What is the announcement?
The Australian Cyber Security Centre (ACSC) awarded PROTECTED certification to AWS for 42 cloud services in the AWS Asia-Pacific (Sydney) Region. This is the highest data security certification available in Australia for cloud, and AWS has the most PROTECTED services of any public cloud service provider.
Why does this matter?
This is a clear example of the Australian Government’s “cloud-first” strategy as a catalyst to help reduce risk within government IT systems. By certifying the most number of services from the world’s leading cloud technology platform at the highest security level for cloud, the government is removing barriers to cloud adoption within agencies. This is independent validation of what AWS has been saying for years, that “security will always be our top priority”, with formal certification to the most rigorous security standard in Australia.
Why does this matter… to a government agency?
Australian Government agencies can use AWS’s PROTECTED services to innovate faster while they manage risk and compliance in a more efficient and cost effective way. The PROTECTED certification is for a wide set of 42 AWS services. Government agencies and organizations that service government agencies can now use the same technology building blocks that are used by the most innovative organizations around the world, including Netflix, Atlassian, National Australia Bank (NAB), Airbnb and Qantas. Some Australian Government agencies, such as the Australian Tax Office (ATO), have been using AWS for Unclassified DLM data for the past few years. All Australian Government organizations now have the ability to use AWS at the higher PROTECTED classification level for many more services.
Why does this matter … to a commercial enterprise?
AWS’s PROTECTED certification validates what the world’s most security conscious organizations already know, which is that AWS offers a greater level of agility, security and resiliency than traditional data centers. The ACSC’s review concluded that AWS provides security that is suitable for highly sensitive data and applications. This is based on the 42 services that were certified at PROTECTED, the hundreds of security certifications that AWS holds, the thousands of security controls in AWS’s compliance reports, and the millions of active customers that consume AWS’s secure services globally. Everyone can rely on the validation of the Australian Government that AWS is secure. In addition, many commercial enterprises in Australia interact with the government and are required to certify their systems to PROTECTED status, for example a law firm holding government data or a private healthcare provider integrating with a health or human services agency. Those enterprises directly benefit from the ability to build PROTECTED services on AWS.
Why does this matter … to a partner or service provider?
Partners are an important part of the AWS ecosystem, and service providers are an important part of how IT is delivered to government. Partners immediately benefit from having a cost effective, scalable platform on top of which to build applications that store and process highly sensitive government data. Previously these partners may have used expensive, private facilities that are limited in their scale because they only focus on one part of government, inside which the pace of technology evolution is slow. Now, these same partners can build and host applications in the AWS Sydney Region that benefit from AWS’s fast rate of product innovation, including cutting edge analytics, security and serverless compute services. This allows them to align the way they deploy services to the Australian Government to the same way they deploy services to organizations around the world.
What types of services are certified?
AWS’s PROTECTED certification covers the widest range of public cloud services available to the Australian Government. These services include compute, storage, network, database, security, analytics, application integration, content delivery, desktop, mobile, management and governance services. The ACSC certification lists 42 AWS services, but counts Amazon Relational Database Service (RDS) as one service even though it includes all variants including PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server – all of which have been certified at PROTECTED. There are a number of firsts on the list of AWS PROTECTED services:
- This is the first time the ACSC certified serverless and analytics services at PROTECTED in the public cloud, including AWS Lambda, Amazon Elastic Container Service, AWS Step Functions, Amazon EMR and Amazon Kinesis – all of which are key building blocks of advanced cloud applications.
- This is the first time the ACSC certified a content delivery network at PROTECTED, including Amazon CloudFront, AWS Lambda Edge and Amazon Web Application Firewall.
- This is the first time the ACSC included additional cloud services into the PROTECTED scope, more than were originally submitted by the IRAP assessor, including security services such as Amazon GuardDuty and AWS Organizations.
What can I build with these?
Of all of the benefits from AWS’s PROTECTED certification, the widest range of public cloud services is the most tangible benefit to Australian Government agencies. Using these services, agencies and organizations can build:
- Secure ERP systems for national agencies
- Shared government data hubs and data lakes containing nationally significant data
- Automated workflows and service delivery management platforms
- Secure DevOps and application development frameworks to build and deploy highly sensitive applications
- Archive and compliance services for highly sensitive and nationally significant data
- Data analytics services processing PROTECTED government data
- Secure communications and contact center services
- Security-as-a-Service platforms, including secure PROTECTED gateway services
- Globally distributed content delivery applications
Retiring risky technology debt and legacy operational platforms currently operating at PROTECTED
Where can I use these services?
AWS’s PROTECTED certification covers use of these 42 services in the AWS Sydney Region. This includes all three geographically isolated AWS Availability Zones located in different parts of New South Wales, each of which are composed of multiple physical facilities. This is the same AWS Region that provides scalable cloud services to Australia for the last 6 years, and is the same AWS Region that major Australian organizations like banks, airlines, telcos, and government agencies use for their important applications. In addition to these 42 services that were certified at PROTECTED, the ACSC has also expanded the Unclassified DLM certification for 46 AWS services in all AWS Regions around the world.
Can I use AWS’s global footprint for Australian Government data?
Yes, the ACSC certified 46 AWS services in all global AWS Regions as suitable for running sensitive government workloads that handle Unclassified DLM data. AWS has the most Unclassified DLM public cloud services available, and AWS has the most services that the ACSC have certified outside of the borders of Australia. This is a direct benefit for Australian Government agencies that have a global footprint, for example agencies involved with defense, home affairs and foreign affairs that need to manage sensitive data and systems outside of Australian borders. The ACSC has a sensible caveat that says “Commonwealth entities should prefer locations in Australia and consider the risks with using AWS locations outside of Australia”, but this certification allows agencies to use a global footprint when and where it makes sense.
How much does it cost?
There is no extra charge for PROTECTED services, which is consistent with AWS’s approach that it will not charge a premium for security. The ACSC certified 42 AWS services in the AWS Sydney Region at PROTECTED. These are the same services that any organization around the world can use. These services follow AWS’s transparent pricing model which is listed on the public pricing page for each service. Organizations that use the AWS PROTECTED services can take advantage of AWS’s history of price reductions, with 69 price reductions on cloud services since 2006.
How do I learn more and start using these services?
To use these PROTECTED services simply log into the AWS console, select the Asia-Pacific (Sydney) Region, and start to configure and consume these cloud services the same way you would any AWS service. AWS provides the detailed “ACSC Consumer Guide” and “AWS IRAP PROTECTED Reference Architecture” on AWS Artifact (https://aws.amazon.com/artifact/), available for free to any AWS customer. AWS Artifact also has the “IRAP Certification Report”, the “ACSC Certification Report” and the “ACSC Certification Letter”. This is the complete package you need to understand the scope of what was accredited, and how to use it to build PROTECTED applications on AWS.