No difference between regular AWS and Australian government protected level services

If you have a service you want to run on protected level certification, just deploy it to ap-southeast-2.
Written by Chris Duckett, Contributor

Earlier this year, the Australian government certified Amazon Web Services (AWS) to run highly sensitive government workloads out of its Sydney region, made up of the three ap-southeast-2 availability zones.

Since that time, AWS senior manager of solutions architecture Herman Coomans told the AWS Summit in Sydney on Wednesday that one of the questions he gets routinely asked is how non-government entities can access those certificated services.

"The answer is there is no difference. These are no special editions of the services, there is not a checkbox that you check, there is not a different price, it's the same service," he said.

Coomans said when AWS gets a customer with specialist security requirements, it looks to implement those requirements everywhere.

"The technical controls and the technology that we implement in our regions around the world are the same everywhere and one of the ways that we achieve scale is through automation," he said.

"We are not going to do different in the Sydney region to how it operates somewhere else. So every time we have a new requirement, we add it everywhere."

In total, 42 AWS services gained the tick of approval from the Australian Cyber Security Centre (ACSC), including services at the time that were not in production, such as GuardDuty.

"GuardDuty is an intelligent threat detection service, it actually hadn't been released yet at the point where we first started the protected certification process, the ASD actually asked us to include GuardDuty because they liked the functionality so much, and it is actually a must control," Coomans said.

According to Coomans, the significance of AWS gaining certification is that it validates the virtualisation technology to keep workloads separate and allows protected and non-protected workloads to live and run side-by-side.

"If you go back a couple of years, it was widely believed that the only way to achieve this level of security was by having systems that were dedicated," he said. "Systems that have their own dedicated hardware, have their own dedicated network, were possibly in their own dedicated cage in a [data centre].

"The Australian Signals Directorate and ACSC are OK with the virtualisation technology that separates that instance from its neighbour, which is from a different customer, not even the same classification, it would be from any other customer running on the same hardware."

By certifying a cloud service, Coomans said it allows government to consume software-as-a-service more easily, while also making it easier for developers to reach government. He added that government customers are looking towards outsourced and managed services, but they often cannot consume them because of security regulations.

While some may hand-wring over a cloud service handling government data, it is worth pointing out that in 2017 AWS was used to handle tax returns.

The new certification has also sparked interest from the private sector, since the government requirements are regarded as a "really tough standard".

"It's 800+ controls, it's a really big task," Coomans said.

Related Coverage

AWS Snowball Edge gets block storage service

Addition touted as making it easier to deploy applications in disconnected areas.

AWS bets on services portfolio amidst increasing APAC cloud competition

With cloud market players Alibaba and Google ramping up their regional data centre footprint, Amazon Web Services is relying on the "breadth and depth" of its service offerings and platform maturity to maintain its competitive edge.

How Amazon Web Services runs security at a global scale

AWS CISO told ZDNet that security is job zero for the cloud behemoth.

Amazon Web Services enters the Hong Kong cloud market

Amazon says the new cloud service entry has been prompted by demand by enterprises and government organizations.

Amazon tops Q1 earnings expectations as AWS keeps up brisk growth

Once again, Amazon Web Services accounted for a large portion of Amazon's operating income, though the cloud business brings in a relatively small fraction of sales.

Amazon Web Services: A cheat sheet (TechRepublic)

This comprehensive guide about AWS covers the expansive cloud services offered by Amazon, common use cases and technical limitations, and what to know when adopting this technology.

Editorial standards