ACSC adds Google Cloud Platform to CCSL
The Australian Cyber Security Centre (ACSC) has added Google Cloud Platform to the Certified Cloud Services List (CCSL) for unclassified workloads, increasing the options available to Australian Government agencies.
Google Cloud Platform joins 12 existing providers in the CCSL that meet stringent Australian Government security requirements for managing information storage at the minimum Australian Government security standard, known as ‘Unclassified’.
‘Protecting Australians from cyber threats is one of our greatest national security challenges. It’s important that we have rigorous standards for the management of our information,’ said Head of the ACSC, Alastair MacGibbon.
The CCSL certification process is based on government principles and policies defined in Australia’s Protective Security Policy Framework (PSPF) and Information Security Manual (ISM). The ACSC applied its rigorous assessment process to the Platform’s ability to meet the Australian Government’s expected security standards in a number of categories.
The ACSC concluded that the Google Cloud Platform met the necessary requirements and is suitable to host Australian Government workloads to Unclassified DLM in specified regions.
‘Google sought entry into the certification program for hosting data classified up to Unclassified DLM. Because of this Google was only assessed for this purpose,’ Mr MacGibbon said.
‘If an agency’s security and risk needs can be met with a cloud certified to Unclassified DLM, this increases their choices in meeting their business objectives.’
The ACSC’s decision, which is detailed in the ACSC Certification Report for Google Cloud Platform, certifies 16 GCP services and a physical data centre located in Sydney in categories including:
- Compute (Compute Engine, App Engine and Kubernetes Engine)
- Storage (Cloud Storage and Persistent Disk)
- Networking (Virtual Private Cloud, Cloud Load Balancing and Cloud DNS)
- Security (Cloud Key Management Service and Cloud IAM)
- Management (Stackdriver)
- Data Analytics (Cloud Dataflow, Cloud Dataproc and Cloud Datalab)
- Databases (Cloud SQL and Cloud Datastore)
No automatic certification
It’s important to remember that third-party solutions built on ACSC Certified Cloud Services do not automatically inherit ACSC certification, but must be listed separately on the CCSL.
‘Beware of media reports suggesting otherwise, as we’ve seen and called out recently,’ Mr MacGibbon said.’
‘The ACSC does not assess third-party solutions and therefore cannot confirm if their security meets Australian Government standards.’
The ACSC recommends that organisations considering third-party solutions built on ACSC certified cloud services perform their own independent security assessment, certification and accreditation activities to determine if the solution or service meets their business and security needs.
The ACSC Certification Report for Google Cloud Platform details the residual risks, non-compliance with the ISM, mitigations, and guidance for Australian organisations considering using the Google Cloud Platform. This report is available from Google upon request by government agencies.
More information about Certified Cloud Services can be found here