ASX-listed infrastructure-as-a-service provider AUCloud is the first organisation “Authorised” to provide PROTECTED level services.
The cloud services provider secured Phase 2 “Authority to Operate” under the Australian Cyber Security Centre (ACSC) Cloud Assessment and Authorisation Framework (CAAF).
The Digital Transformation Agency (DTA) and the Australian Electoral Commission (AEC) have both confirmed that AUCloud’s services meet PROTECTED level requirements.
The CAAF, mandated in July 2020, requires detailed information on ownership and overseas operational access for all data types, including metadata, support and analytics data.
“Focused on data – including the risks of transmission to support centres across the globe and access by unknown or unvetted personnel – the CAAF now ensures that Australia has as diligent as any cloud risk assessment and accreditation process as I have experienced in delivering to governments across the world,” AUCloud managing director Phil Dawson said.
“The CAAF is already delivering on its objectives, not only to maintain best practice security standards and related controls but to accelerate uptake of cloud services across government by leveraging the work undertaken by early adopter agencies and to expand market access for authorised SaaS services.
The company had to pass through two assessment stages to attain the authorisation.
The first, Phase 1, involves assessment by an IRAP assessor, which provides Cloud Security Fundamentals and Cloud Services Assessment artefacts that enable a cloud consumer’s (typically a Government Agency) risk assessment.
Phase 2 is the agency specific risk assessment stage, requiring the Authorising Officer within the government agency to issue an “Authority to Operate” for the specific cloud services. This phase ensures the CSP funded IRAP assessment meets the risk profile of the cloud services adopted by individual agencies.
“With close involvement from the Australian Cyber Security Centre (ASCS), DTA and AEC, we are delighted to prove the framework and share the authorisation, artefacts and learnings across government as agencies expand their use of cloud services,” AUCloud chief information security officer Peter Farrelly commented.
“Combined with a refresh of the IRAP program and adoption of more cloud-based controls in the ISM, AUCloud is pleased to see the desired benefits of the ACSC’s Cloud Security Guidance beginning to emerge to the benefit of both government consumers and service providers.“