Government Unifies Public Cloud Verification Process... "Certification Period Expected to Be Shortened"

The security verification procedures required for private companies to enter the public cloud sector will be streamlined. The government plans to unify the dual security certification process into a single procedure to ease the burden on companies.



On April 20, the Ministry of Science and ICT (MSIT) and the National Intelligence Service (NIS) announced that the verification procedures necessary for entering the public cloud market will be unified under a single NIS verification system. Until now, cloud service providers seeking to enter the public market were required to first obtain the Cloud Security Assurance Program (CSAP) certification from the MSIT, and then undergo a separate security verification process by the NIS. At a press briefing on April 17, NIS Deputy Director Kim Changseop explained, "With this policy, we aim to address the difficulties faced by companies due to dual regulations and focus on enhancing the security level of public cloud services."


This institutional reform is aimed at reducing the administrative burden for cloud service providers. For products that have already obtained CSAP certification prior to the implementation of the unified verification system, the validity period of these certifications will be maintained. Additionally, the government plans to improve verification criteria to better reflect the characteristics of cloud technology, thereby strengthening the security level of public cloud services while easing the burden on companies.


To ensure smooth implementation of the new verification system, a "Public-Private Verification Review Committee" will be formed, consisting of experts from relevant agencies and academia, as well as representatives recommended by the MSIT. This committee will evaluate the fairness and validity of verification results. The government also plans to establish and publicly release guidelines for cloud security verification operations and manuals for cloud verification criteria. Furthermore, existing CSAP evaluation agencies will be utilized as evaluation agencies for the new verification system, ensuring both expertise and administrative continuity.


The unified verification system will be implemented in earnest starting in the second half of next year, following a grace period. The government plans to revise the "National Cloud Computing Security Guidelines" within the first half of this year to include these changes, with a one-year grace period before full enforcement. The NIS also plans to establish operating guidelines and explanatory manuals for the verification system, and to update the cloud security guidelines by the first half of next year. An NIS official stated, "There is a possibility that the procedures for cloud service providers to enter the public cloud market could be further streamlined in the first half of next year," adding, "This institutional reform will result in shorter certification periods."


Procedures for entering the private cloud market will also be integrated. In the private sector, the information security management system (ISMS) for companies will be unified with voluntary security certification for cloud services. Through this system transition, similar security standards among certifications will be integrated into a single standard, maximizing administrative efficiency.


Ryu Jemyeong, Second Vice Minister of the MSIT, stated, "By collaborating with the NIS, we have boldly broken down the barriers between ministries," and added, "We will support our companies so they can more easily and quickly clear security hurdles." NIS Deputy Director Kim Changseop emphasized, "We will continue to communicate with the industry to ensure the system settles in a way that relieves the burden on businesses."

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.