Government security tick validates TechnologyOne’s secure-cloud culture

Year-long compliance effort has made security “a constant conversation” as SaaS provider scales

It may have taken a year to complete, but TechnologyOne is confident that government security certification for a software as a service (SaaS) platform will prove enticing for agencies that are increasingly enlisting outside help to ensure the security of their mandatory digital transformation efforts.

The certification process – which saw the company’s cloud-based platform certified to the federal government’s IRAP (Information Security Registered Assessors Program) standards – will see TechnologyOne’s SaaS environment join the ASD Certified Cloud Services List (CCSL) as an approved platform for secure cloud services.

That list, which has so far been dominated by unclassified-level platforms like Microsoft Azure, Amazon Web Services (AWS) EC2 and protected-level gateway and cloud tools from service providers Sliced Tech and Vault Systems, is expanding as IRAP certifications are completed.

For TechnologyOne group director of cloud, research and development Iain Rouse, the certification reflects not only the company’s ascension into the ranks of secure cloud providers but also the culmination of an extensive effort to review internal quality and security controls – controls that had already been certified to standards including ISAE 3402 SOC 1, AT 101 SOC 2, ISO27001:2015, ISO27017, and ISO27018.

“We made decisions that we should do privacy and security by design and not treat them as add-ons to the process,” Rouse told CSO Australia. “People in that government phase are looking for some lighthouse to guide them through transformation. We found IRAP really allowed us to improve our security posture as a company in delivering the SaaS solution to all of our customers – and we can roll out the same security controls in Ireland as we do in Sydney.”

TechnologyOne currently delivers its application to UK and European customers through cloud availability zones in Ireland, and to ANZ customers from a cloud zone in Sydney. But because the solution is highly modularised and scalable, Rouse says, the design means the company can securely commission its services in a new part of the world within 72 hours.

Rapid growth has become a hallmark of government-focused cloud services, which are rapidly gaining currency as the go-to platform for government agencies that are – whether through internal transformation or external mandate – increasingly committed to the cloud.

‘Cloud-first’ policies have become ubiquitous at Commonwealth and state government levels thanks to initiatives such as the National Cloud Computing Strategy, launched back in 2013. These initiatives even presaged a recent order by US president Donald Trump that will push the US government towards cloud services in an effort to “centralise risk” and foster the use of shared services.

Such flexibility has emerged thanks to a commitment to the cloud that has driven the company’s internal goal of moving all of its operations to the cloud by next year. And, with the IRAP certification complete, the layered security process that emerged from the certification effort has made the company “mature enough to really manage a complex framework like ISM for the government”, Rouse says.

That maturity includes a commitment to managing the platform’s security environment as an ongoing concern rather than a one-off exercise – a practice that has proven problematic for companies that often struggle to reach security compliance and then struggle to maintain it, as a Verizon audit found when it concluded that just 28.6 percent of PCI DSS-certified companies remained compliant a year after their certification.

IRAP involves a host of pre-qualifying criteria and two stages of intensive audit, with recertification every 2 years. However, Rouse said a core part of the company’s commitment is that IRAP – and security in general – has become “a constant conversation”.

“It’s just part of openness and transparency,” he said. “If we’re going to design controls and show evidence that we are secure, we will make those continuous investments. This is not a one-off; it’s about a deep-seated commitment to real security that will help customers know that we’re really committed – and let their boards know whether to trust the cloud.”

Although much of the IRAP compliance has been enabled through refinement of processes and controls, a growing element of the security protections will come from increasing use of automation to maintain consistency with security best practice.

“SaaS 2.0 providers have to be building highly automated systems,” Rouse explained. “The moment you put a human in there who has to make a decision, you’re flipping a coin. It’s human nature – and the same decision around security as to whether you should gun it at the amber light. Whenever we can run infrastructure of code at scale and have that be defensive and take care of things, we lose that human pause – and that opportunity for intervention.”