Thursday, 12 April 2018 11:57

'Cloud' over Microsoft accreditation for top tier of govt service


Microsoft's certification as a Protected provider of its Azure Cloud and Office 365 services to the Australian Government has literally come under a cloud, with the Australian Signals Directorate issuing a consumer guide containing a number of fiats about the service.

But the disquiet is not limited to the ASD, with a highly-placed source in the IT industry, who has intimate knowledge of the procedures involved in gaining such certification, claiming to iTWire that the certification had been granted despite the company allegedly not meeting all the needed criteria.

The Protected status, which was publicised by Microsoft on 3 April, means it can now handle government data with the highest security clearance.

Microsoft became the fifth provider to be certified to offer such services, with the others being Dimension Data, Vault Systems, Sliced Tech and Macquarie Government.

The source, who requested anonymity because of the sensitivity of the subject matter involved, said: "It's... understood that they (meaning Microsoft) have not been required to have things cleared in the way that others have." The others referred to are the four other companies that have obtained Protected status.

The source pointed out that anyone who was handling data that resided within services offered by these organisations would have to be Australian nationals who were resident within the country and had obtained security clearance from the Defence authorities.

But, the source said, these requirements appeared to have been put on hold temporarily for Microsoft, adding that there were some indications that they might not be enforced at all.

"The effect is that national security stands compromised," the source said, adding that this devalued the entire accreditation system which had been set up to give confidence to government agencies and not require them to have to carry out any additional procedures before using the services of a provider that had gained Protected status.

The time taken for Microsoft to gain Protected certification was also cited by the source, with the company taking six months to obtain the certification which the source said would normally take at least two years.

When iTWire asked Microsoft whether any special dispensation had been granted to the company so that employees from outside Australia who did not have Australian Government clearance could attend to Australian data stored by the company, a company spokesperson responded: "Microsoft has not been granted a special dispensation around personnel, our personnel security practices and policies are compliant with the Australian Government’s personnel security requirements under the Protective Security Policy Framework."

The ASD consumer guide adds some fiats which appear to indicate that Microsoft's service is not up to the mark.

In its consumer guide, the ASD says: "Residual risks attached to this delivery model can be reduced through agency implementation of additional configuration and security controls to be developed by Microsoft in conjunction with the ACSC (the Australian Cyber Security Centre).

"This will provide agencies with a pragmatic level of assurance and confidence in Microsoft’s public cloud offering to the Australian Government. More technical detail will also be provided in the ACSC’s finalised certification report of the services on offer."

In its announcement last week, Microsoft made no mention of any additional security measures that needed to be taken to make its Azure Cloud and Office 365 services suitable for use by government agencies.

The IT industry source attributed the ASD's issuing of the consumer guide to a reaction to the fact that there were "huge gaps in Microsoft's meeting the accreditation norms".

However, the source termed the issuing of the consumer guide a cowardly act, as it came well after Microsoft trumpeted its being issued Protected status and "was issued at take-out-the-trash-time on a Friday".

But Microsoft contested the fact that the consumer guide had cast any doubts over its Protected status, with a spokesperson telling iTWire: "As part of the recently awarded ASD Protected certification for Azure and Office 365, ASD published a consumer guide along with the listing on the Certified Cloud Services List.

"The consumer guide stated that residual risks 'can be reduced through agency implementation of additional configuration and security controls to be developed by Microsoft in conjunction with the ACSC'. In the interests of clarity, ASD has not asked Microsoft to develop additional security controls into the Azure and Office 365 services. There are no engineering level changes required by Microsoft associated with the award of the Protected certification. The development here refers to configuration guides and blueprints for controls that Microsoft has already built into the services but that need to be turned on and configured by the Government customers.

"Under the Microsoft shared responsibility model, there are controls that Microsoft handles for all customers, controls where responsibility is shared (i.e. Microsoft implements a control in the Service but the customer controls its activation and configuration) and controls that are solely the responsibility of the customer. The focus of the guides is the latter two categories."

The spokesperson added: "Whilst Microsoft’s services on the CCSL are the only ones ASD has produced a Consumer Guide for, consumer guides are not new. The ASD Evaluated Products List includes a consumer guide with many of the evaluation outcomes. A specific example is the use of Apple iOS devices by government at the Protected level. To operate those devices at Protected, Australian Government agencies need to configure them in accordance with the hardening guide issued by ASD. That does not mean the Apple iOS devices need to have new controls developed, this is the same for Microsoft’s Azure and Office 365."

iTWire contacted the ASD on Wednesday, asking why the consumer guide had been issued, pointing out that the other four companies which had gained the Protected certification had had no such fiats issued. A response was sought by close of business yesterday.

When the ASD was contacted this morning, iTWire was told that a response was being worked on and would be available as soon as possible. Any response will be added here as soon as it is received.

iTWire also sought comment from the four vendors who have gained Protected certification – Macquarie Government, Dimension Data, Vault Systems and Sliced Tech. A Dimension Data spokesperson responded, saying: "Thank you for your inquiry but Dimension Data does not comment on other companies and their products or services."

Update, 5pm: Following publication of this article, a Microsoft spokesperson added the following comments: "Firstly, Microsoft’s certification was awarded 14 months after we first lodged our IRAP Assessment recommending Protected with ASD – not six months. Additionally, the Microsoft service complies with all requirements for certification, including personnel security requirements. No policy has been changed." (IRAP stands for Infosec Registered Assessor Program)

"The government’s position under the Protective Security Policy Framework on personnel security as it relates to outsourced services and functions is clearly outlined in the Attorney-General’s 2015 publication: Australian Government protective security governance guidelines – Security of outsourced services and functions

"It should be noted that under the government’s information security manual, certification is followed by a process of accreditation, which is an agency responsibility and it must undertake its own due diligence and accept any risks before using any cloud service regardless of the cloud services certification.

"When comparing security of different services, it’s important that you’re comparing like for like. A simple infrastructure as a service (IaaS) offering in a private cloud is far less complex than a hyperscale cloud platform like Azure or a software as a service (SaaS) offering like Office 365.

"In IaaS, the cloud provider simply provisions the infrastructure and then the agency has to implement everything on top of that — authentication, encryption and applications — in a way that complies with the Information Security Manual.

"Microsoft’s cloud services operate further up the stack and offer a diverse range of configurable services at the Protected level (Over 35 services across Azure and Office365 have been certified to Protected), so an agency implementing our service does require some guidance about how to configure the service in a way that complies with their security requirements."



Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
