Security Market Segment LS
Friday, 08 June 2018 11:17

No Protected cloud for you: ASD knocks back Aussie firm, but not Microsoft Featured


The Australian Signals Directorate appears to be bending the rulebook when it comes to the granting of Protected cloud status, favouring multinational American companies and knocking back smaller Australian outfits that meet the desired criteria.

This is the only conclusion that can be drawn from the fact that a fortnight before the ASD awarded Microsoft the coveted Protected cloud status — which means the US company can now host top-secret Australian Government data — the agency knocked back an Australian company, Secure Collaboration, that was seeking the same status.

The main reason, apparently, was that "unfortunately the demand from wider government is not there", which Secure Collaboration interpreted to mean "you are too small".

And this, despite the fact that Secure Collaboration was already providing secure cloud services to seven Federal Government agencies since 2014, including Defence, Finance, ASIC and DFAT.

The IT systems that the Sydney-based platform-as-a-service provider uses are secured inside data centres managed by Macquarie Telecom, whose service is already certified by the ASD.

(Five companies have Protected cloud status: Dimension Data, Sliced Tech, Macquarie Government, Vault Systems and Microsoft.)

Secure Collaboration has detailed what it went through to try and obtain the certification. It spent two years and about $80,000. The story was first reported by InnovationAus.

Managing director Jeremy Sadler told iTWire that no company could totally satisfy the requirements of the Information Security Manual (the specifications laid down for aspirants to Protected cloud status). He said it had been "a punch in the guts" when he heard of Microsoft being given the certification and the fiats that accompanied it.

In every case, it was a question of mitigating risk, he said, adding that Secure Collaboration had been perfectly willing to follow the ASD's advice on the six items which were identified as needing mitigation.

When it was announced that the ASD would accept applications for Protected cloud status, Secure Collaboration decided to do so and engaged a certified IRAP (Information Security Registered Assessor Program) assessor to carry out the required tests.

In June 2016, the assessor delivered the report to the ASD, recommending that Secure Collaboration be granted Protected cloud status.

But there was no acknowledgement of this from the ASD and when the company made an email inquiry it was ignored. By March 2017, when Secure Collaboration finally managed to make contact with the ASD, it found that the report had not even been looked at.

Secure Collaboration was then told to do another assessment as per the new ISM standard for 2016. The cost for the new assessment was triple the cost of the first and Secure Collaboration went through the entire process: "multiple emails, conference calls ending in Secure Collaboration flying to Canberra to meet the ASD face-to-face".

The company wrote: "After an intense two-hour meeting and a physical inspection of the installation, the verbal response was positive and by early August 2017, the second report was officially submitted. Once again, the IRAP Assessor recommended that Secure should get Protected level certification."

But then the ASD ignored the report for six months. When it finally looked at the report, the agency said there were only a few minor items that needed clarification.

"There were no showstoppers (so they said)," Secure Collaboration said. "(We) escalated to ASD management and assurances were given that the ASD wanted to support small business and, 'you’re in the final stage'."

Another face-to-face grilling took place in Sydney to review the installation. The company had to pay for a consultant to be flown in from Japan and face four hours of grilling on every item on the assessment report.

"Were they being very thorough, or were they just trying to find a problem? Once again the verbal indication was positive, just a few residual risks that (we) would need to clarify or remedy, but still no 'show-stoppers',” the company said.

But a fortnight later, an email to Secure Collaboration said: "…. regrettably ASD are unable to award Secure Collaboration ASD Certification…. apologies for the length of time it has taken". This was three months ago.

The Microsoft certification came with a number of fiats, with the ASD issuing a consumer guide in which it said: "Residual risks …… can be reduced through agency implementation of additional configuration and security controls”. It also said the ASD was “working with Microsoft to ensure general compensating security control blueprints are made available".

The Redmond-based outfit was allowed to have staff from outside the country administer systems on which Protected data would be stored – even though other companies with the same status are not allowed to do so.

Sadler said he had been told that Secure Collaboration would have to wait for a year before it tried again to obtain Protected cloud status. In the interim, he said he had decided to go public and fight it out.

Asked whether he had had any interaction with Alastair MacGibbon, the head of the Australian Cyber Security Institute and ASD deputy director-general, who has been quoted numerous times as saying he is fully satisfied with granting Protected status to Microsoft, Sadler said he had not met MacGibbon.

iTWire has contacted the ASD for comment.

Subscribe to ITWIRE UPDATE Newsletter here


It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinatrs and campaigns and assassistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.



iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News