Friday, 08 June 2018 11:17

No Protected cloud for you: ASD knocks back Aussie firm, but not Microsoft

The Australian Signals Directorate appears to be bending the rulebook when it comes to the granting of Protected cloud status, favouring multinational American companies and knocking back smaller Australian outfits that meet the desired criteria.

This is the only conclusion that can be drawn from the fact that a fortnight before the ASD awarded Microsoft the coveted Protected cloud status — which means the US company can now host top-secret Australian Government data — the agency knocked back an Australian company, Secure Collaboration, that was seeking the same status.

The main reason, apparently, was that "unfortunately the demand from wider government is not there", which Secure Collaboration interpreted to mean "you are too small".

And this despite the fact that Secure Collaboration had been providing secure cloud services to seven Federal Government agencies since 2014, including Defence, Finance, ASIC and DFAT.

The IT systems that the Sydney-based platform-as-a-service provider uses are secured inside data centres managed by Macquarie Telecom, whose service is already certified by the ASD.

(Five companies have Protected cloud status: Dimension Data, Sliced Tech, Macquarie Government, Vault Systems and Microsoft.)

Secure Collaboration has detailed what it went through to try and obtain the certification. It spent two years and about $80,000. The story was first reported by InnovationAus.

Managing director Jeremy Sadler told iTWire that no company could totally satisfy the requirements of the Information Security Manual (the specifications laid down for aspirants to Protected cloud status). He said it had been "a punch in the guts" when he heard of Microsoft being given the certification and the fiats that accompanied it.

In every case, it was a question of mitigating risk, he said, adding that Secure Collaboration had been perfectly willing to follow the ASD's advice on the six items which were identified as needing mitigation.

When it was announced that the ASD would accept applications for Protected cloud status, Secure Collaboration decided to apply and engaged a certified IRAP (Information Security Registered Assessor Program) assessor to carry out the required tests.

In June 2016, the assessor delivered the report to the ASD, recommending that Secure Collaboration be granted Protected cloud status.

But there was no acknowledgement of this from the ASD and when the company made an email inquiry it was ignored. By March 2017, when Secure Collaboration finally managed to make contact with the ASD, it found that the report had not even been looked at.

Secure Collaboration was then told to do another assessment as per the new ISM standard for 2016. The cost for the new assessment was triple the cost of the first and Secure Collaboration went through the entire process: "multiple emails, conference calls ending in Secure Collaboration flying to Canberra to meet the ASD face-to-face".

The company wrote: "After an intense two-hour meeting and a physical inspection of the installation, the verbal response was positive and by early August 2017, the second report was officially submitted. Once again, the IRAP Assessor recommended that Secure should get Protected level certification."

But then the ASD ignored the report for six months. When it finally looked at the report, the agency said there were only a few minor items that needed clarification.

"There were no showstoppers (so they said)," Secure Collaboration said. "(We) escalated to ASD management and assurances were given that the ASD wanted to support small business and, 'you’re in the final stage'."

Another face-to-face grilling took place in Sydney to review the installation. The company had to pay for a consultant to be flown in from Japan and face four hours of grilling on every item on the assessment report.

"Were they being very thorough, or were they just trying to find a problem? Once again the verbal indication was positive, just a few residual risks that (we) would need to clarify or remedy, but still no 'show-stoppers'," the company said.

But a fortnight later, an email to Secure Collaboration said: "…. regrettably ASD are unable to award Secure Collaboration ASD Certification…. apologies for the length of time it has taken". This was three months ago.

The Microsoft certification came with a number of fiats, with the ASD issuing a consumer guide in which it said: "Residual risks …… can be reduced through agency implementation of additional configuration and security controls". It also said the ASD was "working with Microsoft to ensure general compensating security control blueprints are made available".

The Redmond-based outfit was allowed to have staff from outside the country administer systems on which Protected data would be stored – even though other companies with the same status are not allowed to do so.

Sadler said he had been told that Secure Collaboration would have to wait for a year before it tried again to obtain Protected cloud status. In the interim, he said he had decided to go public and fight it out.

Asked whether he had had any interaction with Alastair MacGibbon, the head of the Australian Cyber Security Institute and ASD deputy director-general, who has been quoted numerous times as saying he is fully satisfied with granting Protected status to Microsoft, Sadler said he had not met MacGibbon.

iTWire has contacted the ASD for comment.

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
