But the disquiet is not limited to the ASD, with a highly-placed source in the IT industry, who has intimate knowledge of the procedures involved in gaining such certification, claiming to iTWire that the certification had been granted despite the company allegedly not meeting all the needed criteria.
The Protected status, which was publicised by Microsoft on 3 April, means it can now handle government data with the highest security clearance.
Microsoft became the fifth provider to be certified to offer such services, with the others being Dimension Data, Vault Systems, Sliced Tech and Macquarie Government.
The source pointed out that anyone who was handling data that resided within services offered by these organisations would have to be Australian nationals who were resident within the country and had obtained security clearance from the Defence authorities.
But, the source said, these requirements appeared to have been put temporarily on hold for Microsoft, adding that there were some indications that they might not be enforced at all.
"The effect is that national security stands compromised," the source said, adding that this devalued the entire accreditation system which had been set up to give confidence to government agencies and not require them to have to carry out any additional procedures before using the services of a provider that had gained Protected status.
The time taken for Microsoft to gain Protected certification was also cited by the source, with the company taking six months to obtain the certification which the source said would normally take at least two years.
When iTWire asked Microsoft whether any special dispensation had been granted to the company so that employees from outside Australia who did not have Australian Government clearance could attend to Australian data stored by the company, a company spokesperson responded: "Microsoft has not been granted a special dispensation around personnel, our personnel security practices and policies are compliant with the Australian Government’s personnel security requirements under the Protective Security Policy Framework."
The ASD consumer guide adds some fiats which appear to indicate that Microsoft's service is not up to the mark.
In its consumer guide, the ASD says: "Residual risks attached to this delivery model can be reduced through agency implementation of additional configuration and security controls to be developed by Microsoft in conjunction with the ACSC (the Australian Cyber Security Centre).
"This will provide agencies with a pragmatic level of assurance and confidence in Microsoft’s public cloud offering to the Australian Government. More technical detail will also be provided in the ACSC’s finalised certification report of the services on offer."
In its announcement last week, Microsoft made no mention of any additional security measures that needed to be taken to make its Azure Cloud and Office 365 services suitable for use by government agencies.
The IT industry source attributed the ASD's issuing of the consumer guide to the fact that there were "huge gaps in Microsoft's meeting the accreditation norms".
However, the source termed the issuing of the consumer guide a cowardly act, as it came well after Microsoft trumpeted its being issued Protected status and "was issued at take-out-the-trash-time on a Friday".
But Microsoft contested the fact that the consumer guide had cast any doubts over its Protected status, with a spokesperson telling iTWire: "As part of the recently awarded ASD Protected certification for Azure and Office 365, ASD published a consumer guide along with the listing on the Certified Cloud Services List.
"The consumer guide stated that residual risks 'can be reduced through agency implementation of additional configuration and security controls to be developed by Microsoft in conjunction with the ACSC'. In the interests of clarity, ASD has not asked Microsoft to develop additional security controls into the Azure and Office 365 services. There are no engineering level changes required by Microsoft associated with the award of the Protected certification. The development here refers to configuration guides and blueprints for controls that Microsoft has already built into the services but that need to be turned on and configured by the Government customers.
"Under the Microsoft shared responsibility model, there are controls that Microsoft handles for all customers, controls where responsibility is shared (i.e. Microsoft implements a control in the Service but the customer controls its activation and configuration) and controls that are solely the responsibility of the customer. The focus of the guides is the latter two categories."
The spokesperson added: "Whilst Microsoft’s services on the CCSL are the only ones ASD has produced a Consumer Guide for, consumer guides are not new. The ASD Evaluated Products List includes a consumer guide with many of the evaluation outcomes. A specific example is the use of Apple iOS devices by government at the Protected level. To operate those devices at Protected, Australian Government agencies need to configure them in accordance with the hardening guide issued by ASD. That does not mean the Apple iOS devices need to have new controls developed, this is the same for Microsoft’s Azure and Office 365."
iTWire contacted the ASD on Wednesday, asking why the consumer guide had been issued, pointing out that the other four companies which had gained the Protected certification had had no such fiats issued. A response was sought by close of business yesterday.
When the ASD was contacted this morning, iTWire was told that a response was being worked on and would be available as soon as possible. Any response will be added here as soon as it is received.
iTWire also sought comment from the four vendors who have gained Protected certification – Macquarie Government, Dimension Data, Vault Systems and Sliced Tech. A Dimension Data spokesperson responded, saying: "Thank you for your inquiry but Dimension Data does not comment on other companies and their products or services."
Update, 5pm: Following publication of this article, a Microsoft spokesperson added the following comments: "Firstly, Microsoft’s certification was awarded 14 months after we first lodged our IRAP Assessment recommending Protected with ASD – not six months. Additionally, the Microsoft service complies with all requirements for certification, including personnel security requirements. No policy has been changed." (IRAP stands for Infosec Registered Assessor Program)
"The government’s position under the Protective Security Policy Framework on personnel security as it relates to outsourced services and functions is clearly outlined in the Attorney-General’s 2015 publication: Australian Government protective security governance guidelines – Security of outsourced services and functions
"It should be noted that under the government’s information security manual, certification is followed by a process of accreditation, which is an agency responsibility and it must undertake its own due diligence and accept any risks before using any cloud service regardless of the cloud services certification.
"When comparing security of different services, it’s important that you’re comparing like for like. A simple infrastructure as a service (IaaS) offering in a private cloud is far less complex than a hyperscale cloud platform like Azure or a software as a service (SaaS) offering like Office 365.
"In IaaS, the cloud provider simply provisions the infrastructure and then the agency has to implement everything on top of that — authentication, encryption and applications — in a way that complies with the Information Security Manual.
"Microsoft’s cloud services operate further up the stack and offer a diverse range of configurable services at the Protected level (Over 35 services across Azure and Office365 have been certified to Protected), so an agency implementing our service does require some guidance about how to configure the service in a way that complies with their security requirements."