The Australian Signals Directorate has placed an unusual caveat on the much-lauded ‘Protected’ security status it signed off for Microsoft’s Azure public cloud, publishing a special “Consumer Guide” for potential government customers.
And it is understood the company has been given special clearance that in effect allows non-citizen, offshore staff with no Australian Government security accreditation to conduct support operations, even where that support might lead to “incidental or accidental” exposure to government protected data.
The accreditation marks a significant departure from past Australian Signals Directorate policy and has been implemented after lengthy technical, policy and procedural negotiations between Microsoft and agencies attached to the Attorney-General's Department.
Microsoft last week became the first of the global cloud platform providers to be certified at the ASD ‘Protected’ level for government configurations of its Azure public cloud and Office 365 services.
But after taking several days to publish Microsoft’s ‘Protected’ level credentials on the ASD list, the security chiefs added the services only with special notes that government customers would need to add additional controls to the configuration and that this delivery model carried “residual risks.”
The guidance maintains the risks could “be reduced through agency implementation of additional configuration and security controls to be developed by Microsoft in conjunction with the [Australian Cyber Security Centre].”
Microsoft is now the fifth public cloud vendor with Australian Government ‘Protected’ credentials, joining local providers Dimension Data, Macquarie Government, Sliced Tech, and Vault Systems.
But Microsoft is the only provider where the ASD has published additional security guidance.
For the Microsoft competitors, there is concern that the Australian Government security overseers have introduced a ‘two-speed’ system, where the offshore providers have been given a slightly different set of criteria to meet, particularly in relation to the clearance level of offshore technical staff who have access to government data while performing DevOps and admin functions.
The issue is not straightforward, and Microsoft maintains it has met all the same security hurdles as any of the other providers. It says it has been working with the ACSC on writing configuration blueprints for government customers to ensure its services’ security measures are properly implemented.
Although Microsoft is the first of the public cloud providers to have a “Consumer Guide” published against its service, it says such guidance is not unusual for the ASD to publish – and that it has regularly done so in relation to other configurable products, from iPhones and iPads to routers and switches.
The ASD has clearly made a decision that it is now applying the same strategy to complex, configurable services platforms.
Microsoft maintains that it has not been asked to build any additional security controls to meet ASD’s public cloud benchmarks, merely that it produce specific blueprints for achieving best-practice security configurations.
It is understood the company has been given special dispensation that would enable non-citizen, offshore staff without Australian Government security accreditation to perform work on the platform in a system administration or DevOps capacity.
These Microsoft employees would have cleared the company’s own security hurdles and would be allowed to perform these technical tasks from outside Australia.
But the company would not be obliged to nominate the individuals who perform the work, and it is understood they would not necessarily be known to the Australian security services.
The new measures have raised eyebrows in Canberra, and mark a significant shift in Australian security policy. The changes appear to open the door to offshore providers, and will result in significant new competition for the Australian cloud providers.
The fair degree of cross-recognition of security credentials at the highest levels between the Five Eyes intelligence network partners is most likely what underpins the new direction taken for the Microsoft Azure and Office 365 services.
But Australian competitors have already raised concerns.
“Basically, it says to government agencies that they need to go through the MS certification to understand all the areas where the standards written in the Information Security Manual are not met, and be willing to accept those risks themselves,” one company’s spokesman said yesterday.
“No other vendor has ever had this type of qualification against their certification.”
The issue is expected to be discussed at the Australian Cyber Security Centre conference which opens in Canberra today.