Administrative Notice for Cloud Security Certification 3-Tier System... Implementation Starting from the Lowest Grade

[Asia Economy Reporter Oh Su-yeon] The Ministry of Science and ICT announced on the 29th that it will hold an administrative notice until January 18th for the revision of the "Notice on Security Certification for Cloud Computing Services" to introduce the Cloud Security Authentication Grading System (CSAP).

This is a detailed implementation plan for the cloud security certification grading system decided at the issue inspection meeting on August 18th last year. The Ministry of Science and ICT has been consulting and coordinating with related ministries on grading classification criteria and detailed evaluation standards, collecting industry opinions, and continuously discussing with the Digital Platform Government Committee.

To open the public sector, where the use of private cloud was restricted, activate the overall cloud market, and innovate public services, the previously uniformly operated security certification system will be improved and a three-tier grading system of high, medium, and low levels will be introduced.

Specifically, cloud security certification for low-grade systems will be implemented after the notice is promulgated, and high and medium-grade systems will be implemented within 2023 after joint demonstration and verification with the Digital Platform Government Committee and related ministries, considering safety and usability, and supplementing detailed evaluation criteria.

National and public institutions wishing to use private cloud will classify their systems into high, medium, or low grades according to system importance classification criteria and procedures.

Low grade refers to systems operating public data that does not include personal information, medium grade refers to systems that include or operate non-public business data, and high grade refers to systems that include sensitive information or are administrative internal business operation systems. However, to create new cloud markets and improve the quality of public services, administrative internal business operation systems may also be classified as medium grade depending on system importance.

Security certification evaluation criteria for cloud providers will be differentiated by grade. The high-grade evaluation criteria will be supplemented and strengthened based on existing evaluation items, medium-grade criteria will be maintained at the current level, and low-grade criteria will be reasonably relaxed.

In particular, for low-grade systems, domestic Software as a Service (SaaS) providers will be allowed to newly enter the public market by relaxing the existing 'physical separation' requirement between private and public sectors to permit 'logical separation.' However, evaluation items to verify the requirement that the physical location of cloud systems and data be limited to domestic locations will be added.

Logical separation means separating networks using virtual space, as opposed to physical separation. Until now, the domestic cloud industry has been reluctant to allow logical separation due to concerns about the expanding influence of global providers such as Amazon Web Services (AWS) and Microsoft (MS). However, this revision opens the door for global providers to enter the domestic public market.

Since administrative internal business operation systems can also be classified as medium grade depending on importance, network access with guaranteed security will be allowed, and detailed evaluation criteria will be supplemented through demonstration and verification of internal and external network access and utilization.

For existing types (IaaS, standard SaaS, simple SaaS), unnecessary evaluation items such as reward and penalty regulations have been consolidated and deleted reflecting industry difficulties. Considering the multi-tenant characteristics of cloud (multi-user usage), regulations have been rationally simplified by relaxing table separation criteria for each user institution.

The Ministry of Science and ICT will hold meetings with industry and related organizations during the administrative notice period to collect opinions from various sectors and reflect the results in the final revision of the notice, which will be promulgated in January. The full text of the revision can be found on the Ministry of Science and ICT website.

An official from the Ministry of Science and ICT said, "For the successful implementation of the Digital Platform Government, both the innovation of public services using private cloud services and the strengthening of the competitiveness of the domestic cloud industry must be considered together," adding, "For low-grade systems, we will consider creating a global competitive environment and security, and for high and medium-grade systems, we will strive to create new markets and promote the overall growth of the domestic cloud industry."

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.