Security Market Segment LS
Friday, 08 June 2018 11:17

No Protected cloud for you: ASD knocks back Aussie firm, but not Microsoft Featured


The Australian Signals Directorate appears to be bending the rulebook when it comes to the granting of Protected cloud status, favouring multinational American companies and knocking back smaller Australian outfits that meet the desired criteria.

This is the only conclusion that can be drawn from the fact that a fortnight before the ASD awarded Microsoft the coveted Protected cloud status — which means the US company can now host top-secret Australian Government data — the agency knocked back an Australian company, Secure Collaboration, that was seeking the same status.

The main reason, apparently, was that "unfortunately the demand from wider government is not there", which Secure Collaboration interpreted to mean "you are too small".

And this, despite the fact that Secure Collaboration was already providing secure cloud services to seven Federal Government agencies since 2014, including Defence, Finance, ASIC and DFAT.

The IT systems that the Sydney-based platform-as-a-service provider uses are secured inside data centres managed by Macquarie Telecom, whose service is already certified by the ASD.

(Five companies have Protected cloud status: Dimension Data, Sliced Tech, Macquarie Government, Vault Systems and Microsoft.)

Secure Collaboration has detailed what it went through to try and obtain the certification. It spent two years and about $80,000. The story was first reported by InnovationAus.

Managing director Jeremy Sadler told iTWire that no company could totally satisfy the requirements of the Information Security Manual (the specifications laid down for aspirants to Protected cloud status). He said it had been "a punch in the guts" when he heard of Microsoft being given the certification and the fiats that accompanied it.

In every case, it was a question of mitigating risk, he said, adding that Secure Collaboration had been perfectly willing to follow the ASD's advice on the six items which were identified as needing mitigation.

When it was announced that the ASD would accept applications for Protected cloud status, Secure Collaboration decided to do so and engaged a certified IRAP (Information Security Registered Assessor Program) assessor to carry out the required tests.

In June 2016, the assessor delivered the report to the ASD, recommending that Secure Collaboration be granted Protected cloud status.

But there was no acknowledgement of this from the ASD and when the company made an email inquiry it was ignored. By March 2017, when Secure Collaboration finally managed to make contact with the ASD, it found that the report had not even been looked at.

Secure Collaboration was then told to do another assessment as per the new ISM standard for 2016. The cost for the new assessment was triple the cost of the first and Secure Collaboration went through the entire process: "multiple emails, conference calls ending in Secure Collaboration flying to Canberra to meet the ASD face-to-face".

The company wrote: "After an intense two-hour meeting and a physical inspection of the installation, the verbal response was positive and by early August 2017, the second report was officially submitted. Once again, the IRAP Assessor recommended that Secure should get Protected level certification."

But then the ASD ignored the report for six months. When it finally looked at the report, the agency said there were only a few minor items that needed clarification.

"There were no showstoppers (so they said)," Secure Collaboration said. "(We) escalated to ASD management and assurances were given that the ASD wanted to support small business and, 'you’re in the final stage'."

Another face-to-face grilling took place in Sydney to review the installation. The company had to pay for a consultant to be flown in from Japan and face four hours of grilling on every item on the assessment report.

"Were they being very thorough, or were they just trying to find a problem? Once again the verbal indication was positive, just a few residual risks that (we) would need to clarify or remedy, but still no 'show-stoppers',” the company said.

But a fortnight later, an email to Secure Collaboration said: "…. regrettably ASD are unable to award Secure Collaboration ASD Certification…. apologies for the length of time it has taken". This was three months ago.

The Microsoft certification came with a number of fiats, with the ASD issuing a consumer guide in which it said: "Residual risks …… can be reduced through agency implementation of additional configuration and security controls”. It also said the ASD was “working with Microsoft to ensure general compensating security control blueprints are made available".

The Redmond-based outfit was allowed to have staff from outside the country administer systems on which Protected data would be stored – even though other companies with the same status are not allowed to do so.

Sadler said he had been told that Secure Collaboration would have to wait for a year before it tried again to obtain Protected cloud status. In the interim, he said he had decided to go public and fight it out.

Asked whether he had had any interaction with Alastair MacGibbon, the head of the Australian Cyber Security Institute and ASD deputy director-general, who has been quoted numerous times as saying he is fully satisfied with granting Protected status to Microsoft, Sadler said he had not met MacGibbon.

iTWire has contacted the ASD for comment.


As part of our Lead Machine Methodology we will help you get more leads, more customers and more business. Let us help you develop your digital marketing campaign

Digital Marketing is ideal in these tough times and it can replace face to face marketing with person to person marketing via the phone conference calls and webinars

Significant opportunity pipelines can be developed and continually topped up with the help of Digital Marketing so that deals can be made and deals can be closed

- Newsletter adverts in dynamic GIF slideshow formats

- News site adverts from small to large sizes also as dynamic GIF slideshow formats

- Guest Editorial - get your message out there and put your CEO in the spotlight

- Promotional News and Content - displayed on the homepage and all pages

- Leverage our proven event promotion methodology - The Lead Machine gets you leads

Contact Andrew our digital campaign designer on 0412 390 000 or via email



Security requirements such as confidentiality, integrity and authentication have become mandatory in most industries.

Data encryption methods previously used only by military and intelligence services have become common practice in all data transfer networks across all platforms, in all industries where information is sensitive and vital (financial and government institutions, critical infrastructure, data centres, and service providers).

Get the full details on Layer-1 encryption solutions straight from PacketLight’s optical networks experts.

This white paper titled, “When 1% of the Light Equals 100% of the Information” is a must read for anyone within the fiber optics, cybersecurity or related industry sectors.

To access click Download here.


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments