Amazon Web Services has overcome a major hurdle to being used by government agencies to store classified data.
The cloud giant announced it has successfully undergone an IRAP assessment of its Sydney region for the storage and processing of government data classified at the Protected level.
The Information Security Registered Assessors Program is an Australian Signals Directorate initiative that allows ICT products services to be assessed for their compliance with the controls outlined in the government’s Protective Security Policy Framework and the Information Security Manual.
“This IRAP assessment applies to AWS Sydney Region, so our public sector customers can take advantage of the latest innovations, including the most recent security features and services, as soon as they become available,” said Andrew Phillips, who oversees AWS’s public sector push in Australia and New Zealand.
The IRAP assessment is potentially a step towards being added to the ASD’s Certified Cloud Services List. Services on the CCSL have been subject to an IRAP assessment and certified by the ASD to comply with government standards for use with data at a particular classification level.
The CCSL launched in 2015 with a range of services from AWS and Microsoft certified for use with unclassified but sensitive government data. Since then the list has expanded to include Dimension Data, Macquarie Telecom’s government services arm, IBM, Education Services Australia, Salesforce, ServiceNow, Sliced Tech and Vault systems.
Australian cloud services providers Vault Systems and Sliced Tech last year became the first companies on the list to be certified for use with Protected data. Services from Macquarie Government and Dimension Data have since been given the green light to use with Protected data. Microsoft has previously indicated it is working towards being included on the list of cloud providers certified at Protected level.
AWS said that it was continuing to work with the ASD “for inclusion of the AWS Protected government cloud package on the Certified Cloud Services List (CCSL)”. The company added: “However, customers can now immediately make use of the IRAP assessment to perform self-accreditations, working under the [Digital Transformation Agency’s] Secure Cloud Strategy.”
The Digital Transformation Agency-developed Secure Cloud Strategy was launched in February. The strategy, which advocates for a significant boost to cloud adoption across federal government, noted that there were limitations to the ASD’s capacity to certify cloud services.
The strategy endorses the creation of a layered cloud certification model. ICT services used by an agency are generally subject to an IRAP assessment and then passed through a certification authority. That certification authority is usually within the agency.When it comes to cloud services, the Australian Signals Directorate has been the certification authority.
“However, ASD do not have the capacity to undertake certification against every cloud service an agency may wish to use,” the strategy states. “Continuing with the current approach with existing resources will not achieve the government’s objectives to accelerate the use of cloud.”
The document states that extending the ASD certification model “to enable agency assessments to also become baselines for re-use will increase the capacity of government to undertake assessments”.