Aussie AWS partners are a step closer to being able to boost the public sector work they can undertake involving highly sensitive and classified Government data, with the cloud vendor completing the independent assessment needed for such clearance.
AWS revealed on 28 March it had finalised its assessment through the Information Security Registered Assessors Program (IRAP), which is a prerequisite for inclusion on the Australian Signals Directorate’s (ASD) Certified Cloud Services List (CCSL) under the “protected” classification level.
The assessment specifically relates to services delivered via AWS’ Asia Pacific (Sydney) Region.
The CCSL, which is overseen by the ASD -- an intelligence agency that sits within the Department of Defence -- gives cloud services providers and certain resellers partnering with those providers the ability to vie for public sector work requiring an IRAP security assessment, along with other security checks and balances.
Just four suppliers have been granted the ASD’s “protected” classification status for their services: Dimension Data, Macquarie Government, Sliced Tech and Vault Systems.
Although the official inclusion of AWS on the Government’s list as a supplier of “protected” cloud services remains up to the ASD, the successful completion of the IRAP assessment means that Australian federal, state and local government agencies and departments can store and run “protected”-level, mission-critical workloads on the AWS Cloud.
According to AWS, there are now 46 of the cloud vendor’s services offered for government agencies and departments to leverage on AWS Sydney Region at the “protected” level.
However, because AWS has not yet been officially invited to join the ASD’s CCSL ranking as a provider of “protected” services, Government agencies and departments wanting to tap into AWS for workloads involving highly sensitive data will have to manage their own risk assessment, and self-accredit “protected-level” workloads to run on AWS Cloud.
Regardless, the completion of the IRAP assessment process to achieve the “protected” classification is a substantial development for AWS and its partners, given the broad penetration of the vendor’s services in the local market.
“This milestone will enable customers to run secure workloads at the ‘protected’ level on AWS Cloud, with the assurance that citizen data is highly secure,” AWS worldwide public sector A/NZ country manager, Andrew Phillips, said. “This IRAP assessment applies to AWS Sydney Region, so our public sector customers can take advantage of the latest innovations, including the most recent security features and services, as soon as they become available.
“Additionally, government agencies and departments can leverage the highest availability and fault tolerance in running their mission-critical workloads, through the three Availability Zones (AZs) offered in AWS’ Sydney Region,” he said.
Meanwhile, AWS continues to work with the ASD for inclusion of the AWS Protected government cloud package on the CCSL.
“However, customers can now immediately make use of the IRAP assessment to perform self-accreditations, working under the DTA’s Secure Cloud Strategy,” the company said.
AWS has long maintained the “unclassified DLM [Dissemination Limiting Markers]” status by the government intelligence agency for a number of services, including EBS, EC2, S3 and VPC. Microsoft, Salesforce and IBM are among the other cloud services providers with this classification.
With the ASD formally certifying dozens of additional Microsoft cloud services across Azure and Office 365 as “unclassified DLM”, the company now claims around 50 cloud services included approved by the certification scheme.