Home Security No Protected cloud for you: ASD knocks back Aussie firm, but not Microsoft
No Protected cloud for you: ASD knocks back Aussie firm, but not Microsoft Featured

The Australian Signals Directorate appears to be bending the rulebook when it comes to the granting of Protected cloud status, favouring multinational American companies and knocking back smaller Australian outfits that meet the desired criteria.

This is the only conclusion that can be drawn from the fact that a fortnight before the ASD awarded Microsoft the coveted Protected cloud status — which means the US company can now host top-secret Australian Government data — the agency knocked back an Australian company, Secure Collaboration, that was seeking the same status.

The main reason, apparently, was that "unfortunately the demand from wider government is not there", which Secure Collaboration interpreted to mean "you are too small".

And this, despite the fact that Secure Collaboration was already providing secure cloud services to seven Federal Government agencies since 2014, including Defence, Finance, ASIC and DFAT.

The IT systems that the Sydney-based platform-as-a-service provider uses are secured inside data centres managed by Macquarie Telecom, whose service is already certified by the ASD.

(Five companies have Protected cloud status: Dimension Data, Sliced Tech, Macquarie Government, Vault Systems and Microsoft.)

Secure Collaboration has detailed what it went through to try and obtain the certification. It spent two years and about $80,000. The story was first reported by InnovationAus.

Managing director Jeremy Sadler told iTWire that no company could totally satisfy the requirements of the Information Security Manual (the specifications laid down for aspirants to Protected cloud status). He said it had been "a punch in the guts" when he heard of Microsoft being given the certification and the fiats that accompanied it.

In every case, it was a question of mitigating risk, he said, adding that Secure Collaboration had been perfectly willing to follow the ASD's advice on the six items which were identified as needing mitigation.

When it was announced that the ASD would accept applications for Protected cloud status, Secure Collaboration decided to do so and engaged a certified IRAP (Information Security Registered Assessor Program) assessor to carry out the required tests.

In June 2016, the assessor delivered the report to the ASD, recommending that Secure Collaboration be granted Protected cloud status.

But there was no acknowledgement of this from the ASD and when the company made an email inquiry it was ignored. By March 2017, when Secure Collaboration finally managed to make contact with the ASD, it found that the report had not even been looked at.

Secure Collaboration was then told to do another assessment as per the new ISM standard for 2016. The cost for the new assessment was triple the cost of the first and Secure Collaboration went through the entire process: "multiple emails, conference calls ending in Secure Collaboration flying to Canberra to meet the ASD face-to-face".

The company wrote: "After an intense two-hour meeting and a physical inspection of the installation, the verbal response was positive and by early August 2017, the second report was officially submitted. Once again, the IRAP Assessor recommended that Secure should get Protected level certification."

But then the ASD ignored the report for six months. When it finally looked at the report, the agency said there were only a few minor items that needed clarification.

"There were no showstoppers (so they said)," Secure Collaboration said. "(We) escalated to ASD management and assurances were given that the ASD wanted to support small business and, 'you’re in the final stage'."

Another face-to-face grilling took place in Sydney to review the installation. The company had to pay for a consultant to be flown in from Japan and face four hours of grilling on every item on the assessment report.

"Were they being very thorough, or were they just trying to find a problem? Once again the verbal indication was positive, just a few residual risks that (we) would need to clarify or remedy, but still no 'show-stoppers',” the company said.

But a fortnight later, an email to Secure Collaboration said: "…. regrettably ASD are unable to award Secure Collaboration ASD Certification…. apologies for the length of time it has taken". This was three months ago.

The Microsoft certification came with a number of fiats, with the ASD issuing a consumer guide in which it said: "Residual risks …… can be reduced through agency implementation of additional configuration and security controls”. It also said the ASD was “working with Microsoft to ensure general compensating security control blueprints are made available".

The Redmond-based outfit was allowed to have staff from outside the country administer systems on which Protected data would be stored – even though other companies with the same status are not allowed to do so.

Sadler said he had been told that Secure Collaboration would have to wait for a year before it tried again to obtain Protected cloud status. In the interim, he said he had decided to go public and fight it out.

Asked whether he had had any interaction with Alastair MacGibbon, the head of the Australian Cyber Security Institute and ASD deputy director-general, who has been quoted numerous times as saying he is fully satisfied with granting Protected status to Microsoft, Sadler said he had not met MacGibbon.

iTWire has contacted the ASD for comment.


With 4 keynotes + 33 talks + 10 in-depth workshops from world-class speakers, YOW! is your chance to learn more about the latest software trends, practices and technologies and interact with many of the people who created them.

Speakers this year include Anita Sengupta (Rocket Scientist and Sr. VP Engineering at Hyperloop One), Brendan Gregg (Sr. Performance Architect Netflix), Jessica Kerr (Developer, Speaker, Writer and Lead Engineer at Atomist) and Kent Beck (Author Extreme Programming, Test Driven Development).

YOW! 2018 is a great place to network with the best and brightest software developers in Australia. You’ll be amazed by the great ideas (and perhaps great talent) you’ll take back to the office!

Register now for YOW! Conference

· Sydney 29-30 November
· Brisbane 3-4 December
· Melbourne 6-7 December

Register now for YOW! Workshops

· Sydney 27-28 November
· Melbourne 4-5 December



Australia is a cyber espionage hot spot.

As we automate, script and move to the cloud, more and more businesses are reliant on infrastructure that has the high potential to be exposed to risk.

It only takes one awry email to expose an accounts’ payable process, and for cyber attackers to cost a business thousands of dollars.

In the free white paper ‘6 Steps to Improve your Business Cyber Security’ you’ll learn some simple steps you should be taking to prevent devastating and malicious cyber attacks from destroying your business.

Cyber security can no longer be ignored, in this white paper you’ll learn:

· How does business security get breached?
· What can it cost to get it wrong?
· 6 actionable tips


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the sitecame into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


Popular News




Sponsored News