Rackspace added to government cloud list

Rackspace’s Dedicated Hosting Environment (DHE) has been certified for use with government data, the Australian Cyber Security Centre has announced.

The ACSC revealed today that Rackspace DHE had been added to the Certified Cloud Services List (CCSL).

The Rackspace IaaS and PaaS services, which include compute, storage, networking and databases, have been certified for use with unclassified but sensitive data (‘Unclassified DLM’).

“We applied our rigorous assessment process to check Rackspace DHE’s ability to meet the expected security standards,” the ACSC’s acting head, Lynn Moore said in a statement.

“The Rackspace DHE environment in Australia consists of three data halls in Sydney. Data hall 140 meets the required physical security for hosting Unclassified DLM data and is the recommended data hall for Commonwealth entities to use.”

The ACSC said Rackspace did not seek a higher level of certification, which potentially would have greenlit the storage and processing of classified data using the company’s services.

“As one of only 13 companies to achieve this certification, this is a great achievement for the Australian Rackspace team and will open up many exciting new opportunities in 2019,” Rackspace Australia’s general manager, Darryn McCoskery, said in a statement.

“We’re thrilled to be working with the Government towards achieving their commitment to a cloud first policy that supports the digital transformation of the public sector.”

“Joining the Certified Cloud Services List for unclassified workloads is a testament to the extensive capabilities of our Dedicated Hosting Environment and demonstrates the trust our customers have in our ability to securely and efficiently manage their cloud workloads,” McCoskery said.

In December, the ACSC revealed that Google Cloud Platform had been added to the CCSL (the ACSC maintains the CCSL thanks to its relationship with the Australian Signals Directorate). Sixteen of Google’s cloud services have been certified for use with Unclassified DLM data.

The CCSL launched in 2015 with just two providers: Microsoft and Amazon. Now, with the addition of Rackpace, it has grown to 13.

The list includes a number of providers that have successfully had services certified for use with classified government data: Dimension Data, Macquarie Government, Microsoft, Sliced Tech and Vault Systems.

Amazon Web Services has indicated it is keen to have its services certified at the classified level. In March last year the cloud provider said that it successfully undergone an IRAP assessment of its Sydney region for the storage and processing of data classified at the Protected level. However, that assessment has yet to be formally accepted by the ACSC.

The certification process is based on the government’s Protective Security Policy Framework (PSPF) and Information Security Manual (ISM).

“If an agency’s security and risk needs can be met with a cloud certified to Unclassified DLM, this increases their choices in meeting their business objectives,” Moore said in relation to today’s announcement.

In December, an update to the ISM was released. The new edition included a number of new security controls relating to cloud services (such as an explicit prohibition on using “outsourced cloud services for highly classified information”).

In February 2018, the government published a Secure Cloud Policy calling for agencies to “consider public cloud first and in preference to any other cloud deployment model” as long as the level of security available was appropriate given the data being handled.