'Cloud' over Microsoft accreditation for top tier of govt service

Microsoft's certification as a Protected provider of its Azure Cloud and Office 365 services to the Australian Government has literally come under a cloud, with the Australian Signals Directorate issuing a consumer guide containing a number of fiats about the service.

But the disquiet is not limited to the ASD, with a highly-placed source in the IT industry, who has intimate knowledge of the procedures involved in gaining such certification, claiming to iTWire that the certification had been granted despite the company allegedly not meeting all the needed criteria.

The Protected status, which was publicised by Microsoft on 3 April, means it can now handle government data with the highest security clearance.

Microsoft became the fifth provider to be certified to offer such services, with the others being Dimension Data, Vault Systems, Sliced Tech and Macquarie Government.

The source, who requested anonymity because of the sensitivity of the subject matter involved, said: "It's... understood that they (meaning Microsoft) have not been required to have things cleared in the way that others have." The others referred to are the four other companies that have obtained Protected status.

The source pointed out that anyone handling data residing within services offered by these organisations would have to be an Australian national, resident within the country, who had obtained a security clearance from the Defence authorities.

But, the source said, these requirements appeared to have been put temporarily on hold for Microsoft, adding that there were some indications that they might not be enforced at all.

"The effect is that national security stands compromised," the source said, adding that this devalued the entire accreditation system which had been set up to give confidence to government agencies and not require them to have to carry out any additional procedures before using the services of a provider that had gained Protected status.

The time taken for Microsoft to gain Protected certification was also cited by the source, with the company taking six months to obtain the certification which the source said would normally take at least two years.

When iTWire asked Microsoft whether any special dispensation had been granted to the company so that employees from outside Australia who did not have Australian Government clearance could attend to Australian data stored by the company, a company spokesperson responded: "Microsoft has not been granted a special dispensation around personnel, our personnel security practices and policies are compliant with the Australian Government’s personnel security requirements under the Protective Security Policy Framework."

The ASD consumer guide adds some fiats which appear to indicate that Microsoft's service is not up to the mark.

In its consumer guide, the ASD says: "Residual risks attached to this delivery model can be reduced through agency implementation of additional configuration and security controls to be developed by Microsoft in conjunction with the ACSC (the Australian Cyber Security Centre).

"This will provide agencies with a pragmatic level of assurance and confidence in Microsoft’s public cloud offering to the Australian Government. More technical detail will also be provided in the ACSC’s finalised certification report of the services on offer."

In its announcement last week, Microsoft made no mention of any additional security measures that needed to be taken to make its Azure Cloud and Office 365 services suitable for use by government agencies.

The IT industry source said the ASD's issuing of the consumer guide was a reaction to there being "huge gaps in Microsoft's meeting the accreditation norms".

However, the source termed the issuing of the consumer guide a cowardly act, as it came well after Microsoft trumpeted its being issued Protected status and "was issued at take-out-the-trash-time on a Friday".

But Microsoft contested the fact that the consumer guide had cast any doubts over its Protected status, with a spokesperson telling iTWire: "As part of the recently awarded ASD Protected certification for Azure and Office 365, ASD published a consumer guide along with the listing on the Certified Cloud Services List.

"The consumer guide stated that residual risks 'can be reduced through agency implementation of additional configuration and security controls to be developed by Microsoft in conjunction with the ACSC'. In the interests of clarity, ASD has not asked Microsoft to develop additional security controls into the Azure and Office 365 services. There are no engineering level changes required by Microsoft associated with the award of the Protected certification. The development here refers to configuration guides and blueprints for controls that Microsoft has already built into the services but that need to be turned on and configured by the Government customers.

"Under the Microsoft shared responsibility model, there are controls that Microsoft handles for all customers, controls where responsibility is shared (i.e. Microsoft implements a control in the Service but the customer controls its activation and configuration) and controls that are solely the responsibility of the customer. The focus of the guides is the latter two categories."

The spokesperson added: "Whilst Microsoft’s services on the CCSL are the only ones ASD has produced a Consumer Guide for, consumer guides are not new. The ASD Evaluated Products List includes a consumer guide with many of the evaluation outcomes. A specific example is the use of Apple iOS devices by government at the Protected level. To operate those devices at Protected, Australian Government agencies need to configure them in accordance with the hardening guide issued by ASD. That does not mean the Apple iOS devices need to have new controls developed, this is the same for Microsoft’s Azure and Office 365."

iTWire contacted the ASD on Wednesday, asking why the consumer guide had been issued, pointing out that the other four companies which had gained the Protected certification had had no such fiats issued. A response was sought by close of business yesterday.

When the ASD was contacted this morning, iTWire was told that a response was being worked on and would be available as soon as possible. Any response will be added here as soon as it is received.

iTWire also sought comment from the four vendors who have gained Protected certification – Macquarie Government, Dimension Data, Vault Systems and Sliced Tech. A Dimension Data spokesperson responded, saying: "Thank you for your inquiry but Dimension Data does not comment on other companies and their products or services."

Update, 5pm: Following publication of this article, a Microsoft spokesperson added the following comments: "Firstly, Microsoft’s certification was awarded 14 months after we first lodged our IRAP Assessment recommending Protected with ASD – not six months. Additionally, the Microsoft service complies with all requirements for certification, including personnel security requirements. No policy has been changed." (IRAP stands for Infosec Registered Assessor Program)

"The government’s position under the Protective Security Policy Framework on personnel security as it relates to outsourced services and functions is clearly outlined in the Attorney-General’s 2015 publication: Australian Government protective security governance guidelines – Security of outsourced services and functions

"It should be noted that under the government’s information security manual, certification is followed by a process of accreditation, which is an agency responsibility and it must undertake its own due diligence and accept any risks before using any cloud service regardless of the cloud services certification.

"When comparing security of different services, it’s important that you’re comparing like for like. A simple infrastructure as a service (IaaS) offering in a private cloud is far less complex than a hyperscale cloud platform like Azure or a software as a service (SaaS) offering like Office 365.

"In IaaS, the cloud provider simply provisions the infrastructure and then the agency has to implement everything on top of that — authentication, encryption and applications — in a way that complies with the Information Security Manual.

"Microsoft’s cloud services operate further up the stack and offer a diverse range of configurable services at the Protected level (Over 35 services across Azure and Office365 have been certified to Protected), so an agency implementing our service does require some guidance about how to configure the service in a way that complies with their security requirements."


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
