The first services certified for use with government information classified at the PROTECTED level have been added to the Australian Signals Directorate-maintained secure cloud list.
Australian providers Sliced Tech and Vault Systems have both had services added to the Certified Cloud Services List (CCSL) that are suitable for use with PROTECTED data.
Cloud services from the companies were originally added to the CCSL in September 2015. Until now, however, services on the list have only been certified for use with Unclassified - Dissemination Limiting Markers (DLM) information (data that is not classified but may be sensitive and is not intended for public release).
The government's categories for information requiring security classification are PROTECTED, CONFIDENTIAL, SECRET and TOP SECRET.
Being added to the list requires an Information Security Registered Assessors Program (IRAP) assessment of a cloud service. The list is designed to make it easier for government agencies to securely adopt cloud services without needing to conduct their own IRAP assessment. However, the process doesn't include an assessment of legal, financial and privacy risks associated with particular services, according to the ASD.
Many of the cloud providers on the CCSL have previously said they intended to seek certification for more restricted classification levels.
The Department of Defence indicated in June last year that it expected the first services certified for use with PROTECTED data to be added to the CCSL before the end of 2016.
“Certification of cloud services is a complex process requiring high levels of interaction with providers — consequently, it is difficult to predict the precise duration of the activity,” a Defence spokesperson told Computerworld.
“ASD undertakes a stringent process to assess a cloud service’s suitability for certification at the UNCLASSIFIED dissemination limiting marker and PROTECTED levels, working with each cloud service provider to increase the overall security of the company and its services,” the spokesperson added.
“The assessment is conducted in line with the security requirements of the Australian Government Information Security Manual and includes physical security and personnel security checks.”