Azure parades new ASD status
James Kavanagh: Microsoft's Azure now has 25 services on Protected, AWS has zero
Microsoft Azure has scored the coveted Protected status for its public cloud from the Australian Signals Directorate (ASD), giving it a big advantage over arch competitor Amazon Web Services (AWS) in the fast growing federal government cloud market.
Microsoft today said it had been given ASD verified Protected status for 25 Azure services and 10 services within the Microsoft 365 productivity suite, and will work on getting further services verified.
At the same time, it switched on its two new Canberra region Azure data centres and co-location facilities. These sit within the federal government’s secure ICON network.
“This makes Microsoft the only global cloud provider to be awarded Protected certification,” said Microsoft Azure engineering lead James Kavanagh.
Until today there were just four cloud vendors, all locals, with the gold standard, ASD verified Protected classification level under the ASD Certified Cloud Services List (CCSL). These are Dimension Data, Macquarie Government, Sliced Tech and Vault Systems.
The ASD verifies Protected status for more sensitive data than Unclassified DLM. According to the ASD website, “highly sensitive data is defined as data classified as Protected.”
Cloud vendors with the lower ASD verified security status of Unclassified Dissemination Limiting Markers (DLM) are AWS, ServiceNow, Salesforce, IBM, Education Services Australia, and Microsoft’s Dynamics CRM.
Unclassified DLM data includes sensitive personal data that aligns with the definition of sensitive information in the Privacy Act 1988 and For Official Use Only data.
While some 90 to 95 per cent of federal government data is Unclassified DLM, Protected status gives agencies an extra layer of security comfort and allows a cloud vendor to play deep into an agency’s compute needs.
Federal agencies have increased their cloud appetite of late after prompting from the Turnbull government to be more responsive in rolling out services.
“It is something I have been passionate about, as has the Prime Minister,” Minister for Law Enforcement and Cybersecurity Angus Taylor told InnovationAus.com.
“We know that if government is going to really drive a digital transformation agenda cloud is a crucial part of it. But it’s also crucial for security and privacy," he said.
"I’m very confident cloud can provide a more secure environment. You don’t get to this level unless we know exactly where the data is being housed.”
Mr Taylor said he expected the federal government cloud services market to accelerate.
“We have already got four Protected status providers and this is the fifth and the biggest and gives us a mix of smaller local players and a big global player," Mr Taylor said.
“That mix gives us the potential to accelerate the process and part of it is changing the way government does projects in moving away the big, old style IT project to the more modern, agile faster moving projects," he said.
"It is very hard to do that without a good cloud service environment and that’s what we are doing here."
Mr Taylor said the government was reforming its cloud certification capability with a new senior responsible officer within the Australian Cyber Security Centre and a review of the certification program to ensure that it covers emerging technology.
Microsoft’s Azure announcement’s give it an advantage over competitor AWS, which is still in the process of getting ASD verified Protected status.
A vendor can tout for Protected agency data business after obtaining an independent assessment of its security chops through the Information Security Registered Assessors Program (IRAP). Vendors pay for their IRAP assessment.
This is what AWS announced last week, perhaps aware of Microsoft’s news this week.
The big US public cloud vendor said last week it had completed an IRAP assessment “allowing Australian government agencies and departments to store and run highly sensitive data at the Protected security classification level in the AWS Asia Pacific (Sydney) Region.”
ASD has written a to-do list for agencies seeking to follow best security practice called the Information Security Manual (ISM) and an IRAP assessor writes its opinion on a vendors security capability based on the ISM.
But it’s another level of comfort again for agencies if ASD has verified a cloud player against the ISM.
Azure’s advantage was a “a significant one”, said Mr Kavanagh.
“Microsoft Azure has 40 services on Unclassified DLM, AWS has five. Microsoft Azure now has 25 services on Protected, AWS has zero.
“It is a very extensive journey to go from IRAP assessment to certification,” he said.