Service providers see boost from govt's secure cloud list

The creation earlier this year of the Certified Cloud Services List has had an already begun having an impact on government adoption of cloud according to the Australian vendors who have been added to the CCSL.

The CCSL is maintained by the Australian Signals Directorate, which unveiled the initial list in April alongside the newest edition of the government's Information Security Manual.

The refresh of the ISM and the CCSL's launch followed the 2014 release of an updated government cloud policy under which agencies must adopt cloud where it is "fit for purpose, provides adequate protection of data and delivers value for money" when obtaining new ICT services or replacing existing services.

The list is intended to make it easier for government departments and agencies to securely adopt cloud services.

"Assessments are performed by members of ASD's Information Security Registered Assessors Program," a spokesperson for the Department of Defence said.

"A vendor itself is not assessed, rather a specific cloud service that the vendor provides. If a service meets ASD's certification requirements, it will be awarded certification and added to the published CCSL."

The first tranche of services to join the list were Microsoft's Azure cloud computing service and Office 365 and Amazon Web Services' EBS, EC2, S3 and Virtual Private Cloud services.

Macquarie Telecom in May became the first Australian company to be added, with its GovZone cloud service becoming part of the CCSL.

Then in September the ASD added another two Australian cloud providers, with services from Canberra-based Sliced Tech and Sydney-headquartered Vault Systems joining the CCSL.

IRAP assessors are currently undertaking more than 20 assessments of cloud services for government use, according to Defence.

Anecdotal feedback on the initiative from government agencies has been "overwhelmingly positive," according to the spokesperson for the department.

"Smaller federal and state/territory government agencies in particular rely on the list to inform cloud adoption projects."

"The CCSL is a strong example of how government can work with industry to save time and resources," the spokesperson added.

"The CCSL provides an authoritative list of services to inform the accreditation decision by an agency, as detailed in the Australian government Information Security Manual."

"The reality is government is inherently risk averse and we expect them to be prudent custodians of the country's assets," said Macquarie Telecom co-founder and managing director Aidan Tudehope.

"So they do look for guidance when adopting new technology. And the reality is, most agencies aren't experts when it comes to technology – they're experts in their domain.

"When they have another department that takes the effort to understand the dynamics of new technology and put out some guiding frameworks, they absolutely leverage that framework."

"From an Australian government and public point of view, in addition to streamlining procurement processes, the initiative allows government departments to leverage the benefits of the cloud while reducing the likelihood the exposure of sensitive government data," said the CEO of Vault Systems, Rupert Taylor-Price.

The assessment process undertaken by Vault Systems covered a range of OpenStack-based services the vendor offers, including compute, object and block storage, networking, and secure Internet gateway.

"The list is extremely useful as it provides certainty for government customers that a minimum level of security compliance has been attained," said Sliced Tech's CEO, Jason McClure.

"It also enables agencies to feel more enabled to progress cloud and other 'IT-as-a-service initiatives whilst still meeting their obligations for compliance."

"We actually had a number of existing and new customers asking when we were going to be on the list since April," McClure said.

“Being added to the list has provided validation by ASD of the information Sliced Tech provided to those customers. Government agencies now feel more enabled to utilise us as a result of us demonstrating our compliance, especially when we achieve higher compliance than themselves or other providers."

Taylor-Price said there has been an "overwhelming amount of interest" in Vault's services after it was added to the CCSL.

"It would appear that cloud solutions offer opportunities to solve a lot of the challenges that agencies have with tight project timelines," the company's CEO said.

Prior to creation of the CCSL, Sliced Tech had already on its own initiative submitted to government audit reports of its clouds at the Protected ISM classification, McClure said.

The creation of the list validated Sliced Tech's decision to invest in the process, the Sliced Tech CEO said.

"We are currently one of two providers that hold both ASD certifications (gateway and cloud), which provides significant differentiation in the assurance that we provide a range of compliant services," he said.

Tudehope said that Macquarie Telecom was “absolutely” seeing an impact of being on the list.

That's classified

Currently the cloud services on the CCSL are only ratified by the ASD for use with so-called 'Unclassified DLM' data — information that is unclassified but sensitive.

The government's categories for information requiring security classifications are Protected, Confidential, Secret and Top Secret.

All the vendors Computerworld spoke to were seeking to have their services ratified by the ASD for use with more stringently protected levels of information.

Vault's Taylor-Price said the company had never officially applied for Unclassified DLM ratification; its application had been split by the ASD because of the length of time the ratification process would take for the Protected level.

Vault is due to receive ratification for its Protected certification this quarter but is hoping to receive it within a month.

Taylor-Price said Vault had built its service to the Top Secret standard although does not expect the government to ever outsource services that require that level of protection.

Being able to have a mix of Unclassified and Protected data in the same cloud environment is likely to hold significant appeal for government agencies, the CEO said.

"We have a number of our services that are in the process of being certified at both the Unclassified (DLM) and Protected classification," said Sliced Tech's McClure.

"We are engaged with ASD to progress these certifications in the near future."

Macquarie Telecom is also seeking to have its services ratified with more stringently classified data, Tudehope said.

All three CEOs had praise for the list and the ASD's work.

"Given the resources available to ASD to develop and maintain this list and supporting processes, the process has been efficient," McClure said.

"The challenge for ASD is that this is a very fast changing world of cyber security," Tudehope said.

"They have defined resources and therefore just as they achieve a certain milestone, the goalposts move and they need to reinvest in new initiatives – that's the challenge. And that's a challenge not just for ASD but for everyone in the industry...

"The reality is you can't do it on your own unless that is actually your business – you're going to lose against the cyber attackers who in many cases do to it for a business."

Follow Rohan on Twitter: @rohan_p


Copyright © 2015 IDG Communications, Inc.

How to supercharge Slack with ‘action’ apps