Two Australian companies were yesterday revealed to be the first cloud providers to have been certified by an Australian Signals Directorate-backed program for use with classified government information.
Vault Systems and Sliced Tech have had services certified for use at the PROTECTED level added to the government’s Certified Cloud Services List (CCSL), which is maintained by the ASD and is based on IRAP (Information Security Registered Assessors Program) assessments.
Previously, CCSL-listed services from the two companies were only approved for use with Unclassified information. A service doesn’t need to be on the CCSL for it to be used by a government agency to store or process information (including classified information), but being listed makes it easier for agencies to be assured of a service’s security controls.
The chief executives of Vault Systems and Sliced Tech told Computerworld that their services are already prepared to handle information at higher classification levels. However, until the services are added to the CCSL, government agencies are obliged to conduct their own security assessments.
Vault Systems is a government-only cloud provider — all of its customers are government or government contractors, the company’s CEO, Rupert Taylor-Price, told Computerworld.
The company has separate physical infrastructure for PROTECTED and Unclassified services. Its cloud services are based on OpenStack and the company has a 100-gigabit network that connects to multiple tiers of storage (pure NVMe Ceph-based block storage; SSD; spinning disk; and OpenStack’s object store Swift).
Taylor-Price said Vault Systems’ OpenStack-based services include Cinder, Nova, the Horizon dashboard, and identity service Keystone.
“All of those related services have all been certified, so it’s quite a major piece of work,” the CEO said. “It’s been around six years for us to get that certified through government but it’s going to change the kinds of services government can deliver to citizens.”
The company has put together its own distribution of OpenStack with a number of security changes built into the core components.
“When we did that, it was more cost effective for us to essentially bake-in TOP SECRET security controls across all deployments,” Taylor-Price said. “Whether we’re deploying a TOP SECRET, a SECRET, a PROTECTED or an Unclassified cloud, all of the security controls around TOP SECRET have been embedded across what we’re doing.”
“The question will be whether government is ready to consume services at that level,” he added. The company has had a number of conversations with Defence and intelligence agencies, the CEO said.
“I think SECRET and TOP SECRET are probably something that will happen — I’m hoping — in 2017. But there’s still a significant cultural and comfort level that the government needs to get to before they will consume services of that security rating from an outsourced provider.”
Similarly, Sliced Tech CEO Jason McClure said the company was able to offer services at higher classification levels than PROTECTED.
The company’s cloud offerings that have been certified by the ASD program for use with PROTECTED information cover infrastructure as a service, platform as a service, software as a service and supporting managed services (such as platform management of virtual services), the CEO told Computerworld.
“From the services that are certified by ASD we are able to enable entire organisations’ IT environments from our Government Community Cloud,” the CEO said. “Sliced Tech can provide a range of services, from security as a service, to file-sharing, through to cloud-delivered IT environments to enable customers.”
The company has customers that do not own any infrastructure and instead consume their IT infrastructure (including on-premise infrastructure), service desk and managed services entirely as a service.
“As a local company, we are proud of our ability to compete with large (international) providers and to regularly deliver services that provide more flexibility, agility and security than some of the more recognised brands,” McClure said in a statement.
“Our local 24x7 onshore support, and range and quality of services is a major differentiator, with all of our staff having Australian government clearances.”
The cloud provider has contracts with federal and state agencies as well as large private sector organisations.