The government is planning to introduce a system to certify the safety of online “cloud” data storage services, according to sources. Government institutions would only be able to use certified services.
Demanding that companies in charge of important infrastructure, such as electricity and railway networks, find secure cloud services, the government wants to strengthen defenses against cyber-attacks from China and other nations, the sources said.
The government plans to draw up security standards and start trial runs this year, with the aim of introducing the full system in 2020.
An increasing number of companies are adopting cloud storage services as an efficient means of data management that saves the time and effort that in-house information systems require.
The government is also working out a policy to encourage government-linked institutions to use cloud services, in principle, including for information systems that store the public’s data, such as on taxes.
However, unsecured cloud systems are vulnerable to data leaks from cyber-attacks. Therefore, the government decided to create a framework to screen the security of cloud service providers and prioritize services that fulfill certain security standards.
There are to be three security grades. The highest — level three — would require the establishment of a defense mechanism for data centers and the confirmation of the safety of telecommunications equipment.
Institutions that handle highly confidential data, such as on national security, would only be allowed to use cloud services from providers that fulfill these standards.
To ensure security standards are being met, the auditing body that the government authorizes would regularly inspect these operators.
A list of approved providers would be created. Government institutions would invite providers on the list to bid for government contracts.
On the other hand, legal regulations demand that specified secrets and highly classified documents be kept in storage mediums that are not connected to the internet. Thus cloud storage would not be used for these types of data.
The United States, Britain and Australia already have similar certification systems. The Japanese government is considering a mutual recognition system in which different countries would approve each other’s security standards.
It is said that the United States is moving to exclude Chinese companies from supplying telecommunications equipment that government institutions use, and applying strict security standards to cloud services would further freeze out Chinese firms.
The Japanese government is also planning to essentially ban Huawei Technologies Co. and ZTE Corp. — major Chinese communications equipment manufacturers — from supplying government institutions with telecommunications equipment.
The government is gradually transferring data management and administrative systems operations from in-house servers to private cloud services.
The government believes it is safer and more efficient to leave the defense of increasingly sophisticated cyber-attacks up to the specialized technology of the private sector.
However, the government lacks uniform standards on cloud security. The United States, Britain and other nations have voiced concerns over sharing information with Japan due to possible “back doors” in its security systems.
Establishing detailed security standards for cloud storage in a new certification system this time is seen as a response to these concerns.