AWS Public Sector Blog

5 things public sector managers should know about cloud security accreditation programs

Accreditation programs and the organizational models that support them are priority considerations for public sector managers who are modernizing their IT. But, PwC’s 2021 Cloud Business Survey reveals that managers often consider risk and compliance issues too late in the planning stage, creating delays before the benefits of cloud migration are fully realized.

Here are some key principles that can prevent accreditation-related issues from becoming a roadblock to cloud adoption.

1. Understand the Shared Responsibility Model

An organization’s accreditation program consists of a set of international standards, certifications, and accreditations to determine whether a cloud service provider (CSP) meets the organization’s security standard. The CSP and the customer have responsibilities for different aspects of the cloud system in the context of risk management. Therefore, both parties are responsible for implementing the security practices for their respective environments. Learn about the Amazon Web Services (AWS) Shared Responsibility Model.

2. Recognize and accept international certifications

Internationally recognized certifications and attestations such as ISO 27001, SOC, and PCI, offer approximately 80 percent overlap in their security objectives and domain area coverage. To maximize trustworthiness, consistency, and repeatability, a cloud accreditation program should use international standards as much as possible. Public sector managers can use their time more effectively by focusing only on the small number of country or sector requirements that are different from international standards.

3. Establish reciprocity

Using widely accepted accreditations tested and updated by other governments is an efficient way to scale reliably. If a cloud service is accredited through a widely accepted standard, this allows other organizations to accept previous certifications or re-use assessments, adding only their unique mission requirements. For example, New Zealand uses the AWS Asia Pacific (Sydney) Region and recognizes Australia’s Information Security Registered Assessors Program (IRAP) accreditations.

4. Leverage third-party auditor assessments

Using an accredited third-party auditor reduces redundancy, and allows a program to scale. A qualified third-party assessor can perform a security assessment and attest that the cloud service meets security standards. The accreditation programs of the US and Singapore both accept third-party auditor assessments.

5. Develop an organizational model tailored to your organization’s risk structure

Along with determining an accreditation program, public sector managers need to develop an organizational model with institutional and bureaucratic structures to support it. By using internationally accepted accreditations and an organizational model tailored for its own environment, a government can balance ease of adoption with its own security, risk management, and compliance requirements.

Organizational models differ according to who is empowered to make decisions about risk and how much standardization of security criteria is acceptable across an organization.

A decentralized model delegates risk ownership to each entity. Departments and agencies have the flexibility to choose international accreditations based on their priorities and specific organizational objectives. Generally, decentralized models facilitate the speed of adoption; however, the added flexibility may increase overhead by requiring specialized IT expertise in different agencies. (See the United Kingdom model.)

In a centralized model, risk decisions are largely determined in a central office according to an agreed upon set of criteria. They are often designed to incorporate the requirements of a variety of departments and agencies at the highest level of security. Although, this model may add time to initial accreditation, it can also achieve efficiency gains in the long term as agencies can use accredited services with minimal effort. However, agencies with narrowly tailored missions may find it unnecessarily burdensome to adhere to broad set of requirements usually found in a centralized model. (See the Singapore model.)

A hybrid model integrates attributes from both centralized and decentralized models. In a hybrid approach, a government can offer a choice between two pathways to accreditation: an agency-specific accreditation, or a broader government-wide accreditation. The hybrid model provides flexibility according to the needs of the organization but risks requiring additional time to achieve consensus among multiple decision makers. (See the United States model.)

Regardless of the organizational model used, the best practices described above are broadly applicable to help minimize risk, avoid redundancy, and keep costs down while maintaining the benefits of security gained by cloud adoption.

Learn more by reading Accreditation Models for Secure Cloud Adoption, and discover how to innovate securely with the AWS Institute.

Subscribe to the AWS Public Sector Blog newsletter to get the latest in AWS tools, solutions, and innovations from the public sector delivered to your inbox, or contact us.