This is the only conclusion that can be drawn from the fact that a fortnight before the ASD awarded Microsoft the coveted Protected cloud status — which means the US company can now host top-secret Australian Government data — the agency knocked back an Australian company, Secure Collaboration, that was seeking the same status.
The main reason, apparently, was that "unfortunately the demand from wider government is not there", which Secure Collaboration interpreted to mean "you are too small".
And this, despite the fact that Secure Collaboration had been providing secure cloud services to seven Federal Government agencies since 2014, including Defence, Finance, ASIC and DFAT.
(Five companies have Protected cloud status: Dimension Data, Sliced Tech, Macquarie Government, Vault Systems and Microsoft.)
Managing director Jeremy Sadler told iTWire that no company could totally satisfy the requirements of the Information Security Manual (the specifications laid down for aspirants to Protected cloud status). He said it had been "a punch in the guts" when he heard of Microsoft being given the certification and the fiats that accompanied it.
In every case, it was a question of mitigating risk, he said, adding that Secure Collaboration had been perfectly willing to follow the ASD's advice on the six items which were identified as needing mitigation.
When it was announced that the ASD would accept applications for Protected cloud status, Secure Collaboration decided to apply and engaged a certified IRAP (Information Security Registered Assessor Program) assessor to carry out the required tests.
In June 2016, the assessor delivered the report to the ASD, recommending that Secure Collaboration be granted Protected cloud status.
But there was no acknowledgement of this from the ASD and when the company made an email inquiry it was ignored. By March 2017, when Secure Collaboration finally managed to make contact with the ASD, it found that the report had not even been looked at.
Secure Collaboration was then told to do another assessment as per the new ISM standard for 2016. The cost for the new assessment was triple the cost of the first and Secure Collaboration went through the entire process: "multiple emails, conference calls ending in Secure Collaboration flying to Canberra to meet the ASD face-to-face".
The company wrote: "After an intense two-hour meeting and a physical inspection of the installation, the verbal response was positive and by early August 2017, the second report was officially submitted. Once again, the IRAP Assessor recommended that Secure should get Protected level certification."
But then the ASD ignored the report for six months. When it finally looked at the report, the agency said there were only a few minor items that needed clarification.
"There were no showstoppers (so they said)," Secure Collaboration said. "(We) escalated to ASD management and assurances were given that the ASD wanted to support small business and, 'you’re in the final stage'."
Another face-to-face grilling took place in Sydney to review the installation. The company had to pay for a consultant to be flown in from Japan and face four hours of grilling on every item on the assessment report.
"Were they being very thorough, or were they just trying to find a problem? Once again the verbal indication was positive, just a few residual risks that (we) would need to clarify or remedy, but still no 'show-stoppers',” the company said.
But a fortnight later, an email to Secure Collaboration said: "… regrettably ASD are unable to award Secure Collaboration ASD Certification … apologies for the length of time it has taken". This was three months ago.
The Microsoft certification came with a number of fiats, with the ASD issuing a consumer guide in which it said: "Residual risks … can be reduced through agency implementation of additional configuration and security controls". It also said the ASD was "working with Microsoft to ensure general compensating security control blueprints are made available".
The Redmond-based outfit was allowed to have staff from outside the country administer systems on which Protected data would be stored – even though other companies with the same status are not allowed to do so.
Sadler said he had been told that Secure Collaboration would have to wait for a year before it tried again to obtain Protected cloud status. In the interim, he said he had decided to go public and fight it out.
Asked whether he had had any interaction with Alastair MacGibbon, the head of the Australian Cyber Security Institute and ASD deputy director-general, who has been quoted numerous times as saying he is fully satisfied with granting Protected status to Microsoft, Sadler said he had not met MacGibbon.
iTWire has contacted the ASD for comment.