Microsoft Australia is the latest cloud services provider to be awarded the Federal Government’s “protected” status, giving the vendor the ability to handle classified and highly sensitive government data.
The Federal Government revealed on 3 April that the Australian Signals Directorate (ASD), the intelligence agency that sits within the Department of Defence, had designated Microsoft Azure and Office 365 with the much sought after “protected” classification on its Certified Cloud Services List (CCSL).
Inclusion on the ASD’s CCSL gives cloud services suppliers – along with certain resellers partnering with the selected vendors – the ability to vie for public sector work requiring an InfoSec Registered Assessors Program (IRAP) security assessment, along with other security checks and balances.
"All of our 11,000 partners in the country will have access to the Azure capability," Microsoft Australia managing director, Steven Worrall said.
Microsoft already claims a number of cloud services that have been granted the ASD’s “Unclassified - Dissemination Limiting Markers (DLM)” information certification -- meaning for use with data that is not classified but may be sensitive and is not intended for public release.
The ASD last year formally certified dozens of additional Microsoft cloud services across Azure and Office 365 as “unclassified DLM”, imbuing the vendor with around 50 cloud services approved by the certification scheme.
However, the new “protected” status means that Microsoft can now provide Azure and Office 365 services for public sector work that involves classified and highly sensitive data.
The security controls required for "protected" certification of Azure and Office 365 have been implemented in all of Microsoft's Australian regions where the vendor's cloud platform is available -- Sydney, Melbourne and Canberra, with the latter launched as Microsoft receives its "protected" status.
Australia’s Minister for Law Enforcement and Cyber Security, Angus Taylor, said that awarding the certification to Microsoft will help to accelerate the adoption of cloud technology by Commonwealth, State and Territory Governments.
While Microsoft is the largest cloud services vendor to be awarded with the ASD’s “protected” classification – and the first hyper-scale public cloud provider to receive it – no fewer than four other suppliers have been handed the “protected” classification level.
Dimension Data, Macquarie Government, Sliced Tech and Vault Systems all claim the “protected” classification for certain services.
Taylor said that there are no limits as to how many providers could be accredited and there are many currently going through the process.
"We've already credentialed five, four Australian providers and this is the first major global player and this is important because it means we can bring that global capacity alongside the local capacity and is that mix we want to see.
The minister did not comment on how long it took Microsoft to go through the accreditation process but some providers, such as Sliced Tech, have gone through six years of steps leading to the protected accreditation.
The minister said the government is working to make the process shorter but did not specify how short.
Microsoft’s new classification coincides with the launch of the company’s new Azure Australia Central regions in Canberra after setting up shop in Canberra Data Centres’ (CDC) facilities in the nation’s capital, as part of a broader move to lure government agencies to its cloud platform.
The two new Canberra regions were officially made available on 3 April, giving Microsoft and its partners in the local market the ability to deliver hyper-scale cloud services that can handle the “unclassified” and “protected” government data classifications required by many local public sector entities.
Given the work required to achieve this level of clearance, the vendor’s new regions are limited to Australian and New Zealand Government customers.
The move comes as global cloud rival, Amazon Web Services (AWS), also closes in on obtaining the ASD’s “protected” status, with the company revealing on 28 March it had completed the independent assessment needed for such clearance.
The assessment specifically relates to services delivered via AWS’ Asia Pacific (Sydney) Region.
Although the official inclusion of AWS on the Government’s list as a supplier of “protected” cloud services remains up to the ASD, the successful completion of the IRAP assessment means that Australian federal, state and local government agencies and departments can store and run “protected”-level, mission-critical workloads on the AWS Cloud.
However, because AWS has not yet been officially invited to join the ASD’s CCSL ranking as a provider of “protected” services, Government agencies will have to manage their own risk assessment, and self-accredit “protected-level” workloads to run on AWS Cloud.
According to AWS, there are now 46 of the cloud vendor’s services offered for government agencies and departments to leverage on AWS Sydney Region at the “protected” level.
Like Microsoft, AWS also claims several cloud services that have been awarded with the “unclassified DLM” status by the ASD.
According to Taylor, awarding Microsoft with the “protected” certification reflects the Government’s commitment to prioritise and deliver secure cloud services, ensuring a very high level of security for Australians.
“It has never been more important for government and Australian enterprises to strategically manage cyber security risks,” Taylor said.
“Australia is under increasing cyber security threat and as government and critical infrastructure innovate and transform, it is imperative that we remove risk in our existing systems and use modern, secure cloud technology,” he said.
Microsoft’s efforts to obtain the “protected” status is part of a broad effort by the vendor to push its cloud offering further into the government space, with the company revealing a new initiative on 27 March to deliver cloud computing skills to 5,000 public sector workers by 2020.
