Overview
South Korea’s Cloud Security Assurance Program (CSAP) is a certification program that grants security certification to cloud services that meet Korea’s stringent regulatory standards. It is conducted to enhance and ensure the security level of cloud services provided by cloud service providers. CSAP was established to provide validated, secure, and reliable private cloud services to government and public institutions and to address users' security concerns through an objective and fair cloud service security certification.
Government agencies and public institutions are fundamentally required to use cloud services that have obtained CSAP certification. To acquire this certification, cloud service providers must meet the administrative, technical, and physical security measures, as well as additional security controls required for public sector use, as stipulated in the "Notification on Cloud Computing Service Security Certification." This process involves a rigorous assessment conducted by an evaluation body and a review by the certification committee.
CSAP provides three types of cloud service security certification types depending on the service: IaaS (Infrastructure as a Service), SaaS (Software as a Service), and DaaS (Desktop as a Service). Additionally, CSAP cloud service security certification levels follow a tiered system based on the level of information security, classified into High, Medium, and Low tiers reflecting varying levels of data sensitivity and security requirements.
On November 20, 2024, Microsoft became the first global cloud service provider (CSP) to obtain CSAP certification for IaaS. This Low-tier certification for Azure services involved a comprehensive security evaluation covering 64 controls in 14 sections, including administrative, technical, physical, and additional security measures required for public institutions. The certification is valid for five years, and a cloud service provider must pass a follow-up assessment conducted by the certifying body to maintain it.
Azure and CSAP
After undergoing a strict evaluation by the Korea Internet & Security Agency (KISA), Microsoft became the first of the three global cloud service providers to obtain CSAP certification for Azure services (Low, Group C).
This certification applies to the data center infrastructure in the Korea region (Korea Central and Korea South) and covers Azure services currently in operation. Azure OpenAI has been included, considering the growing demand for generative AI adoption to drive innovation in government and public institutions' operations. As a result, Microsoft can now proactively provide secure and trusted cloud services to government institutions.
Services Covered by the Certification
For a list of Microsoft cloud services in audit scope, see the Azure CSAP certificate or Cloud services in audit scope:
• Azure
Certificate
The Azure CSAP certification covers 64 controls in 14 sections for information security. It is effective for five years from the certification date, with an annual reassessment by KISA, the certifying body. The certificate can be found in the issuance status of the Cloud Security Assurance Program under KISA's Information Security and Personal Information Protection Management System certification (KR only).
FAQ
1. What is the Cloud Security Assurance Program (CSAP)?
- The Cloud Security Assurance Program (CSAP) is a certification program under which the Korea Internet & Security Agency (KISA) grants security certification to cloud services that meet its stringent regulatory standards. It is conducted in accordance with the Republic of Korea’s Article 23-2 (Security Certification of Cloud Computing Services) of the Act on the Development of Cloud Computing and Protection of Its Users to enhance and ensure the level of information security.
- Obtaining CSAP certification means that the cloud service complies with KISA’s security certification standards (hereinafter referred to as security certification criteria), which include administrative, physical, and technical security measures for cloud service information.
- If a cloud service provider intends to offer cloud services to government and public institutions, they must meet additional security standards beyond the basic administrative, physical, and technical security measures to obtain CSAP certification (refer to Article 15 of the Notification on Security Certification of Cloud Computing Services).
2. Why did Microsoft obtain CSAP certification?
- As government and public institutions are required by policy to use CSAP-certified cloud services, Microsoft obtained CSAP certification to enable these institutions to utilize its cloud services.
3. Was Microsoft the first cloud service provider among the three global cloud service providers to obtain CSAP certification?
- Yes, Microsoft was the first cloud service provider among the three global cloud service providers to obtain CSAP certification. Microsoft has continuously worked to validate the security and reliability of Microsoft cloud services to assist innovation in public sector operations. This achievement is the result of Microsoft's long-term efforts and recognition of the importance of CSAP.
