Amazon Web Services (AWS) has announced completing an assessment through the Australian Information Security Registered Assessors Program (IRAP), an initiative from the Australian Signals Directorate (ASD).
The IRAP certification does not immediately promote AWS to be certified to the highest standard by the federal government itself; rather, the company has been certified to the highest standard under the IRAP criteria.
It does, however, allow the AWS cloud to be used by Australian government agencies and departments to store and run highly sensitive data at the protected security classification level in the AWS Asia Pacific (Sydney) Region.
IRAP certification comprises of two stages of audit, based on a risk assessment model. The first identifies security deficiencies that the system owner rectifies or mitigates, and the second audit assesses the residual compliance.
There are now 46 AWS services offered for government agencies and departments to leverage on AWS Sydney Region at the protected level.
Pointing to the Digital Transformation Agency's (DTA) recent Secure Cloud Strategy, Andrew Phillips, public sector country manager for AWS in Australia and New Zealand, said the company welcomes it as a "positive step" in empowering government agencies and departments to assess risk as part of their IT transformation projects.
"This IRAP assessment applies to AWS Sydney Region, so our public sector customers can take advantage of the latest innovations, including the most recent security features and services, as soon as they become available," Phillips said.
"Additionally, government agencies and departments can leverage the highest availability and fault tolerance in running their mission-critical workloads through the three Availability Zones (AZs) offered in AWS' Sydney Region."
AWS is additionally making documentation available for customers to evaluate AWS services at the protected-level classification, which the company said will allow government agencies and departments to manage their own risk assessment, and self-accredit protected-level workloads to run on AWS Cloud.
TechnlogyOne, one of the first Australian customers of AWS, also received the IRAP tick of approval in May, announcing that its enterprise software-as-a-service (SaaS) solution had been certified to the highest standard by the federal government.
In February, global IT firm Dimension Data received ASD accreditation, allowing it to store highly classified government information up to "protected" level on its Protected Government Cloud platform.
Protected-level certification for cloud services is currently the highest security level approved by the ASD on its Certified Cloud Services List (CCSL), and the NTT-owned company is the only foreign vendor extended the honour.
ASD handed out protected-level classification to Sliced Tech and Vault Systems in March last year, with the local duo the first allowed to store highly classified government information in their respective cloud platforms.
Macquarie Government, part of the Macquarie Telecom Group, received its protected-level accreditation in September.
AWS said it is continuing to work with the ASD for inclusion of the AWS protected government cloud package on the CCSL.
In the meantime, customers can still make use of the IRAP assessment to perform self-accreditations, working under the DTA's Secure Cloud Strategy.