ASD process a shocker for SMEs
Closed doors: The ASD credentialing process needs some attention
The Australian Signals Directorate is already taking heavy fire for a perception that Microsoft was not required to meet the same stringent security criteria as its local cloud services competitors when it gained Protected level accreditation for its Azure and Office365 platforms.
But now a tiny Australian cloud services company says the ASD has seriously hampered its government business through a protracted and expensive certification process.
Secure Collaboration – a Sydney-based Platform as a Service provider – spent two years and $80,000 on an ultimately fruitless ASD certification process, which it claims is actively skewed in favour of multinational providers at the expense of the local industry.
Ironically, Secure Collaboration already provides cloud services to several large Australian Government departments and agencies, including the Department of Defence, the Finance department, DFAT, ASIC and the ATO.
Some of these services include managing data that has been classified to Protected level, and all have been audited and security tested by independent bodies. If nothing else, this surely raises serious questions about the credibility of the ASD certification process.
The company has been providing secure cloud services to federal departments and agencies since 2014.
Like Microsoft, Secure Collaboration had sought ASD credentials to provide cloud services to Protected level. This was a straightforward business decision.
Although the company was already providing secure services to departments and managing data classified to Protected level in some areas, the credentials are seen as a way to boost its Canberra business – despite the significant investment required to go through the process.
The company underwent two separate IRAP (Information Security Registered Assessor Program) assessments. Both recommended that the ASD certify the company to Protected level for cloud services.
After a long and squirrelly process – you can read more about it here – the company held face-to-face interviews with ASD, ASD had carried out a site inspection of its data centre (it uses the Macquarie Government facility, which itself has Protected level accreditation), and ASD verbally confirmed that there were no “showstopper” problems and that, subject to a few minor tweaks, the Secure Collaboration application was in the final stretch to approval.
Then three months ago, Secure Collaboration was told there was not enough demand for its services in government – which the company took to mean that it was too small – and that ASD would not certify the company to Protected level.
The company was further informed that it should not re-apply for another year because of the current workload at the ASD. So, two years into the process, and after verbal assurances that everything was on track, the application was declined and the company was told not to reapply until ASD is less busy.
Two weeks after Secure Collaboration was knocked back, Microsoft’s Azure and Office365 platforms were given Protected level accreditation from ASD, despite caveats – called a ‘Consumer Guide’ in ASD parlance – being placed on the credentials that required certain mitigations.
Comparing the tiny, five-person team at Secure Collaboration with the hyperscale global provider Microsoft might seem like we are comparing apples with a canary, but there are some points worth making.
One of the concerns that ASD had about Secure Collaboration's set-up was that only one member of its technical team had been vetted by the Australian Government and held the required security clearances.
Secure Collaboration had acknowledged this and had begun the process of getting other staff – all of whom are based in Australia – security clearances to work on systems that held Protected level data.
It is unsurprising that the Secure Collaboration team was both horrified and very annoyed to learn that Microsoft did not have to meet this requirement to get its own accreditation ticked off by ASD.
The ASD has now confirmed that Microsoft personnel who are not Australian citizens, who are not based in Australia, who do not have appropriate Australian Government security credentials – and who may not be known individually to the Australian cyber authorities – will have access to systems holding Protected level government data.
It is unclear why the Australian Signals Directorate publicly endorsed Microsoft’s Azure and Office365 services before Microsoft had met the security requirements sought by ASD (as evidenced by ASD still working with the company on a blueprint for compensating security controls).
This pre-emptive public endorsement remains extraordinary.
It is understood there is great unrest within the ASD over the Microsoft decision. There are also questions about who made the decision to go ahead with the Microsoft accreditation, and why the team that had been involved in the discussion up until that point had been swapped out.
The Australian Government has always been a tough place for smaller Australian companies to do business. The cultural cringe is blinding, and the cost of bidding makes dealing with government problematic.
Surely the ASD’s two-year accreditation process is out of step with the pace of technology change. And of course a two-year process puts enormous pressure on a small business.
One final irony is that Secure Collaboration says it’s a no-brainer that the government should want Microsoft’s Azure and Office365 available, and they are supporters of that policy. Microsoft has great tools, a great service and would present lots of opportunities for other SMEs.
But why does an Australian cloud service provider get squashed in the process of expediting accreditation for Microsoft?