The growth of the public sector cloud market is likely to escalate following Amazon Web Services (AWS) new PROTECTED level classification on the Australian Signals Directorate’s (ASD) Certified Cloud Services List (CCSL).
AWS has become the second hyperscaler to be certified to run PROTECTED level workloads after Microsoft’s Azure and Office 365 platforms were similarly approved last year.
This decision opens doors for AWS, especially in agencies working with sensitive data. The company has been targeting such agencies oversees. For example, AWS is a frontrunner in the race for a USD $10 billion contract for the United States Department of Defense Joint Enterprise Defense Infrastructure (JEDI) cloud system, where it aims to provide services for information rated as Unclassified up to Top Secret for the US government cloud.
AWS already has a presence at the Australian Department of Defence. Defence is the second largest buyer of AWS by total contract value, with $8.86 million across 42 contracts since 2015-2016 according to Intermedium’s Analyse IT. This includes a $0.91 million contract with ASD for “technical services”. This figure does not include contracts in which AWS partnered with another supplier who acted as the prime.
The federal government cloud market was worth at least $123.3 million in 2017-2018, according to a keyword search of Intermedium’s contracts data using cloud-related terms. $85.3 million of this total value was procured by Defence. This is, however, likely to be an understatement as cloud-specific contract data is notoriously hard to obtain, given that cloud services are often bundled with larger IT services offerings.
AWS received IRAP PROTECTED certification in January last year, with the documents becoming available in March to allow government agencies to self-assess and build cloud solutions utilising AWS infrastructure. IRAP certification is obtained from a third party assessor and is a necessary prerequisite for inclusion on the CCSL.
The Digital Transformation Agency (DTA) was an early adopter of AWS services in the creation of its cloud.gov.au website, according to DTA CEO Randall Brugeaud in a media release obtained by Intermedium.
AWS’ ascension to the CCSL mirrors the path of competitor Microsoft, which has greatly expanded its number of cloud services certified for both Unclassified DLM and PROTECTED since June 2017.
As with Microsoft’s offerings, AWS PROTECTED certification must be configured by agencies “in line with the guidance in the ACSC Certification Report and Consumer Guide”.
This condition appears to have arisen from Australian Cyber Security Centre (ASCS) head Alastair MacGibbon’s fight against “a prevailing tick box compliance culture” within the APS. The certification of 42 AWS services at PROTECTED level allows agencies to follow a “robust risk-management framework”, according to MacGibbon in AWS’ press release.
This risk-based approach appears to be taking hold, permeating other digitally-advanced jurisdictions such as NSW.