Google’s cloud gets greenlight for hosting government data

Google Cloud Platform has been added to the Certified Cloud Services List (CCSL) maintained by the Australian Cyber Security Centre (ACSC).

The platform has been certified for use with unclassified but potentially sensitive government data.

“Google sought entry into the certification program for hosting data classified up to Unclassified DLM [Dissemination Limiting Marker],” said ACSC head Alastair MacGibbon.  “Because of this Google was only assessed for this purpose.”

“If an agency’s security and risk needs can be met with a cloud certified to Unclassified DLM, this increases their choices in meeting their business objectives,” MacGibbon said.

The certification applies to 16 of Google’s services delivered from its Sydney data centre.

Those services cover compute (Compute Engine, App Engine and Kubernetes Engine); storage (Cloud Storage and Persistent Disk); networking (Virtual Private Cloud, Cloud Load Balancing and Cloud DNS); security (Cloud Key Management Service and Cloud IAM); management (Stackdriver); data analytics (Cloud Dataflow, Cloud Dataproc and Cloud Datalab); and databases (Cloud SQL and Cloud Datastore).

MacGibbon said that third-party solutions built on top of a certified cloud services don’t automatically inherit the certification.

“Inclusion on the list opens the door for Australian federal, state, and local government agencies to store data and run workloads on GCP,” Google ANZ head of customer engineering Angelo Joseph wrote in a blog entry.

“IRAP certification also provides a path for GCP customers to work with the Australian government, and provides validation for private sector organizations that their data will be protected and handled in accordance with the Australian Cyber Security Center’s rigorous standards.”

The ACSC took custodianship of the CCSL as part of a wide-ranging transformation of the Australian Signals Directorate.

The CCSL is intended to make it easier for government agencies to leverage services from cloud providers. Including Google, a dozen providers have services included on the list, which was launched in 2015 with just two providers — Microsoft and Amazon Web Services.

Dell Technologies’ Virtustream joined the list in May this year.

Five providers have services certified for use with classified data: Dimension Data, Macquarie Government, Microsoft, Sliced Tech and Vault Systems.

The other providers on the list are Amazon Web Services, Education Services Australia, IBM, Salesforce, and ServiceNow.

SAP has previously indicated it intended to join the CCSL.

Earlier this year, Amazon Web Services said it undergone an IRAP assessment of its Sydney region for the storage and processing of government data classified at the Protected level. However, that assessment will need to be accepted by the ACSC before AWS can have services listed one the CCSL as suitable for use with classified data.

In February, the government’s Digital Transformation Agency released a new cloud strategy. The Secure Strategy is a successor to a 2014 strategy.

The strategy says that government agencies “should consider public cloud first and in preference to any other cloud deployment model” although it warns that they need to ensure that a service “has the appropriate security implementation for the information being handled.”