Google has joined other hyperscale cloud providers in having its cloud platform and ‘workspace’ services assessed to carry protected Australian government data.
Employees of Google Australia’s federal government and cloud teams revealed the protected level assessment under the federal information security registered assessors program (IRAP).
IRAP assessors rate the compliance of cloud services, gateways, information systems and the like to Australian government security standards.
An assessment is not an accreditation, certification or endorsement of the system’s security, with prospective customers ultimately needing to still do their own due diligence.
However, an assessment is still viewed as a step towards lowering barriers to entry for key government projects.
“An independent third-party assessor evaluated Google Cloud Platform and Google Workspace against ‘official’ and ‘protected’ ISM [information security manual] controls, and found both to be strongly aligned with ‘protected’ level control requirements,” Google said in updated IRAP guidance.
“These requirements include guidelines for cyber security roles, detecting and managing cyber security incidents, physical and personnel security, system hardening, networking, and cryptography.
“The evaluation was performed based on the ACSC’s updated IRAP framework, outlined in the cloud security guidance package.”
Google added: “IRAP certification not only provides a path for our customers to work with the Australian government, it also opens the door for Australian federal, state, and local government agencies to store data and run workloads on GCP and Google Workspace.”
Workspace is the relatively nascent rebrand of Google’s G-Suite productivity and collaboration tools.
Google has been able to host government data in its cloud services since late 2018, though not previously to the protected level.
The federal government has six possible classifications it can apply to its data, ranging from “unofficial” to “top secret”.
Protected ranks 4th out of the six; such data could cause “damage to the national interest, organisations or individuals” if it was ever compromised, according to government cyber security advice.
Some IBM and Oracle cloud apps and services are also assessed for protected-level workloads.