Helping the Australian Government innovate securely in the world’s most secure cloud
The rapid acceleration of digital transformation has raised expectations for efficient and effective engagement with service providers. Many expect the same engagement with government agencies as they do from consumer services such as video-on-demand, ecommerce, and online food delivery. In Australia, the government is prioritising delivering services through technology in a fast and secure way.
To help, the Australian Cyber Security Centre (ACSC) under the Australian Signals Directorate (ASD) introduced the Cloud Services Certification Program (CSCP), to assess cloud services on the ability to secure data across government departments. Using this program, government agencies were able to develop their risk management procedures by implementing cloud services that complied with the Australian Government’s Information Security Manual (ISM).
The CSCP was closed in March 2020 and the ISM was updated to remove the requirement to select services from the Certified Cloud Services List (CCSL). However, the discontinuation of the CSCP does not alter Amazon Web Services (AWS) commitment to help Australian Government agencies innovate rapidly and securely.
Understanding what the changes mean for Australian Government agencies
Under the ISM framework, AWS had 92 services assessed as PROTECTED, the highest data security standard available in Australia for cloud services. The range of PROTECTED AWS services is broad and includes Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), Amazon Polly, and Amazon SageMaker. These services act as secure building blocks from which a range of highly effective and efficient services can be constructed, fast-tracking both the development and assessment process for the deployment of innovative new government services.
Agencies will assess and self-certify their solutions. As the ACSC is no longer the certification authority for cloud services, agencies won’t have to wait for services to be certified by the ACSC for inclusion on the CCSL. Instead, they can directly use the stage two Information Security Registered Assessors Program (IRAP) reports, which are available on AWS Artifact, our central resource for compliance-related information, to understand the compliance of AWS services to ISM controls. Organisations will then assess and authorise their workloads running in the cloud against the ISM control framework, using their standard agency security processes, which may include engaging the services of an IRAP assessor.
Resources and support available for accreditation
AWS supports the goal of the ACSC to give the government access to a greater range of secure and cost-effective cloud services. Agencies will continue to be responsible for the end-to-end accreditation and certification process according to their specific operating context and risk profile.
To highlight how moving to a more decentralised model will help facilitate speed of adoption and how the best practice of leveraging third-party auditor assessments enables an organisation to scale their program and keep pace with new cloud services and features, AWS released the paper, “Accreditation Models for Secure Cloud Adoption.”
The paper explains how security is our top priority. Our services are designed to meet the security requirements of the most security-conscious customers. In Australia, we are assisting agencies in their assessment with the release of our IRAP PROTECTED documentation. This helps agencies to plan, architect, and self-assess systems built on AWS and provides a mapping of AWS controls for securing PROTECTED data.
Having access to the broadest and deepest set of services allows customers to maintain their security posture and protect themselves from cyber threats. To help our customers move quickly and securely, we have built a Quick Start automated reference deployment that can deploy an example PROTECTED Reference Architecture proof of concept on AWS. It is for customers who want to create cloud-based workloads that use AWS controls to meet the ACSC’s ISM requirements for sensitive government data handling at the PROTECTED classification level.
Ongoing compliance is important, and the Quick Start includes a guide to services such as AWS Key Management Service (AWS KMS), which is a managed service that makes it easy for customers to create cryptographic keys and control their use across a wide range of AWS services. By building and supporting encryption tools that work both on and off the cloud, AWS helps customers to secure their data and remain compliant across the entire environment. Services like Amazon GuardDuty, which is a threat detection service that continuously monitors for malicious activity and unauthorised behaviour, can help protect your AWS accounts and workloads.
How Australian customers are innovating secure solutions
We continue to see Australian Government agencies rise to the challenge of meeting the fast-changing needs of citizens. The 2019 Deloitte Access Economics report, commissioned by AWS, “Harnessing Public Cloud Opportunities in the Australian Government Sector,” revealed that government decision makers saw numerous benefits in cloud – from improved agility, where operations can be scaled to meet times of peak demand; to improved productivity through time savings in analysing data or in streamlining processes; and improved services, reliability, and data security. The report also highlighted that from 2014-2019, the Australian Government sector has seen cumulative productivity benefits estimated at over $2 billion AUD by migrating to cloud, further demonstrating the economic benefits of accelerating adoption.
We are inspired by the innovation of these agencies and their use of technology to respond quickly and securely. With the help of our partner community in the AWS Partner Network (APN), we’re seeing the development of innovative solutions for government agencies.
For example, Australian owned health-tech startup MediRecords, worked with AWS to build a bespoke call centre management solution for HealthDirect Australia enabling them to set up the National Coronavirus Helpline, an integral part of the Australian Government’s response to the Coronavirus (COVID-19) pandemic. By using Amazon Connect to provide a cloud-based telephony system and contact routing, Healthdirect Australia was able to quickly add hundreds more virtual staff to the helpline, tapping call centre providers from around the country to meet demand within a matter of days instead of building a new telehealth service that would have taken months.
Another example is Arq Group, who collaborated with AWS to develop the Fires Near Me app for the NSW Rural Fire Services. In the 2019/20 bushfire season, the team ramped up its Hyper Care Team, which was dedicated to escalating customer needs during the demanding fires. The app received over 1.3 million devices registered with 50 per cent of these registrations occurring during the fire season.
We look forward to creating a future where adaptability, scalability, reliability, security, and speed are in the forefront of citizen service delivery. The discontinuation of the CSCP does not alter AWS’ commitment to help Australian Government agencies innovate rapidly and securely, and we welcome the opportunity to speak with any agency about how our cloud services can quickly deliver secure solution innovation.
Learn more about AWS public sector in Australia.