4. What does it mean that Microsoft has obtained Cloud Security Assurance Program (CSAP) Grade Low (for Group C) for Azure services?
- Microsoft Azure achieved certification in the Low tier, allowing it to support public sector systems that do not handle highly sensitive or classified data. It means that Microsoft can provide Azure services to: (1) administrative and public institutions classified under ‘Group C’, (2) operating systems categorized as ‘Low’, and (3) assist these public institutions and systems with Microsoft Azure services that meet the required standards.
5. What is CSAP (Grade Low) certification?
- The CSAP certification tiers are classified into High, Medium, and Low based on the level of information security, and these are determined according to the importance of the systems used by public institutions. Among these, the Low-tier applies to systems that do not process personal information but include or operate publicly available government data.
Tier | Details | Description | Separation
---|---|---|---
High | Impact | A security breach in the relevant information system can have severe harmful consequences on the operating institution, assets, and individuals. | Physical separation
High | Classification | Systems handling matters of national significance and interests (security, national defence, unification, diplomacy, etc.), sensitive information including investigations and trials, and internal administrative operations | Physical separation
Medium | Impact | A security breach in the relevant information system can have a significant impact on the operating institution, assets, and individuals. | Physical separation
Medium | Classification | Systems handling non-disclosure business documents or operations | Physical separation
Low | Impact | A security breach in the relevant information system may have a limited impact on the operating institution, assets, and individuals. | Physical separation or logical separation
Low | Classification | Systems managing or operating public data that does not include personal information | Physical separation or logical separation
*For internal administrative tasks, the tier can be adjusted based on system importance.
<Source: National Intelligence Service (NIS), National Cloud Computing Security Guidelines>
6. Which public institutions fall under ‘Group C’?
- The National Intelligence Service (NIS) verifies whether IT security products introduced in public institutions comply with relevant security measures. To do this, it categorizes institutions into three groups (A, B, and C) based on their level of importance and applies different adoption standards accordingly. According to the NIS's New Security Conformance Verification Framework, institutions that fall under the ‘Group C’ category are as below.
  • Committees under central administrative agencies
  • Basic local governments
  • Agencies affiliated with basic local governments and local public corporations
  • Schools at various levels (national and public elementary, middle, and high schools)
7. What are the legal grounds for CSAP?
- It is based on the Republic of Korea’s Article 23-2 (Security Certification of Cloud Computing Services) of the Act on the Development of Cloud Computing and Protection of Its Users.
8. Which institution is responsible for conducting the CSAP certification assessment?
- In accordance with the Republic of Korea’s Article 23-2 (Security Certification of Cloud Computing Services) of the Act on the Development of Cloud Computing and Protection of Its Users, the Korea Internet & Security Agency (KISA) or an assessment body appointed by the Minister of Science and ICT conducts the certification assessment.
9. What services are subject to CSAP certification?
- Cloud services provided by cloud service providers (such as IaaS, PaaS, and SaaS) are subject to CSAP certification.
10. What are the benefits of obtaining CSAP certification?
- CSAP is a certification obtained by cloud service providers aiming to offer cloud services for government and public institutions. This certification allows public institutions to use cloud services that have been validated for security and reliability. Additionally, public institutions can establish a continuous and comprehensive information security management system, enabling them to take prompt action against security incidents such as hacking and DDoS attacks and minimizing potential damages and losses.
11. Where can I check the list of companies that have been issued a CSAP certification?
- The Korea Internet & Security Agency (KISA) provides a list of companies that have obtained CSAP certification on its official website.
12. Which regions are included in Microsoft's CSAP certification?
- The Korea region, including Korea Central and Korea South.
13. Which Azure services are included in the scope of CSAP certification?
- Please refer to the list of Azure services included in CSAP certification, which covers [Azure products available in Korea](https://azure.microsoft.com/en-us/explore/global-infrastructure/products-by-region/table). For more details about these services or any other inquiries, please contact Microsoft.