ASD brawl over Microsoft
Mike Burgess: Overseeing a restructure of accreditation procedures at ASD
The Australian Signals Directorate executive at the centre of an internal brawl over Microsoft’s Azure and Office365 cloud services being granted Protected Certification has quietly departed the intelligence agency.
Melissa Osborne, a 24-year veteran of Defence, had run industry partnerships and certifications at the ASD, and managed the agency’s Information Security Registered Assessors Program (IRAP) initiatives. It is understood she has now accepted a cyber role with a US vendor.
Ms Osborne signed off on the first four cloud providers to gain the ASD’s Protected level status – Dimension Data, Macquarie Telecom, Sliced Tech and Vault Systems – and had been overseeing Microsoft’s application and the mitigation work the company was doing to overcome ASD security concerns.
When Ms Osborne declined to sign off on the Microsoft services on security grounds earlier this year, it is understood she was removed from the role by the ASD director-general Mike Burgess, who started as head of the agency in early January.
The Microsoft Azure and Office365 cloud services were awarded Protected Certification in late March, personally signed off by Alastair MacGibbon, the then special advisor to the Prime Minister on cyber security and current deputy director-general of the ASD. Mr MacGibbon is also the Head of the Australian Cyber Security Centre.
Once removed from the role, the highly-regarded Ms Osborne is understood to have taken leave from the agency and is said to have been sidelined from the process up until leaving Defence last week.
The revelation sheds some light on the procedures that resulted in Microsoft being awarded its Protected Certification, and highlights the significant changes underway within Australia’s primary security apparatus in relation to cyber.
It also reflects internal frictions created through the ASD’s transition into a statutory agency within the Defence portfolio and the changed priorities under the new management of Mike Burgess.
It underscores a radical rethinking of the Australian Government’s approach to cyber security, and has led to significant changes to the way cloud companies apply for – and are awarded – Protected Certification.
The accreditation role within ASD looks to have been caught between an ongoing adherence to the government’s Information Security Manual – the list of rules and controls that departments and agencies must follow in relation to cyber – and the new management’s desire to quickly introduce an overhauled manual based on a risk management and mitigation approach.
Microsoft has been caught in the middle, having been awarded Protected Certification while not having met the same strict ISM-informed criteria as the four other Protected level cloud services providers.
Specifically, the Microsoft services will host Protected level government data in a public cloud for the first time, albeit within two special Canberra-based Azure regions specially set up within Canberra Data Centres facilities.
The other more controversial issue relates to Microsoft personnel without standard Australian Government security clearances having access to the services from outside of Australia.
These are fundamental changes. They resulted in Microsoft’s Protected Certification being awarded with caveats – the ASD called the notes Consumer Guides – that highlighted to potential government users that the agency was still working with the company on mitigation strategies for concerns that it did not state.
It marked the first time the ASD had awarded Protected Certification on a ‘provisional’ basis. This itself caused significant unhappiness among other cloud service providers seeking accreditation to a similar level.
The ASD confirmed to InnovationAus.com that a new draft Information Security Manual is being circulated within government and industry, a process that is expected to last several months.
It is understood the ISM has been renamed as the Cyber Security Manual – or CSM – although a Defence spokesperson would only say that a new title is under consideration as a part of the consultation.
But the agency says the processes behind cloud certification are also being overhauled.
“Procedures relating to cloud certification are being examined for a range of reasons, primarily the need to keep pace with evolving technology,” the Defence spokesperson told InnovationAus.com.
“Once this examination has concluded, the Australian Signals Directorate (ASD) will continue to publish information about cloud certification to ensure clarity and transparency of the process.”
Meanwhile, senior Microsoft executives are understood to have briefed a Cabinet-level committee on the security measures the company had undertaken to satisfy the ASD.
It is understood Microsoft has assured government that any Microsoft employees with access to the systems, and who might as a result get accidental or incidental access to Australian Government data, would hold US Government security credentials to an appropriate level.
The overhaul of the Australian Government’s cybersecurity processes and procedures is still a work in progress. But once complete, it will almost certainly drive a large migration of government services to cloud services.