Microsoft has moved to win the favour of Australian government agencies by volunteering to have its Azure cloud service assessed against the Australian Signals Directorate's information security manual (ISM).
Microsoft employed ASD-accredited assessor Foresight Consulting to complete an Industry Security Registered Assessors Program (IRAP) compliance assessment (i.e. audit) of Azure for storage and transmission of unclassified data by Australian Government agencies.
The IRAP is an ASD initiative that allows experts in the private sector to provide cyber security assessments to Australian government agencies based on checklists in the ASD's information security manual, which is updated annually.
The scope of Foresight Consulting's four-month audit covered the physical data centres, the processes used by Microsoft’s IT operations team, plus a set of products including Azure Virtual Machines, Cloud Services, Storage Services, Virtual Network, Azure SQL DB and Azure Active Directory.
Foresight assessor Peter Baussmann first compared Azure's system architecture and information security documentation against all applicable controls recommended in the ISM, and further checked that these controls were implemented and operating effectively in a functioning system.
The assessment covered 'unclassified' data up to but not including data classified 'top secret'.
Microsoft's Australian instance of Azure is currently in private preview, awaiting a public launch later in the year.
The company's local chief security advisor James Kavanagh confirmed to sister publication iTnews that the public launch has been timed to ensure the service will be accredited not only to global standards like ISO27001 but also to a handful of local requirements.
Did Microsoft just make up an ASD standard?
The IRAP allows for private sector assessors to officially certify internet gateway services as ASD-approved, among others. But the advice it is based on is platform-agnostic - to date there is no official ASD standard for the security posture of a cloud service.
Adoption of cloud services relies on the information security manager of a government agency to certify that a proposed application or system meets ISM requirements, and ultimately the CIO of that agency must agree to accept the residual risk of using that service for the transmission or storage of government data.
The assessment that underpins a decision to use a cloud service can be outsourced to an independent IRAP assessor, but only for a specific business use of the system. So, for example, the Tax Office's use of a cloud service for a specific application can be certified, but not the inherent security posture of the cloud service itself.
But Kavanagh argued that by asking an IRAP assessor to scrutinise its physical security, network security and its security controls and processes against the ISM, Microsoft has done much of the work a CIO would otherwise face when looking to consume Azure services.
“Today we can hand them a letter of compliance,” he said, as well as audit documentation from four months of assessments.
“CIOs can factor that information into their assessment and certify for themselves that they consider it adequate,” he said.
Independent security advisor Nathan Joy, a former IT security manager at several federal government departments, told iTnews that while no formal accreditation exists for cloud services, the Australian Signals Directorate has been "very proactive in assisting IRAP Assessors, agencies and service providers to pragmatically implement the requirements of the ISM in the context of cloud technology."
"ASD's advice on cloud, as with Apple iOS & the ASD 35, is ahead of its time and has been praised and elements adopted by overseas governments," he noted.
Joy said advice in the ISM should not be read in isolation, but rather alongside the broader Protective Security Policy Framework and the agency's risk management frameworks and existing certification and accreditation.
Joy told iTnews that he felt that any efforts to ensure services conform to the ISM are to be welcomed.
“I would expect a long list of cloud providers are in the process of doing the same or at least considering it,” he said.
"Compliance with overseas standards is not a substitute for a proper assessment against Australian Government requirements. Although it is likely that such providers do have mature security programs, the control requirements and audit scopes do not exactly align to the Australian Government requirements."