Credits: straits times
The Japanese government is planning to introduce a system to certify the safety of online “cloud” data storage services, according to sources. Government institutions would be able to use only certified services.
Demanding that companies in charge of important infrastructure, such as electricity and railway networks, find secure cloud services, the government wants to strengthen defences against cyber attacks from China and other nations, the sources said.
The government plans to draw up security standards and start trial runs this year, with the aim of introducing the full system in 2020.
An increasing number of companies are adopting cloud storage services as an efficient means of data management that saves the time and effort that in-house information systems require.
The government is also working out a policy to encourage government-linked institutions to use cloud services, in principle, including for information systems that store the public’s data, such as on taxes.
However, unsecured cloud systems are vulnerable to data leaks from cyber attacks. Therefore, the government decided to create a framework to screen the security of cloud service providers and prioritise services that fulfil certain security standards.
There are to be three security grades. The highest – level three – would require the establishment of a defence mechanism for data centres and the confirmation of the safety of telecommunications equipment.
Institutions that handle highly confidential data, such as on national security, would be allowed to use cloud services only from providers that fulfil these standards.
To ensure security standards are being met, the auditing body that the government authorises would regularly inspect these operators.
A list of approved providers would be created. Government institutions would invite providers on the list to bid for government contracts.
On the other hand, legal regulations demand that specified secrets and highly classified documents be kept in storage mediums that are not connected to the Internet. Thus, cloud storage would not be used for these types of data.
The United States, Britain and Australia already have similar certification systems. The Japanese government is considering a mutual recognition system in which different countries would approve one another’s security standards.
It is said that the US is moving to exclude Chinese companies from supplying telecommunications equipment that government institutions use, and applying strict security standards to cloud services would further freeze out Chinese firms.
The Japanese government is also planning to essentially ban Huawei Technologies and ZTE Corp – major Chinese communications equipment manufacturers – from supplying government institutions with telecommunications equipment.
The government is gradually transferring data management and administrative systems operations from in-house servers to private cloud services.
The government believes it is safer and more efficient to leave the defence of increasingly sophisticated cyber attacks up to the specialised technology of the private sector.
However, the government lacks uniform standards on cloud security. The US, Britain and other nations have voiced concerns over sharing information with Japan due to possible “back doors” in its security systems.
Establishing detailed security standards for cloud storage in a new certification system this time is seen as a response to these concerns.