ATO looks to IBM cloud to carry protected data

The Australian Taxation Office has become one of the first federal government agencies to certify an IBM cloud service for protected-level workloads. 

iTnews can reveal the national revenue collection agency recently wrapped up its risk assessment of IBM’s infrastructure-as-a-service. 

It means the specific IBM offering can be used to carry protected security classification workloads from the agency for the first time. 

An ATO spokesperson said the self-assessment was conducted against the “IBM IaaS Commercial Cloud (SCC) Protected IRAP assessment report provided by IBM".

The agency spokesperson was unable to define SCC; however, it could refer to security context constraints, a construct used in containerised environments hosted on IBM cloud.

“This service is now certified only for the ATO’s use at protected,” the spokesperson said. 

“It does not mean it is certified for any government agency, as each agency should undertake an assessment of the risks involved before certifying any service for use.

“This assessment reflects the ATO’s own risk position and is not intended as an endorsement.” 

The certification comes as the government prepares to cease the cloud services certification program to remove bottlenecks and confusion around accreditation. 

The program will end at the end of this month after a review recommended that the government create new co-designed cloud security guidelines with industry. 

The change will see cloud providers on the certified cloud services list lose their protected and unclassified data lifecycle management (DLM) stamp of approval. 

IBM had no cloud services certified to the protected level on the list. Its Bluemix offering was certified to an unclassified DLM level back in 2017. 

While the IBM cloud service has only been certified for the ATO, other agencies will be able use the agency’s documentation and guidance for their own reviews as required. 

This approach falls in line with changes to the cloud services certification program, with individual agencies now expected to self-assess cloud services. 

“Documentation and guidance was developed should other agencies wish to use components of the ATO’s assessment in their own reviews,” the spokesperson said.