The Cloud Security Assurance Program (CSAP) is changing from a single authentication system to a leveled system (high, mid, low) based on the importance of the system. In particular, with them partially allowing ‘Logical Network Separation’, which Korean companies were against, it is projected that competition will be fierce between Korean companies and foreign companies over the public market.
On the 29th, the Ministry of Science and ICT announced the amendment to the ‘Public Notice on Cloud Computing Service Security Authentication’.
The core of the amendment is the adoption of a high, mid, and low leveled system. National and public institutions that wish to use private cloud systems will self-classify the system by ‘high, mid, low’ levels according to system importance classification standards and procedures. Above all, the ‘low’ level allows logical network separation, opening the way for overseas cloud companies, such as ones in the US or China, to enter the public market.
Low level systems refer to systems that operate with open public data without including personal information, while mid-level systems refer to systems that include or operates with non-public business data. High level systems include sensitive information or are classified as administrative internal business operation systems.
As evaluation standards, high level evaluation standards will be supplemented and strengthened, while mid-level evaluation standards will be maintained at the current level. Low level evaluation standards will be relaxed.
The low level systems will relax conditions on ‘physical separation’ between private and public sectors, and allow ‘logical separation’. It paved the way for Korean Service-as-a-Service (SaaS) operators that use global cloud services to enter the public market. However, they will add evaluation criteria to verify the requirements for limiting cloud systems and physical location of data to Korea.
Global cloud companies with regions in Korea are now able to enter the public market with just logical separation without the need for physical separation between private and public sectors.
As administrative internal business operation systems can now be classified as mid-level based on importance, mid-level systems are set to allow network access guaranteeing security and supplement detailed evaluation criteria through verification and authentication on accessing and using internal and external networks.
For existing types, such as standard SaaS and simple SaaS, reward and punishment regulations and unnecessary evaluation criteria were merged or removed. They simplified regulations rationally, with measures such as relaxing table separation standards for each institution.
The Ministry of Science and ICT will hold a discussion with participation from related industries and institutions during the administrative notice period (~January 18) and collect opinions from all walks of life.
Cloud security authentication for low level systems will be implemented after the public announcement, and high and mid-level systems will be implemented in the new year.
An official of the Ministry of Science and ICT said that, “For the successful implementation of the digital platform government, public service innovation utilizing private cloud services and the aspect of strengthening the competitiveness of the Korean cloud industry must both be considered,” and said, “We must consider the creation of a globally competitive environment and the security aspect for low level systems, and we will create a new market for high and mid-level systems for the overall growth of the Korean cloud industry.”
Reporter Hyemi Kwon hyeming@etnews.com