing a cloud service.”
The certification marks the end of a long approvals process for the cloud provider. Any services added to the government’s Certified Cloud Services List (CCSL) are first assessed by the Information Security Registered Assessors Program (IRAP), which is overseen by the Australian Signals Directorate.
IRAP allows ICT products services to be assessed for their compliance with the controls outlined in the government’s Protective Security Policy Framework and the Information Security Manual. AWS announced it had undergone an IRAP assessment in March 2018. To be added to the CCSL requires the IRAP assessment to be accepted by the ASD.
Although AWS was one of the first cloud providers to join the the CSCL, it is a relative late-comer to the small cohort of companies offering Protected level services.
Sliced Tech and Vault Systems had services certified for use with Protected data added to the CCSL in March 2017, later joined by Macquarie Government and Dimension Data.
Microsoft was given the greenlight by government in April last year, when 25 of the company’s Azure services and 10 services within Office 365 were awarded Protected certification.
Microsoft Australia’s Azure engineering lead, James Kavanagh said at the time it made “Microsoft the first, the only, global cloud provider to have been awarded Protected certification”.
Peter Moore, AWS’s Asia Pacific regional managing director, worldwide public sector, called today's announcement a “major milestone” for the company and its customers, which “paves the way for others who may have been waiting”.
“This accreditation also generates new opportunities for our AWS Partner Network to build value-added services and solutions to serve AWS customers in the region and will inspire even more startups to build their businesses on AWS,” he said.
AWS said it now even better positioned to support the government’s Secure Cloud Strategy, developed by the Digital Transformation Agency (DTA) and launched last year.
The strategy essentially advocates for Commonwealth departments and agencies to employ public cloud services whenever possible and, in general, use as much cloud as they can.
“The Digital Transformation Agency is already using AWS to deliver cloud.gov.au, a secure cloud-based platform for hosting website applications that helps government agencies build digital services quickly,” said Randall Brugeaud, CEO of the DTA.
“Cloud is a critical part of the DTA’s whole of government transformation agenda. The Protected certification of AWS makes it easier for agencies to leverage cloud services,” he added.